Bug 183610

Summary: fast/loader/javascript-url-iframe-remove-on-navigate.html is a flaky crash on iOS with async delegates
Product: WebKit Reporter: Chris Dumez <cdumez>
Component: Page Loading    Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED    
Severity: Normal CC: achristensen, ajuma, beidson, commit-queue, dbates, ews-watchlist, japhet, webkit-bug-importer, youennf
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 180568    
Attachments (Description / Flags):
Patch / none
Patch / none

Description Chris Dumez 2018-03-13 13:30:06 PDT
fast/loader/javascript-url-iframe-remove-on-navigate.html is a flaky crash on iOS with async delegates:
Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000030
Exception Note:        EXC_CORPSE_NOTIFY

Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   exc handler [0]

VM Regions Near 0x30:
--> 
    __TEXT                 00000001042d1000-00000001042d3000 [    8K] r-x/rwx SM=COW  /Volumes/VOLUME/*/WebKit.framework/XPCServices/com.apple.WebKit.WebContent.xpc/com.apple.WebKit.WebContent.Development

Application Specific Information:
CRASHING TEST: fast/loader/javascript-url-iframe-remove-on-navigate.html
CoreSimulator 494.13.6 - Device: Managed 0 - Runtime: iOS 11.0 (15A372) - DeviceType: iPhone 5s

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x000000010e0e7c04 WebCore::FrameLoaderStateMachine::creatingInitialEmptyDocument() const + 4 (FrameLoaderStateMachine.cpp:54)
1   com.apple.WebCore             	0x000000010e0d1fe4 WebCore::DocumentLoader::maybeLoadEmpty() + 388 (DocumentLoader.cpp:1629)
2   com.apple.WebCore             	0x000000010e0ce930 WebCore::DocumentLoader::loadMainResource(WebCore::ResourceRequest&&) + 1408 (DocumentLoader.cpp:1743)
3   com.apple.WebCore             	0x000000010e0cd7da WebCore::DocumentLoader::matchRegistration(WebCore::URL const&, WTF::CompletionHandler<void (std::optional<WebCore::ServiceWorkerRegistrationData>&&)>&&) + 474 (memory:2602)
4   com.apple.WebCore             	0x000000010e0dbe2c WTF::Function<void (WebCore::ResourceRequest&&)>::CallableWrapper<WebCore::DocumentLoader::startLoadingMainResource()::$_8>::call(WebCore::ResourceRequest&&) + 1212 (memory:2600)
5   com.apple.WebCore             	0x000000010e0cdfa8 WebCore::DocumentLoader::willSendRequest(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&)>&&) + 1784 (memory:2602)
6   com.apple.WebCore             	0x000000010e0d2600 WebCore::DocumentLoader::startLoadingMainResource() + 864 (memory:2600)
7   com.apple.WebCore             	0x000000010e0ed67b WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, bool, WebCore::AllowNavigationToInvalidURL) + 779 (memory:2600)
8   com.apple.WebCore             	0x000000010e0f7f1a WTF::Function<void (WebCore::ResourceRequest&&, WebCore::FormState*, bool)>::CallableWrapper<WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WebCore::FormState*, WebCore::AllowNavigationToInvalidURL, WTF::CompletionHandler<void ()>&&)::$_9>::call(WebCore::ResourceRequest&&, WebCore::FormState*, bool) + 26 (memory:2593)
9   com.apple.WebCore             	0x000000010e10ebb5 WTF::Function<void (WebCore::PolicyAction)>::CallableWrapper<WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest&&, bool, WebCore::DocumentLoader*, WebCore::FormState*, WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WebCore::FormState*, bool)>&&)::$_6>::call(WebCore::PolicyAction) + 181 (memory:2602)
10  com.apple.WebKit              	0x0000000104b29adb WebKit::WebFrame::didReceivePolicyDecision(unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID, std::optional<WebKit::WebsitePoliciesData>&&) + 183 (memory:2397)
11  com.apple.WebKit              	0x0000000104b98f65 void IPC::callMemberFunctionImpl<WebKit::WebPage, void (WebKit::WebPage::*)(unsigned long long, unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID const&, std::optional<WebKit::WebsitePoliciesData>&&), std::__1::tuple<unsigned long long, unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID, std::optional<WebKit::WebsitePoliciesData> >, 0ul, 1ul, 2ul, 3ul, 4ul, 5ul>(WebKit::WebPage*, void (WebKit::WebPage::*)(unsigned long long, unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID const&, std::optional<WebKit::WebsitePoliciesData>&&), std::__1::tuple<unsigned long long, unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID, std::optional<WebKit::WebsitePoliciesData> >&&, std::__1::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul, 4ul, 5ul>) + 58 (HandleMessage.h:41)
12  com.apple.WebKit              	0x0000000104b93afa void IPC::handleMessage<Messages::WebPage::DidReceivePolicyDecision, WebKit::WebPage, void (WebKit::WebPage::*)(unsigned long long, unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID const&, std::optional<WebKit::WebsitePoliciesData>&&)>(IPC::Decoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(unsigned long long, unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID const&, std::optional<WebKit::WebsitePoliciesData>&&)) + 100 (Optional.h:470)
13  com.apple.WebKit              	0x00000001049f8baf IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) + 127
14  com.apple.WebKit              	0x0000000104c04e88 WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) + 28 (WebProcess.cpp:639)
15  com.apple.WebKit              	0x00000001049c116f IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) + 119 (memory:2581)
16  com.apple.WebKit              	0x00000001049c3916 IPC::Connection::dispatchOneMessage() + 176 (Connection.cpp:964)
17  JavaScriptCore                	0x000000010c98e7ac WTF::RunLoop::performWork() + 236 (Function.h:56)
18  JavaScriptCore                	0x000000010c98ea42 WTF::RunLoop::performWork(void*) + 34 (RunLoopCF.cpp:39)
19  com.apple.CoreFoundation      	0x0000000105e482b1 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
20  com.apple.CoreFoundation      	0x0000000105ee7d31 __CFRunLoopDoSource0 + 81
21  com.apple.CoreFoundation      	0x0000000105e2cc19 __CFRunLoopDoSources0 + 185
22  com.apple.CoreFoundation      	0x0000000105e2c1ff __CFRunLoopRun + 1279
23  com.apple.CoreFoundation      	0x0000000105e2ba89 CFRunLoopRunSpecific + 409
24  com.apple.Foundation          	0x000000010437ce5e -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 274
25  com.apple.Foundation          	0x000000010437cd39 -[NSRunLoop(NSRunLoop) run] + 76
26  libxpc.dylib                  	0x000000010793b0d9 _xpc_objc_main + 460
27  libxpc.dylib                  	0x000000010793d4cb xpc_main + 143
28  com.apple.WebKit.WebContent   	0x00000001042d21ee main + 408 (OSObjectPtr.h:65)
29  libdyld.dylib                 	0x00000001075e6d81 start + 1
Comment 1 Chris Dumez 2018-03-13 16:29:00 PDT
Created attachment 335744 [details]
Patch
Comment 2 youenn fablet 2018-03-13 16:39:34 PDT
Comment on attachment 335744 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=335744&action=review

> Source/WebCore/ChangeLog:9
> +        return null due to the load getting cancelled synchronously. If this load the parent frame's last

s/load/load is/

> Source/WebCore/ChangeLog:15
> +        which crashes flakily.

crashes/crashed

> Source/WebCore/loader/DocumentLoader.cpp:1725
> +            return;

I wonder whether some housekeeping would be good to do, hopefully not but hey...
For instance, is m_loadingMainResource false when returning early (hopefully yes)?

> Source/WebCore/loader/DocumentLoader.cpp:1728
>              RELEASE_LOG_IF_ALLOWED("startLoadingMainResource: Unable to load main resource, URL is invalid (frame = %p, main = %d)", m_frame, m_frame->isMainFrame());

I wonder whether we would still want to log this error case even in the case frame is null?
Comment 3 Chris Dumez 2018-03-13 16:49:46 PDT
Created attachment 335745 [details]
Patch
Comment 4 Chris Dumez 2018-03-13 16:50:17 PDT
Comment on attachment 335744 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=335744&action=review

>> Source/WebCore/loader/DocumentLoader.cpp:1725
>> +            return;
> 
> I wonder whether some housekeeping would be good to do, hopefully not but hey...
> For instance, is m_loadingMainResource false when returning early (hopefully yes)?

m_loadingMainResource is false. I checked.
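The lifetime hazard described by the ChangeLog lines quoted in comment 2, and the housekeeping question settled in comment 4, as an added C++ model that is not WebKit's code: Frame, DocumentLoader, cancelMainResourceLoad and runScenario are constructed stand-ins, and the null-frame guard in the deferred completion handler mirrors the early return reviewed at DocumentLoader.cpp:1725.

```cpp
#include <functional>

// Constructed model (not WebKit code) of this bug: with async delegates the
// willSendRequest completion handler runs after the iframe's load was cancelled
// synchronously and its frame detached, so m_frame is null when it fires.
struct Frame { bool creatingInitialEmptyDocument = false; };

struct DocumentLoader {
    Frame* m_frame;                          // null once the frame is detached
    bool m_loadingMainResource = false;
    bool m_mainResourceLoaded = false;
    bool m_bailedOut = false;
    std::function<void()> m_pendingDelegate; // stands in for the deferred client reply

    explicit DocumentLoader(Frame* frame) : m_frame(frame) {}
    // Synchronous cancellation when the iframe is removed from the document: load
    // state is cleared and the frame dropped, but the delegate reply stays queued.
    void cancelMainResourceLoad() { m_loadingMainResource = false; m_frame = nullptr; }

    void startLoadingMainResource() {
        m_loadingMainResource = true;
        m_pendingDelegate = [this] {      // continuation, delivered later
            if (!m_frame) {               // guard from the fix: frame already gone
                m_bailedOut = true;
                return;                   // m_loadingMainResource is already false
            }
            loadMainResource();
        };
    }

    void loadMainResource() {
        // Dereferences the frame; without the guard this is the null dereference the
        // report shows under FrameLoaderStateMachine::creatingInitialEmptyDocument().
        m_mainResourceLoaded = !m_frame->creatingInitialEmptyDocument;
        m_loadingMainResource = false;
    }

    void deliverDelegateReply() { if (m_pendingDelegate) m_pendingDelegate(); }
};

struct Outcome { bool bailedOut; bool loaded; bool stillLoading; };
// Drive the scenario; removeBeforeReply mirrors the test's remove-on-navigate step.
Outcome runScenario(bool removeBeforeReply) {
    Frame frame;
    DocumentLoader loader(&frame);
    loader.startLoadingMainResource();
    if (removeBeforeReply)
        loader.cancelMainResourceLoad();
    loader.deliverDelegateReply();
    return { loader.m_bailedOut, loader.m_mainResourceLoaded, loader.m_loadingMainResource };
}
```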
Comment 5 WebKit Commit Bot 2018-03-13 18:02:25 PDT
Comment on attachment 335745 [details]
Patch

Clearing flags on attachment: 335745

Committed r229596: <https://trac.webkit.org/changeset/229596>
Comment 6 WebKit Commit Bot 2018-03-13 18:02:27 PDT
All reviewed patches have been landed. Closing bug.
Comment 7 Radar WebKit Bug Importer 2018-03-13 18:03:36 PDT
<rdar://problem/38440197>