Bug 247442

Summary: Network process crash in WebResourceLoadStatisticsStore::registrableDomains
Product: WebKit Reporter: Michael Catanzaro <mcatanzaro>
Component: WebKitGTKAssignee: Michael Catanzaro <mcatanzaro>
Status: RESOLVED FIXED    
Severity: Normal CC: bugs-noreply, mcatanzaro, webkit-bug-importer, wilander
Priority: P2    
Version: WebKit Nightly Build   
Hardware: PC   
OS: Linux   

Michael Catanzaro
Reported 2022-11-03 09:57:36 PDT
Not sure how I triggered this crash, but here it is: #0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44 tid = <optimized out> ret = 0 pd = <optimized out> old_mask = {__val = {140720907250576, 94914578345536, 8, 0, 140720907250656, 139706809536613, 8, 8, 1, 94914578345536, 0, 94914578216752, 0, 94914578336768, 140720907250768, 139706809538778}} ret = <optimized out> #1 0x00007f100a6601f3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78 #2 0x00007f100a60e00e in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 ret = <optimized out> #3 0x00007f100a5f77fc in __GI_abort () at abort.c:79 save_stage = 1 act = {__sigaction_handler = {sa_handler = 0x7f1002010118, sa_sigaction = 0x7f1002010118}, sa_mask = {__val = {139706871148193, 140720907250992, 8, 140720907250976, 8, 140720907251008, 139706809956059, 1, 7827239952684542464, 94914578090320, 0, 140720907251056, 139706809610868, 139706729824480, 140720907251080, 139706729824480}}, sa_flags = 33641664, sa_restorer = 0x7ffc23b06dc0} sigs = {__val = {32, 94914578429776, 140720907250896, 139706809751271, 94914578216752, 139601872175120, 139706810553504, 17, 17, 0, 94914578429776, 139706813294400, 140720907251040, 1, 140720907250928, 139706865000110}} #4 0x00007f100b0f65ae in WTFCrashWithInfo(int, char const*, char const*, int) () at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/_builddir/WTF/Headers/wtf/Assertions.h:754 #5 WebKit::WebResourceLoadStatisticsStore::postTask(WTF::Function<void ()>&&) (this=this@entry=0x7f1002008a00, task=...) at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/Source/WebKit/NetworkProcess/Classifier/WebResourceLoadStatisticsStore.cpp:203 #6 0x00007f100b0ed48b in WebKit::WebResourceLoadStatisticsStore::registrableDomains(WTF::CompletionHandler<void (WTF::Vector<WebCore::RegistrableDomain, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&&)>&&) (this=this@entry=0x7f1002008a00, completionHandler=...) at /usr/include/c++/12.1.0/bits/unique_ptr.h:189 #7 0x00007f100b083d2a in WebKit::NetworkProcess::fetchWebsiteData(PAL::SessionID, WTF::OptionSet<WebKit::WebsiteDataType>, WTF::OptionSet<WebKit::WebsiteDataFetchOption>, WTF::CompletionHandler<void (WebKit::WebsiteData&&)>&&) (this=<optimized out>, sessionID=..., websiteDataTypes=..., fetchOptions=..., completionHandler=<optimized out>) at /usr/include/c++/12.1.0/bits/unique_ptr.h:189 resourceLoadStatistics = 0x7f1002008a00 __func__ = "fetchWebsiteData" callbackAggregator = {static isRef = <optimized out>, m_ptr = 0x7f10020154c0} session = 0x7f100202c700 #8 0x00007f100af3a60a in IPC::callMemberFunctionImpl<WebKit::NetworkProcess, void (WebKit::NetworkProcess::*)(PAL::SessionID, WTF::OptionSet<WebKit::WebsiteDataType>, WTF::OptionSet<WebKit::WebsiteDataFetchOption>, WTF::CompletionHandler<void (WebKit::WebsiteData&&)>&&), void (WebKit::WebsiteData&&), std::tuple<PAL::SessionID, WTF::OptionSet<WebKit::WebsiteDataType>, WTF::OptionSet<WebKit::WebsiteDataFetchOption> >, 0ul, 1ul, 2ul>(WebKit::NetworkProcess*, void (WebKit::NetworkProcess::*)(PAL::SessionID, WTF::OptionSet<WebKit::WebsiteDataType>, WTF::OptionSet<WebKit::WebsiteDataFetchOption>, WTF::CompletionHandler<void (WebKit::WebsiteData&&)>&&), WTF::CompletionHandler<void (WebKit::WebsiteData&&)>&&, std::tuple<PAL::SessionID, WTF::OptionSet<WebKit::WebsiteDataType>, WTF::OptionSet<WebKit::WebsiteDataFetchOption> >&&, std::integer_sequence<unsigned long, 0ul, 1ul, 2ul>) (args=..., completionHandler=..., function=<optimized out>, object=0x7f10020300c0) at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/Source/WebKit/Platform/IPC/HandleMessage.h:145 listenerID = std::optional<unsigned long> = {[contained value] = <optimized out>} arguments = std::optional<std::tuple<PAL::SessionID, WTF::OptionSet<WebKit::WebsiteDataType>, WTF::OptionSet<WebKit::W--Type <RET> for more, q to quit, c to continue without paging--c ebsiteDataFetchOption> >> containing std::tuple containing = {[1] = {m_identifier = <optimized out>}, [2] = {m_storage = <optimized out>}, [3] = {m_storage = <optimized out>}} #9 IPC::callMemberFunction<WebKit::NetworkProcess, void (WebKit::NetworkProcess::*)(PAL::SessionID, WTF::OptionSet<WebKit::WebsiteDataType>, WTF::OptionSet<WebKit::WebsiteDataFetchOption>, WTF::CompletionHandler<void (WebKit::WebsiteData&&)>&&), void (WebKit::WebsiteData&&), std::tuple<PAL::SessionID, WTF::OptionSet<WebKit::WebsiteDataType>, WTF::OptionSet<WebKit::WebsiteDataFetchOption> >, std::integer_sequence<unsigned long, 0ul, 1ul, 2ul> >(std::tuple<PAL::SessionID, WTF::OptionSet<WebKit::WebsiteDataType>, WTF::OptionSet<WebKit::WebsiteDataFetchOption> >&&, WTF::CompletionHandler<void (WebKit::WebsiteData&&)>&&, WebKit::NetworkProcess*, void (WebKit::NetworkProcess::*)(PAL::SessionID, WTF::OptionSet<WebKit::WebsiteDataType>, WTF::OptionSet<WebKit::WebsiteDataFetchOption>, WTF::CompletionHandler<void (WebKit::WebsiteData&&)>&&)) (function=<optimized out>, object=0x7f10020300c0, completionHandler=..., args=...) at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/Source/WebKit/Platform/IPC/HandleMessage.h:151 listenerID = std::optional<unsigned long> = {[contained value] = <optimized out>} arguments = std::optional<std::tuple<PAL::SessionID, WTF::OptionSet<WebKit::WebsiteDataType>, WTF::OptionSet<WebKit::WebsiteDataFetchOption> >> containing std::tuple containing = {[1] = {m_identifier = <optimized out>}, [2] = {m_storage = <optimized out>}, [3] = {m_storage = <optimized out>}} #10 IPC::handleMessageAsync<Messages::NetworkProcess::FetchWebsiteData, WebKit::NetworkProcess, void (WebKit::NetworkProcess::*)(PAL::SessionID, WTF::OptionSet<WebKit::WebsiteDataType>, WTF::OptionSet<WebKit::WebsiteDataFetchOption>, WTF::CompletionHandler<void (WebKit::WebsiteData&&)>&&)>(IPC::Connection&, IPC::Decoder&, WebKit::NetworkProcess*, void (WebKit::NetworkProcess::*)(PAL::SessionID, WTF::OptionSet<WebKit::WebsiteDataType>, WTF::OptionSet<WebKit::WebsiteDataFetchOption>, WTF::CompletionHandler<void (WebKit::WebsiteData&&)>&&)) (connection=..., decoder=..., object=object@entry=0x7f10020300c0, function=(void (WebKit::NetworkProcess::*)(class WebKit::NetworkProcess * const, class PAL::SessionID, class WTF::OptionSet<WebKit::WebsiteDataType>, class WTF::OptionSet<WebKit::WebsiteDataFetchOption>, class WTF::CompletionHandler<void(WebKit::WebsiteData&&)> &&)) 0x7f100b083ad0 <WebKit::NetworkProcess::fetchWebsiteData(PAL::SessionID, WTF::OptionSet<WebKit::WebsiteDataType>, WTF::OptionSet<WebKit::WebsiteDataFetchOption>, WTF::CompletionHandler<void (WebKit::WebsiteData&&)>&&)>) at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/Source/WebKit/Platform/IPC/HandleMessage.h:353 listenerID = std::optional<unsigned long> = {[contained value] = <optimized out>} arguments = std::optional<std::tuple<PAL::SessionID, WTF::OptionSet<WebKit::WebsiteDataType>, WTF::OptionSet<WebKit::WebsiteDataFetchOption> >> containing std::tuple containing = {[1] = {m_identifier = <optimized out>}, [2] = {m_storage = <optimized out>}, [3] = {m_storage = <optimized out>}} #11 0x00007f100af27606 in WebKit::NetworkProcess::didReceiveNetworkProcessMessage(IPC::Connection&, IPC::Decoder&) (this=0x7f10020300c0, connection=..., decoder=...) at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/_builddir/DerivedSources/WebKit/NetworkProcessMessageReceiver.cpp:1718 protectedThis = {m_ptr = 0x7f10020300c0} #12 0x00007f100b1c3ac5 in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) (this=0x7f10020341a0, message=std::unique_ptr<IPC::Decoder> = {...}) at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/Source/WebKit/Platform/IPC/Connection.cpp:1150 isDispatchingMessageWhileWaitingForSyncReply = <optimized out> oldDidReceiveInvalidMessage = false #13 0x00007f100b1c538a in IPC::Connection::dispatchOneIncomingMessage() (this=0x7f10020341a0) at /usr/include/c++/12.1.0/bits/unique_ptr.h:189 message = std::unique_ptr<IPC::Decoder> = {get() = 0x0} #14 0x00007f100a11def5 in WTF::Function<void ()>::operator()() const (this=<synthetic pointer>) at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/Source/WTF/wtf/Function.h:79 function = {m_callableWrapper = std::unique_ptr<class WTF::Detail::CallableWrapperBase<void>> = {get() = 0x7f100203c130}} didSuspendFunctions = false #15 WTF::RunLoop::performWork() (this=0x7f10020100e0) at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/Source/WTF/wtf/RunLoop.cpp:133 function = {m_callableWrapper = std::unique_ptr<class WTF::Detail::CallableWrapperBase<void>> = {get() = 0x7f100203c130}} didSuspendFunctions = false #16 0x00007f100a17e76d in operator() (userData=<optimized out>, __closure=0x0) at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:80 #17 _FUN(gpointer) () at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:82 #18 0x00007f100a17f12d in operator() (__closure=0x0, userData=0x7f10020100e0, callback=0x7f100a17e760 <_FUN(gpointer)>, source=0x565305b60950) at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:53 name = 0x565305b61a30 "[WebKit] RunLoop work" runLoopSource = @0x565305b60950: {source = {callback_data = 0x565305b5f680, callback_funcs = 0x7f1006d0d2e0 <g_source_callback_funcs>, source_funcs = 0x7f100a571000 <WTF::RunLoop::s_runLoopSourceFunctions>, ref_count = 3, context = 0x565305b5f780, priority = 100, flags = 35, source_id = 1, poll_fds = 0x0, prev = 0x0, next = 0x565305b8be20, name = 0x565305b61a30 "[WebKit] RunLoop work", priv = 0x565305b60a00}, runLoop = 0x7f10020100e0} returnValue = <optimized out> #19 _FUN(GSource*, GSourceFunc, gpointer) () at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:56 #20 0x00007f1006c29971 in g_main_dispatch (context=<optimized out>) at ../glib/gmain.c:3444 dispatch = 0x7f100a17f0d0 <_FUN(GSource*, GSourceFunc, gpointer)> prev_source = 0x0 begin_time_nsec = 6820129340251 was_in_call = 0 user_data = 0x7f10020100e0 callback = 0x7f100a17e760 <_FUN(gpointer)> cb_funcs = 0x7f1006d0d2e0 <g_source_callback_funcs> cb_data = 0x565305b5f680 need_destroy = <optimized out> source = 0x565305b60950 current = 0x565305b7baf0 i = 0 __func__ = "g_main_dispatch" #21 g_main_context_dispatch (context=<optimized out>) at ../glib/gmain.c:4162 #22 0x00007f1006c29ec8 in g_main_context_iterate (context=0x565305b5f780, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4238 max_priority = 2147483647 timeout = 55003 some_ready = 1 nfds = 2 allocated_nfds = <optimized out> fds = <optimized out> begin_time_nsec = 6819703034984 #23 0x00007f1006c2a1af in g_main_loop_run (loop=0x565305b60930) at ../glib/gmain.c:4438 __func__ = "g_main_loop_run" #24 0x00007f100a17f290 in WTF::RunLoop::run() () at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:108 runLoop = @0x7f10020100e0: {<WTF::FunctionDispatcher> = {_vptr.FunctionDispatcher = 0x7f100a55ea30 <vtable for WTF::RunLoop+16>}, <WTF::ThreadSafeRefCounted<WTF::RunLoop, (WTF::DestructionThread)0>> = {<WTF::ThreadSafeRefCountedBase> = {m_refCount = std::atomic<unsigned int> = { 8 }}, <No data fields>}, m_currentIteration = {m_start = 1, m_end = 1, m_buffer = {<WTF::VectorBufferBase<WTF::Function<void()>, WTF::FastMalloc>> = {m_buffer = 0x7f1002044380, m_capacity = 16, m_size = 0}, <No data fields>}}, m_nextIterationLock = {static isHeldBit = 1 '\001', static hasParkedBit = 2 '\002', m_byte = {value = std::atomic<unsigned char> = { 0 '\000' }}}, m_nextIteration = {m_start = 0, m_end = 1, m_buffer = {<WTF::VectorBufferBase<WTF::Function<void()>, WTF::FastMalloc>> = {m_buffer = 0x7f1002009d00, m_capacity = 16, m_size = 0}, <No data fields>}}, m_isFunctionDispatchSuspended = false, m_hasSuspendedFunctions = false, static s_runLoopSourceFunctions = {prepare = 0x0, check = 0x0, dispatch = 0x7f100a17f0d0 <_FUN(GSource*, GSourceFunc, gpointer)>, finalize = 0x0, closure_callback = 0x0, closure_marshal = 0x0}, m_mainContext = {m_ptr = 0x565305b5f780}, m_mainLoops = {<WTF::VectorBuffer<WTF::GRefPtr<_GMainLoop>, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WTF::GRefPtr<_GMainLoop>, WTF::FastMalloc>> = {m_buffer = 0x7f1002008180, m_capacity = 16, m_size = 1}, <No data fields>}, <No data fields>}, m_source = {m_ptr = 0x565305b60950}, m_observers = {m_set = {m_impl = {{m_table = 0x0, m_tableForLLDB = 0x0}}}}} mainContext = 0x565305b5f780 innermostLoop = 0x565305b60930 nestedMainLoop = <optimized out> #25 0x00007f100b1956a0 in WebKit::AuxiliaryProcessMainBase<WebKit::NetworkProcess, false>::run(int, char**) (argc=3, argv=0x7ffc23b07558, this=0x7ffc23b073b0) at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/Source/WebKit/Shared/AuxiliaryProcessMain.h:71 auxiliaryMain = {m_storage = {__data = " \263\"\016\020\177", '\000' <repeats 26 times>, "\026\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\r", '\000' <repeats 15 times>, "\001\000\000\000\000\000\000\000\300\000\003\002\020\177\000", __align = {<No data fields>}}} #26 WebKit::AuxiliaryProcessMainBase<WebKit::NetworkProcess, false>::run(int, char**) (argv=0x7ffc23b07558, argc=3, this=0x7ffc23b073b0) at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/Source/WebKit/Shared/AuxiliaryProcessMain.h:58 auxiliaryMain = {m_storage = {__data = " \263\"\016\020\177", '\000' <repeats 26 times>, "\026\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\r", '\000' <repeats 15 times>, "\001\000\000\000\000\000\000\000\300\000\003\002\020\177\000", __align = {<No data fields>}}} #27 WebKit::AuxiliaryProcessMain<WebKit::NetworkProcessMainSoup>(int, char**) (argc=3, argv=0x7ffc23b07558) at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/Source/WebKit/Shared/AuxiliaryProcessMain.h:97 auxiliaryMain = {m_storage = {__data = " \263\"\016\020\177", '\000' <repeats 26 times>, "\026\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\r", '\000' <repeats 15 times>, "\001\000\000\000\000\000\000\000\300\000\003\002\020\177\000", __align = {<No data fields>}}} #28 0x00007f100a5f854a in __libc_start_call_main (main=main@entry=0x56530577a060 <main>, argc=argc@entry=3, argv=argv@entry=0x7ffc23b07558) at ../sysdeps/nptl/libc_start_call_main.h:58 self = <optimized out> result = <optimized out> unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140720907253080, 5824029807542122901, 3, 0, 94914574011792, 139706936602624, 5824029807527442837, 5839848887685724565}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x3, 0x7ffc23b07550}, data = {prev = 0x0, cleanup = 0x0, canceltype = 3}}} not_first_call = <optimized out> #29 0x00007f100a5f860b in __libc_start_main_impl (main=0x56530577a060 <main>, argc=3, argv=0x7ffc23b07558, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=<optimized out>) at ../csu/libc-start.c:389 #30 0x000056530577a095 in _start ()
Attachments
Add attachment proposed patch, testcase, etc.
Michael Catanzaro
Comment 1 2022-11-10 12:37:56 PST
Uhh, it's an assert here: inline void WebResourceLoadStatisticsStore::postTask(WTF::Function<void()>&& task) { // Resource load statistics should not be captured for ephemeral sessions. RELEASE_ASSERT(!isEphemeral()); This seems familiar... I'm sure there is another bug report for this. Let's see if I can find it.
Michael Catanzaro
Comment 2 2022-11-10 12:42:36 PST
(In reply to Michael Catanzaro from comment #1) > I'm sure there is another bug report for this. Let's > see if I can find it. Can't find it.
Michael Catanzaro
Comment 3 2022-11-10 12:59:57 PST
So it looks like fetching the resource load statistics website data type crashes in ephemeral sessions. WebResourceLoadStatisticsStore::registrableDomains calls WebResourceLoadStatistics::postTask, and that is not supposed to be called at all in ephemeral mode. Makes sense... we should probably bail out before that. Either NetworkProcess::fetchWebsiteData should skip fetching website data if in an ephemeral session, or the NetworkSession should not have a WebResourceLoadStatistics object at all if ephemeral.
Michael Catanzaro
Comment 4 2022-11-10 13:45:06 PST
OK, NetworkSession::setTrackingPreventionEnabled intentionally always creates the WebResourceLoadStatisticsStore, and populates it with data from disk only in non-ephemeral mode. So the "the NetworkSession should not have a WebResourceLoadStatistics object at all if ephemeral" idea seems to be not what is intended. In that case, let's have NetworkProcess::fetchWebsiteData bail.
Michael Catanzaro
Comment 5 2022-11-10 14:00:40 PST
BTW, reproducer: open Epiphany incognito window, go to Preferences -> Privacy -> Clear Website Data, the network process will instantly crash when Epiphany does a webkit_website_data_manager_fetch(). I'm sure there's a preexisting bug report for this, but I've failed to find it.
Michael Catanzaro
Comment 6 2022-11-10 14:40:05 PST
Actually, looking at the design of WebResourceLoadStatisticsStore, many other functions are checking for ephemeral mode and bailing if enabled. So let's do that instead.
John Wilander
Comment 7 2022-11-10 14:53:03 PST
(In reply to Michael Catanzaro from comment #6) > Actually, looking at the design of WebResourceLoadStatisticsStore, many > other functions are checking for ephemeral mode and bailing if enabled. So > let's do that instead. That sounds like the right approach.
Michael Catanzaro
Comment 8 2022-11-10 15:02:46 PST
Pull request: https://github.com/WebKit/WebKit/pull/6370
EWS
Comment 9 2022-11-11 01:22:56 PST
Committed 256566@main (ca03533a50a8): <https://commits.webkit.org/256566@main> Reviewed commits have been landed. Closing PR #6370 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.