Bug 170114

Summary: Crash in WebCore::DocumentLoader::popArchiveForSubframe
Product: WebKit Reporter: buch0 <buchob7>
Component: FramesAssignee: Nobody <webkit-unassigned>
Status: NEW    
Severity: Normal CC: buchob7, ddkilzer, eric.carlson, webkit-bug-importer, youennf
Priority: P2 Keywords: InRadar
Version: WebKit Local Build   
Hardware: Unspecified   
OS: Unspecified   

buch0
Reported 2017-03-27 03:29:05 PDT
CODE: [main.html] <!DOCTYPE html> <html> <head> <title></title> <script> function boom() { document.getElementById("form").reset(); setInterval(function () { document.write(document.body.innerHTML); }, ( Math.random() * ( ( 40 + 1 ) - 0 ) ) + 0); } window.addEventListener("DOMContentLoaded",boom); </script> </head> <body> <form id="form"> <form> <iframe id="ifr1" src="data:text/html;base64,PGh0bWw+DQo8aGVhZD4NCgk8c2NyaXB0Pg0KDQoJCWZ1bmN0aW9uIERvKCkNCgkJew0KCQkJZG9jdW1lbnQud3JpdGUoImNyYXNoPyIpOw0KCQkJd2luZG93LnN0b3AoKTsNCgkJfQ0KDQoJPC9zY3JpcHQ+DQo8L2hlYWQ+DQo8Ym9keSBvbmxvYWQ9IkRvKCkiPg0KDQo8L2JvZHk+DQo8L2h0bWw+"></iframe> //child.html </form> </form> <script> setInterval(function () { document.write(document.body.innerHTML); }, ( Math.random() * ( ( 40 + 1 ) - 0 ) ) + 0); document.getElementById("form").submit(); </script> </body> </html> [child.html] <html> <head> <script> function Do() { document.write("crash?"); window.stop(); } </script> </head> <body onload="Do()"> </body> </html> Null Crash.(?) LLDB LOG: * thread #1: tid = 0x20a2b, 0x00007fff9d589a49 WebCore`WebCore::DocumentLoader::popArchiveForSubframe(WTF::String const&, WebCore::URL const&) + 9, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x9e0) frame #0: 0x00007fff9d589a49 WebCore`WebCore::DocumentLoader::popArchiveForSubframe(WTF::String const&, WebCore::URL const&) + 9 WebCore`WebCore::DocumentLoader::popArchiveForSubframe: -> 0x7fff9d589a49 <+9>: movq 0x9e0(%rsi), %rsi 0x7fff9d589a50 <+16>: testq %rsi, %rsi 0x7fff9d589a53 <+19>: je 0x7fff9d589a5f ; <+31> 0x7fff9d589a55 <+21>: movq %rbx, %rdi (lldb) reg re General Purpose Registers: rax = 0x00000001099ad0f0 rbx = 0x00007fff5a2071c0 rcx = 0x00007fff5a207600 rdx = 0x00000001098463d8 rdi = 0x00007fff5a2071c0 rsi = 0x0000000000000000 rbp = 0x00007fff5a207070 rsp = 0x00007fff5a207060 r8 = 0x000000010a1f58c0 r9 = 0x0000000000000000 r10 = 0x0000000000000001 r11 = 0x0000000000000073 r12 = 0x00000001099ad090 r13 = 0x00000001098463d8 r14 = 0x00007fff5a207598 r15 = 0x0000000109846380 rip = 0x00007fff9d589a49 WebCore`WebCore::DocumentLoader::popArchiveForSubframe(WTF::String const&, WebCore::URL const&) + 9 rflags = 0x0000000000010246 cs = 0x000000000000002b fs = 0x0000000000000000 gs = 0x0000000000000000 (lldb) bt * thread #1: tid = 0x20a2b, 0x00007fff9d589a49 WebCore`WebCore::DocumentLoader::popArchiveForSubframe(WTF::String const&, WebCore::URL const&) + 9, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x9e0) * frame #0: 0x00007fff9d589a49 WebCore`WebCore::DocumentLoader::popArchiveForSubframe(WTF::String const&, WebCore::URL const&) + 9 frame #1: 0x00007fff9d6ca65f WebCore`WebCore::FrameLoader::loadURLIntoChildFrame(WebCore::URL const&, WTF::String const&, WebCore::Frame*) + 95 frame #2: 0x00007fff9e6198a2 WebKit`WebKit::WebFrameLoaderClient::createFrame(WebCore::URL const&, WTF::String const&, WebCore::HTMLFrameOwnerElement*, WTF::String const&, bool, int, int) + 120 frame #3: 0x00007fff9dfa558e WebCore`WebCore::SubframeLoader::loadSubframe(WebCore::HTMLFrameOwnerElement&, WebCore::URL const&, WTF::String const&, WTF::String const&) + 302 frame #4: 0x00007fff9dfa4493 WebCore`WebCore::SubframeLoader::loadOrRedirectSubframe(WebCore::HTMLFrameOwnerElement&, WebCore::URL const&, WTF::AtomicString const&, WebCore::LockHistory, WebCore::LockBackForwardList) + 291 frame #5: 0x00007fff9dfa42d7 WebCore`WebCore::SubframeLoader::requestFrame(WebCore::HTMLFrameOwnerElement&, WTF::String const&, WTF::AtomicString const&, WebCore::LockHistory, WebCore::LockBackForwardList) + 951 frame #6: 0x00007fff9d757c6b WebCore`WebCore::HTMLFrameElementBase::openURL(WebCore::LockHistory, WebCore::LockBackForwardList) + 187 frame #7: 0x00007fff9d46d72c WebCore`WebCore::ContainerNode::notifyChildInserted(WebCore::Node&, WebCore::ContainerNode::ChildChangeSource) + 332 frame #8: 0x00007fff9d46c9a5 WebCore`WebCore::ContainerNode::parserAppendChild(WebCore::Node&) + 165 frame #9: 0x00007fff9d0fd14d WebCore`WebCore::HTMLConstructionSite::executeQueuedTasks() + 141 frame #10: 0x00007fff9d743db6 WebCore`WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) + 166 frame #11: 0x00007fff9d743bdc WebCore`WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) + 508 frame #12: 0x00007fff9d0fb293 WebCore`WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 115 frame #13: 0x00007fff9d1a47d2 WebCore`WebCore::HTMLDocumentParser::insert(WebCore::SegmentedString const&) + 146 frame #14: 0x00007fff9d21e9f2 WebCore`WebCore::Document::write(WebCore::SegmentedString const&, WebCore::Document*) + 146 frame #15: 0x00007fff9d9cc737 WebCore`WebCore::documentWrite(JSC::ExecState&, WebCore::JSHTMLDocument*, WebCore::NewlineRequirement) + 999 frame #16: 0x00007fff9d9cc344 WebCore`WebCore::JSHTMLDocument::write(JSC::ExecState&) + 20 frame #17: 0x00005a91e5c01028 frame #18: 0x00007fff98d96595 JavaScriptCore`llint_entry + 24967 frame #19: 0x00007fff98d9022b JavaScriptCore`vmEntryToJavaScript + 299 frame #20: 0x00007fff98c55e0e JavaScriptCore`JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 158 frame #21: 0x00007fff9858d5ec JavaScriptCore`JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 412 frame #22: 0x00007fff988a2e4f JavaScriptCore`JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 191 frame #23: 0x00007fff9de8903f WebCore`WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue, WebCore::ScriptExecutionContext&) + 575 frame #24: 0x00007fff9de88c66 WebCore`WebCore::ScheduledAction::execute(WebCore::Document&) + 134 frame #25: 0x00007fff9d1fc63c WebCore`WebCore::DOMTimer::fired() + 332 frame #26: 0x00007fff9d0db120 WebCore`WebCore::ThreadTimers::sharedTimerFiredInternal() + 176 frame #27: 0x00007fff9d0db05f WebCore`WebCore::timerFired(__CFRunLoopTimer*, void*) + 31 frame #28: 0x00007fff960e9244 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20 frame #29: 0x00007fff960e8ecf CoreFoundation`__CFRunLoopDoTimer + 1071 frame #30: 0x00007fff960e8a2a CoreFoundation`__CFRunLoopDoTimers + 298 frame #31: 0x00007fff960e03e1 CoreFoundation`__CFRunLoopRun + 2065 frame #32: 0x00007fff960df974 CoreFoundation`CFRunLoopRunSpecific + 420 frame #33: 0x00007fff9566ba5c HIToolbox`RunCurrentEventLoopInMode + 240 frame #34: 0x00007fff9566b891 HIToolbox`ReceiveNextEventCommon + 432 frame #35: 0x00007fff9566b6c6 HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 71 frame #36: 0x00007fff93c115b4 AppKit`_DPSNextEvent + 1120 frame #37: 0x00007fff9438bd6b AppKit`-[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 2789 frame #38: 0x00007fff93c05f35 AppKit`-[NSApplication run] + 926 frame #39: 0x00007fff93bd0850 AppKit`NSApplicationMain + 1237 frame #40: 0x00007fffab89b8c7 libxpc.dylib`_xpc_objc_main + 775 frame #41: 0x00007fffab89a2e4 libxpc.dylib`xpc_main + 494 frame #42: 0x00000001059f67a2 com.apple.WebKit.WebContent`___lldb_unnamed_symbol1$$com.apple.WebKit.WebContent + 380 frame #43: 0x00007fffab637255 libdyld.dylib`start + 1 (lldb)
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2017-03-27 08:19:23 PDT
<rdar://problem/31273463>
Alexey Proskuryakov
Comment 2 2017-03-27 13:27:19 PDT
Could you please clarify what the expected behavior is? This appears to create an unbounded number of iframes, which will certainly to fail one way or another.
buch0
Comment 3 2017-03-27 20:38:25 PDT
(In reply to Alexey Proskuryakov from comment #2) > Could you please clarify what the expected behavior is? This appears to > create an unbounded number of iframes, which will certainly to fail one way > or another. plz fix. i wanna remove bugs.
buch0
Comment 4 2017-03-27 21:15:23 PDT
(In reply to Alexey Proskuryakov from comment #2) > Could you please clarify what the expected behavior is? This appears to > create an unbounded number of iframes, which will certainly to fail one way > or another. should i report lead to rce bug? sorry man.
youenn fablet
Comment 5 2017-03-27 21:19:44 PDT
How do other browsers (Firefox, Chrome...) do with main.html? What is WebKit expected to do with main.html?
buch0
Comment 6 2017-03-27 23:31:51 PDT
(In reply to youenn fablet from comment #5) > How do other browsers (Firefox, Chrome...) do with main.html? > What is WebKit expected to do with main.html? crash only on webkit. child.html is source code of base64 code so just working on main.html alone. and i am japanese sorry for my bad english.
youenn fablet
Comment 7 2017-03-28 09:15:28 PDT
(In reply to buch0 from comment #6) > (In reply to youenn fablet from comment #5) > > How do other browsers (Firefox, Chrome...) do with main.html? > > What is WebKit expected to do with main.html? > > crash only on webkit. > > child.html is source code of base64 code > > so just working on main.html alone. > > and i am japanese sorry for my bad english. No problem! And thanks for taking the time to submit this report, this is very valuable.
Note You need to log in before you can comment on or make changes to this bug.