<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE bugzilla SYSTEM "https://bugs.webkit.org/page.cgi?id=bugzilla.dtd">

<bugzilla version="5.0.4.1"
          urlbase="https://bugs.webkit.org/"
          
          maintainer="admin@webkit.org"
>

    <bug>
          <bug_id>185475</bug_id>
          
          <creation_ts>2018-05-09 09:13:47 -0700</creation_ts>
          <short_desc>REGRESSION (r231479): com.apple.WebCore crash in WebCore::DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied()</short_desc>
          <delta_ts>2018-05-09 11:46:54 -0700</delta_ts>
          <reporter_accessible>1</reporter_accessible>
          <cclist_accessible>1</cclist_accessible>
          <classification_id>1</classification_id>
          <classification>Unclassified</classification>
          <product>WebKit</product>
          <component>New Bugs</component>
          <version>Other</version>
          <rep_platform>Unspecified</rep_platform>
          <op_sys>Unspecified</op_sys>
          <bug_status>RESOLVED</bug_status>
          <resolution>FIXED</resolution>
          
          
          <bug_file_loc></bug_file_loc>
          <status_whiteboard></status_whiteboard>
          <keywords>InRadar, Regression</keywords>
          <priority>P2</priority>
          <bug_severity>Normal</bug_severity>
          <target_milestone>---</target_milestone>
          <dependson>185410</dependson>
          
          <everconfirmed>1</everconfirmed>
          <reporter name="Ryan Haddad">ryanhaddad</reporter>
          <assigned_to name="Daniel Bates">dbates</assigned_to>
          <cc>aestes</cc>
    
    <cc>cdumez</cc>
    
    <cc>dbates</cc>
    
    <cc>ews-watchlist</cc>
    
    <cc>japhet</cc>
    
    <cc>mkwst</cc>
    
    <cc>webkit-bug-importer</cc>
          

      

      

      

          <comment_sort_order>oldest_to_newest</comment_sort_order>  
          <long_desc isprivate="0" >
    <commentid>1422286</commentid>
    <comment_count>0</comment_count>
    <who name="Ryan Haddad">ryanhaddad</who>
    <bug_when>2018-05-09 09:13:47 -0700</bug_when>
    <thetext>Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x00000000000000a4
Exception Note:        EXC_CORPSE_NOTIFY

Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   exc handler [0]

VM Regions Near 0xa4:
--&gt; 
    __TEXT                 000000010112b000-000000010112d000 [    8K] r-x/rwx SM=COW  /Volumes/VOLUME/*/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development

Application Specific Information:
CRASHING TEST: /security/XFrameOptions/x-frame-options-deny-delete-frame-in-load-event.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x0000000103371156 WebCore::DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied(unsigned long, WebCore::ResourceResponse const&amp;) + 198 (DocumentLoader.cpp:736)
1   com.apple.WebKit              	0x000000010146fa78 WebKit::WebResourceLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied() + 262 (WebResourceLoader.cpp:188)
2   com.apple.WebKit              	0x000000010121f4cb WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&amp;, IPC::Decoder&amp;) + 681 (NetworkProcessConnection.cpp:112)
3   com.apple.WebKit              	0x0000000101181fd7 IPC::Connection::dispatchMessage(std::__1::unique_ptr&lt;IPC::Decoder, std::__1::default_delete&lt;IPC::Decoder&gt; &gt;) + 119 (Connection.cpp:935)
4   com.apple.WebKit              	0x0000000101184b3e IPC::Connection::dispatchOneMessage() + 176 (Connection.cpp:964)
5   com.apple.JavaScriptCore      	0x0000000106acc94f WTF::RunLoop::performWork() + 447 (RunLoop.cpp:123)
6   com.apple.JavaScriptCore      	0x0000000106accb02 WTF::RunLoop::performWork(void*) + 34 (RunLoopCF.cpp:39)
7   com.apple.CoreFoundation      	0x00007fffac7013e1 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
8   com.apple.CoreFoundation      	0x00007fffac6e265c __CFRunLoopDoSources0 + 556
9   com.apple.CoreFoundation      	0x00007fffac6e1b46 __CFRunLoopRun + 934
10  com.apple.CoreFoundation      	0x00007fffac6e1544 CFRunLoopRunSpecific + 420
11  com.apple.HIToolbox           	0x00007fffabc40ebc RunCurrentEventLoopInMode + 240
12  com.apple.HIToolbox           	0x00007fffabc40cf1 ReceiveNextEventCommon + 432
13  com.apple.HIToolbox           	0x00007fffabc40b26 _BlockUntilNextEventMatchingListInModeWithFilter + 71
14  com.apple.AppKit              	0x00007fffaa1d7a54 _DPSNextEvent + 1120
15  com.apple.AppKit              	0x00007fffaa9537ee -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 2796
16  com.apple.AppKit              	0x00007fffaa1cc3db -[NSApplication run] + 926
17  com.apple.AppKit              	0x00007fffaa196e0e NSApplicationMain + 1237
18  libxpc.dylib                  	0x00007fffc25048c7 _xpc_objc_main + 775
19  libxpc.dylib                  	0x00007fffc25032e4 xpc_main + 494
20  com.apple.WebKit.WebContent   	0x000000010112c69a main + 490 (XPCServiceMain.mm:126)
21  libdyld.dylib                 	0x00007fffc22ab235 start + 1

https://build.webkit.org/results/Apple%20Sierra%20Release%20WK2%20(Tests)/r231480%20(9246)/results.html</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1422287</commentid>
    <comment_count>1</comment_count>
    <who name="Ryan Haddad">ryanhaddad</who>
    <bug_when>2018-05-09 09:14:34 -0700</bug_when>
    <thetext>This is a flaky crash seen on the bots. The test results attribute it to http/tests/security/XFrameOptions/x-frame-options-deny-multiple-clients.html, but the crash log itself names http/tests/security/XFrameOptions/x-frame-options-deny-delete-frame-in-load-event.html as the crashing test.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1422289</commentid>
    <comment_count>2</comment_count>
    <who name="Ryan Haddad">ryanhaddad</who>
    <bug_when>2018-05-09 09:15:52 -0700</bug_when>
    <thetext>I think this is related to https://trac.webkit.org/changeset/231479/webkit</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1422290</commentid>
    <comment_count>3</comment_count>
    <who name="Radar WebKit Bug Importer">webkit-bug-importer</who>
    <bug_when>2018-05-09 09:16:18 -0700</bug_when>
    <thetext>&lt;rdar://problem/40093853&gt;</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1422291</commentid>
    <comment_count>4</comment_count>
    <who name="Ryan Haddad">ryanhaddad</who>
    <bug_when>2018-05-09 09:18:00 -0700</bug_when>
    <thetext>This is seen on High Sierra and Sierra Release WK2 bots</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1422365</commentid>
    <comment_count>5</comment_count>
    <who name="Daniel Bates">dbates</who>
    <bug_when>2018-05-09 11:18:38 -0700</bug_when>
    <thetext>This regression is specific to WebKit2 and the new code path that we now use to check X-Frame-Options in NetworkProcess following r231479 (*).

The issue is that DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied() may cause its own destruction as a side effect of dispatching a DOM load event at the &lt;iframe&gt;: JavaScript can do anything in the onload handler, including removing the &lt;iframe&gt;, and when a frame is removed we stop its document loader and destroy it among other cleanup operations (**). In other words, web content can trigger deletion of the DocumentLoader (this) while the function is still executing, so any access to member state after the event dispatch is a use-after-free. Prior to r231479 stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied() was a private function called only by DocumentLoader::responseReceived(), and DocumentLoader::responseReceived() refs itself almost from the start, which keeps the DocumentLoader alive even if stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied() causes the associated frame to be removed. Following r231479 stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied() is public and can also be invoked by WebResourceLoader, which does not ref the DocumentLoader before calling it. So, when reached through that path, stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied() can cause the document loader to destroy itself (by (**)) before reaching the end of the function. One way to fix this is to have stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied() ref itself at the start, so that the lifetime guarantee no longer depends on which caller reaches it.

(*) This new code path is used only when both the experimental feature &quot;Restricted HTTP Response Access&quot; (RuntimeEnabledFeatures::sharedFeatures().restrictedHTTPResponseAccess()) and Setting::networkProcessCSPFrameAncestorsCheckingEnabled() are enabled. Both are enabled when running tests in WebKitTestRunner, which is why the bots hit this crash.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1422372</commentid>
    <comment_count>6</comment_count>
      <attachid>339994</attachid>
    <who name="Daniel Bates">dbates</who>
    <bug_when>2018-05-09 11:33:32 -0700</bug_when>
    <thetext>Created attachment 339994
Patch</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1422376</commentid>
    <comment_count>7</comment_count>
    <who name="Daniel Bates">dbates</who>
    <bug_when>2018-05-09 11:42:18 -0700</bug_when>
    <thetext>Committed r231579: &lt;https://trac.webkit.org/changeset/231579&gt;</thetext>
  </long_desc>
      
          <attachment
              isobsolete="0"
              ispatch="1"
              isprivate="0"
          >
            <attachid>339994</attachid>
            <date>2018-05-09 11:33:32 -0700</date>
            <delta_ts>2018-05-09 11:35:44 -0700</delta_ts>
            <desc>Patch</desc>
            <filename>bug-185475-20180509113332.patch</filename>
            <type>text/plain</type>
            <size>3081</size>
            <attacher name="Daniel Bates">dbates</attacher>
            
              <data encoding="base64">U3VidmVyc2lvbiBSZXZpc2lvbjogMjMxNDAzCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D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</data>
<flag name="review"
          id="358227"
          type_id="1"
          status="+"
          setter="aestes"
    />
          </attachment>
      

    </bug>

</bugzilla>