Summary: | Crash in HistoryController::updateForCommit dereferencing a null HistoryItem | ||||||
---|---|---|---|---|---|---|---|
Product: | WebKit | Reporter: | Brady Eidson <beidson> | ||||
Component: | Page Loading | Assignee: | Brady Eidson <beidson> | ||||
Status: | RESOLVED FIXED | ||||||
Severity: | Normal | CC: | cdumez, commit-queue, japhet | ||||
Priority: | P2 | Keywords: | InRadar | ||||
Version: | 528+ (Nightly build) | ||||||
Hardware: | All | ||||||
OS: | All | ||||||
Attachments: |
|
Description
Brady Eidson
2015-07-10 11:06:40 PDT
Created attachment 256593 [details]
Patch v1
Comment on attachment 256593 [details] Patch v1 View in context: https://bugs.webkit.org/attachment.cgi?id=256593&action=review > Source/WebCore/loader/FrameLoader.cpp:3184 > + history().setCurrentItem(&item); Here it cannot be null. > Source/WebCore/loader/HistoryController.cpp:474 > + setCurrentItem(m_provisionalItem.get()); Here, we would hit the assert on the previous line if it were null. > Source/WebCore/loader/HistoryController.cpp:515 > + setCurrentItem(m_provisionalItem.get()); Here, we already made sure it isn't null at the beginning of the method. > Source/WebCore/loader/HistoryController.cpp:564 > + setCurrentItem(m_provisionalItem.get()); Here, we already made sure it isn't null at the beginning of the method. > Source/WebCore/loader/HistoryController.cpp:667 > + setCurrentItem(item.ptr()); Here it cannot be null. (In reply to comment #2) > Comment on attachment 256593 [details] > Patch v1 > > View in context: > https://bugs.webkit.org/attachment.cgi?id=256593&action=review > > > Source/WebCore/loader/FrameLoader.cpp:3184 > > + history().setCurrentItem(&item); > > Here it cannot be null. I know. > > Source/WebCore/loader/HistoryController.cpp:515 > > + setCurrentItem(m_provisionalItem.get()); > > Here, we already made sure it isn't null at the beginning of the method. I know. > > Source/WebCore/loader/HistoryController.cpp:564 > > + setCurrentItem(m_provisionalItem.get()); > > Here, we already made sure it isn't null at the beginning of the method. I know. > > Source/WebCore/loader/HistoryController.cpp:667 > > + setCurrentItem(item.ptr()); > > Here it cannot be null. I know. > > Source/WebCore/loader/HistoryController.cpp:474 > > + setCurrentItem(m_provisionalItem.get()); > > Here, we would hit the assert on the previous line if it were null. Yes, which is exactly what I described in the problem Description. But in release builds there is no ASSERT and we dereference null. This is not theoretical - It's definitely happening in release builds a non-trivial amount. Comment on attachment 256593 [details] Patch v1 View in context: https://bugs.webkit.org/attachment.cgi?id=256593&action=review r=me to get rid of the crash short-term but it may be papering over a real bug :/ >>> Source/WebCore/loader/HistoryController.cpp:474 >>> + setCurrentItem(m_provisionalItem.get()); >> >> Here, we would hit the assert on the previous line if it were null. > > Yes, which is exactly what I described in the problem Description. But in release builds there is no ASSERT and we dereference null. > > This is not theoretical - It's definitely happening in release builds a non-trivial amount. Then, I think we should add a FIXME comment indicating that our assertion above doesn't always hold true and that it should be investigated why. (In reply to comment #4) > Comment on attachment 256593 [details] > Patch v1 > > View in context: > https://bugs.webkit.org/attachment.cgi?id=256593&action=review > > r=me to get rid of the crash short-term but it may be papering over a real > bug :/ There's definitely a real bug, and it's existed since at least 2009 without revealing itself. (That's when the assert was added) > >>> Source/WebCore/loader/HistoryController.cpp:474 > >>> + setCurrentItem(m_provisionalItem.get()); > >> > >> Here, we would hit the assert on the previous line if it were null. > > > > Yes, which is exactly what I described in the problem Description. But in release builds there is no ASSERT and we dereference null. > > > > This is not theoretical - It's definitely happening in release builds a non-trivial amount. > > Then, I think we should add a FIXME comment indicating that our assertion > above doesn't always hold true and that it should be investigated why. K. |