Bug 196479

Summary: Nullptr crash in Document::open after calling policyChecker().stopCheck()
Product: WebKit
Reporter: Ryosuke Niwa <rniwa>
Component: DOM
Assignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED
Severity: Normal
CC: achristensen, cdumez, esprehn+autocc, ews-watchlist, kangil.han, koivisto
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments:
  Fixes the bug (flags: koivisto: review+)

Description Ryosuke Niwa 2019-04-01 20:25:22 PDT
WebCore`WebCore::Document::open(WebCore::Document*) + 210 at Document.cpp:2647
       2643	        }
       2644	
       2645	        if (m_frame->loader().policyChecker().delegateIsDecidingNavigationPolicy())
       2646	            m_frame->loader().policyChecker().stopCheck();
    -> 2647	        if (m_frame->loader().state() == FrameStateProvisional)
       2648	            m_frame->loader().stopAllLoaders();
       2649	    }
       2650	
       2651	    removeAllEventListeners();

We can hit a nullptr crash here because m_frame->loader().policyChecker().stopCheck() invokes m_willSubmitFormCompletionHandlers, and that could clear the frame, etc.

<rdar://problem/48883397>
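The re-entrancy hazard described above, as an added illustration that is not WebKit's code or its fix: a completion handler run from stopCheck() detaches the document from its frame, and the very next line dereferences m_frame. The Frame, PolicyChecker and Document types and the recheckFrame flag are hypothetical stand-ins; the page does not say which guard r243738 actually added.

```cpp
#include <functional>
#include <utility>
#include <vector>

// Hypothetical stand-ins for WebKit's Frame and PolicyChecker (not WebKit code).
struct PolicyChecker {
    // Mirrors m_willSubmitFormCompletionHandlers: arbitrary callbacks run from stopCheck().
    std::vector<std::function<void()>> willSubmitFormCompletionHandlers;
    bool delegateIsDecidingNavigationPolicy = false;
    void stopCheck() {
        delegateIsDecidingNavigationPolicy = false;
        auto handlers = std::move(willSubmitFormCompletionHandlers);
        for (auto& handler : handlers)
            handler(); // re-entrant: a handler may detach the document from its frame
    }
};

struct Frame {
    PolicyChecker policyChecker;
    bool provisional = true;
    int stopAllLoadersCalls = 0;
    void stopAllLoaders() { ++stopAllLoadersCalls; }
};

struct Document {
    Frame* m_frame = nullptr; // raw back-pointer, nulled when the document is detached
    void detachFromFrame() { m_frame = nullptr; }

    // Shape of the Document::open() excerpt in the report. Returns false where the
    // original would dereference a null m_frame; recheckFrame adds a guard after stopCheck().
    bool open(bool recheckFrame) {
        if (!m_frame) return true;
        if (m_frame->policyChecker.delegateIsDecidingNavigationPolicy)
            m_frame->policyChecker.stopCheck();
        if (recheckFrame && !m_frame) return true; // frame went away in stopCheck(): nothing to stop
        if (!m_frame) return false;                // unguarded path: the nullptr deref at line 2647
        if (m_frame->provisional) m_frame->stopAllLoaders();
        return true;
    }
};

// Constructed scenario: a pending completion handler detaches the document during stopCheck().
bool openWithDetachingHandler(bool recheckFrame) {
    Frame frame;
    Document document;
    document.m_frame = &frame;
    frame.policyChecker.delegateIsDecidingNavigationPolicy = true;
    frame.policyChecker.willSubmitFormCompletionHandlers.push_back([&document] { document.detachFromFrame(); });
    return document.open(recheckFrame);
}
```

Without the re-check, openWithDetachingHandler(false) reports the would-be null dereference; with it, the function returns early because the detached document has no loaders left to stop.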
Comment 1 Ryosuke Niwa 2019-04-01 20:27:37 PDT
Created attachment 366464 [details]
Fixes the bug
Comment 2 Ryosuke Niwa 2019-04-01 23:44:47 PDT
Committed r243738: <https://trac.webkit.org/changeset/243738>