Bug 229003 - ThreadSanitizer: data race in WTF::StringImpl::deref() under WebKit::NetworkCache::IOChannel::~IOChannel()
Summary: ThreadSanitizer: data race in WTF::StringImpl::deref() under WebKit::NetworkCache::IOChannel::~IOChannel()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc.
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Importance: P2 Normal
Assignee: David Kilzer (:ddkilzer)
URL:
Keywords: InRadar
Depends on: 142810
Blocks:
Reported: 2021-08-11 08:35 PDT by David Kilzer (:ddkilzer)
Modified: 2021-08-11 15:33 PDT
CC: 5 users

See Also:


Attachments
Patch v1 (5.01 KB, patch), 2021-08-11 08:47 PDT, David Kilzer (:ddkilzer); flags: cdumez: review+, ews-feeder: commit-queue-
Patch v2 (6.07 KB, patch), 2021-08-11 11:47 PDT, David Kilzer (:ddkilzer); no flags

Description David Kilzer (:ddkilzer) 2021-08-11 08:35:12 PDT
ThreadSanitizer: data race in WTF::StringImpl::deref() under WebKit::NetworkCache::IOChannel::~IOChannel().

The WebKit::NetworkCache::IOChannel class is ThreadSafeRefCounted<>, but it doesn't make an isolatedCopy() for its m_path instance variable, resulting in a data race.

WARNING: ThreadSanitizer: data race (pid=70289)
  Read of size 4 at 0x7b3c00008250 by main thread:
    #0 WTF::StringImpl::deref() <null> (WebKit:x86_64+0x7aca)
    #1 WebKit::NetworkCache::IOChannel::~IOChannel() <null> (WebKit:x86_64+0x7b5ea6)
    #2 WebKit::NetworkCache::IOChannel::~IOChannel() <null> (WebKit:x86_64+0x7b5f39)
    #3 WTF::ThreadSafeRefCounted<WebKit::NetworkCache::IOChannel, (WTF::DestructionThread)0>::deref() const::'lambda'()::operator()() const <null> (WebKit:x86_64+0x7be829)
    #4 WTF::ThreadSafeRefCounted<WebKit::NetworkCache::IOChannel, (WTF::DestructionThread)0>::deref() const <null> (WebKit:x86_64+0x7be7ea)
    #5 WebKit::NetworkCache::IOChannel::write(unsigned long, WebKit::NetworkCache::Data const&, WTF::WorkQueue&, WTF::Function<void (int)>&&)::$_8::~$_8() <null> (WebKit:x86_64+0x7b882b)
    #6 WebKit::NetworkCache::IOChannel::write(unsigned long, WebKit::NetworkCache::Data const&, WTF::WorkQueue&, WTF::Function<void (int)>&&)::$_8::~$_8() <null> (WebKit:x86_64+0x7b63b9)
    #7 WTF::BlockPtr<void (bool, NSObject<OS_dispatch_data>*, int)> WTF::BlockPtr<void (bool, NSObject<OS_dispatch_data>*, int)>::fromCallable<WebKit::NetworkCache::IOChannel::write(unsigned long, WebKit::NetworkCache::Data const&, WTF::WorkQueue&, WTF::Function<void (int)>&&)::$_8>(WebKit::NetworkCache::IOChannel::write(unsigned long, WebKit::NetworkCache::Data const&, WTF::WorkQueue&, WTF::Function<void (int)>&&)::$_8)::'lambda'(void const*)::operator()(void const*) const <null> (WebKit:x86_64+0x7b860d)
    #8 WTF::BlockPtr<void (bool, NSObject<OS_dispatch_data>*, int)> WTF::BlockPtr<void (bool, NSObject<OS_dispatch_data>*, int)>::fromCallable<WebKit::NetworkCache::IOChannel::write(unsigned long, WebKit::NetworkCache::Data const&, WTF::WorkQueue&, WTF::Function<void (int)>&&)::$_8>(WebKit::NetworkCache::IOChannel::write(unsigned long, WebKit::NetworkCache::Data const&, WTF::WorkQueue&, WTF::Function<void (int)>&&)::$_8)::'lambda'(void const*)::__invoke(void const*) <null> (WebKit:x86_64+0x7b85d9)
    #9 _Block_release <null> (libsystem_blocks.dylib:x86_64+0x1650)
    #10 WKXPCServiceMain <null> (WebKit:x86_64+0x22543fe)
    #11 main <null> (com.apple.WebKit.Networking.Development:x86_64+0x100003e3e)

  Previous write of size 4 at 0x7b3c00008250 by thread T2:
    #0 WTF::StringImpl::deref() <null> (WebKit:x86_64+0x7ada)
    #1 WebKit::NetworkCache::Storage::dispatchWriteOperation(std::__1::unique_ptr<WebKit::NetworkCache::Storage::WriteOperation, std::__1::default_delete<WebKit::NetworkCache::Storage::WriteOperation> >)::$_22::operator()() const <null> (WebKit:x86_64+0xd98177)
    #2 WTF::Detail::CallableWrapper<WebKit::NetworkCache::Storage::dispatchWriteOperation(std::__1::unique_ptr<WebKit::NetworkCache::Storage::WriteOperation, std::__1::default_delete<WebKit::NetworkCache::Storage::WriteOperation> >)::$_22, void>::call() <null> (WebKit:x86_64+0xd97f1d)
    #3 WTF::Function<void ()>::operator()() const <null> (JavaScriptCore:x86_64+0x2620d)
    #4 WTF::(anonymous namespace)::DispatchWorkItem::operator()() <null> (JavaScriptCore:x86_64+0x11285d)
    #5 void WTF::dispatchWorkItem<WTF::(anonymous namespace)::DispatchWorkItem>(void*) <null> (JavaScriptCore:x86_64+0x111849)
    #6 __tsan::dispatch_callback_wrap(void*) <null> (libclang_rt.tsan_osx_dynamic.dylib:x86_64+0x734d1)
    #7 _dispatch_client_callout <null> (libdispatch.dylib:x86_64+0x34ff)

  Location is heap block of size 240 at 0x7b3c00008250 allocated by thread T2:
    #0 __sanitizer_mz_malloc <null> (libclang_rt.tsan_osx_dynamic.dylib:x86_64+0x5168a)
    #1 _malloc_zone_malloc <null> (libsystem_malloc.dylib:x86_64+0x1cf80)
    #2 bmalloc::Cache::tryAllocateSlowCaseNullCache(bmalloc::HeapKind, unsigned long) <null> (JavaScriptCore:x86_64+0x11d143)
    #3 bmalloc::Cache::tryAllocate(bmalloc::HeapKind, unsigned long) <null> (JavaScriptCore:x86_64+0x37fd9)
    #4 WTF::tryFastMalloc(unsigned long) <null> (JavaScriptCore:x86_64+0x36fdf)
    #5 WTF::FastMalloc::tryMalloc(unsigned long) <null> (JavaScriptCore:x86_64+0x18e4ee5)
    #6 WTF::String WTF::tryMakeStringFromAdapters<WTF::StringTypeAdapter<WTF::StringAppend<WTF::String, char const*>, void>, WTF::StringTypeAdapter<WTF::String, void> >(WTF::StringTypeAdapter<WTF::StringAppend<WTF::String, char const*>, void>, WTF::StringTypeAdapter<WTF::String, void>) <null> (JavaScriptCore:x86_64+0x46051)
    #7 WTF::String WTF::tryMakeString<WTF::StringAppend<WTF::String, char const*>, WTF::String>(WTF::StringAppend<WTF::String, char const*>, WTF::String) <null> (JavaScriptCore:x86_64+0x45f66)
    #8 WTF::StringAppend<WTF::StringAppend<WTF::String, char const*>, WTF::String>::operator WTF::String() const <null> (JavaScriptCore:x86_64+0x44f7d)
    #9 WTF::FileSystemImpl::pathByAppendingComponent(WTF::String const&, WTF::String const&) <null> (JavaScriptCore:x86_64+0x44bfb)
    #10 WebKit::NetworkCache::Storage::recordPathForKey(WebKit::NetworkCache::Key const&) const <null> (WebKit:x86_64+0xd6034f)
    #11 WebKit::NetworkCache::Storage::dispatchWriteOperation(std::__1::unique_ptr<WebKit::NetworkCache::Storage::WriteOperation, std::__1::default_delete<WebKit::NetworkCache::Storage::WriteOperation> >)::$_22::operator()() const <null> (WebKit:x86_64+0xd97fdd)
    #12 WTF::Detail::CallableWrapper<WebKit::NetworkCache::Storage::dispatchWriteOperation(std::__1::unique_ptr<WebKit::NetworkCache::Storage::WriteOperation, std::__1::default_delete<WebKit::NetworkCache::Storage::WriteOperation> >)::$_22, void>::call() <null> (WebKit:x86_64+0xd97f1d)
    #13 WTF::Function<void ()>::operator()() const <null> (JavaScriptCore:x86_64+0x2620d)
    #14 WTF::(anonymous namespace)::DispatchWorkItem::operator()() <null> (JavaScriptCore:x86_64+0x11285d)
    #15 void WTF::dispatchWorkItem<WTF::(anonymous namespace)::DispatchWorkItem>(void*) <null> (JavaScriptCore:x86_64+0x111849)
    #16 __tsan::dispatch_callback_wrap(void*) <null> (libclang_rt.tsan_osx_dynamic.dylib:x86_64+0x734d1)
    #17 _dispatch_client_callout <null> (libdispatch.dylib:x86_64+0x34ff)

  Thread T2 (tid=13904706, running) is a GCD worker thread

SUMMARY: ThreadSanitizer: data race (WebKitBuild/WebKit.framework/Versions/A/WebKit:x86_64+0x7aca) in WTF::StringImpl::deref()+0x1a
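As an added illustration (not WebKit code and not part of this bug's patch), the toy model below shows the mechanism the description names: a ThreadSafeRefCounted owner may be destroyed on whichever thread drops the last reference, so any String it holds must be an isolatedCopy() with its own impl, otherwise the impl's non-atomic refcount is touched from two threads. All names here (ToyStringImpl, ToyString, ToyChannel, the sample path) are hypothetical stand-ins, and the refcount is a plain int only to mirror the thread-affine count TSan flagged.

```cpp
// Added illustration, not WebKit's code: a minimal model of why an object
// whose last deref may happen on any thread (ThreadSafeRefCounted) must hold
// an isolatedCopy() of a String rather than a shared one. All names below
// (ToyStringImpl, ToyString, ToyChannel) are hypothetical stand-ins.
#include <string>
#include <utility>

// Stand-in for WTF::StringImpl: the reference count is a plain int, so a
// ref()/deref() pair running on two threads is exactly the data race that
// ThreadSanitizer reported at StringImpl::deref().
struct ToyStringImpl {
    std::string chars;
    int refCount = 1;   // deliberately non-atomic, like a thread-affine count
    explicit ToyStringImpl(std::string s) : chars(std::move(s)) {}
};

// Stand-in for WTF::String: a copy shares the impl and bumps its count.
class ToyString {
public:
    ToyString() = default;
    explicit ToyString(const char* s) : m_impl(new ToyStringImpl(s)) {}
    ToyString(const ToyString& other) : m_impl(other.m_impl) { retain(); }
    ToyString(ToyString&& other) noexcept : m_impl(other.m_impl) { other.m_impl = nullptr; }
    ToyString& operator=(ToyString other) noexcept { std::swap(m_impl, other.m_impl); return *this; }
    ~ToyString() { release(); }

    // Deep copy with its own impl and a fresh count of 1. Nothing is shared
    // with the source, so the copy can be destroyed on any thread.
    ToyString isolatedCopy() const {
        ToyString copy;
        if (m_impl)
            copy.m_impl = new ToyStringImpl(m_impl->chars);
        return copy;
    }

    const ToyStringImpl* impl() const { return m_impl; }
    int refCount() const { return m_impl ? m_impl->refCount : 0; }
    std::string str() const { return m_impl ? m_impl->chars : std::string(); }

private:
    void retain() { if (m_impl) ++m_impl->refCount; }
    void release() {
        if (m_impl && --m_impl->refCount == 0)
            delete m_impl;
        m_impl = nullptr;
    }
    ToyStringImpl* m_impl = nullptr;
};

// Stand-in for a ThreadSafeRefCounted owner such as IOChannel. Because its
// own count is atomic, the last deref, and therefore the destructor and the
// deref of m_path, may run on whichever thread drops the last reference.
struct ToyChannel {
    ToyString m_path;
    // isolate == false reproduces the bug: m_path shares the caller's impl.
    // isolate == true is the fix: m_path owns an isolated impl.
    ToyChannel(const ToyString& path, bool isolate)
        : m_path(isolate ? path.isolatedCopy() : path) {}
};

// Reference count seen by the caller's string while the channel is alive:
// 2 means the impl (and its non-atomic counter) is shared across the thread
// boundary, 1 means each side owns its own impl.
int callerRefCountWhileChannelAlive(bool isolate) {
    ToyString path("/Cache/Records/abc");   // constructed sample path
    ToyChannel channel(path, isolate);
    return path.refCount();
}

// True when the channel's path is a distinct impl with equal contents.
bool channelPathIsIsolated(bool isolate) {
    ToyString path("/Cache/Records/abc");   // constructed sample path
    ToyChannel channel(path, isolate);
    return channel.m_path.impl() != path.impl()
        && channel.m_path.str() == path.str();
}
```

With isolate == false the caller's string reports a count of 2 while the channel is alive, which is the shared state that lets a deref on the main thread race a deref on the GCD worker; with isolate == true each side holds its own impl and the count stays 1, so the destructor can run on any thread without touching a counter another thread also uses.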
Comment 1 David Kilzer (:ddkilzer) 2021-08-11 08:35:36 PDT
Regressed in:

    Prune least valuable cache entries first
    https://bugs.webkit.org/show_bug.cgi?id=142810
Comment 2 Radar WebKit Bug Importer 2021-08-11 08:35:47 PDT
<rdar://problem/81795626>
Comment 3 David Kilzer (:ddkilzer) 2021-08-11 08:47:34 PDT
Created attachment 435349
Patch v1
Comment 4 David Kilzer (:ddkilzer) 2021-08-11 11:39:24 PDT
Lol...I created a use-after-move bug.  Fixing.
Comment 5 David Kilzer (:ddkilzer) 2021-08-11 11:47:48 PDT
Created attachment 435365
Patch v2
Comment 6 EWS 2021-08-11 15:33:26 PDT
Committed r280935 (240452@main): <https://commits.webkit.org/240452@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 435365.