Bug 204459

Summary: Crash in com.apple.WebKit.WebContent at WebKit: WebKit::StorageAreaMap::loadValuesIfNeeded
Product: WebKit Reporter: Sihui Liu <sihui_liu>
Component: New Bugs Assignee: Sihui Liu <sihui_liu>
Status: RESOLVED FIXED
Severity: Normal CC: commit-queue, ggaren, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments:
Description          Flags
Patch                none
Patch for landing    none

Description Sihui Liu 2019-11-21 10:28:34 PST
0   WebKit                        	0x00000001abdaa0bc WebKit::StorageAreaMap::loadValuesIfNeeded() + 276 (Optional.h:529)
1   WebKit                        	0x00000001abda9ff0 WebKit::StorageAreaMap::loadValuesIfNeeded() + 72 (StorageAreaMap.cpp:168)
2   WebKit                        	0x00000001abda97cc WebKit::StorageAreaImpl::item(WTF::String const&) + 48 (StorageAreaMap.cpp:88)
3   WebCore                       	0x00000001ac64df8c WebCore::JSStorage::getOwnPropertySlot(JSC::JSObject*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::PropertySlot&) + 112 (JSStorage.cpp:167)
4   JavaScriptCore                	0x00000001b424b300 llint_slow_path_get_by_id + 3988 (JSObjectInlines.h:160)
5   JavaScriptCore                	0x00000001b3bfa254 llint_entry + 41460
6   JavaScriptCore                	0x00000001b3c0e2d8 llint_entry + 123512
7   JavaScriptCore                	0x00000001b3c0e2d8 llint_entry + 123512
8   JavaScriptCore                	0x00000001b3c0e2d8 llint_entry + 123512
9   JavaScriptCore                	0x00000001b3c0e2d8 llint_entry + 123512
10  JavaScriptCore                	0x00000001b3befe18 vmEntryToJavaScript + 248
11  JavaScriptCore                	0x00000001b418ac5c JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 428 (JITCodeInlines.h:38)
12  JavaScriptCore                	0x00000001b43779b0 JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 184 (CallData.cpp:59)
13  WebCore                       	0x00000001acba754c WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 1280 (JSExecState.h:73)
Comment 1 Sihui Liu 2019-11-21 10:30:56 PST
Created attachment 384066 [details]
Patch
Comment 2 Sihui Liu 2019-11-21 10:32:26 PST
<rdar://problem/57383446>
Comment 3 Geoffrey Garen 2019-11-21 10:47:18 PST
Comment on attachment 384066 [details]
Patch

r=me

Perhaps we should null check m_storageMapID in other functions too. That said, there's no obviously correct behavior in this surprising situation.
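The trace above ends in Optional.h inside loadValuesIfNeeded(), and the review comment suggests null-checking m_storageMapID before it is used. The following is an added, hypothetical C++17 model of that pattern; it is not WebKit's StorageAreaMap code and the class name StorageAreaMapModel, the member names and the fetchFromStorageManager() stand-in are assumptions made here for illustration. It contrasts an unguarded optional dereference (the shape of the crash) with the guarded version, where a missing map ID makes item() return no value instead of tripping the optional's assertion.

```cpp
#include <cstdint>
#include <map>
#include <optional>
#include <string>

// Hypothetical stand-in for the class named in the crash trace. Only the
// shape of the bug is modelled; this is not WebKit's StorageAreaMap.
class StorageAreaMapModel {
public:
    explicit StorageAreaMapModel(std::optional<uint64_t> storageMapID)
        : m_storageMapID(storageMapID) {}

    // Unguarded form: dereferencing a disengaged optional is undefined
    // behaviour for std::optional and an assertion failure for WTF::Optional,
    // which matches the Optional.h frame at the top of the trace.
    // Kept for contrast; the lookup path below never calls it.
    uint64_t loadValuesUnchecked() {
        return *m_storageMapID; // crashes/asserts when no map ID was assigned
    }

    // Guarded form: the null check the review comment proposes. Returns false
    // when there is no map ID to load from, leaving m_values untouched.
    bool loadValuesIfNeeded() {
        if (m_didLoadValues)
            return true;
        if (!m_storageMapID)
            return false;
        m_values = fetchFromStorageManager(*m_storageMapID);
        m_didLoadValues = true;
        return true;
    }

    // Equivalent of StorageAreaImpl::item(): a missing map ID now yields
    // "no value" instead of a crash.
    std::optional<std::string> item(const std::string& key) {
        if (!loadValuesIfNeeded())
            return std::nullopt;
        auto it = m_values.find(key);
        if (it == m_values.end())
            return std::nullopt;
        return it->second;
    }

private:
    // Constructed sample data standing in for the IPC round trip that would
    // normally populate the map; assumption for this example only.
    std::map<std::string, std::string> fetchFromStorageManager(uint64_t id) {
        return {{"id", std::to_string(id)}, {"theme", "dark"}};
    }

    std::optional<uint64_t> m_storageMapID;
    std::map<std::string, std::string> m_values;
    bool m_didLoadValues = false;
};

// Named entry points so the behaviour can be checked without printing.
bool itemLookupSurvivesMissingMapID() {
    StorageAreaMapModel map(std::nullopt); // the surprising state from the bug
    return !map.item("theme").has_value();
}

std::string itemLookupWithMapID() {
    StorageAreaMapModel map(42); // constructed sample ID
    auto value = map.item("theme");
    return value ? *value : std::string();
}
```

The guard turns the disengaged-optional case into an ordinary "no data" result, which is the conservative choice when, as the comment notes, there is no obviously correct behaviour for the situation.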
Comment 4 Sihui Liu 2019-11-21 16:47:04 PST
Created attachment 384105 [details]
Patch for landing
Comment 5 WebKit Commit Bot 2019-11-21 17:32:45 PST
Comment on attachment 384105 [details]
Patch for landing

Clearing flags on attachment: 384105

Committed r252757: <https://trac.webkit.org/changeset/252757>
Comment 6 WebKit Commit Bot 2019-11-21 17:32:46 PST
All reviewed patches have been landed.  Closing bug.