Bug 194820

Summary: REGRESSION(r240909): Release assertion in FrameLoader::loadPostRequest when opening new window
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: Page Loading    Assignee: Ryosuke Niwa <rniwa>
Status: NEW ---    
Severity: Normal CC: achristensen, beidson, cdumez, dbates, ews-watchlist, ggaren, japhet
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Fixes the bug
none
Patch for safari-607 branch
none
Patch for safari-607 branch with release build fix
none
Patch for safari-607 branch with release build fix
none

Description Ryosuke Niwa 2019-02-19 10:39:45 PST
Example crash backtrace:

Thread[0] EXC_BREAKPOINT (SIGTRAP) (0x0000000000000002, 0x0000000000000000)
[  0] 0x00007fff5a1b0ca3 WebCore`WTFCrashWithInfo(int, char const*, char const*, int) + 19

     0x00007fff5a1b0c97:     movq %rsi, -0x18(%rbp)
     0x00007fff5a1b0c9b:     movq %rdx, -0x10(%rbp)
     0x00007fff5a1b0c9f:     movl %ecx, -0x4(%rbp)
     0x00007fff5a1b0ca2:     int3 
 ->  0x00007fff5a1b0ca3:      ud2 
     0x00007fff5a1b0ca5:     nopw %cs:(%rax,%rax)
     0x00007fff5a1b0caf:      nop 

[  1] 0x00007fff5b1293cb WebCore`WebCore::FrameLoader::loadPostRequest(WebCore::FrameLoadRequest&&, WTF::String const&, WebCore::FrameLoadType, WebCore::Event*, WTF::RefPtr<WebCore::FormState, WTF::DumbPtrTraits<WebCore::FormState> >&&, WTF::CompletionHandler<void ()>&&) + 1515 at FrameLoader.cpp:2999:9
       2995	            targetFrame->loader().loadWithNavigationAction(workingResourceRequest, WTFMove(action), lockHistory, loadType, WTFMove(formState), allowNavigationToInvalidURL, WTFMove(completionHandler));
       2996	            return;
       2997	        }
       2998	
    -> 2999	        RELEASE_ASSERT(!isBackForwardLoadType(policyChecker().loadType()));
       3000	        policyChecker().checkNewWindowPolicy(WTFMove(action), WTFMove(workingResourceRequest), WTFMove(formState), frameName, [this, allowNavigationToInvalidURL, openerPolicy, completionHandler = WTFMove(completionHandler)] (const ResourceRequest& request, WeakPtr<FormState>&& formState, const String& frameName, const NavigationAction& action, ShouldContinue shouldContinue) mutable {
       3001	            continueLoadAfterNewWindowPolicy(request, formState.get(), frameName, action, shouldContinue, allowNavigationToInvalidURL, openerPolicy);
       3002	            completionHandler();
       3003	        });
    
[  2] 0x00007fff5b1253a1 WebCore`WebCore::FrameLoader::loadFrameRequest(WebCore::FrameLoadRequest&&, WebCore::Event*, WTF::RefPtr<WebCore::FormState, WTF::DumbPtrTraits<WebCore::FormState> >&&) + 817 at FrameLoader.cpp:1289:9
       1285	        }
       1286	    };
       1287	
       1288	    if (request.resourceRequest().httpMethod() == "POST")
    -> 1289	        loadPostRequest(WTFMove(request), referrer, loadType, event, WTFMove(formState), WTFMove(completionHandler));
       1290	    else
       1291	        loadURL(WTFMove(request), referrer, loadType, event, WTFMove(formState), WTFMove(completionHandler));
       1292	}
       1293	
    
[  3] 0x00007fff5b140c95 WebCore`WebCore::ScheduledFormSubmission::fire(WebCore::Frame&) + 517 at NavigationScheduler.cpp:277:24
       273 	        if (!requestingDocument.canNavigate(&frame))
       274 	            return;
       275 	        FrameLoadRequest frameLoadRequest { requestingDocument, requestingDocument.securityOrigin(), { }, { }, lockHistory(), lockBackForwardList(), MaybeSendReferrer, AllowNavigationToInvalidURL::Yes, NewFrameOpenerPolicy::Allow, shouldOpenExternalURLs(), initiatedByMainFrame() };
       276 	        m_submission->populateFrameLoadRequest(frameLoadRequest);
    -> 277 	        frame.loader().loadFrameRequest(WTFMove(frameLoadRequest), m_submission->event(), m_submission->takeState());
       278 	    }
       279 	
       280 	    void didStartTimer(Frame& frame, Timer& timer) override
       281 	    {
    
[  4] 0x00007fff5b13c9a5 WebCore`WebCore::NavigationScheduler::timerFired() + 101 at NavigationScheduler.cpp:510:15
[  5] 0x00007fff59fcd707 WebCore`WebCore::ThreadTimers::sharedTimerFiredInternal() + 167 at ThreadTimers.cpp:129:23
[  6] 0x00007fff59fcd64e WebCore`WebCore::timerFired(__CFRunLoopTimer*, void*) + 30 at MainThreadSharedTimerCF.cpp:74:40

<rdar://problem/48187427>
Comment 1 Ryosuke Niwa 2019-02-19 10:47:25 PST
Created attachment 362393 [details]
Fixes the bug
Comment 2 Geoffrey Garen 2019-02-19 10:50:29 PST
Comment on attachment 362393 [details]
Fixes the bug

r=me
Comment 3 Ryosuke Niwa 2019-02-19 12:24:23 PST
Created attachment 362413 [details]
Patch for safari-607 branch
Comment 4 Ryosuke Niwa 2019-02-19 15:07:53 PST
Comment on attachment 362393 [details]
Fixes the bug

Clearing flags on attachment: 362393

Committed r241780: <https://trac.webkit.org/changeset/241780>
Comment 5 Ryosuke Niwa 2019-02-19 15:15:54 PST
Created attachment 362442 [details]
Patch for safari-607 branch with release build fix
Comment 6 Ryosuke Niwa 2019-02-19 18:21:31 PST
Created attachment 362467 [details]
Patch for safari-607 branch with release build fix