83311 2012-04-05 13:58:04 -0700 Crashes in WebProcess at WebCore::HistoryController::recursiveSetProvisionalItem when restoring previous session 2012-04-05 14:20:57 -0700 1 1 1 Unclassified WebKit Page Loading 528+ (Nightly build) All All RESOLVED FIXED InRadar P2 Normal --- 1 beidson beidson japhet webkit.review.bot oldest_to_newest 596890 0 beidson 2012-04-05 13:58:04 -0700 Crashes in WebProcess at WebCore::HistoryController::recursiveSetProvisionalItem In WebKit2 we can have a WebProcess that is in the middle of restoring a session while the UIProcess closes the associated WKPage. As a result, when HistoryController::goToItem asks the back/forward controller for the current item, which then messages up to the UIProcess for that item, no item can be found. We then do some work that accesses the current item without null checking it first, leading to this crash. We have a couple of ASSERTS attesting to our expectation the current item is not null. Here's the backtrace of the ASSERT, which is pretty close to the backtrace of the crash itself: Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x0000000108de26bc WebCore::HistoryController::recursiveSetProvisionalItem(WebCore::HistoryItem*, WebCore::HistoryItem*, WebCore::FrameLoadType) + 172 (HistoryController.cpp:688) 1 com.apple.WebCore 0x0000000108de2582 WebCore::HistoryController::goToItem(WebCore::HistoryItem*, WebCore::FrameLoadType) + 450 (HistoryController.cpp:272) 2 com.apple.WebCore 0x00000001096c4419 WebCore::Page::goToItem(WebCore::HistoryItem*, WebCore::FrameLoadType) + 201 (Page.cpp:342) 3 com.apple.WebKit2 0x0000000106e1aad7 WebKit::WebPage::goToBackForwardItem(unsigned long long) + 183 (WebPage.cpp:771) 4 com.apple.WebKit2 0x0000000106e1c91e WebKit::WebPage::restoreSessionAndNavigateToCurrentItem(WebKit::SessionState const&) + 78 (WebPage.cpp:1447) 5 com.apple.WebKit2 0x0000000106e4ed77 void CoreIPC::callMemberFunction<WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::SessionState const&), WebKit::SessionState>(CoreIPC::Arguments1<WebKit::SessionState> const&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::SessionState const&)) + 135 (HandleMessage.h:20) 6 com.apple.WebKit2 0x0000000106e46b26 void CoreIPC::handleMessage<Messages::WebPage::RestoreSessionAndNavigateToCurrentItem, WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::SessionState const&)>(CoreIPC::ArgumentDecoder*, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::SessionState const&)) + 118 (HandleMessage.h:303) 7 com.apple.WebKit2 0x0000000106e440a6 WebKit::WebPage::didReceiveWebPageMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::ArgumentDecoder*) + 1750 (WebPageMessageReceiver.cpp:182) 8 com.apple.WebKit2 0x0000000106e1f97d WebKit::WebPage::didReceiveMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::ArgumentDecoder*) + 301 (WebPage.cpp:2507) 9 com.apple.WebKit2 0x0000000106ecdc8b WebKit::WebProcess::didReceiveMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::ArgumentDecoder*) + 923 (WebProcess.cpp:669) 10 com.apple.WebKit2 0x0000000106d79b8e WebKit::WebConnectionToUIProcess::didReceiveMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::ArgumentDecoder*) + 350 (WebConnectionToUIProcess.cpp:88) In radar as <rdar://problem/9359029> 596898 1 135901 beidson 2012-04-05 14:06:31 -0700 Created attachment 135901 Patch v1 596907 2 beidson 2012-04-05 14:20:57 -0700 http://trac.webkit.org/changeset/113379 135901 2012-04-05 14:06:31 -0700 2012-04-05 14:07:40 -0700 Patch v1 patch.txt text/plain 3027 beidson ZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZyBiL1NvdXJjZS9XZWJDb3JlL0No YW5nZUxvZwppbmRleCA2Y2U2MWY5Li45ZWI0OTBjIDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29y ZS9DaGFuZ2VMb2cKKysrIGIvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMjQg QEAKKzIwMTItMDQtMDUgIEJyYWR5IEVpZHNvbiAgPGJlaWRzb25AYXBwbGUuY29tPgorCisgICAg ICAgIDxyZGFyOi8vcHJvYmxlbS85MzU5MDI5PiBhbmQgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcv c2hvd19idWcuY2dpP2lkPTgzMzExCisgICAgICAgIENyYXNoZXMgaW4gV2ViUHJvY2VzcyBhdCBX ZWJDb3JlOjpIaXN0b3J5Q29udHJvbGxlcjo6cmVjdXJzaXZlU2V0UHJvdmlzaW9uYWxJdGVtIHdo ZW4gcmVzdG9yaW5nIHByZXZpb3VzIHNlc3Npb24KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JP RFkgKE9PUFMhKS4KKworICAgICAgICBJdCdzIHBvc3NpYmxlIHRvIGhpdCBhIHJhY2UgY29uZGl0 aW9uIGJldHdlZW4gdGhlIFVJUHJvY2VzcyBhbmQgdGhlIFdlYlByb2Nlc3Mgd2hlcmUgdGhlIFVJ UHJvY2VzcyByZWNvcmRzIGZvciBhIAorICAgICAgICBwYWdlIGhhdmUgYmVlbiBjbGVhcmVkIG91 dCBidXQgdGhlIFdlYlByb2Nlc3MgaXMgc3RpbGwgdHJ5aW5nIHRvIHBlcmZvcm0gYSBoaXN0b3J5 IG5hdmlnYXRpb24gd2l0aGluIHRoYXQgcGFnZS4KKyAgICAgICAgCisgICAgICAgIEluIHRoaXMg c2l0dWF0aW9uIEhpc3RvcnlDb250cm9sbGVyIGNvZGUgdGhhdCBleHBlY3RzIHRoZXJlIHRvIGFs d2F5cyBiZSBhIGN1cnJlbnQgaGlzdG9yeSBpdGVtIGluIHRoZSBiYWNrL2ZvcndhcmQKKyAgICAg ICAgY29udHJvbGxlciBpcyB3cm9uZy4KKworICAgICAgICBObyBuZXcgdGVzdHMuIChUaGUgcmFj ZSBjb25kaXRpb25zIGludm9sdmVkIGhhdmUgcHJvdmVuIG1ha2luZyBhIHRlc3QgaW1wcmFjdGlj YWwpCisKKyAgICAgICAgKiBsb2FkZXIvSGlzdG9yeUNvbnRyb2xsZXIuY3BwOgorICAgICAgICAo V2ViQ29yZTo6SGlzdG9yeUNvbnRyb2xsZXI6OnJlY3Vyc2l2ZVNldFByb3Zpc2lvbmFsSXRlbSk6 IERvbid0IEFTU0VSVCB0aGUgZnJvbUl0ZW0uIFdlIG5vdyBrbm93IHRoZXJlIG1pZ2h0IG5vdCBi ZSBvbmUuCisgICAgICAgIChXZWJDb3JlOjpIaXN0b3J5Q29udHJvbGxlcjo6cmVjdXJzaXZlR29U b0l0ZW0pOiBEaXR0bworICAgICAgICAoV2ViQ29yZTo6SGlzdG9yeUNvbnRyb2xsZXI6Oml0ZW1z QXJlQ2xvbmVzKTogQWx3YXlzIHJldHVybiBmYWxzZSBpZiBlaXRoZXIgaXRlbSBpcyBudWxsLCBh cyBhIG51bGwgaXRlbSBhbmQgYSBub24tbnVsbAorICAgICAgICAgIGl0ZW0gY2Fubm90IHBvc3Np YmxlIGJlIGNsb25lcyBvZiBlYWNoIG90aGVyLgorCiAyMDEyLTA0LTA1ICBTaGVyaWZmIEJvdCAg PHdlYmtpdC5yZXZpZXcuYm90QGdtYWlsLmNvbT4KIAogICAgICAgICBVbnJldmlld2VkLCByb2xs aW5nIG91dCByMTEzMjU0LgpkaWZmIC0tZ2l0IGEvU291cmNlL1dlYkNvcmUvbG9hZGVyL0hpc3Rv cnlDb250cm9sbGVyLmNwcCBiL1NvdXJjZS9XZWJDb3JlL2xvYWRlci9IaXN0b3J5Q29udHJvbGxl ci5jcHAKaW5kZXggZTQ0YmExZS4uZWM0NzhhNyAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUv bG9hZGVyL0hpc3RvcnlDb250cm9sbGVyLmNwcAorKysgYi9Tb3VyY2UvV2ViQ29yZS9sb2FkZXIv SGlzdG9yeUNvbnRyb2xsZXIuY3BwCkBAIC02ODUsNyArNjg1LDYgQEAgUGFzc1JlZlB0cjxIaXN0 b3J5SXRlbT4gSGlzdG9yeUNvbnRyb2xsZXI6OmNyZWF0ZUl0ZW1UcmVlKEZyYW1lKiB0YXJnZXRG cmFtZSwgYm8KIHZvaWQgSGlzdG9yeUNvbnRyb2xsZXI6OnJlY3Vyc2l2ZVNldFByb3Zpc2lvbmFs SXRlbShIaXN0b3J5SXRlbSogaXRlbSwgSGlzdG9yeUl0ZW0qIGZyb21JdGVtLCBGcmFtZUxvYWRU eXBlIHR5cGUpCiB7CiAgICAgQVNTRVJUKGl0ZW0pOwotICAgIEFTU0VSVChmcm9tSXRlbSk7CiAK ICAgICBpZiAoaXRlbXNBcmVDbG9uZXMoaXRlbSwgZnJvbUl0ZW0pKSB7CiAgICAgICAgIC8vIFNl dCBwcm92aXNpb25hbCBpdGVtLCB3aGljaCB3aWxsIGJlIGNvbW1pdHRlZCBpbiByZWN1cnNpdmVV cGRhdGVGb3JDb21taXQuCkBAIC03MTEsNyArNzEwLDYgQEAgdm9pZCBIaXN0b3J5Q29udHJvbGxl cjo6cmVjdXJzaXZlU2V0UHJvdmlzaW9uYWxJdGVtKEhpc3RvcnlJdGVtKiBpdGVtLCBIaXN0b3J5 SXQKIHZvaWQgSGlzdG9yeUNvbnRyb2xsZXI6OnJlY3Vyc2l2ZUdvVG9JdGVtKEhpc3RvcnlJdGVt KiBpdGVtLCBIaXN0b3J5SXRlbSogZnJvbUl0ZW0sIEZyYW1lTG9hZFR5cGUgdHlwZSkKIHsKICAg ICBBU1NFUlQoaXRlbSk7Ci0gICAgQVNTRVJUKGZyb21JdGVtKTsKIAogICAgIGlmIChpdGVtc0Fy ZUNsb25lcyhpdGVtLCBmcm9tSXRlbSkpIHsKICAgICAgICAgLy8gSnVzdCBpdGVyYXRlIG92ZXIg dGhlIHJlc3QsIGxvb2tpbmcgZm9yIGZyYW1lcyB0byBuYXZpZ2F0ZS4KQEAgLTc0MCw3ICs3Mzgs OSBAQCBib29sIEhpc3RvcnlDb250cm9sbGVyOjppdGVtc0FyZUNsb25lcyhIaXN0b3J5SXRlbSog aXRlbTEsIEhpc3RvcnlJdGVtKiBpdGVtMikgYwogICAgIC8vIGEgcmVsb2FkLiAgVGh1cywgaWYg aXRlbTEgYW5kIGl0ZW0yIGFyZSB0aGUgc2FtZSwgd2UgbmVlZCB0byBjcmVhdGUgYQogICAgIC8v IG5ldyBkb2N1bWVudCBhbmQgc2hvdWxkIG5vdCBjb25zaWRlciB0aGVtIGNsb25lcy4KICAgICAv LyAoU2VlIGh0dHA6Ly93ZWJraXQub3JnL2IvMzU1MzIgZm9yIGRldGFpbHMuKQotICAgIHJldHVy biBpdGVtMSAhPSBpdGVtMgorICAgIHJldHVybiBpdGVtMQorICAgICAgICAmJiBpdGVtMgorICAg ICAgICAmJiBpdGVtMSAhPSBpdGVtMgogICAgICAgICAmJiBpdGVtMS0+aXRlbVNlcXVlbmNlTnVt YmVyKCkgPT0gaXRlbTItPml0ZW1TZXF1ZW5jZU51bWJlcigpCiAgICAgICAgICYmIGN1cnJlbnRG cmFtZXNNYXRjaEl0ZW0oaXRlbTEpCiAgICAgICAgICYmIGl0ZW0yLT5oYXNTYW1lRnJhbWVzKGl0 ZW0xKTsK