RESOLVED FIXED Bug 51115
Crash in web process after the connection had been closed 
https://bugs.webkit.org/show_bug.cgi?id=51115
Summary Crash in web process after the connection had been closed
Balazs Kelemen
Reported 2010-12-15 09:48:17 PST
This is the story: 1. The UI process close the last page 2. The connection of the web process is invalidated 3. The work queue of the connection is still running and it detects disconnection and call connectionDidClose 4. m_client is 0 so connectionDidClose does a null dereference That means we need a null check in connectionDidClose. I don't know exactly how ports other than Qt affected by the problem but a null check does not costs too much so I think it is better to handle that in the common part of the implementation. I investigated a lot of how should that fixed correctly and I think this is the best.
Attachments
Patch (1.57 KB, patch)
2010-12-16 01:55 PST, Balazs Kelemen 		no flags
DetailsFormatted DiffDiff
Patch (2.51 KB, patch)
2010-12-20 05:09 PST, Balazs Kelemen 		no flags
DetailsFormatted DiffDiff
Patch (3.21 KB, patch)
2010-12-20 17:27 PST, Balazs Kelemen 		no flags
DetailsFormatted DiffDiff
patch v4 (3.92 KB, patch)
2011-01-14 05:52 PST, Balazs Kelemen 		no flags
DetailsFormatted DiffDiff
Patch (7.83 KB, patch)
2011-02-07 17:32 PST, Anders Carlsson 		sam: review+
DetailsFormatted DiffDiff
Show Obsolete (4) View All Add attachment proposed patch, testcase, etc.
Balazs Kelemen
Comment 1 2010-12-15 10:02:26 PST
Note that the crash is only visible in the debugger.
Balazs Kelemen
Comment 2 2010-12-16 01:55:02 PST
Created attachment 76743 [details] Patch
Balazs Kelemen
Comment 3 2010-12-20 04:59:12 PST
After I got an assert in connectionDidClose while working on other stuff but having this patch in my branch, I decided to fix by not calling connectionDidClose at all when the connection had been invalidated. That would rather need a Qt only change.
Balazs Kelemen
Comment 4 2010-12-20 05:09:15 PST
Created attachment 76988 [details] Patch
Kenneth Rohde Christiansen
Comment 5 2010-12-20 05:29:52 PST
Comment on attachment 76988 [details] Patch Looks sensible
Balazs Kelemen
Comment 6 2010-12-20 07:12:17 PST
Comment on attachment 76988 [details] Patch Clearing flags on attachment: 76988 Committed r74345: <http://trac.webkit.org/changeset/74345>
Balazs Kelemen
Comment 7 2010-12-20 07:12:26 PST
All reviewed patches have been landed. Closing bug.
Anders Carlsson
Comment 8 2010-12-20 10:33:49 PST
This patch is not correct, m_client must either be an atomic variable or protected by a lock. I'm going to revert this.
Kenneth Rohde Christiansen
Comment 9 2010-12-20 10:54:13 PST
(In reply to comment #8) > This patch is not correct, m_client must either be an atomic variable or protected by a lock. I'm going to revert this. Please do.
Anders Carlsson
Comment 10 2010-12-20 10:54:35 PST
Reverted r74345 for reason: Not the correct fix. Committed r74355: <http://trac.webkit.org/changeset/74355>
Balazs Kelemen
Comment 11 2010-12-20 17:27:41 PST
Created attachment 77057 [details] Patch
Darin Adler
Comment 12 2010-12-20 17:35:49 PST
Comment on attachment 77057 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=77057&action=review I think Anders should review, but I do have one comment. > WebKit2/Platform/CoreIPC/Connection.cpp:349 > + m_client = 0; // No need to lock here since the connectino has been closed on the work thread. Typo: connectino
Darin Adler
Comment 13 2010-12-29 17:16:11 PST
Comment on attachment 77057 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=77057&action=review I’d like to review, but I’d like to hear from Anders whether he thinks this is the right solution. > WebKit2/ChangeLog:8 > + Add mutual exclusion for m_client. Typically for a single pointer we could use a function like the Mac OS X OSAtomicCompareAndSwapPtrBarrier instead of a mutex. I don’t know if that’s desirable here or not. > WebKit2/Platform/CoreIPC/Connection.cpp:342 > - if (!m_client) > + if (!isValid()) Is this better? Generally speaking if code is going to be manipulating m_client directly, I am not sure that isValid is providing a helpful abstraction inside the Connection class.
Balazs Kelemen
Comment 14 2011-01-02 19:05:40 PST
(In reply to comment #13) > (From update of attachment 77057 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=77057&action=review > > I’d like to review, but I’d like to hear from Anders whether he thinks this is the right solution. > > > WebKit2/ChangeLog:8 > > + Add mutual exclusion for m_client. > > Typically for a single pointer we could use a function like the Mac OS X OSAtomicCompareAndSwapPtrBarrier instead of a mutex. I don’t know if that’s desirable here or not. I don't have a strong opinion about that. However, if we want atomic functionality then I think it should be introduced into WTF for all platforms. > > > WebKit2/Platform/CoreIPC/Connection.cpp:342 > > - if (!m_client) > > + if (!isValid()) > > Is this better? Generally speaking if code is going to be manipulating m_client directly, I am not sure that isValid is providing a helpful abstraction inside the Connection class. Yes, maybe just saying |!m_client| is more straightforward here.
Balazs Kelemen
Comment 15 2011-01-06 02:05:55 PST
I should refine my opinion about using atomic here. This is not enough in the following situation: { Client* client = ATOMIC_READ(m_client); if (!client) return; --> Right now the listener thread invalidates the connection. --> After that the client is allowed to be destructed so we can end up in --> accessing a deleted object in the following line. client->didCloseOnConnectionWorkQueue(&m_connectionQueue, this); } So the didClose... call should be in a mutually excluded block.
Balazs Kelemen
Comment 16 2011-01-14 05:52:51 PST
Created attachment 78932 [details] patch v4 Patch with the isValid/m_client change suggested by Darin.
Balazs Kelemen
Comment 17 2011-02-01 10:24:36 PST
ping
Anders Carlsson
Comment 18 2011-02-07 17:18:02 PST
(In reply to comment #17) > ping Sorry for not looking at this earlier. I've decided to go with a simpler approach and get rid of the Client::connectionDidCloseOnWorkQueue.
Anders Carlsson
Comment 19 2011-02-07 17:32:57 PST
Created attachment 81556 [details] Patch
Anders Carlsson
Comment 20 2011-02-07 17:44:54 PST
Committed r77874: <http://trac.webkit.org/changeset/77874>
Note You need to log in before you can comment on or make changes to this bug.