Summary: | Crash in WebCore::DocumentLoader::stopLoadingForPolicyChange | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Product: | WebKit | Reporter: | Brady Eidson <beidson> | ||||||||
Component: | Page Loading | Assignee: | Brady Eidson <beidson> | ||||||||
Status: | RESOLVED FIXED | ||||||||||
Severity: | Normal | CC: | aestes, cdumez, commit-queue, ddkilzer, japhet | ||||||||
Priority: | P2 | ||||||||||
Version: | 528+ (Nightly build) | ||||||||||
Hardware: | All | ||||||||||
OS: | All | ||||||||||
Attachments: |
|
Description
Brady Eidson
2015-07-29 13:53:23 PDT
Created attachment 257765 [details]
Patch v1 - Speculative fix.
Comment on attachment 257765 [details] Patch v1 - Speculative fix. View in context: https://bugs.webkit.org/attachment.cgi?id=257765&action=review Good safety net, and seems safe besides my comment > Source/WebCore/loader/DocumentLoader.cpp:954 > + cancelPolicyCheckIfNeeded(); Based on the comment and the null check below, I am slightly worried we introduce crashes due to dereferencing frameLoader() without check in this method. How about we null check frameLoader() in cancelPolicyCheckIfNeeded() and reset m_waitingForContentPolicy to false no matter what? Comment on attachment 257765 [details] Patch v1 - Speculative fix. View in context: https://bugs.webkit.org/attachment.cgi?id=257765&action=review > Source/WebCore/loader/DocumentLoader.cpp:956 > // Even though we ASSERT at the top of this method that we have an m_frame, we're seeing crashes where m_frame is null. I was referring to this comment and the m_frame null check right after. (In reply to comment #2) > Comment on attachment 257765 [details] > Patch v1 - Speculative fix. > > View in context: > https://bugs.webkit.org/attachment.cgi?id=257765&action=review > > Good safety net, and seems safe besides my comment > > > Source/WebCore/loader/DocumentLoader.cpp:954 > > + cancelPolicyCheckIfNeeded(); > > Based on the comment and the null check below, I am slightly worried we > introduce crashes due to dereferencing frameLoader() without check in this > method. How about we null check frameLoader() in cancelPolicyCheckIfNeeded() > and reset m_waitingForContentPolicy to false no matter what? I think that's reasonable. I actually also hope to make the ASSERT(frameLoader()) be a RELEASE_ASSERT in a separate patch so that's the status quo for trunk. We need to figure this out. :) (In reply to comment #3) > Comment on attachment 257765 [details] > Patch v1 - Speculative fix. > > View in context: > https://bugs.webkit.org/attachment.cgi?id=257765&action=review > > > Source/WebCore/loader/DocumentLoader.cpp:956 > > // Even though we ASSERT at the top of this method that we have an m_frame, we're seeing crashes where m_frame is null. > > I was referring to this comment and the m_frame null check right after. Hell, you should've been referring to the remaining comment that has an if (m_frame) check. We'd already known this was happening. Created attachment 257766 [details]
Patch v2
Comment on attachment 257766 [details]
Patch v2
r=me
Created attachment 257770 [details]
RELEASE_ASSERT followup
Comment on attachment 257770 [details] RELEASE_ASSERT followup View in context: https://bugs.webkit.org/attachment.cgi?id=257770&action=review r=me > Source/WebCore/loader/DocumentLoader.cpp:1479 > m_waitingForContentPolicy = false; nit: Now, I'd move this back inside the if scope. (In reply to comment #9) > Comment on attachment 257770 [details] > RELEASE_ASSERT followup > > View in context: > https://bugs.webkit.org/attachment.cgi?id=257770&action=review > > r=me > > > Source/WebCore/loader/DocumentLoader.cpp:1479 > > m_waitingForContentPolicy = false; > > nit: Now, I'd move this back inside the if scope. Whoops. https://trac.webkit.org/changeset/187559 |