[Webkit-unassigned] [Bug 234358] New: [iOS 15] Crash during WebProcessProxy::didClose while writing to NSUserDefaults on another thread

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Dec 15 11:54:46 PST 2021


https://bugs.webkit.org/show_bug.cgi?id=234358

            Bug ID: 234358
           Summary: [iOS 15] Crash during WebProcessProxy::didClose while
                    writing to NSUserDefaults on another thread
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit API
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ajuma at chromium.org
                CC: achristensen at apple.com, justincohen at google.com,
                    pvollan at apple.com

Created attachment 447264

  --> https://bugs.webkit.org/attachment.cgi?id=447264&action=review

Crash report 1

Chrome for iOS is getting a large number of crash reports that have the following combination of events:

1) The main thread is in inside WebProcessProxy::didClose.

2) The crashing thread is writing to NSUserDefaults (this part is being called from Chrome code).

Since (2) happens every 30s in Chrome, it may be that when this happens to coincide with WebProcessProxy::didClose, something related to CFPREFS_DIRECT_MODE (e.g., WKPreferenceObserver gets callbacks for all changes to NSUserDefaults) is in a bad state.

Here's a sample crash stack. I'll also attach some crash reports.

Thread 0:
0x0000000198e53384      (libobjc.A.dylib + 0x00008384)          getMethodNoSuper_nolock(objc_class*, objc_selector*)
0x0000000198e50610      (libobjc.A.dylib + 0x00005610)          lookUpImpOrForward
0x0000000198e4c3fc      (libobjc.A.dylib + 0x000013fc)          _objc_msgSend_uncached
0x000000018fa6c180      (WebKit + 0x003c5180)           WebKit::WebPageProxy::resetStateAfterProcessTermination(WebKit::ProcessTerminationReason)
0x000000018fab4014      (WebKit + 0x0040d014)           WebKit::WebProcessProxy::processDidTerminateOrFailedToLaunch(WebKit::ProcessTerminationReason)
0x000000018fab39f8      (WebKit + 0x0040c9f8)           WebKit::WebProcessProxy::didClose(IPC::Connection&)
0x000000018f6dc91c      (WebKit + 0x0003591c)           WTF::Detail::CallableWrapper<IPC::Connection::connectionDidClose()::$_8, void>::call()
0x000000018d17bd64      (JavaScriptCore + 0x00fa7d64)           WTF::RunLoop::performWork()
0x000000018d17cc48      (JavaScriptCore + 0x00fa8c48)           WTF::RunLoop::performWork(void*)
0x0000000181ccc20c      (CoreFoundation + 0x000b220c)           __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__
0x0000000181cdc234      (CoreFoundation + 0x000c2234)           __CFRunLoopDoSource0
0x0000000181c1f638      (CoreFoundation + 0x00005638)           __CFRunLoopDoSources0
0x0000000181c24a04      (CoreFoundation + 0x0000aa04)           __CFRunLoopRun
0x0000000181c37d78      (CoreFoundation + 0x0001dd78)           CFRunLoopRunSpecific
0x000000019beac99c      (GraphicsServices + 0x0000199c)         GSEventRunModal
0x000000018446a058      (UIKitCore + 0x004ec058)                -[UIApplication _run]
0x00000001841ffcdc      (UIKitCore + 0x00281cdc)                UIApplicationMain
0x0000000100bc826c      (Chrome -chrome_exe_main.mm:65)         main
0x0000000102f9418c      

Thread 4 (id: 0x00006003) CRASHED [EXC_BAD_ACCESS / KERN_INVALID_ADDRESS @ 0xffffffff90d301c0 ] 
0x0000000198e5081c      (libobjc.A.dylib + 0x0000581c)          class_getMethodImplementation
0x00000001833966c4      (Foundation + 0x0003e6c4)               _NSKVONotifyingOriginalClassForIsa
0x00000001833966c4      (Foundation + 0x0003e6c4)               _NSKVONotifyingOriginalClassForIsa
0x0000000183398088      (Foundation + 0x00040088)               _NSKeyValueObservationInfoGetObservances
0x0000000183399510      (Foundation + 0x00041510)               NSKeyValueWillChange
0x0000000183382ec4      (Foundation + 0x0002aec4)               -[NSObject(NSKeyValueObservingPrivate) _changeValueForKeys:count:maybeOldValuesDict:maybeNewValuesDict:usingBlock:]
0x00000001833a05b0      (Foundation + 0x000485b0)               -[NSObject(NSKeyValueObservingPrivate) _notifyObserversOfChangeFromValuesForKeys:toValuesForKeys:]
0x0000000181c75714      (CoreFoundation + 0x0005b714)           -[CFPrefsSource forEachObserver:]
0x0000000181d08cb0      (CoreFoundation + 0x000eecb0)           -[CFPrefsSource _notifyObserversOfChangeFromValuesForKeys:toValuesForKeys:]
0x0000000181ce5a54      (CoreFoundation + 0x000cba54)           ___CFPrefsDeliverPendingKVONotificationsGuts_block_invoke
0x0000000181c43ac4      (CoreFoundation + 0x00029ac4)           __CFDictionaryApplyFunction_block_invoke
0x0000000181c41718      (CoreFoundation + 0x00027718)           CFBasicHashApply
0x0000000181c432e0      (CoreFoundation + 0x000292e0)           CFDictionaryApplyFunction
0x0000000181cd1eb4      (CoreFoundation + 0x000b7eb4)           _CFPrefsDeliverPendingKVONotificationsGuts
0x0000000181c4093c      (CoreFoundation + 0x0002693c)           -[_CFXPreferences _deliverPendingKVONotifications]
0x0000000181c6c990      (CoreFoundation + 0x00052990)           __108-[_CFXPreferences(SearchListAdditions) withSearchListForIdentifier:container:cloudConfigurationURL:perform:]_block_invoke
0x0000000181c46d14      (CoreFoundation + 0x0002cd14)           normalizeQuintuplet
0x0000000181c40620      (CoreFoundation + 0x00026620)           -[_CFXPreferences withSearchListForIdentifier:container:cloudConfigurationURL:perform:]
0x0000000181ce88e8      (CoreFoundation + 0x000ce8e8)           -[_CFXPreferences setValue:forKey:appIdentifier:container:configurationURL:]
0x0000000181c71c2c      (CoreFoundation + 0x00057c2c)           _CFPreferencesSetAppValueWithContainerAndConfiguration
0x00000001833918ac      (Foundation + 0x000398ac)               -[NSUserDefaults(NSUserDefaults) setObject:forKey:]
0x0000000100ec6d68      (Chrome -previous_session_info.mm:625)          -[PreviousSessionInfo setReportParameterValue:forKey:]
0x0000000101a8ec2c      (Chrome -crash_key_breakpad_ios.mm:54)          crash_reporter::internal::CrashKeyStringImpl::Set(base::BasicStringPiece<char, std::__1::char_traits<char> >)
0x0000000101032e3c      (Chrome -crash_key.h:218)               crash_reporter::CrashKeyStringCombined<16u>::Set(base::BasicStringPiece<char, std::__1::char_traits<char> >)
0x0000000101033840      (Chrome -crash_keys_helper.mm:80)               crash_keys::SetCurrentFreeMemoryInKB(int)
0x0000000100bce108      (Chrome -memory_monitor.mm:38)          (anonymous namespace)::AsynchronousFreeMemoryMonitor()
0x00000001014f9648      (Chrome -callback.h:142)                base::TaskAnnotator::RunTask(char const*, base::PendingTask*)
0x000000010150d818      (Chrome -task_tracker.cc:660)           base::internal::TaskTracker::RunSkipOnShutdown(base::internal::Task*)
0x000000010150d42c      (Chrome -task_tracker.cc:675)           base::internal::TaskTracker::RunTask(base::internal::Task, base::internal::TaskSource*, base::TaskTraits const&)
0x0000000101535f18      (Chrome -task_tracker_posix.cc:22)              base::internal::TaskTrackerPosix::RunTask(base::internal::Task, base::internal::TaskSource*, base::TaskTraits const&)
0x000000010150d0cc      (Chrome -task_tracker.cc:431)           base::internal::TaskTracker::RunAndPopNextTask(base::internal::RegisteredTaskSource)
0x000000010151a29c      (Chrome -worker_thread.cc:377)          base::internal::WorkerThread::RunWorker()
0x0000000101519ec8      (Chrome -worker_thread.cc:271)          base::internal::WorkerThread::RunBackgroundPooledWorker()
0x0000000101536414      (Chrome -platform_thread_posix.cc:96)           base::(anonymous namespace)::ThreadFunc(void*)
0x00000001dad8b3a0      (libsystem_pthread.dylib + 0x000063a0)          _pthread_start

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20211215/fb6a0ed9/attachment-0001.htm>


More information about the webkit-unassigned mailing list