Issue 782983


Issue metadata

Status: WontFix
Owner: ----
Closed: Nov 16
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug




Crash on ServiceWorkerVersion::StopWorker()

Project Member Reported by nhiroki@chromium.org, Nov 9 2017

Issue description

# How to repro:

I found this while writing WPT tests for Worklets with SW interception.

1) Apply https://chromium-review.googlesource.com/c/chromium/src/+/758973
2) run-webkit-tests external/wpt/worklets/paint-worklet-service-worker-interception.https.html

This test throws an exception because of 'undefined' attribute access in a controlled window. If it works without the crash, the test should simply time out.


# Callstack

Crash reason:  SIGSEGV
Crash address: 0x0
Process uptime: not available

Thread 18 (crashed)
 0  libcontent.so!content::EmbeddedWorkerInstance::status() const + 0xc
 1  libcontent.so!running_status [service_worker_version.h : 152 + 0x5]
 2  libcontent.so!StopWorker [service_worker_version.cc : 506 + 0xc]
 3  libcontent.so!DidGetAllRegistrations [service_worker_context_core.cc : 145 + 0xc]
 4  libcontent.so!Invoke<const scoped_refptr<content::(anonymous namespace)::ClearAllServiceWorkersHelper> &, const base::WeakPtr<content::ServiceWorkerContextCore> &, content::ServiceWorkerStatusCode, const std::__1::vector<content::ServiceWorkerRegistrationInfo, std::__1::allocator<content::ServiceWorkerRegistrationInfo> > &> [bind_internal.h : 194 + 0x6]
 5  libcontent.so!MakeItSo<void (content::(anonymous namespace)::ClearAllServiceWorkersHelper::*const &)(const base::WeakPtr<content::ServiceWorkerContextCore> &, content::ServiceWorkerStatusCode, const std::__1::vector<content::ServiceWorkerRegistrationInfo, std::__1::allocator<content::ServiceWorkerRegistrationInfo> > &), const scoped_refptr<content::(anonymous namespace)::ClearAllServiceWorkersHelper> &, const base::WeakPtr<content::ServiceWorkerContextCore> &, content::ServiceWorkerStatusCode, const std::__1::vector<content::ServiceWorkerRegistrationInfo, std::__1::allocator<content::ServiceWorkerRegistrationInfo> > &> [bind_internal.h : 277 + 0x2b]
 6  libcontent.so!RunImpl<void (content::(anonymous namespace)::ClearAllServiceWorkersHelper::*const &)(const base::WeakPtr<content::ServiceWorkerContextCore> &, content::ServiceWorkerStatusCode, const std::__1::vector<content::ServiceWorkerRegistrationInfo, std::__1::allocator<content::ServiceWorkerRegistrationInfo> > &), const std::__1::tuple<scoped_refptr<content::(anonymous namespace)::ClearAllServiceWorkersHelper>, base::WeakPtr<content::ServiceWorkerContextCore> > &, 0, 1> [bind_internal.h : 351 + 0x10]
 7  libcontent.so!Run [bind_internal.h : 333 + 0x13]
 8  libcontent.so!Run [callback.h : 94 + 0x9]
 9  libcontent.so!DidGetAllRegistrationsInfos [service_worker_storage.cc : 1257 + 0x5]
10  libcontent.so!Invoke<const base::WeakPtr<content::ServiceWorkerStorage> &, const base::RepeatingCallback<void (content::ServiceWorkerStatusCode, const std::__1::vector<content::ServiceWorkerRegistrationInfo, std::__1::allocator<content::ServiceWorkerRegistrationInfo> > &)> &, std::__1::vector<content::ServiceWorkerDatabase::RegistrationData, std::__1::allocator<content::ServiceWorkerDatabase::RegistrationData> > *, content::ServiceWorkerDatabase::Status> [bind_internal.h : 194 + 0x6]
11  libcontent.so!MakeItSo<void (content::ServiceWorkerStorage::*const &)(const base::RepeatingCallback<void (content::ServiceWorkerStatusCode, const std::__1::vector<content::ServiceWorkerRegistrationInfo, std::__1::allocator<content::ServiceWorkerRegistrationInfo> > &)> &, std::__1::vector<content::ServiceWorkerDatabase::RegistrationData, std::__1::allocator<content::ServiceWorkerDatabase::RegistrationData> > *, content::ServiceWorkerDatabase::Status), const base::WeakPtr<content::ServiceWorkerStorage> &, const base::RepeatingCallback<void (content::ServiceWorkerStatusCode, const std::__1::vector<content::ServiceWorkerRegistrationInfo, std::__1::allocator<content::ServiceWorkerRegistrationInfo> > &)> &, std::__1::vector<content::ServiceWorkerDatabase::RegistrationData, std::__1::allocator<content::ServiceWorkerDatabase::RegistrationData> > *, content::ServiceWorkerDatabase::Status> [bind_internal.h : 297 + 0x20]
12  libcontent.so!RunImpl<void (content::ServiceWorkerStorage::*const &)(const base::RepeatingCallback<void (content::ServiceWorkerStatusCode, const std::__1::vector<content::ServiceWorkerRegistrationInfo, std::__1::allocator<content::ServiceWorkerRegistrationInfo> > &)> &, std::__1::vector<content::ServiceWorkerDatabase::RegistrationData, std::__1::allocator<content::ServiceWorkerDatabase::RegistrationData> > *, content::ServiceWorkerDatabase::Status), const std::__1::tuple<base::WeakPtr<content::ServiceWorkerStorage>, base::RepeatingCallback<void (content::ServiceWorkerStatusCode, const std::__1::vector<content::ServiceWorkerRegistrationInfo, std::__1::allocator<content::ServiceWorkerRegistrationInfo> > &)>, base::internal::OwnedWrapper<std::__1::vector<content::ServiceWorkerDatabase::RegistrationData, std::__1::allocator<content::ServiceWorkerDatabase::RegistrationData> > > > &, 0, 1, 2> [bind_internal.h : 351 + 0x1a]
13  libcontent.so!Run [bind_internal.h : 333 + 0x8]

<snip>
 
Looks like EmbeddedWorkerInstance is null on ServiceWorkerVersion::StopWorker().

void ServiceWorkerVersion::StopWorker(base::OnceClosure callback) {
  switch (running_status()) {
    case EmbeddedWorkerStatus::STARTING:
    case EmbeddedWorkerStatus::RUNNING:
      embedded_worker_->Stop();                                   <== Nullify |embedded_worker_|???
      if (running_status() == EmbeddedWorkerStatus::STOPPED) {    <== Crash here
        RunSoon(std::move(callback));
        return;
      }
      stop_callbacks_.push_back(std::move(callback));
      return;
    case EmbeddedWorkerStatus::STOPPING:
      stop_callbacks_.push_back(std::move(callback));
      return;
    case EmbeddedWorkerStatus::STOPPED:
      RunSoon(std::move(callback));
      return;
  }
  NOTREACHED();
}
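
Added example, not Chromium's code: a reduced C++ model of the pattern in the snippet above, under the reporter's hypothesis that EmbeddedWorkerInstance::Stop() can synchronously null out |embedded_worker_| before the status re-check. The stand-in names Worker and Version are assumptions; running_status() here treats a missing worker as STOPPED so the re-check after Stop() cannot dereference null.

```cpp
#include <functional>
#include <memory>
#include <utility>
#include <vector>
// Stand-ins for EmbeddedWorkerStatus and EmbeddedWorkerInstance. In this model
// (an assumption, not Chromium's code) Stop() notifies the owner synchronously,
// and the owner destroys the instance from inside that notification.
enum class Status { kStarting, kRunning, kStopping, kStopped };
class Worker {
 public:
  explicit Worker(std::function<void()> on_stopped) : on_stopped_(std::move(on_stopped)) {}
  Status status() const { return status_; }
  void Stop() {
    status_ = Status::kStopped;
    auto notify = on_stopped_;  // copy first: *this may be deleted by the call
    notify();                   // touch no member after this line
  }
 private:
  Status status_ = Status::kRunning;
  std::function<void()> on_stopped_;
};
// Stand-in for ServiceWorkerVersion, with the null check the report's code lacks.
class Version {
 public:
  Version() : worker_(std::make_unique<Worker>([this] { worker_.reset(); })) {}
  bool has_worker() const { return worker_ != nullptr; }
  size_t pending_stop_callbacks() const { return stop_callbacks_.size(); }
  // A missing worker is reported as STOPPED instead of dereferencing null.
  Status running_status() const { return worker_ ? worker_->status() : Status::kStopped; }
  // Returns true when |callback| ran synchronously, false when it was queued.
  bool StopWorker(std::function<void()> callback) {
    switch (running_status()) {
      case Status::kStarting:
      case Status::kRunning:
        worker_->Stop();  // may reset worker_ re-entrantly, so re-check via running_status()
        if (running_status() == Status::kStopped) { callback(); return true; }
        stop_callbacks_.push_back(std::move(callback));
        return false;
      case Status::kStopping:
        stop_callbacks_.push_back(std::move(callback)); return false;
      case Status::kStopped:
        callback(); return true;
    }
    return false;
  }
 private:
  std::unique_ptr<Worker> worker_;
  std::vector<std::function<void()>> stop_callbacks_;
};
```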

Comment 2 by shimazu@google.com, Nov 10 2017

Cc: nhiroki@chromium.org
Status: Available (was: Untriaged)
(bug triaging) Could you triage this?
Comment 3 by sheriffbot@chromium.org (Project Member), Nov 12

Labels: Hotlist-Recharge-Cold
Status: Untriaged (was: Available)
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.

Sorry for the inconvenience if the bug really should have been left as Available.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: WontFix (was: Untriaged)
(bug triage)

Closing for now. We'll file another issue when this happens again.
