Bug 198006

Summary: [PSON] Assertion hit when navigating back after a process swap forced by the client
Product: WebKit Reporter: Chris Dumez <cdumez>
Component: WebKit2 Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED
Severity: Normal CC: achristensen, beidson, commit-queue, ggaren, koivisto, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments:
  Description  Flags
  Patch        none

Description Chris Dumez 2019-05-17 16:10:39 PDT
Assertion hit when navigating back after a process swap forced by the client:

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x00000000bbadbeef
Exception Note:        EXC_CORPSE_NOTIFY

Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   exc handler [62330]

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x000000010ff09dee WTFCrash + 14 (Assertions.cpp:305)
1   com.apple.WebKit              	0x000000011d25a2ab WTFCrashWithInfo(int, char const*, char const*, int) + 27
2   com.apple.WebKit              	0x000000011db047fc WebKit::ProvisionalPageProxy::didCreateMainFrame(unsigned long long) + 332 (ProvisionalPageProxy.cpp:199)
3   com.apple.WebKit              	0x000000011db2f18a void IPC::callMemberFunctionImpl<WebKit::ProvisionalPageProxy, void (WebKit::ProvisionalPageProxy::*)(unsigned long long), std::__1::tuple<unsigned long long>, 0ul>(WebKit::ProvisionalPageProxy*, void (WebKit::ProvisionalPageProxy::*)(unsigned long long), std::__1::tuple<unsigned long long>&&, std::__1::integer_sequence<unsigned long, 0ul>) + 154 (HandleMessage.h:42)
4   com.apple.WebKit              	0x000000011db2f0e0 void IPC::callMemberFunction<WebKit::ProvisionalPageProxy, void (WebKit::ProvisionalPageProxy::*)(unsigned long long), std::__1::tuple<unsigned long long>, std::__1::integer_sequence<unsigned long, 0ul> >(std::__1::tuple<unsigned long long>&&, WebKit::ProvisionalPageProxy*, void (WebKit::ProvisionalPageProxy::*)(unsigned long long)) + 112 (HandleMessage.h:48)
5   com.apple.WebKit              	0x000000011db079ae void IPC::handleMessage<Messages::WebPageProxy::DidCreateMainFrame, WebKit::ProvisionalPageProxy, void (WebKit::ProvisionalPageProxy::*)(unsigned long long)>(IPC::Decoder&, WebKit::ProvisionalPageProxy*, void (WebKit::ProvisionalPageProxy::*)(unsigned long long)) + 238 (HandleMessage.h:121)
6   com.apple.WebKit              	0x000000011db06915 WebKit::ProvisionalPageProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) + 2021 (ProvisionalPageProxy.cpp:439)
7   com.apple.WebKit              	0x000000011d330869 IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) + 313 (MessageReceiverMap.cpp:124)
8   com.apple.WebKit              	0x000000011dadf804 WebKit::AuxiliaryProcessProxy::dispatchMessage(IPC::Connection&, IPC::Decoder&) + 52 (AuxiliaryProcessProxy.cpp:155)
9   com.apple.WebKit              	0x000000011dd9381a WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) + 58 (WebProcessProxy.cpp:629)
10  com.apple.WebKit              	0x000000011d2b4679 IPC::Connection::dispatchMessage(IPC::Decoder&) + 473 (Connection.cpp:984)
11  com.apple.WebKit              	0x000000011d2ac932 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) + 370
12  com.apple.WebKit              	0x000000011d2b344b IPC::Connection::dispatchIncomingMessages() + 1067 (Connection.cpp:1114)
13  com.apple.WebKit              	0x000000011d2d67e5 IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14::operator()() + 69 (Connection.cpp:959)
14  com.apple.WebKit              	0x000000011d2d6719 WTF::Detail::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14, void>::call() + 25 (Function.h:52)
15  com.apple.JavaScriptCore      	0x000000010ff3456a WTF::Function<void ()>::operator()() const + 138 (Function.h:79)
16  com.apple.JavaScriptCore      	0x000000010ff96fa3 WTF::RunLoop::performWork() + 211 (RunLoop.cpp:107)
17  com.apple.JavaScriptCore      	0x000000010ff978fe WTF::RunLoop::performWork(void*) + 30 (RunLoopCF.cpp:39)
18  com.apple.CoreFoundation      	0x00007fff34294752 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
19  com.apple.CoreFoundation      	0x00007fff342946e2 __CFRunLoopDoSource0 + 112
20  com.apple.CoreFoundation      	0x00007fff34277f1b __CFRunLoopDoSources0 + 209
21  com.apple.CoreFoundation      	0x00007fff3427751e __CFRunLoopRun + 1272
22  com.apple.CoreFoundation      	0x00007fff34276da1 CFRunLoopRunSpecific + 499
23  com.apple.HIToolbox           	0x00007fff32ec726d RunCurrentEventLoopInMode + 292
24  com.apple.HIToolbox           	0x00007fff32ec6fae ReceiveNextEventCommon + 600
25  com.apple.HIToolbox           	0x00007fff32ec6d38 _BlockUntilNextEventMatchingListInModeWithFilter + 64
26  com.apple.AppKit              	0x00007fff315569a8 _DPSNextEvent + 990
27  com.apple.AppKit              	0x00007fff31555710 -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 1325
Comment 1 Chris Dumez 2019-05-21 15:27:37 PDT
Created attachment 370347 [details]
Patch
Comment 2 WebKit Commit Bot 2019-05-21 16:44:22 PDT
Comment on attachment 370347 [details]
Patch

Clearing flags on attachment: 370347

Committed r245601: <https://trac.webkit.org/changeset/245601>
Comment 3 WebKit Commit Bot 2019-05-21 16:44:23 PDT
All reviewed patches have been landed.  Closing bug.
Comment 4 Radar WebKit Bug Importer 2019-05-21 16:45:22 PDT
<rdar://problem/51006852>