[Webkit-unassigned] [Bug 242518] IPC::Connection::sendOutputMessage(IPC::UnixMessage&) Syscall param sendmsg(msg.msg_iov[2]) points to uninitialised byte(s)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jul 8 14:33:57 PDT 2022 

https://bugs.webkit.org/show_bug.cgi?id=242518

--- Comment #4 from James Hilliard <james.hilliard1 at gmail.com> ---
Also hit this one doing reloads

[-> UI 17 receiver 0x1c37c710] WebProcessPool_HandleMessage (messageName WebPage.DidInitiateLoadForResource) (messageBody ...)
[-> UI 17 receiver 0x1c1b6370] WebPageProxy_SetNetworkRequestsInProgress (networkRequestsInProgress 1)
[-> Web 74 receiver 0x37568640] DrawingArea_TargetRefreshRateDidChange (rate 60000)
WebPageProxy 8 activityStateDidChange - mayHaveChanged loading
ASSERTION FAILED: !RunLoop::isMain()
/app/webkit/Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp(315) : void WebKit::ThreadedCompositor::targetRefreshRateDidChange(unsigned int)
WebPageProxy 8 dispatchActivityStateChange - potentiallyChangedActivityStateFlags loading
[-> UI 17 receiver 0x1c37c710] WebProcessPool_HandleMessage (messageName WebPage.DidSendRequestForResource) (messageBody ...)
1   0x10f7e8ab WTFCrash
2   0xd95b1a6 /app/webkit/WebKitBuild/Debug/lib/libWPEWebKit-1.1.so.0(+0x91081a6) [0xd95b1a6]
3   0xe6e3105 /app/webkit/WebKitBuild/Debug/lib/libWPEWebKit-1.1.so.0(+0x9e90105) [0xe6e3105]
4   0xeffa8f5 /app/webkit/WebKitBuild/Debug/lib/libWPEWebKit-1.1.so.0(+0xa7a78f5) [0xeffa8f5]
5   0xeff8387 /app/webkit/WebKitBuild/Debug/lib/libWPEWebKit-1.1.so.0(+0xa7a5387) [0xeff8387]
6   0xdfb33ad /app/webkit/WebKitBuild/Debug/lib/libWPEWebKit-1.1.so.0(+0x97603ad) [0xdfb33ad]
7   0xdfb2df6 /app/webkit/WebKitBuild/Debug/lib/libWPEWebKit-1.1.so.0(+0x975fdf6) [0xdfb2df6]
8   0xdfb2b6b /app/webkit/WebKitBuild/Debug/lib/libWPEWebKit-1.1.so.0(+0x975fb6b) [0xdfb2b6b]
9   0xdfb2710 /app/webkit/WebKitBuild/Debug/lib/libWPEWebKit-1.1.so.0(+0x975f710) [0xdfb2710]
10  0xe5b3dd8 /app/webkit/WebKitBuild/Debug/lib/libWPEWebKit-1.1.so.0(+0x9d60dd8) [0xe5b3dd8]
11  0xeca8fa9 /app/webkit/WebKitBuild/Debug/lib/libWPEWebKit-1.1.so.0(+0xa455fa9) [0xeca8fa9]
12  0xe58b524 /app/webkit/WebKitBuild/Debug/lib/libWPEWebKit-1.1.so.0(+0x9d38524) [0xe58b524]
13  0xe58b7bb /app/webkit/WebKitBuild/Debug/lib/libWPEWebKit-1.1.so.0(+0x9d387bb) [0xe58b7bb]
14  0xe58bd62 /app/webkit/WebKitBuild/Debug/lib/libWPEWebKit-1.1.so.0(+0x9d38d62) [0xe58bd62]
15  0xe58b234 /app/webkit/WebKitBuild/Debug/lib/libWPEWebKit-1.1.so.0(+0x9d38234) [0xe58b234]
16  0xe592318 /app/webkit/WebKitBuild/Debug/lib/libWPEWebKit-1.1.so.0(+0x9d3f318) [0xe592318]
17  0xd9d63d5 /app/webkit/WebKitBuild/Debug/lib/libWPEWebKit-1.1.so.0(+0x91833d5) [0xd9d63d5]
18  0x10fd52e1 /app/webkit/WebKitBuild/Debug/lib/libWPEWebKit-1.1.so.0(+0xc7822e1) [0x10fd52e1]
19  0x11080af0 /app/webkit/WebKitBuild/Debug/lib/libWPEWebKit-1.1.so.0(+0xc82daf0) [0x11080af0]
20  0x11080b14 /app/webkit/WebKitBuild/Debug/lib/libWPEWebKit-1.1.so.0(+0xc82db14) [0x11080b14]
21  0x11080a83 /app/webkit/WebKitBuild/Debug/lib/libWPEWebKit-1.1.so.0(+0xc82da83) [0x11080a83]
22  0x11080ad1 /app/webkit/WebKitBuild/Debug/lib/libWPEWebKit-1.1.so.0(+0xc82dad1) [0x11080ad1]
23  0x15fb5294 g_main_context_dispatch
24  0x15fb5638 /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0(+0x58638) [0x15fb5638]
25  0x15fb5943 g_main_loop_run
26  0x1108113c WTF::RunLoop::run()
27  0xf022551 /app/webkit/WebKitBuild/Debug/lib/libWPEWebKit-1.1.so.0(+0xa7cf551) [0xf022551]
28  0xf01fc03 /app/webkit/WebKitBuild/Debug/lib/libWPEWebKit-1.1.so.0(+0xa7ccc03) [0xf01fc03]
29  0xf01c15b WebKit::WebProcessMain(int, char**)
30  0x109919 /app/webkit/WebKitBuild/Debug/bin/WPEWebProcess(+0x1919) [0x109919]
31  0x1669fbc0 __libc_start_main
==74== Thread 1:
==74== Invalid write of size 4
==74==    at 0x10F7E8B0: WTFCrash (Assertions.cpp:328)
==74==    by 0xD95B1A5: WTFCrashWithInfo(int, char const*, char const*, int) (Assertions.h:754)
==74==    by 0xE6E3104: WebKit::ThreadedCompositor::targetRefreshRateDidChange(unsigned int) (ThreadedCompositor.cpp:315)
==74==    by 0xEFFA8F4: WebKit::LayerTreeHost::targetRefreshRateDidChange(unsigned int) (LayerTreeHost.cpp:254)
==74==    by 0xEFF8386: WebKit::DrawingAreaCoordinatedGraphics::targetRefreshRateDidChange(unsigned int) (DrawingAreaCoordinatedGraphics.cpp:469)
==74==    by 0xDFB33AC: void IPC::callMemberFunctionImpl<WebKit::DrawingArea, void (WebKit::DrawingArea::*)(unsigned int), std::tuple<unsigned int>, 0ul>(WebKit::DrawingArea*, void (WebKit::DrawingArea::*)(unsigned int), std::tuple<unsigned int>&&, std::integer_sequence<unsigned long, 0ul>) (HandleMessage.h:131)
==74==    by 0xDFB2DF5: void IPC::callMemberFunction<WebKit::DrawingArea, void (WebKit::DrawingArea::*)(unsigned int), std::tuple<unsigned int>, std::integer_sequence<unsigned long, 0ul> >(std::tuple<unsigned int>&&, WebKit::DrawingArea*, void (WebKit::DrawingArea::*)(unsigned int)) (HandleMessage.h:137)
==74==    by 0xDFB2B6A: void IPC::handleMessage<Messages::DrawingArea::TargetRefreshRateDidChange, WebKit::DrawingArea, void (WebKit::DrawingArea::*)(unsigned int)>(IPC::Connection&, IPC::Decoder&, WebKit::DrawingArea*, void (WebKit::DrawingArea::*)(unsigned int)) (HandleMessage.h:259)
==74==    by 0xDFB270F: WebKit::DrawingArea::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (DrawingAreaMessageReceiver.cpp:79)
==74==    by 0xE5B3DD7: IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) (MessageReceiverMap.cpp:129)
==74==    by 0xECA8FA8: WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (WebProcess.cpp:912)
==74==    by 0xE58B523: IPC::Connection::dispatchMessage(IPC::Decoder&) (Connection.cpp:1108)
==74==    by 0xE58B7BA: IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) (Connection.cpp:1153)
==74==    by 0xE58BD61: IPC::Connection::dispatchOneIncomingMessage() (Connection.cpp:1222)
==74==    by 0xE58B233: IPC::Connection::enqueueIncomingMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >)::{lambda()#1}::operator()() (Connection.cpp:1072)
==74==    by 0xE592317: WTF::Detail::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >)::{lambda()#1}, void>::call() (Function.h:53)
==74==    by 0xD9D63D4: WTF::Function<void ()>::operator()() const (Function.h:82)
==74==    by 0x10FD52E0: WTF::RunLoop::performWork() (RunLoop.cpp:133)
==74==    by 0x11080AEF: WTF::RunLoop::RunLoop()::{lambda(void*)#1}::operator()(void*) const (RunLoopGLib.cpp:80)
==74==    by 0x11080B13: WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*) (RunLoopGLib.cpp:82)
==74==    by 0x11080A82: WTF::RunLoop::{lambda(_GSource*, int (*)(void*), void*)#1}::operator()(_GSource*, int (*)(void*), void*) const (RunLoopGLib.cpp:53)
==74==    by 0x11080AD0: WTF::RunLoop::{lambda(_GSource*, int (*)(void*), void*)#1}::_FUN(_GSource*, int (*)(void*), void*) (RunLoopGLib.cpp:56)
==74==    by 0x15FB5293: g_main_dispatch (gmain.c:3381)
==74==    by 0x15FB5293: g_main_context_dispatch (gmain.c:4099)
==74==    by 0x15FB5637: g_main_context_iterate.constprop.0 (gmain.c:4175)
==74==    by 0x15FB5942: g_main_loop_run (gmain.c:4373)
==74==    by 0x1108113B: WTF::RunLoop::run() (RunLoopGLib.cpp:108)
==74==    by 0xF022550: WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run(int, char**) (AuxiliaryProcessMain.h:70)
==74==    by 0xF01FC02: int WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainWPE>(int, char**) (AuxiliaryProcessMain.h:96)
==74==    by 0xF01C15A: WebKit::WebProcessMain(int, char**) (WebProcessMainWPE.cpp:75)
==74==    by 0x109918: main (WebProcessMain.cpp:31)
==74==  Address 0xbbadbeef is not stack'd, malloc'd or (recently) free'd
==74== 

==74== Process terminating with default action of signal 11 (SIGSEGV)
==74==  Access not within mapped region at address 0xBBADBEEF
==74==    at 0x10F7E8B0: WTFCrash (Assertions.cpp:328)
==74==    by 0xD95B1A5: WTFCrashWithInfo(int, char const*, char const*, int) (Assertions.h:754)
==74==    by 0xE6E3104: WebKit::ThreadedCompositor::targetRefreshRateDidChange(unsigned int) (ThreadedCompositor.cpp:315)
==74==    by 0xEFFA8F4: WebKit::LayerTreeHost::targetRefreshRateDidChange(unsigned int) (LayerTreeHost.cpp:254)
==74==    by 0xEFF8386: WebKit::DrawingAreaCoordinatedGraphics::targetRefreshRateDidChange(unsigned int) (DrawingAreaCoordinatedGraphics.cpp:469)
==74==    by 0xDFB33AC: void IPC::callMemberFunctionImpl<WebKit::DrawingArea, void (WebKit::DrawingArea::*)(unsigned int), std::tuple<unsigned int>, 0ul>(WebKit::DrawingArea*, void (WebKit::DrawingArea::*)(unsigned int), std::tuple<unsigned int>&&, std::integer_sequence<unsigned long, 0ul>) (HandleMessage.h:131)
==74==    by 0xDFB2DF5: void IPC::callMemberFunction<WebKit::DrawingArea, void (WebKit::DrawingArea::*)(unsigned int), std::tuple<unsigned int>, std::integer_sequence<unsigned long, 0ul> >(std::tuple<unsigned int>&&, WebKit::DrawingArea*, void (WebKit::DrawingArea::*)(unsigned int)) (HandleMessage.h:137)
==74==    by 0xDFB2B6A: void IPC::handleMessage<Messages::DrawingArea::TargetRefreshRateDidChange, WebKit::DrawingArea, void (WebKit::DrawingArea::*)(unsigned int)>(IPC::Connection&, IPC::Decoder&, WebKit::DrawingArea*, void (WebKit::DrawingArea::*)(unsigned int)) (HandleMessage.h:259)
==74==    by 0xDFB270F: WebKit::DrawingArea::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (DrawingAreaMessageReceiver.cpp:79)
==74==    by 0xE5B3DD7: IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) (MessageReceiverMap.cpp:129)
==74==    by 0xECA8FA8: WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (WebProcess.cpp:912)
==74==    by 0xE58B523: IPC::Connection::dispatchMessage(IPC::Decoder&) (Connection.cpp:1108)
==74==    by 0xE58B7BA: IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) (Connection.cpp:1153)
==74==    by 0xE58BD61: IPC::Connection::dispatchOneIncomingMessage() (Connection.cpp:1222)
==74==    by 0xE58B233: IPC::Connection::enqueueIncomingMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >)::{lambda()#1}::operator()() (Connection.cpp:1072)
==74==    by 0xE592317: WTF::Detail::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >)::{lambda()#1}, void>::call() (Function.h:53)
==74==    by 0xD9D63D4: WTF::Function<void ()>::operator()() const (Function.h:82)
==74==    by 0x10FD52E0: WTF::RunLoop::performWork() (RunLoop.cpp:133)
==74==    by 0x11080AEF: WTF::RunLoop::RunLoop()::{lambda(void*)#1}::operator()(void*) const (RunLoopGLib.cpp:80)
==74==    by 0x11080B13: WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*) (RunLoopGLib.cpp:82)
==74==    by 0x11080A82: WTF::RunLoop::{lambda(_GSource*, int (*)(void*), void*)#1}::operator()(_GSource*, int (*)(void*), void*) const (RunLoopGLib.cpp:53)
==74==    by 0x11080AD0: WTF::RunLoop::{lambda(_GSource*, int (*)(void*), void*)#1}::_FUN(_GSource*, int (*)(void*), void*) (RunLoopGLib.cpp:56)
==74==    by 0x15FB5293: g_main_dispatch (gmain.c:3381)
==74==    by 0x15FB5293: g_main_context_dispatch (gmain.c:4099)
==74==    by 0x15FB5637: g_main_context_iterate.constprop.0 (gmain.c:4175)
==74==    by 0x15FB5942: g_main_loop_run (gmain.c:4373)
==74==    by 0x1108113B: WTF::RunLoop::run() (RunLoopGLib.cpp:108)
==74==    by 0xF022550: WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run(int, char**) (AuxiliaryProcessMain.h:70)
==74==    by 0xF01FC02: int WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainWPE>(int, char**) (AuxiliaryProcessMain.h:96)
==74==    by 0xF01C15A: WebKit::WebProcessMain(int, char**) (WebProcessMainWPE.cpp:75)
==74==    by 0x109918: main (WebProcessMain.cpp:31)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20220708/4dd08103/attachment-0001.htm>

More information about the webkit-unassigned mailing list