WebPlatformForEmbedded / WPEWebKit

WPE WebKit port (downstream)

[wpe-2.28] [wpe-2.38] crash in remote web inspector when connection closed during data transfer #1220

Closed Scony closed 9 months ago

Scony commented 10 months ago

Steps to reproduce:

  1. Run a WPE-WebKit-based browser with the remote web inspector (RWI) enabled
  2. Navigate to URL: https://scony.github.io/stb-lab/console-spam/index.html
  3. Connect to RWI and make sure console logs are spamming to the console
  4. Close the RWI connection (I'm basically closing the tab of the Chrome browser where I connect to RWI from)
  5. If no WPEWebKit-based browser crash is seen, go to step 3

Stack trace from the UI Process on an ARM-based device (WPE WebKit from some fairly recent version of the wpe-2.38 branch):

Program terminated with signal SIGSEGV, Segmentation fault.
#0  WTF::Vector<char, 0u, WTF::CrashOnOverflow, 16u, WTF::FastMalloc>::capacity () at ../git/Source/WTF/wtf/Vector.h:767
767 ../git/Source/WTF/wtf/Vector.h: No such file or directory.
[Current thread is 1 (Thread 0xa87ff3c0 (LWP 26))]
#0  WTF::Vector<char, 0u, WTF::CrashOnOverflow, 16u, WTF::FastMalloc>::capacity () at ../git/Source/WTF/wtf/Vector.h:767
#1  WTF::Vector<char, 0u, WTF::CrashOnOverflow, 16u, WTF::FastMalloc>::grow () at ../git/Source/WTF/wtf/Vector.h:1226
#2  WTF::SocketConnection::sendMessage () at ../git/Source/WTF/wtf/glib/SocketConnection.cpp:194
#3  0xac980fc2 in operator() () at ../git/Source/JavaScriptCore/inspector/remote/glib/RemoteInspectorServer.cpp:147
#4  _FUN () at ../git/Source/JavaScriptCore/inspector/remote/glib/RemoteInspectorServer.cpp:148
#5  0xacd90bf0 in WTF::SocketConnection::readMessage () at ../git/Source/WTF/wtf/glib/SocketConnection.cpp:161
#6  0xacd90df2 in WTF::SocketConnection::read () at ../git/Source/WTF/wtf/glib/SocketConnection.cpp:91
#7  0xacd90e9e in operator() () at ../git/Source/WTF/wtf/glib/SocketConnection.cpp:56
#8  call () at ../git/Source/WTF/wtf/Function.h:53
#9  0xabe18f82 in socket_source_dispatch (source=0xa7e16280, callback=0xacd8f905 <WTF::GSocketMonitor::socketSourceCallback(_GSocket*, GIOCondition, WTF::GSocketMonitor*)>, user_data=0xa6af875c) at ../glib-2.72.3/gio/gsocket.c:4030
#10 0xabcc2034 in g_main_dispatch (context=0xa7e013d8) at ../glib-2.72.3/glib/gmain.c:3417
#11 g_main_context_dispatch (context=context@entry=0xa7e013d8) at ../glib-2.72.3/glib/gmain.c:4135
#12 0xabcc219e in g_main_context_iterate (context=0xa7e013d8, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib-2.72.3/glib/gmain.c:4211
#13 0xabcc24c6 in g_main_loop_run (loop=0xa7e01eb0) at ../glib-2.72.3/glib/gmain.c:4411
#14 0xae6faaa6 in WpeWebKitThread::run() () from rootfs/runtime/wpewebkit/libSkyWebKitBackend-1.1.so
#15 0xb356d008 in QThreadPrivate::start (arg=0x7d7f9458) at /usr/src/debug/qtbase/5.12.3+gitAUTOINC+b527725766-r0/git/src/corelib/thread/qthread_unix.cpp:361
#16 0xb33c879e in start_thread (arg=0x74e58070) at pthread_create.c:477
#17 0xb31e01ac in ?? () at ../sysdeps/unix/sysv/linux/arm/clone.S:73 from rootfs/lib/libc.so.6

As seen above, the crash is most likely some kind of lack of synchronization between data transfer and connection closure.

Please note that the above issue can be reproduced on x86_64 builds; however, in such a case one has to work around the https://github.com/WebPlatformForEmbedded/WPEWebKit/issues/1219 issue locally.

Btw, this issue occurs on the wpe-2.28 branch as well.

pgorszkowski-igalia commented 9 months ago

The problem can also be reproduced upstream, so I created a bug report there as well: https://bugs.webkit.org/show_bug.cgi?id=265304

pgorszkowski-igalia commented 9 months ago

@Scony: I upstreamed (https://github.com/WebKit/WebKit/pull/20868) your fix with a small modification from https://github.com/WebPlatformForEmbedded/WPEWebKit/pull/1225. It is also merged in 2.38 and 2.42: https://github.com/WebPlatformForEmbedded/WPEWebKit/pull/1241 https://github.com/WebPlatformForEmbedded/WPEWebKit/pull/1242

I am closing it; if it does not work for you, please reopen the ticket, thanks.

Scony commented 9 months ago

@pgorszkowski-igalia sounds good, thank you!