Bug 217440

Summary: [iOS 14] Crash in IPC::Connection::dispatchIncomingMessages
Product: WebKit Reporter: Ali Juma <ajuma>
Component: WebKit2Assignee: Nobody <webkit-unassigned>
Status: NEW ---    
Severity: Normal CC: achristensen, ap, beidson, cdumez, ddkilzer, justincohen, rniwa, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
A zip of various crash files. none

Description Ali Juma 2020-10-07 12:59:05 PDT 
Chrome for iOS is getting a large increase (at least a 2.5X increase compared to iOS 13) in crashes in IPC::Connection::dispatchIncomingMessages on iOS 14.

We don't have steps to reproduce, but based on the crash reports we're getting, it looks like this happens when we're in the middle of making a sequence of pushState calls in order to restore session history. Each pushState generates multiple IPC messages, so it might be that when restoring a large session, we're generating enough IPC to put the Connection into a bad state. We do know that restoring a large session (e.g. 75 items) can sometimes generate enough IPC to trigger the throttling logic in dispatchIncomingMessages(), but we don't know for sure whether that logic is at all related to the crash. Inspecting registers in the crash dump suggests that |this| might be null in dispatchIncomingMessages().

The crash stack is:

0x000000019cd9c01c (WebKit + 0x0002f01c)              IPC::Connection::dispatchIncomingMessages()
0x000000019ae19bc4 (JavaScriptCore + 0x00db4bc4)      WTF::RunLoop::performWork()
0x000000019ae19bc4 (JavaScriptCore + 0x00db4bc4)      WTF::RunLoop::performWork()
0x000000019ae1a6dc (JavaScriptCore + 0x00db56dc)      WTF::RunLoop::performWork(void*)
0x000000019134823c (CoreFoundation + 0x0009a23c)      __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__
0x000000019134813c (CoreFoundation + 0x0009a13c)      __CFRunLoopDoSource0
0x0000000191347484 (CoreFoundation + 0x00099484)      __CFRunLoopDoSources0
0x0000000191341a3c (CoreFoundation + 0x00093a3c)      __CFRunLoopRun
0x00000001913411fc (CoreFoundation + 0x000931fc)      CFRunLoopRunSpecific
0x00000001a743c594 (GraphicsServices + 0x00003594)    GSEventRunModal
0x0000000193c07000 (UIKitCore + 0x00b21000)           -[UIApplication _run]
0x0000000193c0c5d4 (UIKitCore + 0x00b265d4)           UIApplicationMain
0x000000010462510c (Chrome -chrome_exe_main.mm:66)    main
0x0000000191020594 (libdyld.dylib + 0x00001594)       start
Comment 1 Radar WebKit Bug Importer 2020-10-07 22:21:00 PDT 
<rdar://problem/70080104>
Comment 2 Justin Cohen 2020-10-08 18:06:32 PDT 
I was able to trigger the crash by aborting session restore (i.e. closing the tab).  I could only reproduce on device, and only by artificially putting the device under heavy load.  I looped thru many session restores with plenty of pushStates and released the WKWebView before the IPC throttling could complete.
Comment 3 Chris Dumez 2020-10-26 08:57:41 PDT 
Can you please provide a full crash trace file?
Comment 4 Justin Cohen 2020-10-26 09:13:39 PDT 
Created attachment 412319 [details]
A zip of various crash files.
Comment 5 Chris Dumez 2020-10-26 09:38:42 PDT 
Seems to be crashing on:
        message = m_incomingMessages.takeFirst();

in Connection::dispatchIncomingMessages():
Thread[0] EXC_BAD_ACCESS (SIGSEGV) (KERN_INVALID_ADDRESS at 0x0000000000001bb8)
[  0] 0x00000001aaaad570 WebKit`IPC::Connection::dispatchIncomingMessages() [inlined] std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >::release() at memory:2613:26

     0x00000001aaaad560:      mov w22, #0x0
     0x00000001aaaad564:      mov x24, #0x0
     0x00000001aaaad568:        b 0x306ac              ; <+424> [inlined] WTF::compilerFence() at Locker.h:69
     0x00000001aaaad56c:      ldr x9, [x19, #0x90]
 ->  0x00000001aaaad570:      ldr x21, [x9, x8, lsl #3]
     0x00000001aaaad574:      str xzr, [x9, x8, lsl #3]
     0x00000001aaaad578:      ldr x9, [x19, #0x90]
     0x00000001aaaad57c:      add x0, x9, x8, lsl #3
     0x00000001aaaad580:      mov x1, #0x0

[  0] 0x00000001aaaad570 WebKit`IPC::Connection::dispatchIncomingMessages() [inlined] std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >::unique_ptr(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >&&) at memory:2519
[  0] 0x00000001aaaad570 WebKit`IPC::Connection::dispatchIncomingMessages() [inlined] std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >::unique_ptr(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >&&) at memory:2519
[  0] 0x00000001aaaad570 WebKit`IPC::Connection::dispatchIncomingMessages() [inlined] WTF::Deque<std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >, 0ul>::takeFirst() + 4 at Deque.h:458
[  0] 0x00000001aaaad56c WebKit`IPC::Connection::dispatchIncomingMessages() + 104 at Connection.cpp:1154