Bug 223536

Summary: Crash in DocumentLoader::urlForHistory
Product: WebKit
Reporter: Ali Juma <ajuma>
Component: Page Loading
Assignee: Rob Buis <rbuis>
Status: RESOLVED FIXED
Severity: Normal
CC: achristensen, beidson, bfulgham, cdumez, cgarcia, darin, ews-feeder, ews-watchlist, fred.wang, gpoo, japhet, rbuis, rniwa, rohitrao, svillar, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments (description, flags):
Minimal test case, flags: none
Patch (14 revisions), flags: none

Ali Juma
Reported 2021-03-19 14:02:18 PDT
Created attachment 423773 [details]
Minimal test case

Filing this as a security bug since it was found using a fuzzer; there's no disclosure deadline for this bug.

This reproduces in an ASan build of WebKitTestRunner.

Stack:

=================================================================
==60651==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000160 (pc 0x0001cb35843d bp 0x7ffeec11d630 sp 0x7ffeec11d630 T0)
==60651==The signal is caused by a READ memory access.
==60651==Hint: address points to the zero page.
    #0 0x1cb35843c in WTF::RefPtr<WebCore::SharedBuffer, WTF::RawPtrTraits<WebCore::SharedBuffer>, WTF::DefaultRefDerefTraits<WebCore::SharedBuffer> >::operator void (WTF::RefPtr<WebCore::SharedBuffer, WTF::RawPtrTraits<WebCore::SharedBuffer>, WTF::DefaultRefDerefTraits<WebCore::SharedBuffer> >::*)() const() const (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x395043c)
    #1 0x1cb358268 in WebCore::SubstituteData::isValid() const (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3950268)
    #2 0x1cbc75bbe in WebCore::DocumentLoader::urlForHistory() const (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x426dbbe)
    #3 0x1cbcff641 in WebCore::FrameLoader::HistoryController::updateForStandardLoad(WebCore::FrameLoader::HistoryController::HistoryUpdateType) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42f7641)
    #4 0x1cbcfd4ff in WebCore::FrameLoader::transitionToCommitted(WebCore::CachedPage*) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42f54ff)
    #5 0x1cbcfbac2 in WebCore::FrameLoader::commitProvisionalLoad() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42f3ac2)
    #6 0x1cbc68975 in WebCore::DocumentLoader::finishedLoading() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4260975)
    #7 0x1cbc77354 in WebCore::DocumentLoader::maybeLoadEmpty() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x426f354)
    #8 0x1cbc7769d in WebCore::DocumentLoader::startLoadingMainResource() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x426f69d)
    #9 0x1cbd2d8eb in WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL)::$_11::operator()() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x43258eb)
    #10 0x1c7a97fee in WTF::CompletionHandler<void ()>::operator()() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x8ffee)
    #11 0x1cbcf6e44 in WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42eee44)
    #12 0x1cbd2a595 in WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WebCore::AllowNavigationToInvalidURL, WTF::CompletionHandler<void ()>&&)::$_8::operator()(WebCore::ResourceRequest const&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4322595)
    #13 0x1cbd58980 in WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision)>::operator()(WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4350980)
    #14 0x1cbd6b359 in WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WebCore::DocumentLoader*, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision)>&&, WebCore::PolicyDecisionMode)::$_3::operator()(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4363359)
    #15 0x1cbd698d8 in WTF::Detail::CallableWrapper<WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WebCore::DocumentLoader*, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision)>&&, WebCore::PolicyDecisionMode)::$_3, void, WebCore::PolicyAction, WebCore::PolicyCheckIdentifier>::call(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x43618d8)
    #16 0x1ba25ebee in WTF::Function<void (WebCore::PolicyAction, WebCore::PolicyCheckIdentifier)>::operator()(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) const (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x225ebee)
    #17 0x1ba261467 in WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction(WebCore::NavigationAction const&, WebCore::ResourceRequest const&, WebCore::ResourceResponse const&, WebCore::FormState*, WebCore::PolicyDecisionMode, WebCore::PolicyCheckIdentifier, WTF::Function<void (WebCore::PolicyAction, WebCore::PolicyCheckIdentifier)>&&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x2261467)
    #18 0x1cbd57d17 in WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WebCore::DocumentLoader*, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision)>&&, WebCore::PolicyDecisionMode) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x434fd17)
    #19 0x1cbcf5774 in WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WebCore::AllowNavigationToInvalidURL, WTF::CompletionHandler<void ()>&&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42ed774)
    #20 0x1cbcee285 in WebCore::FrameLoader::load(WebCore::DocumentLoader&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42e6285)
    #21 0x1cbcf4062 in WebCore::FrameLoader::load(WebCore::FrameLoadRequest&&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42ec062)
    #22 0x1ba50f515 in WebKit::WebPage::loadRequest(WebKit::LoadParameters&&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x250f515)
    #23 0x1ba59bb69 in void IPC::handleMessage<Messages::WebPage::LoadRequest, WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::LoadParameters&&)>(IPC::Decoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::LoadParameters&&)) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x259bb69)
    #24 0x1ba595542 in WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection&, IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x2595542)
    #25 0x1b85b6d3a in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x5b6d3a)
    #26 0x1b9d94ab5 in WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x1d94ab5)
    #27 0x1b808c399 in IPC::Connection::dispatchMessage(IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x8c399)
    #28 0x1b808cdf6 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x8cdf6)
    #29 0x1b808d9bb in IPC::Connection::dispatchOneIncomingMessage() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x8d9bb)
    #30 0x1e59062ec in WTF::RunLoop::performWork() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xce2ec)
    #31 0x1e5909995 in WTF::RunLoop::performWork(void*) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xd1995)
    #32 0x7fff2dfce883 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x84883)
    #33 0x7fff2dfce822 in __CFRunLoopDoSource0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x84822)
    #34 0x7fff2dfce63c in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x8463c)
    #35 0x7fff2dfcd358 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x83358)
    #36 0x7fff2dfcc952 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x82952)
    #37 0x7fff3068a1c7 in -[NSRunLoop(NSRunLoop) runMode:beforeDate:] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x601c7)
    #38 0x7fff3073cc6e in -[NSRunLoop(NSRunLoop) run] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x112c6e)
    #39 0x7fff681a94e9 in _xpc_objc_main.cold.4 (/usr/lib/system/libxpc.dylib:x86_64+0x164e9)
    #40 0x7fff681a942f in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x1642f)
    #41 0x7fff681a8f62 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0x15f62)
    #42 0x1b8ef6923 in WebKit::XPCServiceMain(int, char const**) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0xef6923)
    #43 0x7fff67f57cc8 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1acc8)

==60651==Register values:
rax = 0x000000000000002c  rbx = 0x0000000000000000  rcx = 0x000010000000002c  rdx = 0x00001c2400006dcc
rdi = 0x0000000000000160  rsi = 0x0000000000000000  rbp = 0x00007ffeec11d630  rsp = 0x00007ffeec11d630
r8  = 0x000000000000000f  r9  = 0x0000000000000001  r10 = 0x0000000000000030  r11 = 0x00000000000a0006
r12 = 0x00001fffdd823ad0  r13 = 0x00007ffeec11d6a0  r14 = 0x00007ffeec11d6a0  r15 = 0x0000000000000160
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x395043c) in WTF::RefPtr<WebCore::SharedBuffer, WTF::RawPtrTraits<WebCore::SharedBuffer>, WTF::DefaultRefDerefTraits<WebCore::SharedBuffer> >::operator void (WTF::RefPtr<WebCore::SharedBuffer, WTF::RawPtrTraits<WebCore::SharedBuffer>, WTF::DefaultRefDerefTraits<WebCore::SharedBuffer> >::*)() const() const
Attachments
Minimal test case (1.89 KB, text/html)
2021-03-19 14:02 PDT, Ali Juma
no flags
Patch (4.90 KB, patch)
2021-04-09 13:02 PDT, Rob Buis
no flags
Patch (4.89 KB, patch)
2021-04-09 13:15 PDT, Rob Buis
no flags
Patch (5.60 KB, patch)
2021-04-10 00:56 PDT, Rob Buis
no flags
Patch (1.28 KB, patch)
2021-04-14 02:27 PDT, Rob Buis
no flags
Patch (3.26 KB, patch)
2021-04-14 08:33 PDT, Rob Buis
no flags
Patch (12.66 KB, patch)
2021-04-16 06:46 PDT, Rob Buis
no flags
Patch (12.71 KB, patch)
2021-04-17 12:31 PDT, Rob Buis
no flags
Patch (12.63 KB, patch)
2022-01-31 02:04 PST, Rob Buis
no flags
Patch (12.58 KB, patch)
2022-01-31 03:25 PST, Rob Buis
no flags
Patch (12.58 KB, patch)
2022-01-31 06:30 PST, Rob Buis
no flags
Patch (12.63 KB, patch)
2022-01-31 07:15 PST, Rob Buis
no flags
Patch (12.73 KB, patch)
2022-01-31 09:01 PST, Rob Buis
no flags
Patch (12.74 KB, patch)
2022-02-01 04:43 PST, Rob Buis
no flags
Patch (4.67 KB, patch)
2022-02-04 08:28 PST, Rob Buis
no flags
Patch (1.81 KB, patch)
2022-02-10 09:01 PST, Rob Buis
no flags
Radar WebKit Bug Importer
Comment 1 2021-03-19 14:02:28 PDT
Rob Buis
Comment 2 2021-04-08 12:51:16 PDT
Reduced test:

<script id="script">
function jsfuzzer() {
    document.createElement("audio").load();
    window.stop();
}
function eventhandler() {
    script.appendChild(iframe);
    document.onreadystatechange = eventhandler;
}
</script>
<body onload=jsfuzzer()>
<iframe id="iframe" onload="eventhandler()" srcdoc="foo"></iframe>
</body>
Rob Buis
Comment 3 2021-04-09 13:02:59 PDT
Chris Dumez
Comment 4 2021-04-09 13:06:08 PDT
Comment on attachment 425643 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=425643&action=review

> Source/WebCore/loader/HistoryController.cpp:386
> +    auto historyURL = frameLoader.documentLoader() ? m_frame.loader().documentLoader()->urlForHistory() : URL { };

m_frame.loader() -> frameLoader
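The line under review guards the history URL lookup against a missing document loader, which is the state the reduced test case in comment 2 reaches by calling window.stop() while a load is being committed (frame #3 of the ASan trace). The C++ below is an added example written for this page, not WebKit code: FrameLoader, DocumentLoader and SubstituteData are cut-down stand-ins, the sample URL is constructed, and the two history functions show the unguarded and guarded shapes side by side.

```cpp
// Added example, not WebKit code: a minimal model of why the history update
// must tolerate a null DocumentLoader after a mid-load window.stop().
#include <cstdio>
#include <memory>
#include <string>
#include <utility>

namespace loadermodel {

// Stand-in for WebCore::SubstituteData. The real one wraps a RefPtr<SharedBuffer>;
// its isValid() is the first field read through `this` in the crashing frame #1.
struct SubstituteData {
    const char* content = nullptr;
    bool isValid() const { return content != nullptr; }
};

// Stand-in for WebCore::DocumentLoader: only what urlForHistory() needs.
class DocumentLoader {
public:
    explicit DocumentLoader(std::string url) : m_url(std::move(url)) { }

    std::string urlForHistory() const
    {
        if (m_substituteData.isValid())
            return std::string();   // substitute documents get no history URL
        return m_url;
    }

private:
    std::string m_url;
    SubstituteData m_substituteData;
};

// Stand-in for WebCore::FrameLoader: owns the document loader and can drop it
// mid-load, which is what window.stop() in the reduced test case achieves.
class FrameLoader {
public:
    void startLoad(std::string url) { m_documentLoader = std::make_unique<DocumentLoader>(std::move(url)); }
    void stopAllLoaders() { m_documentLoader.reset(); }   // effect of window.stop()
    DocumentLoader* documentLoader() const { return m_documentLoader.get(); }

private:
    std::unique_ptr<DocumentLoader> m_documentLoader;
};

// Unguarded form: with a null loader this is the zero-page read ASan reported
// (null `this` plus the offset of the first member touched). Never call it
// while a stop may have cleared the loader; it is kept here only for contrast.
std::string historyURLUnguarded(const FrameLoader& frameLoader)
{
    return frameLoader.documentLoader()->urlForHistory();
}

// Guarded form, in the shape of the reviewed line: empty URL instead of a deref.
std::string historyURLGuarded(const FrameLoader& frameLoader)
{
    return frameLoader.documentLoader() ? frameLoader.documentLoader()->urlForHistory() : std::string();
}

// Drives the sequence from the reduced test case: a load starts, optionally a
// script handler stops it before the history update runs, then the guarded
// history update executes. Returns the URL the history entry would record.
std::string historyURLAfterSequence(bool stopBeforeCommit)
{
    FrameLoader frameLoader;
    frameLoader.startLoad("https://example.test/page");   // constructed sample URL
    if (stopBeforeCommit)
        frameLoader.stopAllLoaders();
    return historyURLGuarded(frameLoader);
}

} // namespace loadermodel

int main()
{
    std::printf("without stop: '%s'\n", loadermodel::historyURLAfterSequence(false).c_str());
    std::printf("after stop:   '%s'\n", loadermodel::historyURLAfterSequence(true).c_str());
    return 0;
}
```

The fault address in the report (0x160, "address points to the zero page") is the signature of a member read through a null object pointer; that is what the ternary on the reviewed line prevents.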
Rob Buis
Comment 5 2021-04-09 13:15:14 PDT
Ryosuke Niwa
Comment 6 2021-04-09 16:47:03 PDT
Comment on attachment 425645 [details] Patch Hm... new assertion failure in fast/loader/crash-replacing-location-before-load.html seems like a real regression.
Rob Buis
Comment 7 2021-04-10 00:56:58 PDT
Ryosuke Niwa
Comment 8 2021-04-10 21:30:07 PDT
Comment on attachment 425679 [details]
Patch

New test is hitting this assertion:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore    0x000000010f96e39e WTFCrash + 14 (Assertions.cpp:305)
1   com.apple.WebKitLegacy      0x000000014b15f0eb WTFCrashWithInfo(int, char const*, char const*, int) + 27
2   com.apple.WebKitLegacy      0x000000014b341898 -[WebHTMLView setDataSource:] + 104 (WebHTMLView.mm:4669)
3   com.apple.WebKitLegacy      0x000000014b2fa436 WebFrameLoaderClient::transitionToCommittedForNewPage() + 1526 (WebFrameLoaderClient.mm:1474)
4   com.apple.WebCore           0x0000000134cf0f8e WebCore::FrameLoader::transitionToCommitted(WebCore::CachedPage*) + 1982
5   com.apple.WebCore           0x0000000134cefc37 WebCore::FrameLoader::commitProvisionalLoad() + 1191
6   com.apple.WebCore           0x0000000134c625bc WebCore::DocumentLoader::commitIfReady() + 60 (DocumentLoader.cpp:400)
7   com.apple.WebCore           0x0000000134c62d80 WebCore::DocumentLoader::finishedLoading() + 304 (DocumentLoader.cpp:465)
8   com.apple.WebCore           0x0000000134c6e901 WebCore::DocumentLoader::maybeLoadEmpty() + 1073 (DocumentLoader.cpp:1891)
9   com.apple.WebCore           0x0000000134c6ea85 WebCore::DocumentLoader::startLoadingMainResource() + 357 (DocumentLoader.cpp:1904)
10  com.apple.WebCore           0x0000000134d1e96c WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL)::$_11::operator()() + 1612
Rob Buis
Comment 9 2021-04-14 02:27:59 PDT
Rob Buis
Comment 10 2021-04-14 08:33:17 PDT
Alex Christensen
Comment 11 2021-04-14 15:30:51 PDT
Comment on attachment 425986 [details]
Patch

This seems fine.
Rob Buis
Comment 12 2021-04-16 06:46:31 PDT
Rob Buis
Comment 13 2021-04-17 12:31:20 PDT
Ryosuke Niwa
Comment 14 2021-04-24 16:12:41 PDT
Looks like fast/loader/commit-provisional-load-crash.html is timing out on Windows?
Rob Buis
Comment 15 2021-08-24 05:34:42 PDT
(In reply to Ryosuke Niwa from comment #14)
> Looks like fast/loader/commit-provisional-load-crash.html is timing out on
> Windows?

This is probably better checked by someone at Apple, I don't have much Windows expertise. OTOH there was a Windows-specific bug that destabilized many network-related tests, so if people think this is one of those cases, I could add the test as skipped on Win? Of course this supposes the approach taken by the patch is okay.
Rob Buis
Comment 16 2022-01-31 02:04:17 PST
Rob Buis
Comment 17 2022-01-31 03:25:36 PST
Rob Buis
Comment 18 2022-01-31 06:30:03 PST
Rob Buis
Comment 19 2022-01-31 07:15:46 PST
Rob Buis
Comment 20 2022-01-31 09:01:51 PST
Rob Buis
Comment 21 2022-02-01 04:43:53 PST
Brent Fulgham
Comment 22 2022-02-01 09:08:07 PST
Comment on attachment 450517 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=450517&action=review

> Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:542
> +{

It seems like this should send a WebPageProxy message so that the UIProcess can clear m_provisionalURL, like you do in WebKitLegacy. Or is that not needed for some reason?
Darin Adler
Comment 23 2022-02-03 04:12:03 PST
Comment on attachment 450517 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=450517&action=review

> Source/WebKitLegacy/mac/WebCoreSupport/WebFrameLoaderClient.mm:678
> +    m_webFrame->_private->provisionalURL = nullptr;

Related to Brent's question: How is this tested? What test will fail if we remove this line of code?
Rob Buis
Comment 24 2022-02-04 08:28:13 PST
Darin Adler
Comment 25 2022-02-04 09:01:37 PST
Comment on attachment 450901 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=450901&action=review

> Source/WebCore/loader/FrameLoader.cpp:1830
> +    m_inStopForBackForwardCache = true;

Can this function be re-re-entered? Should we add an assertion or early return for that case?
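An early return guarded by a scope-bound flag is one way to answer the re-entrancy question above. The C++ below is an added example written for this page, not the patch's code: the FrameLoader class is a stand-in, the SetForScope helper is written here in the style of WTF's SetForScope, and the callback passed to stopForBackForwardCache models script or client code that runs during loader teardown and calls back into the same function.

```cpp
// Added example, not WebKit code: a re-entrancy guard for a loader function
// whose body can run script that calls the same function again.
#include <cstdio>
#include <functional>

namespace reentrancy {

// RAII helper in the spirit of WTF::SetForScope: sets a flag for the lifetime
// of the scope and restores the previous value on exit, including early exits
// and exceptions, so the flag can never be left stuck at true.
class SetForScope {
public:
    SetForScope(bool& flag, bool value) : m_flag(flag), m_saved(flag) { m_flag = value; }
    ~SetForScope() { m_flag = m_saved; }
    SetForScope(const SetForScope&) = delete;
    SetForScope& operator=(const SetForScope&) = delete;

private:
    bool& m_flag;
    bool m_saved;
};

class FrameLoader {
public:
    using TeardownWork = std::function<void(FrameLoader&)>;

    // Stand-in for the function reviewed at FrameLoader.cpp:1830. `work` models
    // the teardown that may re-enter this function. Returns true when the call
    // performed the teardown, false when it was skipped because a call was
    // already in progress on this loader.
    bool stopForBackForwardCache(const TeardownWork& work)
    {
        if (m_inStopForBackForwardCache)
            return false;                                  // early return on re-entry
        SetForScope scope(m_inStopForBackForwardCache, true);
        ++m_completedStops;
        work(*this);
        return true;                                       // flag restored by `scope`
    }

    bool inStopForBackForwardCache() const { return m_inStopForBackForwardCache; }
    int completedStops() const { return m_completedStops; }

private:
    bool m_inStopForBackForwardCache { false };
    int m_completedStops { 0 };
};

struct NestedStopResult {
    bool outerRan;          // outer call did the work
    bool innerRan;          // nested call did the work (should be false)
    bool flagClearedAfter;  // flag back to false once the outer call returned
    int completedStops;     // how many times the body actually executed
};

// Drives a nested call: the teardown work re-enters stopForBackForwardCache,
// then the function is called once more after the outer call has returned.
NestedStopResult runNestedStop()
{
    FrameLoader loader;
    bool innerRan = true;
    bool outerRan = loader.stopForBackForwardCache([&innerRan](FrameLoader& self) {
        innerRan = self.stopForBackForwardCache([](FrameLoader&) { });
    });
    return { outerRan, innerRan, !loader.inStopForBackForwardCache(), loader.completedStops() };
}

// A fresh, non-nested call must still run once the guard has been released.
bool stopRunsAgainAfterOuterReturns()
{
    FrameLoader loader;
    loader.stopForBackForwardCache([](FrameLoader&) { });
    return loader.stopForBackForwardCache([](FrameLoader&) { }) && loader.completedStops() == 2;
}

} // namespace reentrancy

int main()
{
    reentrancy::NestedStopResult r = reentrancy::runNestedStop();
    std::printf("outer ran: %d, inner ran: %d, flag cleared: %d, stops: %d\n",
                r.outerRan, r.innerRan, r.flagClearedAfter, r.completedStops);
    return 0;
}
```

Whether an early return or an assertion is the right choice depends on whether re-entry is a legitimate state or a logic error; the RAII reset matters in either case, since a plain `= true` / `= false` pair leaves the flag set if the body exits early.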
EWS
Comment 26 2022-02-07 03:14:09 PST
Committed r289203 (246889@main): <https://commits.webkit.org/246889@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 450901 [details].
Rob Buis
Comment 27 2022-02-07 14:33:00 PST
Comment on attachment 450901 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=450901&action=review

>> Source/WebCore/loader/FrameLoader.cpp:1830
>> +    m_inStopForBackForwardCache = true;
>
> Can this function be re-re-entered? Should we add an assertion or early return for that case?

Ah I missed this, will have a look tomorrow.
Rob Buis
Comment 28 2022-02-10 09:01:09 PST
Reopening to attach new patch.
Rob Buis
Comment 29 2022-02-10 09:01:13 PST
Rob Buis
Comment 30 2022-03-25 09:50:11 PDT
ping for review :)
EWS
Comment 31 2022-03-28 15:54:00 PDT
Committed r292002 (248953@main): <https://commits.webkit.org/248953@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 451548 [details].