Bug 193779

Summary: Regression(PSON?) Crash under NavigationState::NavigationClient::decidePolicyForNavigationAction()
Product: WebKit Reporter: Chris Dumez <cdumez>
Component: WebKit2Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED    
Severity: Normal CC: achristensen, beidson, commit-queue, ews-watchlist, ggaren, johnt519, koivisto, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch none

Description Chris Dumez 2019-01-24 14:01:37 PST 
Crash under NavigationState::NavigationClient::decidePolicyForNavigationAction():
Thread[0] EXC_BAD_ACCESS (SIGSEGV) (KERN_INVALID_ADDRESS at 0x0000000000000020)
[  0] 0x00007fff4a23502e WebKit`WebKit::NavigationState::NavigationClient::decidePolicyForNavigationAction(WebKit::WebPageProxy&, WTF::Ref<API::NavigationAction, WTF::DumbPtrTraits<API::NavigationAction> >&&, WTF::Ref<WebKit::WebFramePolicyListenerProxy, WTF::DumbPtrTraits<WebKit::WebFramePolicyListenerProxy> >&&, API::Object*) [inlined] WTF::RefPtr<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> >::RefPtr(WTF::RefPtr<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> > const&) at RefPtr.h:58:53

     0x00007fff4a23501e:     movq %rdx, %r15
     0x00007fff4a235021:     movq %rsi, %rbx
     0x00007fff4a235024:     movq %rdi, %r12
     0x00007fff4a235027:     movq 0x138(%rsi), %rax
 ->  0x00007fff4a23502e:     movq 0x20(%rax), %r13
     0x00007fff4a235032:    testq %r13, %r13
     0x00007fff4a235035:       je 0x1c603c             ; <+50> [inlined] WTF::DumbPtrTraits<API::NavigationAction>::unwrap(API::NavigationAction* const&) at Ref.h:119
     0x00007fff4a235037:     addl $0x2, (%r13)
     0x00007fff4a23503c:     movq (%r15), %rax

[  0] 0x00007fff4a23502e WebKit`WebKit::NavigationState::NavigationClient::decidePolicyForNavigationAction(WebKit::WebPageProxy&, WTF::Ref<API::NavigationAction, WTF::DumbPtrTraits<API::NavigationAction> >&&, WTF::Ref<WebKit::WebFramePolicyListenerProxy, WTF::DumbPtrTraits<WebKit::WebFramePolicyListenerProxy> >&&, API::Object*) [inlined] WTF::RefPtr<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> >::RefPtr(WTF::RefPtr<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> > const&) at RefPtr.h:58
[  0] 0x00007fff4a23502e WebKit`WebKit::NavigationState::NavigationClient::decidePolicyForNavigationAction(WebKit::WebPageProxy&, WTF::Ref<API::NavigationAction, WTF::DumbPtrTraits<API::NavigationAction> >&&, WTF::Ref<WebKit::WebFramePolicyListenerProxy, WTF::DumbPtrTraits<WebKit::WebFramePolicyListenerProxy> >&&, API::Object*) [inlined] WTF::String::String(WTF::String const&) at WTFString.h:129
[  0] 0x00007fff4a23502e WebKit`WebKit::NavigationState::NavigationClient::decidePolicyForNavigationAction(WebKit::WebPageProxy&, WTF::Ref<API::NavigationAction, WTF::DumbPtrTraits<API::NavigationAction> >&&, WTF::Ref<WebKit::WebFramePolicyListenerProxy, WTF::DumbPtrTraits<WebKit::WebFramePolicyListenerProxy> >&&, API::Object*) [inlined] WTF::String::String(WTF::String const&) at WTFString.h:129
[  0] 0x00007fff4a23502e WebKit`WebKit::NavigationState::NavigationClient::decidePolicyForNavigationAction(WebKit::WebPageProxy&, WTF::Ref<API::NavigationAction, WTF::DumbPtrTraits<API::NavigationAction> >&&, WTF::Ref<WebKit::WebFramePolicyListenerProxy, WTF::DumbPtrTraits<WebKit::WebFramePolicyListenerProxy> >&&, API::Object*) + 36 at NavigationState.mm:490
       486 	
       487 	void NavigationState::NavigationClient::decidePolicyForNavigationAction(WebPageProxy& webPageProxy, Ref<API::NavigationAction>&& navigationAction, Ref<WebFramePolicyListenerProxy>&& listener, API::Object* userInfo)
       488 	{
       489 	    ASSERT(webPageProxy.mainFrame());
    -> 490 	    String mainFrameURLString = webPageProxy.mainFrame()->url();
       491 	    bool subframeNavigation = navigationAction->targetFrame() && !navigationAction->targetFrame()->isMainFrame();
       492 	
       493 	    if (!m_navigationState.m_navigationDelegateMethods.webViewDecidePolicyForNavigationActionDecisionHandler
       494 	        && !m_navigationState.m_navigationDelegateMethods.webViewDecidePolicyForNavigationActionDecisionHandlerWebsitePolicies
    
[  1] 0x00007fff4a28ec10 WebKit`WebKit::WebPageProxy::decidePolicyForNavigationAction(WebKit::WebFrameProxy&, WebCore::SecurityOriginData&&, unsigned long long, WebKit::NavigationActionData&&, WebKit::FrameInfoData&&, unsigned long long, WebCore::ResourceRequest const&, WebCore::ResourceRequest&&, IPC::FormDataReference&&, WebCore::ResourceResponse&&, WebKit::UserData const&, WTF::Ref<WebKit::WebPageProxy::PolicyDecisionSender, WTF::DumbPtrTraits<WebKit::WebPageProxy::PolicyDecisionSender> >&&) + 3212 at WebPageProxy.cpp:4327:29
       4323	        bool shouldOpenAppLinks = !m_shouldSuppressAppLinksInNextNavigationPolicyDecision && destinationFrameInfo->isMainFrame() && !hostsAreEqual(URL({ }, m_mainFrame->url()), request.url()) && navigationActionData.navigationType != WebCore::NavigationType::BackForward;
       4324	
       4325	        auto navigationAction = API::NavigationAction::create(WTFMove(navigationActionData), sourceFrameInfo.get(), destinationFrameInfo.ptr(), std::nullopt, WTFMove(request), originalRequest.url(), shouldOpenAppLinks, WTFMove(userInitiatedActivity), mainFrameNavigation);
       4326	
    -> 4327	        m_navigationClient->decidePolicyForNavigationAction(*this, WTFMove(navigationAction), WTFMove(listener), m_process->transformHandlesToObjects(userData.object()).get());
       4328	    }
       4329	
       4330	    m_shouldSuppressAppLinksInNextNavigationPolicyDecision = false;
       4331	}
Comment 1 Chris Dumez 2019-01-24 14:01:53 PST 
<rdar://problem/46170903>
Comment 2 Chris Dumez 2019-01-24 14:05:55 PST 
Created attachment 360036 [details]
Patch
Comment 3 EWS Watchlist 2019-01-24 14:09:12 PST 
Attachment 360036 [details] did not pass style-queue:


ERROR: Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm:2139:  Multi-line string ("...") found.  This lint script doesn't do well with such strings, and may give bogus warnings.  They're ugly and unnecessary, and you should use concatenation instead".  [readability/multiline_string] [5]
ERROR: Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm:2146:  Semicolon defining empty statement for this loop. Use { } instead.  [whitespace/semicolon] [5]
ERROR: Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm:2164:  Multi-line string ("...") found.  This lint script doesn't do well with such strings, and may give bogus warnings.  They're ugly and unnecessary, and you should use concatenation instead".  [readability/multiline_string] [5]
Total errors found: 3 in 5 files


If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 4 Chris Dumez 2019-01-25 08:55:40 PST 
Comment on attachment 360036 [details]
Patch

ping review?
Comment 5 Antti Koivisto 2019-01-25 09:06:24 PST 
Comment on attachment 360036 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=360036&action=review

> Source/WebKit/ChangeLog:13
> +        We were crashing when trying to get the URL of the main frame, which was sad because we never
> +        ended up using the main frame URL. Therefore, this patch drops the code in question.

The best fix.
Comment 6 WebKit Commit Bot 2019-01-25 09:32:59 PST 
Comment on attachment 360036 [details]
Patch

Clearing flags on attachment: 360036

Committed r240477: <https://trac.webkit.org/changeset/240477>
Comment 7 WebKit Commit Bot 2019-01-25 09:33:00 PST 
All reviewed patches have been landed.  Closing bug.
Comment 8 Alexey Proskuryakov 2019-02-03 20:24:52 PST 
*** Bug 194018 has been marked as a duplicate of this bug. ***