Bug 196479

Summary: Nullptr crash in Document::open after calling policyChecker().stopCheck()
Product: WebKit
Reporter: Ryosuke Niwa <rniwa>
Component: DOM
Assignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED
Severity: Normal
CC: achristensen, cdumez, esprehn+autocc, ews-watchlist, kangil.han, koivisto
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments:
  Fixes the bug (koivisto: review+)

Ryosuke Niwa
Reported 2019-04-01 20:25:22 PDT
WebCore`WebCore::Document::open(WebCore::Document*) + 210 at Document.cpp:2647

       2643         }
       2644
       2645         if (m_frame->loader().policyChecker().delegateIsDecidingNavigationPolicy())
       2646             m_frame->loader().policyChecker().stopCheck();
    -> 2647         if (m_frame->loader().state() == FrameStateProvisional)
       2648             m_frame->loader().stopAllLoaders();
       2649     }
       2650
       2651     removeAllEventListeners();

We can hit a nullptr crash here because m_frame->loader().policyChecker().stopCheck() invokes m_willSubmitFormCompletionHandlers, and that could clear the frame, etc...

<rdar://problem/48883397>
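The hazard described in the report, reduced to a small stand-alone model (an added example, not WebKit code and not the attached patch): stopCheck() runs queued completion handlers, one of which detaches the document's frame, and the code that follows dereferences m_frame without re-checking it. PolicyChecker, Frame, Document and scenario() are simplified stand-ins for the WebKit types; the hardened variant's re-check of m_frame after the handler-running call is one plausible mitigation and is an assumption here, not a statement of what the landed fix does.

```cpp
// Added example (not from the bug or the WebKit patch): minimal model of a
// member pointer being cleared by a re-entrant completion handler.
#include <functional>
#include <utility>
#include <vector>

// Stand-in for FrameLoader::policyChecker(): stopCheck() runs the queued
// "will submit form" completion handlers, which may run arbitrary code.
struct PolicyChecker {
    std::vector<std::function<void()>> willSubmitFormCompletionHandlers;
    bool delegateIsDecidingNavigationPolicy = false;
    void stopCheck() {
        auto handlers = std::move(willSubmitFormCompletionHandlers);
        willSubmitFormCompletionHandlers.clear();
        for (auto& handler : handlers)
            handler();  // may re-enter and clear Document::m_frame
    }
};

struct Frame {
    PolicyChecker checker;
    bool provisional = false;
    int stopAllLoadersCalls = 0;
    void stopAllLoaders() { ++stopAllLoadersCalls; }
};

struct Document {
    Frame* m_frame = nullptr;
    // Shape of the snippet in the report: m_frame is used again right after
    // stopCheck(). Returning false stands in for the null dereference.
    bool openUnsafe() {
        if (m_frame->checker.delegateIsDecidingNavigationPolicy)
            m_frame->checker.stopCheck();
        if (!m_frame)
            return false;  // real code would crash here
        if (m_frame->provisional)
            m_frame->stopAllLoaders();
        return true;
    }
    // Hardened shape (assumed mitigation): re-check m_frame after any call
    // that can run handlers, since they may have detached the frame.
    bool openSafe() {
        if (m_frame && m_frame->checker.delegateIsDecidingNavigationPolicy)
            m_frame->checker.stopCheck();
        if (m_frame && m_frame->provisional)
            m_frame->stopAllLoaders();
        return true;
    }
};

// Constructed scenario: a provisional frame whose completion handler
// optionally detaches it from the document mid-call.
bool scenario(bool hardened, bool handlerDetachesFrame) {
    Frame frame;
    frame.provisional = true;
    frame.checker.delegateIsDecidingNavigationPolicy = true;
    Document doc;
    doc.m_frame = &frame;
    if (handlerDetachesFrame)
        frame.checker.willSubmitFormCompletionHandlers.push_back([&] { doc.m_frame = nullptr; });
    return hardened ? doc.openSafe() : doc.openUnsafe();
}
```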
Attachments
  Fixes the bug (1.50 KB, patch), 2019-04-01 20:27 PDT, Ryosuke Niwa, koivisto: review+
Ryosuke Niwa
Comment 1 2019-04-01 20:27:37 PDT
Created attachment 366464: Fixes the bug
Ryosuke Niwa
Comment 2 2019-04-01 23:44:47 PDT