Bug 247442

Summary: Network process crash in WebResourceLoadStatisticsStore::registrableDomains
Product: WebKit Reporter: Michael Catanzaro <mcatanzaro>
Component: WebKitGTK    Assignee: Michael Catanzaro <mcatanzaro>
Status: RESOLVED FIXED    
Severity: Normal CC: bugs-noreply, mcatanzaro, webkit-bug-importer, wilander
Priority: P2    
Version: WebKit Nightly Build   
Hardware: PC   
OS: Linux   

Description Michael Catanzaro 2022-11-03 09:57:36 PDT
Not sure how I triggered this crash, but here it is:

#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0)
    at pthread_kill.c:44
        tid = <optimized out>
        ret = 0
        pd = <optimized out>
        old_mask = {__val = {140720907250576, 94914578345536, 8, 0, 140720907250656, 139706809536613, 8, 8, 1, 94914578345536, 0, 94914578216752, 0, 94914578336768, 140720907250768, 139706809538778}}
        ret = <optimized out>
#1  0x00007f100a6601f3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2  0x00007f100a60e00e in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
        ret = <optimized out>
#3  0x00007f100a5f77fc in __GI_abort () at abort.c:79
        save_stage = 1
        act = {__sigaction_handler = {sa_handler = 0x7f1002010118, sa_sigaction = 0x7f1002010118}, sa_mask = {__val = {139706871148193, 140720907250992, 8, 140720907250976, 8, 140720907251008, 139706809956059, 1, 7827239952684542464, 94914578090320, 0, 140720907251056, 139706809610868, 139706729824480, 140720907251080, 139706729824480}}, sa_flags = 33641664, sa_restorer = 0x7ffc23b06dc0}
        sigs = {__val = {32, 94914578429776, 140720907250896, 139706809751271, 94914578216752, 139601872175120, 139706810553504, 17, 17, 0, 94914578429776, 139706813294400, 140720907251040, 1, 140720907250928, 139706865000110}}
#4  0x00007f100b0f65ae in WTFCrashWithInfo(int, char const*, char const*, int) ()
    at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/_builddir/WTF/Headers/wtf/Assertions.h:754
#5  WebKit::WebResourceLoadStatisticsStore::postTask(WTF::Function<void ()>&&)
    (this=this@entry=0x7f1002008a00, task=...)
    at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/Source/WebKit/NetworkProcess/Classifier/WebResourceLoadStatisticsStore.cpp:203
#6  0x00007f100b0ed48b in WebKit::WebResourceLoadStatisticsStore::registrableDomains(WTF::CompletionHandler<void (WTF::Vector<WebCore::RegistrableDomain, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&&)>&&)
    (this=this@entry=0x7f1002008a00, completionHandler=...) at /usr/include/c++/12.1.0/bits/unique_ptr.h:189
#7  0x00007f100b083d2a in WebKit::NetworkProcess::fetchWebsiteData(PAL::SessionID, WTF::OptionSet<WebKit::WebsiteDataType>, WTF::OptionSet<WebKit::WebsiteDataFetchOption>, WTF::CompletionHandler<void (WebKit::WebsiteData&&)>&&)
    (this=<optimized out>, sessionID=..., websiteDataTypes=..., fetchOptions=..., completionHandler=<optimized out>)
    at /usr/include/c++/12.1.0/bits/unique_ptr.h:189
        resourceLoadStatistics = 0x7f1002008a00
        __func__ = "fetchWebsiteData"
        callbackAggregator = {static isRef = <optimized out>, m_ptr = 0x7f10020154c0}
        session = 0x7f100202c700
#8  0x00007f100af3a60a in IPC::callMemberFunctionImpl<WebKit::NetworkProcess, void (WebKit::NetworkProcess::*)(PAL::SessionID, WTF::OptionSet<WebKit::WebsiteDataType>, WTF::OptionSet<WebKit::WebsiteDataFetchOption>, WTF::CompletionHandler<void (WebKit::WebsiteData&&)>&&), void (WebKit::WebsiteData&&), std::tuple<PAL::SessionID, WTF::OptionSet<WebKit::WebsiteDataType>, WTF::OptionSet<WebKit::WebsiteDataFetchOption> >, 0ul, 1ul, 2ul>(WebKit::NetworkProcess*, void (WebKit::NetworkProcess::*)(PAL::SessionID, WTF::OptionSet<WebKit::WebsiteDataType>, WTF::OptionSet<WebKit::WebsiteDataFetchOption>, WTF::CompletionHandler<void (WebKit::WebsiteData&&)>&&), WTF::CompletionHandler<void (WebKit::WebsiteData&&)>&&, std::tuple<PAL::SessionID, WTF::OptionSet<WebKit::WebsiteDataType>, WTF::OptionSet<WebKit::WebsiteDataFetchOption> >&&, std::integer_sequence<unsigned long, 0ul, 1ul, 2ul>)
    (args=..., completionHandler=..., function=<optimized out>, object=0x7f10020300c0)
    at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/Source/WebKit/Platform/IPC/HandleMessage.h:145
        listenerID = std::optional<unsigned long> = {[contained value] = <optimized out>}

        arguments = std::optional<std::tuple<PAL::SessionID, WTF::OptionSet<WebKit::WebsiteDataType>, WTF::OptionSet<WebKit::WebsiteDataFetchOption> >> containing std::tuple containing = {[1] = {m_identifier = <optimized out>}, [2] = {m_storage = <optimized out>}, [3] = {m_storage = <optimized out>}}
#9  IPC::callMemberFunction<WebKit::NetworkProcess, void (WebKit::NetworkProcess::*)(PAL::SessionID, WTF::OptionSet<WebKit::WebsiteDataType>, WTF::OptionSet<WebKit::WebsiteDataFetchOption>, WTF::CompletionHandler<void (WebKit::WebsiteData&&)>&&), void (WebKit::WebsiteData&&), std::tuple<PAL::SessionID, WTF::OptionSet<WebKit::WebsiteDataType>, WTF::OptionSet<WebKit::WebsiteDataFetchOption> >, std::integer_sequence<unsigned long, 0ul, 1ul, 2ul> >(std::tuple<PAL::SessionID, WTF::OptionSet<WebKit::WebsiteDataType>, WTF::OptionSet<WebKit::WebsiteDataFetchOption> >&&, WTF::CompletionHandler<void (WebKit::WebsiteData&&)>&&, WebKit::NetworkProcess*, void (WebKit::NetworkProcess::*)(PAL::SessionID, WTF::OptionSet<WebKit::WebsiteDataType>, WTF::OptionSet<WebKit::WebsiteDataFetchOption>, WTF::CompletionHandler<void (WebKit::WebsiteData&&)>&&)) (function=<optimized out>, object=0x7f10020300c0, completionHandler=..., args=...) at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/Source/WebKit/Platform/IPC/HandleMessage.h:151
        listenerID = std::optional<unsigned long> = {[contained value] = <optimized out>}
        arguments = std::optional<std::tuple<PAL::SessionID, WTF::OptionSet<WebKit::WebsiteDataType>, WTF::OptionSet<WebKit::WebsiteDataFetchOption> >> containing std::tuple containing = {[1] = {m_identifier = <optimized out>}, [2] = {m_storage = <optimized out>}, [3] = {m_storage = <optimized out>}}
#10 IPC::handleMessageAsync<Messages::NetworkProcess::FetchWebsiteData, WebKit::NetworkProcess, void (WebKit::NetworkProcess::*)(PAL::SessionID, WTF::OptionSet<WebKit::WebsiteDataType>, WTF::OptionSet<WebKit::WebsiteDataFetchOption>, WTF::CompletionHandler<void (WebKit::WebsiteData&&)>&&)>(IPC::Connection&, IPC::Decoder&, WebKit::NetworkProcess*, void (WebKit::NetworkProcess::*)(PAL::SessionID, WTF::OptionSet<WebKit::WebsiteDataType>, WTF::OptionSet<WebKit::WebsiteDataFetchOption>, WTF::CompletionHandler<void (WebKit::WebsiteData&&)>&&)) (connection=..., decoder=..., object=object@entry=0x7f10020300c0, function=(void (WebKit::NetworkProcess::*)(class WebKit::NetworkProcess * const, class PAL::SessionID, class WTF::OptionSet<WebKit::WebsiteDataType>, class WTF::OptionSet<WebKit::WebsiteDataFetchOption>, class WTF::CompletionHandler<void(WebKit::WebsiteData&&)> &&)) 0x7f100b083ad0 <WebKit::NetworkProcess::fetchWebsiteData(PAL::SessionID, WTF::OptionSet<WebKit::WebsiteDataType>, WTF::OptionSet<WebKit::WebsiteDataFetchOption>, WTF::CompletionHandler<void (WebKit::WebsiteData&&)>&&)>) at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/Source/WebKit/Platform/IPC/HandleMessage.h:353
        listenerID = std::optional<unsigned long> = {[contained value] = <optimized out>}
        arguments = std::optional<std::tuple<PAL::SessionID, WTF::OptionSet<WebKit::WebsiteDataType>, WTF::OptionSet<WebKit::WebsiteDataFetchOption> >> containing std::tuple containing = {[1] = {m_identifier = <optimized out>}, [2] = {m_storage = <optimized out>}, [3] = {m_storage = <optimized out>}}
#11 0x00007f100af27606 in WebKit::NetworkProcess::didReceiveNetworkProcessMessage(IPC::Connection&, IPC::Decoder&) (this=0x7f10020300c0, connection=..., decoder=...) at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/_builddir/DerivedSources/WebKit/NetworkProcessMessageReceiver.cpp:1718
        protectedThis = {m_ptr = 0x7f10020300c0}
#12 0x00007f100b1c3ac5 in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) (this=0x7f10020341a0, message=std::unique_ptr<IPC::Decoder> = {...}) at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/Source/WebKit/Platform/IPC/Connection.cpp:1150
        isDispatchingMessageWhileWaitingForSyncReply = <optimized out>
        oldDidReceiveInvalidMessage = false
#13 0x00007f100b1c538a in IPC::Connection::dispatchOneIncomingMessage() (this=0x7f10020341a0) at /usr/include/c++/12.1.0/bits/unique_ptr.h:189
        message = std::unique_ptr<IPC::Decoder> = {get() = 0x0}
#14 0x00007f100a11def5 in WTF::Function<void ()>::operator()() const (this=<synthetic pointer>) at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/Source/WTF/wtf/Function.h:79
        function = {m_callableWrapper = std::unique_ptr<class WTF::Detail::CallableWrapperBase<void>> = {get() = 0x7f100203c130}}
        didSuspendFunctions = false
#15 WTF::RunLoop::performWork() (this=0x7f10020100e0) at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/Source/WTF/wtf/RunLoop.cpp:133
        function = {m_callableWrapper = std::unique_ptr<class WTF::Detail::CallableWrapperBase<void>> = {get() = 0x7f100203c130}}
        didSuspendFunctions = false
#16 0x00007f100a17e76d in operator() (userData=<optimized out>, __closure=0x0) at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:80
#17 _FUN(gpointer) () at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:82
#18 0x00007f100a17f12d in operator() (__closure=0x0, userData=0x7f10020100e0, callback=0x7f100a17e760 <_FUN(gpointer)>, source=0x565305b60950) at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:53
        name = 0x565305b61a30 "[WebKit] RunLoop work"
        runLoopSource = @0x565305b60950: {source = {callback_data = 0x565305b5f680, callback_funcs = 0x7f1006d0d2e0 <g_source_callback_funcs>, source_funcs = 0x7f100a571000 <WTF::RunLoop::s_runLoopSourceFunctions>, ref_count = 3, context = 0x565305b5f780, priority = 100, flags = 35, source_id = 1, poll_fds = 0x0, prev = 0x0, next = 0x565305b8be20, name = 0x565305b61a30 "[WebKit] RunLoop work", priv = 0x565305b60a00}, runLoop = 0x7f10020100e0}
        returnValue = <optimized out>
#19 _FUN(GSource*, GSourceFunc, gpointer) () at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:56
#20 0x00007f1006c29971 in g_main_dispatch (context=<optimized out>) at ../glib/gmain.c:3444
        dispatch = 0x7f100a17f0d0 <_FUN(GSource*, GSourceFunc, gpointer)>
        prev_source = 0x0
        begin_time_nsec = 6820129340251
        was_in_call = 0
        user_data = 0x7f10020100e0
        callback = 0x7f100a17e760 <_FUN(gpointer)>
        cb_funcs = 0x7f1006d0d2e0 <g_source_callback_funcs>
        cb_data = 0x565305b5f680
        need_destroy = <optimized out>
        source = 0x565305b60950
        current = 0x565305b7baf0
        i = 0
        __func__ = "g_main_dispatch"
#21 g_main_context_dispatch (context=<optimized out>) at ../glib/gmain.c:4162
#22 0x00007f1006c29ec8 in g_main_context_iterate (context=0x565305b5f780, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4238
        max_priority = 2147483647
        timeout = 55003
        some_ready = 1
        nfds = 2
        allocated_nfds = <optimized out>
        fds = <optimized out>
        begin_time_nsec = 6819703034984
#23 0x00007f1006c2a1af in g_main_loop_run (loop=0x565305b60930) at ../glib/gmain.c:4438
        __func__ = "g_main_loop_run"
#24 0x00007f100a17f290 in WTF::RunLoop::run() () at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:108
        runLoop = @0x7f10020100e0: {<WTF::FunctionDispatcher> = {_vptr.FunctionDispatcher = 0x7f100a55ea30 <vtable for WTF::RunLoop+16>}, <WTF::ThreadSafeRefCounted<WTF::RunLoop, (WTF::DestructionThread)0>> = {<WTF::ThreadSafeRefCountedBase> = {m_refCount = std::atomic<unsigned int> = { 8 }}, <No data fields>}, m_currentIteration = {m_start = 1, m_end = 1, m_buffer = {<WTF::VectorBufferBase<WTF::Function<void()>, WTF::FastMalloc>> = {m_buffer = 0x7f1002044380, m_capacity = 16, m_size = 0}, <No data fields>}}, m_nextIterationLock = {static isHeldBit = 1 '\001', static hasParkedBit = 2 '\002', m_byte = {value = std::atomic<unsigned char> = { 0 '\000' }}}, m_nextIteration = {m_start = 0, m_end = 1, m_buffer = {<WTF::VectorBufferBase<WTF::Function<void()>, WTF::FastMalloc>> = {m_buffer = 0x7f1002009d00, m_capacity = 16, m_size = 0}, <No data fields>}}, m_isFunctionDispatchSuspended = false, m_hasSuspendedFunctions = false, static s_runLoopSourceFunctions = {prepare = 0x0, check = 0x0, dispatch = 0x7f100a17f0d0 <_FUN(GSource*, GSourceFunc, gpointer)>, finalize = 0x0, closure_callback = 0x0, closure_marshal = 0x0}, m_mainContext = {m_ptr = 0x565305b5f780}, m_mainLoops = {<WTF::VectorBuffer<WTF::GRefPtr<_GMainLoop>, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WTF::GRefPtr<_GMainLoop>, WTF::FastMalloc>> = {m_buffer = 0x7f1002008180, m_capacity = 16, m_size = 1}, <No data fields>}, <No data fields>}, m_source = {m_ptr = 0x565305b60950}, m_observers = {m_set = {m_impl = {{m_table = 0x0, m_tableForLLDB = 0x0}}}}}
        mainContext = 0x565305b5f780
        innermostLoop = 0x565305b60930
        nestedMainLoop = <optimized out>
#25 0x00007f100b1956a0 in WebKit::AuxiliaryProcessMainBase<WebKit::NetworkProcess, false>::run(int, char**) (argc=3, argv=0x7ffc23b07558, this=0x7ffc23b073b0) at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/Source/WebKit/Shared/AuxiliaryProcessMain.h:71
        auxiliaryMain = {m_storage = {__data = " \263\"\016\020\177", '\000' <repeats 26 times>, "\026\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\r", '\000' <repeats 15 times>, "\001\000\000\000\000\000\000\000\300\000\003\002\020\177\000", __align = {<No data fields>}}}
#26 WebKit::AuxiliaryProcessMainBase<WebKit::NetworkProcess, false>::run(int, char**) (argv=0x7ffc23b07558, argc=3, this=0x7ffc23b073b0) at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/Source/WebKit/Shared/AuxiliaryProcessMain.h:58
        auxiliaryMain = {m_storage = {__data = " \263\"\016\020\177", '\000' <repeats 26 times>, "\026\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\r", '\000' <repeats 15 times>, "\001\000\000\000\000\000\000\000\300\000\003\002\020\177\000", __align = {<No data fields>}}}
#27 WebKit::AuxiliaryProcessMain<WebKit::NetworkProcessMainSoup>(int, char**) (argc=3, argv=0x7ffc23b07558) at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/Source/WebKit/Shared/AuxiliaryProcessMain.h:97
        auxiliaryMain = {m_storage = {__data = " \263\"\016\020\177", '\000' <repeats 26 times>, "\026\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\r", '\000' <repeats 15 times>, "\001\000\000\000\000\000\000\000\300\000\003\002\020\177\000", __align = {<No data fields>}}}
#28 0x00007f100a5f854a in __libc_start_call_main (main=main@entry=0x56530577a060 <main>, argc=argc@entry=3, argv=argv@entry=0x7ffc23b07558) at ../sysdeps/nptl/libc_start_call_main.h:58
        self = <optimized out>
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140720907253080, 5824029807542122901, 3, 0, 94914574011792, 139706936602624, 5824029807527442837, 5839848887685724565}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x3, 0x7ffc23b07550}, data = {prev = 0x0, cleanup = 0x0, canceltype = 3}}}
        not_first_call = <optimized out>
#29 0x00007f100a5f860b in __libc_start_main_impl (main=0x56530577a060 <main>, argc=3, argv=0x7ffc23b07558, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=<optimized out>) at ../csu/libc-start.c:389
#30 0x000056530577a095 in _start ()
Comment 1 Michael Catanzaro 2022-11-10 12:37:56 PST
Uhh, it's an assert here:

inline void WebResourceLoadStatisticsStore::postTask(WTF::Function<void()>&& task)
{
    // Resource load statistics should not be captured for ephemeral sessions.
    RELEASE_ASSERT(!isEphemeral());

This seems familiar... I'm sure there is another bug report for this. Let's see if I can find it.
Comment 2 Michael Catanzaro 2022-11-10 12:42:36 PST
(In reply to Michael Catanzaro from comment #1)
> I'm sure there is another bug report for this. Let's
> see if I can find it.

Can't find it.
Comment 3 Michael Catanzaro 2022-11-10 12:59:57 PST
So it looks like fetching the resource load statistics website data type crashes in ephemeral sessions.

WebResourceLoadStatisticsStore::registrableDomains calls WebResourceLoadStatistics::postTask, and that is not supposed to be called at all in ephemeral mode. Makes sense... we should probably bail out before that. Either NetworkProcess::fetchWebsiteData should skip fetching website data if in an ephemeral session, or the NetworkSession should not have a WebResourceLoadStatistics object at all if ephemeral.
Comment 4 Michael Catanzaro 2022-11-10 13:45:06 PST
OK, NetworkSession::setTrackingPreventionEnabled intentionally always creates the WebResourceLoadStatisticsStore, and populates it with data from disk only in non-ephemeral mode. So the "the NetworkSession should not have a WebResourceLoadStatistics object at all if ephemeral" idea seems to be not what is intended. In that case, let's have NetworkProcess::fetchWebsiteData bail.
Comment 5 Michael Catanzaro 2022-11-10 14:00:40 PST
BTW, reproducer: open Epiphany incognito window, go to Preferences -> Privacy -> Clear Website Data, the network process will instantly crash when Epiphany does a webkit_website_data_manager_fetch(). I'm sure there's a preexisting bug report for this, but I've failed to find it.
Comment 6 Michael Catanzaro 2022-11-10 14:40:05 PST
Actually, looking at the design of WebResourceLoadStatisticsStore, many other functions are checking for ephemeral mode and bailing if enabled. So let's do that instead.
Comment 7 John Wilander 2022-11-10 14:53:03 PST
(In reply to Michael Catanzaro from comment #6)
> Actually, looking at the design of WebResourceLoadStatisticsStore, many
> other functions are checking for ephemeral mode and bailing if enabled. So
> let's do that instead.

That sounds like the right approach.
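As an added illustration (not WebKit code and not the commit that landed for this bug), a stand-alone C++ model of the RELEASE_ASSERT path from comment 1 beside the bail-out pattern that comments 3 and 6 describe; `Store`, `Outcome`, `fetch` and the sample domains are constructed stand-ins for the real classes:

```cpp
// Added model, not WebKit code: names mirror the store in this bug but all types are stand-ins.
#include <functional>
#include <string>
#include <utility>
#include <vector>

using RegistrableDomain = std::string;
using DomainsHandler = std::function<void(std::vector<RegistrableDomain>&&)>;

struct Store {
    bool ephemeral = false;
    std::vector<RegistrableDomain> onDisk;  // constructed sample of persisted statistics
    int postedTasks = 0;
    bool assertionFired = false;            // stands in for RELEASE_ASSERT aborting the process

    bool isEphemeral() const { return ephemeral; }

    // Models WebResourceLoadStatisticsStore::postTask (comment 1): statistics are
    // never captured for ephemeral sessions, so the real code RELEASE_ASSERTs here.
    void postTask(std::function<void()>&& task) {
        if (isEphemeral()) { assertionFired = true; return; }  // real code: network process aborts
        ++postedTasks;
        task();  // the real store runs the task on its statistics queue
    }

    // Before the fix: always posts, so an ephemeral session hits the assert.
    void registrableDomainsBefore(DomainsHandler&& handler) {
        postTask([this, handler = std::move(handler)]() mutable {
            handler(std::vector<RegistrableDomain>(onDisk));
        });
    }

    // After the fix (pattern from comment 6): bail out in ephemeral mode and answer
    // with an empty list, since nothing was ever persisted for that session.
    void registrableDomainsAfter(DomainsHandler&& handler) {
        if (isEphemeral())
            return handler(std::vector<RegistrableDomain>{});
        postTask([this, handler = std::move(handler)]() mutable {
            handler(std::vector<RegistrableDomain>(onDisk));
        });
    }
};

// Drives one fetch through the chosen version and reports whether the assert fired
// and how many domains the completion handler received.
struct Outcome { bool crashed; int domainCount; };

Outcome fetch(Store& s, bool fixed) {
    int n = -1;  // -1 means the completion handler was never called
    DomainsHandler handler = [&n](std::vector<RegistrableDomain>&& d) { n = static_cast<int>(d.size()); };
    if (fixed) s.registrableDomainsAfter(std::move(handler));
    else s.registrableDomainsBefore(std::move(handler));
    return {s.assertionFired, n};
}
```

In the model the assert only sets a flag so the two paths can be compared; in WebKit it aborts the whole network process, which is why one website-data fetch in an incognito session took it down.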
Comment 8 Michael Catanzaro 2022-11-10 15:02:46 PST
Pull request: https://github.com/WebKit/WebKit/pull/6370
Comment 9 EWS 2022-11-11 01:22:56 PST
Committed 256566@main (ca03533a50a8): <https://commits.webkit.org/256566@main>

Reviewed commits have been landed. Closing PR #6370 and removing active labels.