[Webkit-unassigned] [Bug 217440] New: [iOS 14] Crash in IPC::Connection::dispatchIncomingMessages

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Oct 7 12:59:05 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=217440

            Bug ID: 217440
           Summary: [iOS 14] Crash in
                    IPC::Connection::dispatchIncomingMessages
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit2
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ajuma at chromium.org
                CC: achristensen at apple.com, cdumez at apple.com,
                    justincohen at google.com

Chrome for iOS is getting a large increase (at least a 2.5X increase compared to iOS 13) in crashes in IPC::Connection::dispatchIncomingMessages on iOS 14.

We don't have steps to reproduce, but based on the crash reports we're getting, it looks like this happens when we're in the middle of making a sequence of pushState calls in order to restore session history. Each pushState generates multiple IPC messages, so it might be that when restoring a large session, we're generating enough IPC to put the Connection into a bad state. We do know that restoring a large session (e.g. 75 items) can sometimes generate enough IPC to trigger the throttling logic in dispatchIncomingMessages(), but we don't know for sure whether that logic is at all related to the crash. Inspecting registers in the crash dump suggests that |this| might be null in dispatchIncomingMessages().

The crash stack is:

0x000000019cd9c01c (WebKit + 0x0002f01c)              IPC::Connection::dispatchIncomingMessages()
0x000000019ae19bc4 (JavaScriptCore + 0x00db4bc4)      WTF::RunLoop::performWork()
0x000000019ae19bc4 (JavaScriptCore + 0x00db4bc4)      WTF::RunLoop::performWork()
0x000000019ae1a6dc (JavaScriptCore + 0x00db56dc)      WTF::RunLoop::performWork(void*)
0x000000019134823c (CoreFoundation + 0x0009a23c)      __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__
0x000000019134813c (CoreFoundation + 0x0009a13c)      __CFRunLoopDoSource0
0x0000000191347484 (CoreFoundation + 0x00099484)      __CFRunLoopDoSources0
0x0000000191341a3c (CoreFoundation + 0x00093a3c)      __CFRunLoopRun
0x00000001913411fc (CoreFoundation + 0x000931fc)      CFRunLoopRunSpecific
0x00000001a743c594 (GraphicsServices + 0x00003594)    GSEventRunModal
0x0000000193c07000 (UIKitCore + 0x00b21000)           -[UIApplication _run]
0x0000000193c0c5d4 (UIKitCore + 0x00b265d4)           UIApplicationMain
0x000000010462510c (Chrome -chrome_exe_main.mm:66)    main
0x0000000191020594 (libdyld.dylib + 0x00001594)       start
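
Added here as a worked example (not part of the bug report, Chrome or WebKit): a parser for the crash-stack format quoted above that recovers each module's load base as address minus offset and flags modules whose frames disagree on that base, plus frames that repeat the previous address, the two sanity checks worth running on a report like this before reading too much into the symbol names. The stack embedded in the block is copied from this report; function names are the example's own.

```python
import re
# The crash stack from the report above, embedded so the block runs stand-alone.
CRASH_STACK = """\
0x000000019cd9c01c (WebKit + 0x0002f01c)              IPC::Connection::dispatchIncomingMessages()
0x000000019ae19bc4 (JavaScriptCore + 0x00db4bc4)      WTF::RunLoop::performWork()
0x000000019ae19bc4 (JavaScriptCore + 0x00db4bc4)      WTF::RunLoop::performWork()
0x000000019ae1a6dc (JavaScriptCore + 0x00db56dc)      WTF::RunLoop::performWork(void*)
0x000000019134823c (CoreFoundation + 0x0009a23c)      __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__
0x000000019134813c (CoreFoundation + 0x0009a13c)      __CFRunLoopDoSource0
0x0000000191347484 (CoreFoundation + 0x00099484)      __CFRunLoopDoSources0
0x0000000191341a3c (CoreFoundation + 0x00093a3c)      __CFRunLoopRun
0x00000001913411fc (CoreFoundation + 0x000931fc)      CFRunLoopRunSpecific
0x00000001a743c594 (GraphicsServices + 0x00003594)    GSEventRunModal
0x0000000193c07000 (UIKitCore + 0x00b21000)           -[UIApplication _run]
0x0000000193c0c5d4 (UIKitCore + 0x00b265d4)           UIApplicationMain
0x000000010462510c (Chrome -chrome_exe_main.mm:66)    main
0x0000000191020594 (libdyld.dylib + 0x00001594)       start
"""

# address, "(Module + 0xoffset)" or "(Module -source:line)", then the symbol.
FRAME_RE = re.compile(
    r"^(0x[0-9a-f]+)\s+\((\S+)(?:\s*\+\s*(0x[0-9a-f]+))?[^)]*\)\s+(.*)$", re.I)

def parse_frame(line):
    # -> {'addr', 'module', 'offset', 'symbol'}; offset is None when the frame is
    # given as a source location ("Chrome -chrome_exe_main.mm:66"), not module+offset.
    m = FRAME_RE.match(line.strip())
    if not m:
        return None
    addr, module, offset, symbol = m.groups()
    return {"addr": int(addr, 16), "module": module,
            "offset": int(offset, 16) if offset else None, "symbol": symbol}

def parse_stack(text):
    return [f for f in map(parse_frame, text.splitlines()) if f]

def module_bases(frames):
    # Load address each frame implies (addr - offset). All frames of one module must
    # agree; if they do not, the offsets came from another build and symbols are suspect.
    bases = {}
    for f in frames:
        if f["offset"] is not None:
            bases.setdefault(f["module"], set()).add(f["addr"] - f["offset"])
    return bases

def repeated_frames(frames):
    # Indices of frames with the same address as the frame before them; the report's
    # two identical performWork() frames show up here, so check before calling it recursion.
    return [i for i in range(1, len(frames)) if frames[i]["addr"] == frames[i - 1]["addr"]]
```

For this report every module's frames agree on one base (e.g. CoreFoundation at 0x1912ae000 across all five frames), so the symbolication is internally consistent; only the doubled performWork() frame is flagged.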
