Bug 172952

Summary: fast/frames/sandboxed-iframe-navigation-top-denied.html is crashing in Inspector::createScriptCallStackForConsole::Exec for GTK
Product: WebKit
Reporter: Michael Catanzaro <mcatanzaro>
Component: Web Inspector
Assignee: Fujii Hironori <Hironori.Fujii>
Status: RESOLVED FIXED
Severity: Normal
CC: bugs-noreply, commit-queue, ews-watchlist, Hironori.Fujii, inspector-bugzilla-changes, joepeck, keith_miller, mark.lam, mcatanzaro, msaboff, rniwa, saam, webkit-bug-importer, ysuzuki
Priority: P2
Keywords: InRadar
Version: Other
Hardware: PC
OS: Linux
Attachments (Description: Flags):
debug patch: none
Archive of layout-test-results from ews101 for mac-sierra: none
Archive of layout-test-results from ews104 for mac-sierra-wk2: none
Archive of layout-test-results from ews123 for ios-simulator-wk2: none
Archive of layout-test-results from ews201 for win-future: none
Patch: none

Description Michael Catanzaro 2017-06-05 20:29:17 PDT
fast/frames/sandboxed-iframe-navigation-top-denied.html is crashing on the GTK release bot. This is caused by either the upgrade to Debian Stretch (r217598), or by r217599. I guess probably the former.

Thread 1 (Thread 0x7f040b72ef00 (LWP 32431)):
#0  0x00007f0418aa4f42 in _ZN9Inspector31createScriptCallStackForConsoleEPN3JSC9ExecStateEm () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#1  0x00007f0418a7549b in _ZN9Inspector14ConsoleMessage20autogenerateMetadataEPN3JSC9ExecStateE () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#2  0x00007f041ec0cfc2 in _ZN7WebCore17PageConsoleClient10addMessageEN3JSC13MessageSourceENS1_12MessageLevelERKN3WTF6StringES7_jjONS4_6RefPtrIN9Inspector15ScriptCallStackEEEPNS1_9ExecStateEm ()
#3  0x00007f041ec0d0d4 in _ZN7WebCore17PageConsoleClient10addMessageEN3JSC13MessageSourceENS1_12MessageLevelERKN3WTF6StringEmPNS_8DocumentE ()
#4  0x00007f041e717ed1 in _ZN7WebCoreL27printNavigationErrorMessageEPNS_5FrameERKNS_3URLEPKc ()
#5  0x00007f041e71819f in _ZN7WebCore8Document11canNavigateEPNS_5FrameE ()
#6  0x00007f041eaab0a9 in _ZN7WebCore11FrameLoader22findFrameForNavigationERKN3WTF12AtomicStringEPNS_8DocumentE ()
#7  0x00007f041ebfd56f in _ZN7WebCore8Location11setLocationERNS_9DOMWindowES2_RKN3WTF6StringE ()
#8  0x00007f041c7e2eed in _ZN7WebCore22setJSDOMWindowLocationEPN3JSC9ExecStateEll () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#9  0x00007f0418cf61be in _ZN3JSC16callCustomSetterEPNS_9ExecStateEPFbS1_llEbNS_7JSValueES4_ () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#10 0x00007f041e51be7a in _ZN7WebCore11JSDOMWindow3putEPN3JSC6JSCellEPNS1_9ExecStateENS1_12PropertyNameENS1_7JSValueERNS1_15PutPropertySlotE ()
#11 0x00007f0418acfa26 in _ZN3JSC11Interpreter14executeProgramERKNS_10SourceCodeEPNS_9ExecStateEPNS_8JSObjectE () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#12 0x00007f0418cebfbd in _ZN3JSC8evaluateEPNS_9ExecStateERKNS_10SourceCodeENS_7JSValueERN3WTF8NakedPtrINS_9ExceptionEEE () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#13 0x00007f0418cec231 in _ZN3JSC16profiledEvaluateEPNS_9ExecStateENS_15ProfilingReasonERKNS_10SourceCodeENS_7JSValueERN3WTF8NakedPtrINS_9ExceptionEEE () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#14 0x00007f041e5596e3 in _ZN7WebCore16ScriptController15evaluateInWorldERKNS_16ScriptSourceCodeERNS_15DOMWrapperWorldEPNS_16ExceptionDetailsE ()
#15 0x00007f041e5598a3 in _ZN7WebCore16ScriptController8evaluateERKNS_16ScriptSourceCodeEPNS_16ExceptionDetailsE ()
#16 0x00007f041e78eec7 in _ZN7WebCore13ScriptElement20executeClassicScriptERKNS_16ScriptSourceCodeE ()
#17 0x00007f041e79389c in _ZN7WebCore13ScriptElement13prepareScriptERKN3WTF12TextPositionENS0_17LegacyTypeSupportE ()
#18 0x00007f041e9ab7fb in _ZN7WebCore16HTMLScriptRunner9runScriptERNS_13ScriptElementERKN3WTF12TextPositionE ()
#19 0x00007f041e9ac0cf in _ZN7WebCore16HTMLScriptRunner7executeEON3WTF3RefINS_13ScriptElementEEERKNS1_12TextPositionE ()
#20 0x00007f041e99775d in _ZN7WebCore18HTMLDocumentParser30runScriptsForPausedTreeBuilderEv ()
#21 0x00007f041e997fdd in _ZN7WebCore18HTMLDocumentParser17pumpTokenizerLoopENS0_15SynchronousModeEbRNS_11PumpSessionE ()
#22 0x00007f041e9982d0 in _ZN7WebCore18HTMLDocumentParser13pumpTokenizerENS0_15SynchronousModeE ()
#23 0x00007f041e99bb9a in _ZN7WebCore18HTMLDocumentParser6appendEON3WTF6RefPtrINS1_10StringImplEEE ()
#24 0x00007f041e6ff45b in _ZN7WebCore25DecodedDataDocumentParser5flushERNS_14DocumentWriterE ()
#25 0x00007f041ea9d08d in _ZN7WebCore14DocumentWriter3endEv ()
#26 0x00007f041ea8cfc6 in _ZN7WebCore14DocumentLoader15finishedLoadingEv ()
#27 0x00007f041eb6b764 in _ZN7WebCore14CachedResource11checkNotifyEv.part.230 ()
#28 0x00007f041eb625b7 in _ZN7WebCore17CachedRawResource13finishLoadingEPNS_12SharedBufferE ()
#29 0x00007f041eb11332 in _ZN7WebCore17SubresourceLoader16didFinishLoadingERKNS_18NetworkLoadMetricsE ()
#30 0x00007f041b49eea5 in _ZN3IPC13handleMessageIN8Messages17WebResourceLoader21DidFinishResourceLoadEN6WebKit17WebResourceLoaderEMS5_FvRKN7WebCore18NetworkLoadMetricsEEEEvRNS_7DecoderEPT0_T1_ () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#31 0x00007f041b49eb5f in _ZN6WebKit17WebResourceLoader34didReceiveWebResourceLoaderMessageERN3IPC10ConnectionERNS1_7DecoderE () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#32 0x00007f041b0c125b in _ZN3IPC10Connection15dispatchMessageESt10unique_ptrINS_7DecoderESt14default_deleteIS2_EE () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#33 0x00007f041b0c218c in _ZN3IPC10Connection18dispatchOneMessageEv () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#34 0x00007f04190234a5 in _ZN3WTF7RunLoop11performWorkEv () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#35 0x00007f0419058a29 in _ZZN3WTF7RunLoopC4EvENUlPvE_4_FUNES1_ () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#36 0x00007f0416dfa5ca in g_main_dispatch () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/glib-2.52.1/glib/gmain.c:3212
#37 g_main_context_dispatch () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/glib-2.52.1/glib/gmain.c:3865
#38 0x00007f0416dfa948 in g_main_context_iterate () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/glib-2.52.1/glib/gmain.c:3938
#39 0x00007f0416dfac62 in g_main_loop_run () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/glib-2.52.1/glib/gmain.c:4134
#40 0x00007f04190593d0 in _ZN3WTF7RunLoop3runEv () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#41 0x00007f041b454242 in _ZN6WebKit16ChildProcessMainINS_10WebProcessENS_14WebProcessMainEEEiiPPc () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#42 0x00007f041272f2b1 in __libc_start_main (main=0x7f041e2e95b0 <main>, argc=2, argv=0x7ffd707c2658, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd707c2648) at ../csu/libc-start.c:291
#43 0x00007f041e2e9aca in _start ()
Comment 1 Fujii Hironori 2018-02-02 01:58:38 PST
Created attachment 332948 [details]
debug patch

This crash can't be reproduced with Debug build.

But, if I apply this debug patch, I can reproduce the crash with Debug build.
GTK port, Debug build, trunk@227995
Crash log: https://gist.github.com/fujii/880103ac36491f17b0affa429870a78c
Comment 2 EWS Watchlist 2018-02-02 03:01:58 PST
Comment on attachment 332948 [details]
debug patch

Attachment 332948 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/6329325

New failing tests:
fast/frames/sandboxed-iframe-navigation-top-denied.html
Comment 3 EWS Watchlist 2018-02-02 03:01:59 PST
Created attachment 332952 [details]
Archive of layout-test-results from ews101 for mac-sierra

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews101  Port: mac-sierra  Platform: Mac OS X 10.12.6
Comment 4 EWS Watchlist 2018-02-02 03:06:23 PST
Comment on attachment 332948 [details]
debug patch

Attachment 332948 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/6329338

New failing tests:
fast/frames/sandboxed-iframe-navigation-top-denied.html
Comment 5 EWS Watchlist 2018-02-02 03:06:24 PST
Created attachment 332953 [details]
Archive of layout-test-results from ews104 for mac-sierra-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews104  Port: mac-sierra-wk2  Platform: Mac OS X 10.12.6
Comment 6 EWS Watchlist 2018-02-02 03:32:32 PST
Comment on attachment 332948 [details]
debug patch

Attachment 332948 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/6329365

New failing tests:
fast/frames/sandboxed-iframe-navigation-top-denied.html
Comment 7 EWS Watchlist 2018-02-02 03:32:34 PST
Created attachment 332954 [details]
Archive of layout-test-results from ews123 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews123  Port: ios-simulator-wk2  Platform: Mac OS X 10.12.6
Comment 8 EWS Watchlist 2018-02-02 06:18:50 PST
Comment on attachment 332948 [details]
debug patch

Attachment 332948 [details] did not pass win-ews (win):
Output: http://webkit-queues.webkit.org/results/6330425

New failing tests:
fast/frames/sandboxed-iframe-navigation-top-denied.html
Comment 9 EWS Watchlist 2018-02-02 06:19:00 PST
Created attachment 332964 [details]
Archive of layout-test-results from ews201 for win-future

The attached test failures were seen while running run-webkit-tests on the win-ews.
Bot: ews201  Port: win-future  Platform: CYGWIN_NT-6.1-2.9.0-0.318-5-3-x86_64-64bit
Comment 10 Fujii Hironori 2018-02-02 14:11:46 PST
These EWS test failures mean the mac port also has this null dereference issue.
What does it mean if topCallFrame is null?
Should I do a null-check?
Comment 11 Fujii Hironori 2018-02-04 18:12:55 PST
(In reply to Fujii Hironori from comment #10)
> These EWS test failures mean the mac port also has this null dereference issue.
> What does it mean if topCallFrame is null?
> Should I do a null-check?

I guess that's because scripts are not executed at all in this case.
I need to do a null-check there.
Comment 12 Fujii Hironori 2018-02-04 18:34:33 PST
Created attachment 333058 [details]
Patch
Comment 13 WebKit Commit Bot 2018-02-16 09:46:17 PST
Comment on attachment 333058 [details]
Patch

Clearing flags on attachment: 333058

Committed r228561: <https://trac.webkit.org/changeset/228561>
Comment 14 WebKit Commit Bot 2018-02-16 09:46:19 PST
All reviewed patches have been landed. Closing bug.
Comment 15 Radar WebKit Bug Importer 2018-02-16 09:48:13 PST
<rdar://problem/37608174>