[Webkit-unassigned] [Bug 229003] New: ThreadSanitizer: data race in WTF::StringImpl::deref() under WebKit::NetworkCache::IOChannel::~IOChannel()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Aug 11 08:35:12 PDT 2021 

https://bugs.webkit.org/show_bug.cgi?id=229003

            Bug ID: 229003
           Summary: ThreadSanitizer: data race in WTF::StringImpl::deref()
                    under WebKit::NetworkCache::IOChannel::~IOChannel()
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ddkilzer at webkit.org
                CC: cdumez at apple.com, koivisto at iki.fi
        Depends on: 142810

ThreadSanitizer: data race in WTF::StringImpl::deref() under WebKit::NetworkCache::IOChannel::~IOChannel().

The WebKit::NetworkCache::IOChannel class is ThreadSafeRefCounted<>, but it doesn't make an isolatedCopy() for its m_path instance variable, resulting in a data race.

WARNING: ThreadSanitizer: data race (pid=70289)
  Read of size 4 at 0x7b3c00008250 by main thread:
    #0 WTF::StringImpl::deref() <null> (WebKit:x86_64+0x7aca)
    #1 WebKit::NetworkCache::IOChannel::~IOChannel() <null> (WebKit:x86_64+0x7b5ea6)
    #2 WebKit::NetworkCache::IOChannel::~IOChannel() <null> (WebKit:x86_64+0x7b5f39)
    #3 WTF::ThreadSafeRefCounted<WebKit::NetworkCache::IOChannel, (WTF::DestructionThread)0>::deref() const::'lambda'()::operator()() const <null> (WebKit:x86_64+0x7be829)
    #4 WTF::ThreadSafeRefCounted<WebKit::NetworkCache::IOChannel, (WTF::DestructionThread)0>::deref() const <null> (WebKit:x86_64+0x7be7ea)
    #5 WebKit::NetworkCache::IOChannel::write(unsigned long, WebKit::NetworkCache::Data const&, WTF::WorkQueue&, WTF::Function<void (int)>&&)::$_8::~$_8() <null> (WebKit:x86_64+0x7b882b)
    #6 WebKit::NetworkCache::IOChannel::write(unsigned long, WebKit::NetworkCache::Data const&, WTF::WorkQueue&, WTF::Function<void (int)>&&)::$_8::~$_8() <null> (WebKit:x86_64+0x7b63b9)
    #7 WTF::BlockPtr<void (bool, NSObject<OS_dispatch_data>*, int)> WTF::BlockPtr<void (bool, NSObject<OS_dispatch_data>*, int)>::fromCallable<WebKit::NetworkCache::IOChannel::write(unsigned long, WebKit::NetworkCache::Data const&, WTF::WorkQueue&, WTF::Function<void (int)>&&)::$_8>(WebKit::NetworkCache::IOChannel::write(unsigned long, WebKit::NetworkCache::Data const&, WTF::WorkQueue&, WTF::Function<void (int)>&&)::$_8)::'lambda'(void const*)::operator()(void const*) const <null> (WebKit:x86_64+0x7b860d)
    #8 WTF::BlockPtr<void (bool, NSObject<OS_dispatch_data>*, int)> WTF::BlockPtr<void (bool, NSObject<OS_dispatch_data>*, int)>::fromCallable<WebKit::NetworkCache::IOChannel::write(unsigned long, WebKit::NetworkCache::Data const&, WTF::WorkQueue&, WTF::Function<void (int)>&&)::$_8>(WebKit::NetworkCache::IOChannel::write(unsigned long, WebKit::NetworkCache::Data const&, WTF::WorkQueue&, WTF::Function<void (int)>&&)::$_8)::'lambda'(void const*)::__invoke(void const*) <null> (WebKit:x86_64+0x7b85d9)
    #9 _Block_release <null> (libsystem_blocks.dylib:x86_64+0x1650)
    #10 WKXPCServiceMain <null> (WebKit:x86_64+0x22543fe)
    #11 main <null> (com.apple.WebKit.Networking.Development:x86_64+0x100003e3e)

  Previous write of size 4 at 0x7b3c00008250 by thread T2:
    #0 WTF::StringImpl::deref() <null> (WebKit:x86_64+0x7ada)
    #1 WebKit::NetworkCache::Storage::dispatchWriteOperation(std::__1::unique_ptr<WebKit::NetworkCache::Storage::WriteOperation, std::__1::default_delete<WebKit::NetworkCache::Storage::WriteOperation> >)::$_22::operator()() const <null> (WebKit:x86_64+0xd98177)
    #2 WTF::Detail::CallableWrapper<WebKit::NetworkCache::Storage::dispatchWriteOperation(std::__1::unique_ptr<WebKit::NetworkCache::Storage::WriteOperation, std::__1::default_delete<WebKit::NetworkCache::Storage::WriteOperation> >)::$_22, void>::call() <null> (WebKit:x86_64+0xd97f1d)
    #3 WTF::Function<void ()>::operator()() const <null> (JavaScriptCore:x86_64+0x2620d)
    #4 WTF::(anonymous namespace)::DispatchWorkItem::operator()() <null> (JavaScriptCore:x86_64+0x11285d)
    #5 void WTF::dispatchWorkItem<WTF::(anonymous namespace)::DispatchWorkItem>(void*) <null> (JavaScriptCore:x86_64+0x111849)
    #6 __tsan::dispatch_callback_wrap(void*) <null> (libclang_rt.tsan_osx_dynamic.dylib:x86_64+0x734d1)
    #7 _dispatch_client_callout <null> (libdispatch.dylib:x86_64+0x34ff)

  Location is heap block of size 240 at 0x7b3c00008250 allocated by thread T2:
    #0 __sanitizer_mz_malloc <null> (libclang_rt.tsan_osx_dynamic.dylib:x86_64+0x5168a)
    #1 _malloc_zone_malloc <null> (libsystem_malloc.dylib:x86_64+0x1cf80)
    #2 bmalloc::Cache::tryAllocateSlowCaseNullCache(bmalloc::HeapKind, unsigned long) <null> (JavaScriptCore:x86_64+0x11d143)
    #3 bmalloc::Cache::tryAllocate(bmalloc::HeapKind, unsigned long) <null> (JavaScriptCore:x86_64+0x37fd9)
    #4 WTF::tryFastMalloc(unsigned long) <null> (JavaScriptCore:x86_64+0x36fdf)
    #5 WTF::FastMalloc::tryMalloc(unsigned long) <null> (JavaScriptCore:x86_64+0x18e4ee5)
    #6 WTF::String WTF::tryMakeStringFromAdapters<WTF::StringTypeAdapter<WTF::StringAppend<WTF::String, char const*>, void>, WTF::StringTypeAdapter<WTF::String, void> >(WTF::StringTypeAdapter<WTF::StringAppend<WTF::String, char const*>, void>, WTF::StringTypeAdapter<WTF::String, void>) <null> (JavaScriptCore:x86_64+0x46051)
    #7 WTF::String WTF::tryMakeString<WTF::StringAppend<WTF::String, char const*>, WTF::String>(WTF::StringAppend<WTF::String, char const*>, WTF::String) <null> (JavaScriptCore:x86_64+0x45f66)
    #8 WTF::StringAppend<WTF::StringAppend<WTF::String, char const*>, WTF::String>::operator WTF::String() const <null> (JavaScriptCore:x86_64+0x44f7d)
    #9 WTF::FileSystemImpl::pathByAppendingComponent(WTF::String const&, WTF::String const&) <null> (JavaScriptCore:x86_64+0x44bfb)
    #10 WebKit::NetworkCache::Storage::recordPathForKey(WebKit::NetworkCache::Key const&) const <null> (WebKit:x86_64+0xd6034f)
    #11 WebKit::NetworkCache::Storage::dispatchWriteOperation(std::__1::unique_ptr<WebKit::NetworkCache::Storage::WriteOperation, std::__1::default_delete<WebKit::NetworkCache::Storage::WriteOperation> >)::$_22::operator()() const <null> (WebKit:x86_64+0xd97fdd)
    #12 WTF::Detail::CallableWrapper<WebKit::NetworkCache::Storage::dispatchWriteOperation(std::__1::unique_ptr<WebKit::NetworkCache::Storage::WriteOperation, std::__1::default_delete<WebKit::NetworkCache::Storage::WriteOperation> >)::$_22, void>::call() <null> (WebKit:x86_64+0xd97f1d)
    #13 WTF::Function<void ()>::operator()() const <null> (JavaScriptCore:x86_64+0x2620d)
    #14 WTF::(anonymous namespace)::DispatchWorkItem::operator()() <null> (JavaScriptCore:x86_64+0x11285d)
    #15 void WTF::dispatchWorkItem<WTF::(anonymous namespace)::DispatchWorkItem>(void*) <null> (JavaScriptCore:x86_64+0x111849)
    #16 __tsan::dispatch_callback_wrap(void*) <null> (libclang_rt.tsan_osx_dynamic.dylib:x86_64+0x734d1)
    #17 _dispatch_client_callout <null> (libdispatch.dylib:x86_64+0x34ff)

  Thread T2 (tid=13904706, running) is a GCD worker thread

SUMMARY: ThreadSanitizer: data race (WebKitBuild/WebKit.framework/Versions/A/WebKit:x86_64+0x7aca) in WTF::StringImpl::deref()+0x1a


Referenced Bugs:

https://bugs.webkit.org/show_bug.cgi?id=142810
[Bug 142810] Prune least valuable cache entries first
-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210811/a05662c1/attachment-0001.htm>

More information about the webkit-unassigned mailing list