Bug 205506

Summary: [iOS Debug] imported/w3c/web-platform-tests/html/dom/usvstring-reflection.https.html is crashing
Product: WebKit
Reporter: Chris Dumez <cdumez>
Component: Page Loading
Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED
Severity: Normal
CC: achristensen, beidson, commit-queue, darin, dbates, ews-watchlist, ggaren, japhet, thorton, tsavell, webkit-bug-importer, wenson_hsieh
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments: Patch (flags: none)

Chris Dumez
Reported 2019-12-20 09:16:53 PST
imported/w3c/web-platform-tests/html/dom/usvstring-reflection.https.html is crashing in iOS debug since it was imported in r253791:

ASSERTION FAILED: !m_uncommittedState.url.isEmpty()
/Volumes/Data/slave/ios-simulator-13-debug/build/Source/WebKit/UIProcess/PageLoadState.cpp(339) : void WebKit::PageLoadState::didSameDocumentNavigation(const Transaction::Token &, const WTF::String &)
1   0x110955d59 WTFCrash
2   0x117b0e83b WTFCrashWithInfo(int, char const*, char const*, int)
3   0x11843f976 WebKit::PageLoadState::didSameDocumentNavigation(WebKit::PageLoadState::Transaction::Token const&, WTF::String const&)
4   0x1185ba2a1 WebKit::WebPageProxy::didSameDocumentNavigationForFrame(WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, unsigned long long, unsigned int, WTF::URL&&, WebKit::UserData const&)
5   0x11907ab17 void IPC::callMemberFunctionImpl<WebKit::WebPageProxy, void (WebKit::WebPageProxy::*)(WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, unsigned long long, unsigned int, WTF::URL&&, WebKit::UserData const&), std::__1::tuple<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, unsigned long long, unsigned int, WTF::URL, WebKit::UserData>, 0ul, 1ul, 2ul, 3ul, 4ul>(WebKit::WebPageProxy*, void (WebKit::WebPageProxy::*)(WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, unsigned long long, unsigned int, WTF::URL&&, WebKit::UserData const&), std::__1::tuple<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, unsigned long long, unsigned int, WTF::URL, WebKit::UserData>&&, std::__1::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul, 4ul>)
6   0x119078890 void IPC::callMemberFunction<WebKit::WebPageProxy, void (WebKit::WebPageProxy::*)(WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, unsigned long long, unsigned int, WTF::URL&&, WebKit::UserData const&), std::__1::tuple<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, unsigned long long, unsigned int, WTF::URL, WebKit::UserData>, std::__1::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul, 4ul> >(std::__1::tuple<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, unsigned long long, unsigned int, WTF::URL, WebKit::UserData>&&, WebKit::WebPageProxy*, void (WebKit::WebPageProxy::*)(WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, unsigned long long, unsigned int, WTF::URL&&, WebKit::UserData const&))
7   0x1190442ff void IPC::handleMessage<Messages::WebPageProxy::DidSameDocumentNavigationForFrame, WebKit::WebPageProxy, void (WebKit::WebPageProxy::*)(WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, unsigned long long, unsigned int, WTF::URL&&, WebKit::UserData const&)>(IPC::Decoder&, WebKit::WebPageProxy*, void (WebKit::WebPageProxy::*)(WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, unsigned long long, unsigned int, WTF::URL&&, WebKit::UserData const&))
8   0x119039680 WebKit::WebPageProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&)
9   0x117bea259 IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&)
10  0x1183f3914 WebKit::AuxiliaryProcessProxy::dispatchMessage(IPC::Connection&, IPC::Decoder&)
11  0x1186b6eaa WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&)
12  0x117b7d879 IPC::Connection::dispatchMessage(IPC::Decoder&)
13  0x117b7e1e1 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)
14  0x117b7c8eb IPC::Connection::dispatchIncomingMessages()
15  0x117b9b225 IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_7::operator()()
16  0x117b9b159 WTF::Detail::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_7, void>::call()
17  0x11097ffea WTF::Function<void ()>::operator()() const
18  0x1109eed93 WTF::RunLoop::performWork()
19  0x1109f04be WTF::RunLoop::performWork(void*)
20  0x7fff23b0d271 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__
21  0x7fff23b0d19c __CFRunLoopDoSource0
22  0x7fff23b0c974 __CFRunLoopDoSources0
23  0x7fff23b0767f __CFRunLoopRun
24  0x7fff23b06e66 CFRunLoopRunSpecific
25  0x7fff2569694f -[NSRunLoop(NSRunLoop) runMode:beforeDate:]
26  0x10faee380 WTR::TestController::platformRunUntil(bool&, WTF::Seconds)
27  0x10faaddcf WTR::TestController::runUntil(bool&, WTF::Seconds)
28  0x10faf2eec WTR::TestInvocation::invoke()
29  0x10fab7858 WTR::TestController::runTest(char const*)
30  0x10fab8296 WTR::TestController::runTestingServerLoop()
31  0x10faae807 WTR::TestController::run()
Attachments
Patch (6.94 KB, patch)
2019-12-20 12:04 PST, Chris Dumez
no flags
Chris Dumez
Comment 1 2019-12-20 10:13:19 PST
Radar WebKit Bug Importer
Comment 2 2019-12-20 10:14:21 PST
Chris Dumez
Comment 3 2019-12-20 10:15:23 PST
Reopening since I merely updated TestExpectations.
Chris Dumez
Comment 4 2019-12-20 10:32:48 PST
It is this particular subtest that is crashing in iOS debug:

    test(() => {
        var w = document.open("about:blank#\uD800", "", "");
        assert_equals(w.location.hash, '#%EF%BF%BD');
    }, "document.open : unpaired surrogate codepoint should be replaced with U+FFFD");
Chris Dumez
Comment 5 2019-12-20 10:42:50 PST
Actually, this one is crashing:

    test(() => {
        location.hash = '\uD999';
        assert_equals(location.hash, '#%EF%BF%BD');
    }, "location.hash : unpaired surrogate codepoint should be replaced with U+FFFD");

0x7fb4f30188c0 - didStartProvisionalLoad(about:blank)
0x7fb4f30188c0 - didCommitLoad() m_uncommittedState.provisionalURL is about:blank
0x7fb4f30188c0 - didStartProvisionalLoad(https://localhost:9443/html/dom/usvstring-reflection.https.html)
0x7fb4f30188c0 - didCommitLoad() m_uncommittedState.provisionalURL is https://localhost:9443/html/dom/usvstring-reflection.https.html
0x7fb4f402a2c0 - didSameDocumentNavigation(about:blank#%EF%BF%BD) m_uncommittedState.url is
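The value both subtests expect, `#%EF%BF%BD`, comes from USVString conversion followed by UTF-8 percent-encoding of the fragment. The sketch below is an added example, not part of the bug thread and not WebKit code; `toUSVString`, `encodeFragment` and `hashFor` are hypothetical names, and the encode set is the URL Standard's fragment percent-encode set as assumed here.

```javascript
// Added example: models why '\uD999' and '\uD800' both serialize to
// '#%EF%BF%BD'. Function names are hypothetical, not WebKit APIs.

// Replace each unpaired surrogate code unit with U+FFFD; keep valid pairs.
function toUSVString(s) {
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    if (c >= 0xd800 && c <= 0xdbff) {
      // High surrogate: valid only when a low surrogate follows.
      const next = i + 1 < s.length ? s.charCodeAt(i + 1) : 0;
      if (next >= 0xdc00 && next <= 0xdfff) {
        out += s[i] + s[i + 1];
        i++;
      } else {
        out += "\uFFFD";
      }
    } else if (c >= 0xdc00 && c <= 0xdfff) {
      out += "\uFFFD"; // low surrogate with no preceding high surrogate
    } else {
      out += s[i];
    }
  }
  return out;
}

// ASCII members of the fragment percent-encode set: space " < > `
const FRAGMENT_ASCII = new Set([0x20, 0x22, 0x3c, 0x3e, 0x60]);

// Percent-encode C0 controls, the set above and everything past U+007E.
function encodeFragment(s) {
  const utf8 = new TextEncoder();
  let out = "";
  for (const ch of toUSVString(s)) { // iterates by code point
    const cp = ch.codePointAt(0);
    if (cp <= 0x1f || cp > 0x7e || FRAGMENT_ASCII.has(cp)) {
      for (const b of utf8.encode(ch)) {
        out += "%" + b.toString(16).toUpperCase().padStart(2, "0");
      }
    } else {
      out += ch;
    }
  }
  return out;
}

function hashFor(fragment) {
  return "#" + encodeFragment(fragment);
}
```

Lone high and lone low surrogates collapse to the same three bytes, so code that compares the raw input with the serialized URL will see them differ.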
Chris Dumez
Comment 6 2019-12-20 10:47:42 PST
So on macOS I see:

0x7fd59a826868 - didStartProvisionalLoad(about:blank#%EF%BF%BD)
0x7fd59a826868 - didCommitLoad() m_uncommittedState.provisionalURL is about:blank#%EF%BF%BD

on iOS I see:

0x7fce5d815ec0 - didSameDocumentNavigation(about:blank#%EF%BF%BD) m_uncommittedState.url is
Chris Dumez
Comment 7 2019-12-20 10:55:56 PST
Appears to be caused by this IOS_FAMILY specific code:

    #if PLATFORM(IOS_FAMILY)
        if (m_frame.document()->url().isEmpty()) {
            // We need to update the document URL of a PDF document to be non-empty so that both back/forward history navigation
            // between PDF pages and fragment navigation works. See <rdar://problem/9544769> for more details.
            // FIXME: Is there a better place for this code, say DocumentLoader? Also, we should explicitly only update the URL
            // of the document when it's a PDFDocument object instead of assuming that a Document object with an empty URL is a PDFDocument.
            // FIXME: This code is incorrect for a synthesized document (which also has an empty URL). The URL for a synthesized
            // document should be the URL specified to FrameLoader::initForSynthesizedDocument().
            m_frame.document()->setURL(activeDocumentLoader()->documentURL());
        }
    #endif

in FrameLoader::checkCompleted().
Chris Dumez
Comment 8 2019-12-20 12:04:11 PST
WebKit Commit Bot
Comment 9 2019-12-20 17:14:01 PST
Comment on attachment 386235
Patch

Clearing flags on attachment: 386235

Committed r253856: <https://trac.webkit.org/changeset/253856>
WebKit Commit Bot
Comment 10 2019-12-20 17:14:03 PST
All reviewed patches have been landed. Closing bug.