[Webkit-unassigned] [Bug 209847] [WinCairo][WK2] random crashes by 0xC0000374 (STATUS_HEAP_CORRUPTION) in UI process

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Apr 19 14:46:18 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=209847

Fujii Hironori <Hironori.Fujii at sony.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #396625|0                           |1
        is obsolete|                            |
 Attachment #396691|0                           |1
        is obsolete|                            |
 Attachment #396697|0                           |1
        is obsolete|                            |

--- Comment #24 from Fujii Hironori <Hironori.Fujii at sony.com> ---
Created attachment 396926

  --> https://bugs.webkit.org/attachment.cgi?id=396926&action=review

Patch to replace m_readBuffer's VectorMalloc with mimalloc

Heap corruption seems to happen in m_readBuffer of IPC::Connection.
I replaced m_readBuffer's VectorMalloc with mimalloc (MI_SECURE=4) and got the crashes.

> #  4  Id: 6510.79c8 Suspend: 1 Teb: 000000bb`e4575000 Unfrozen
>  # Child-SP          RetAddr           Call Site
> 00 (Inline Function) --------`-------- WebKit2!mi_ptr_decode+0x9 [C:\work\mimalloc\include\mimalloc-internal.h @ 580]
> 01 (Inline Function) --------`-------- WebKit2!mi_block_nextx+0x9 [C:\work\mimalloc\include\mimalloc-internal.h @ 591]
> 02 (Inline Function) --------`-------- WebKit2!_mi_heap_delayed_free+0x37 [C:\work\mimalloc\src\page.c @ 284]
> 03 000000bb`e4cff6a0 00007ffc`1f615063 WebKit2!_mi_malloc_generic(struct mi_heap_s * heap = 0x0000022d`e4710000, unsigned int64 size = 0x4e4)+0xca [C:\work\mimalloc\src\page.c @ 793]
> 04 (Inline Function) --------`-------- WebKit2!WTF::MiMalloc::malloc+0x8 [S:\gb\WebKitBuild\Release\WTF\Headers\wtf\FastMalloc.h @ 198]
> 05 (Inline Function) --------`-------- WebKit2!WTF::VectorBufferBase<unsigned char,WTF::MiMalloc>::allocateBuffer+0x28 [S:\gb\WebKitBuild\Release\WTF\Headers\wtf\Vector.h @ 292]
> 06 (Inline Function) --------`-------- WebKit2!WTF::Vector<unsigned char,0,WTF::CrashOnOverflow,16,WTF::MiMalloc>::reserveCapacity+0x32 [S:\gb\WebKitBuild\Release\WTF\Headers\wtf\Vector.h @ 1189]
> 07 000000bb`e4cff6f0 00007ffc`1f615497 WebKit2!WTF::Vector<unsigned char,0,WTF::CrashOnOverflow,16,WTF::MiMalloc>::expandCapacity(unsigned int64 newMinCapacity = <Value unavailable error>)+0x63 [S:\gb\WebKitBuild\Release\WTF\Headers\wtf\Vector.h @ 1047]
> 08 (Inline Function) --------`-------- WebKit2!WTF::Vector<unsigned char,0,WTF::CrashOnOverflow,16,WTF::MiMalloc>::grow+0x1d [S:\gb\WebKitBuild\Release\WTF\Headers\wtf\Vector.h @ 1128]
> 09 000000bb`e4cff720 00007ffc`38153dde WebKit2!IPC::Connection::readEventHandler(void)+0x157 [S:\gb\Source\WebKit\Platform\IPC\win\ConnectionWin.cpp @ 124]
> 0a (Inline Function) --------`-------- WTF!WTF::Function<void __cdecl+0x9 [S:\gb\Source\WTF\wtf\Function.h @ 84]
> 0b (Inline Function) --------`-------- WTF!WTF::WorkQueue::performWorkOnRegisteredWorkThread+0x7a [S:\gb\Source\WTF\wtf\win\WorkQueueWin.cpp @ 62]
> 0c 000000bb`e4cff7b0 00007ffc`5c70f655 WTF!WTF::WorkQueue::workThreadCallback(void * context = 0x0000022d`e47fcd60)+0x9e [S:\gb\Source\WTF\wtf\win\WorkQueueWin.cpp @ 42]
> 0d 000000bb`e4cff810 00007ffc`5c7145b4 ntdll!RtlpTpWorkCallback+0x165
> 0e 000000bb`e4cff8f0 00007ffc`5b597bd4 ntdll!TppWorkerThread+0x8d4
> 0f 000000bb`e4cffcb0 00007ffc`5c74ce51 KERNEL32!BaseThreadInitThunk+0x14
> 10 000000bb`e4cffce0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

-- 
You are receiving this mail because:
You are the assignee for the bug.
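Added example, not part of the comment above and not mimalloc's or WebKit's code: a toy model of why moving the read buffer onto a hardened allocator surfaces the corruption at the next allocation (the trace above faults in mi_ptr_decode while walking the free list) instead of somewhere unrelated. The arena, the XOR link encoding, the block size and the 8-byte overflow are all constructed assumptions for illustration; real mimalloc uses per-page keys and its own validity checks.

```c
/* Toy model of an allocator whose free-list links are encoded with a secret
   key and validated before use (an assumption for illustration; this is not
   mimalloc's code).  Constructed scenario: an overflow out of one block
   overwrites the next free block's link word, and the hardened allocator
   refuses the corrupted link at the next allocation rather than installing
   a wild pointer as the new free-list head. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 64
#define NBLOCKS    8

typedef struct {
    uint8_t   mem[NBLOCKS * BLOCK_SIZE]; /* backing storage, fixed-size blocks */
    uintptr_t key;       /* link-encoding key; 0 models a plain, unencoded list */
    uintptr_t head;      /* encoded link to the first free block */
    int       secure;    /* validate decoded links before trusting them */
    int       corrupted; /* set when a decoded link fails validation */
} arena_t;

/* Links are stored XORed with the key, so a clobbered word decodes to garbage
   rather than to an attacker-chosen address. */
static uintptr_t enc(const arena_t *a, void *p) { return (uintptr_t)p ^ a->key; }
static void     *dec(const arena_t *a, uintptr_t e) { return (void *)(e ^ a->key); }

/* A link is acceptable only if it is NULL (end of list) or the start of a
   block inside this arena. */
static int link_valid(const arena_t *a, const void *p)
{
    if (p == NULL) return 1;
    uintptr_t v = (uintptr_t)p, lo = (uintptr_t)a->mem, hi = lo + sizeof a->mem;
    return v >= lo && v < hi && ((v - lo) % BLOCK_SIZE) == 0;
}

static void arena_init(arena_t *a, uintptr_t key, int secure)
{
    memset(a, 0, sizeof *a);
    a->key = key;
    a->secure = secure;
    a->head = enc(a, NULL);
    /* Thread every block onto the list; the link lives in each block's first word. */
    for (int i = NBLOCKS - 1; i >= 0; i--) {
        uint8_t *b = a->mem + (size_t)i * BLOCK_SIZE;
        memcpy(b, &a->head, sizeof a->head);
        a->head = enc(a, b);
    }
}

static void *arena_alloc(arena_t *a)
{
    void *b = dec(a, a->head);
    if (b == NULL) return NULL;                       /* exhausted, not corrupted */
    if (a->secure && !link_valid(a, b)) { a->corrupted = 1; return NULL; }
    uintptr_t next_enc;
    memcpy(&next_enc, b, sizeof next_enc);            /* read the block's link word */
    if (a->secure && !link_valid(a, dec(a, next_enc))) {
        a->corrupted = 1;                             /* corrupted free-list entry */
        return NULL;
    }
    a->head = next_enc;
    return b;
}

static void arena_free(arena_t *a, void *p)
{
    memcpy(p, &a->head, sizeof a->head);              /* store encoded link to old head */
    a->head = enc(a, p);
}

/* Returns 1 if the allocator caught the clobbered link, 0 if the overflow
   silently installed a wild pointer as the next free block. */
int demo_overflow(int secure)
{
    arena_t a;
    arena_init(&a, secure ? (uintptr_t)0x9e3779b97f4a7c15ull : 0, secure);
    uint8_t *victim = arena_alloc(&a);                /* block 0; block 1 is next free */
    /* Bug under test: 8 bytes written past the block, onto block 1's link word. */
    memset(victim, 'A', BLOCK_SIZE + 8);
    void *b1 = arena_alloc(&a);                       /* pops block 1, reads its link */
    if (secure) return a.corrupted && b1 == NULL;
    /* Plain list: 0x4141414141414141 is now the head and would be handed out next. */
    return link_valid(&a, dec(&a, a.head));
}

/* Sanity check that the hardened arena still works without corruption. */
int demo_roundtrip(void)
{
    arena_t a;
    void *blocks[NBLOCKS];
    arena_init(&a, (uintptr_t)0x9e3779b97f4a7c15ull, 1);
    for (int i = 0; i < NBLOCKS; i++) {
        blocks[i] = arena_alloc(&a);
        if (blocks[i] == NULL || !link_valid(&a, blocks[i])) return 0;
    }
    if (arena_alloc(&a) != NULL || a.corrupted) return 0;
    for (int i = 0; i < NBLOCKS; i++) arena_free(&a, blocks[i]);
    return arena_alloc(&a) == blocks[NBLOCKS - 1] && !a.corrupted;
}

int main(void)
{
    printf("hardened: caught=%d  plain: caught=%d  roundtrip ok=%d\n",
           demo_overflow(1), demo_overflow(0), demo_roundtrip());
    return 0;
}
```

The point for a bug like this one is diagnostic: with the plain list the clobbered word is accepted and the fault happens whenever the wild block is eventually touched, far from the overflow; with encoded and validated links the allocation that first reads the clobbered word is the one that stops, which is what makes the backtrace land near the buffer that was overrun.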