Bug 223536

Summary: Crash in DocumentLoader::urlForHistory
Product: WebKit
Reporter: Ali Juma <ajuma>
Component: Page Loading
Assignee: Rob Buis <rbuis>
Status: RESOLVED FIXED
Severity: Normal
CC: achristensen, beidson, bfulgham, cdumez, cgarcia, darin, ews-feeder, ews-watchlist, fred.wang, gpoo, japhet, rbuis, rniwa, rohitrao, svillar, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments (flags: none on all):
Minimal test case
Patch (15 revisions)

Description Ali Juma 2021-03-19 14:02:18 PDT
Created attachment 423773 [details]
Minimal test case

Filing this as a security bug since it was found using a fuzzer; there's no disclosure deadline for this bug.

This reproduces in an ASan build of WebKitTestRunner.

Stack:
=================================================================
==60651==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000160 (pc 0x0001cb35843d bp 0x7ffeec11d630 sp 0x7ffeec11d630 T0)
==60651==The signal is caused by a READ memory access.
==60651==Hint: address points to the zero page.
    #0 0x1cb35843c in WTF::RefPtr<WebCore::SharedBuffer, WTF::RawPtrTraits<WebCore::SharedBuffer>, WTF::DefaultRefDerefTraits<WebCore::SharedBuffer> >::operator void (WTF::RefPtr<WebCore::SharedBuffer, WTF::RawPtrTraits<WebCore::SharedBuffer>, WTF::DefaultRefDerefTraits<WebCore::SharedBuffer> >::*)() const() const (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x395043c)
    #1 0x1cb358268 in WebCore::SubstituteData::isValid() const (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3950268)
    #2 0x1cbc75bbe in WebCore::DocumentLoader::urlForHistory() const (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x426dbbe)
    #3 0x1cbcff641 in WebCore::FrameLoader::HistoryController::updateForStandardLoad(WebCore::FrameLoader::HistoryController::HistoryUpdateType) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42f7641)
    #4 0x1cbcfd4ff in WebCore::FrameLoader::transitionToCommitted(WebCore::CachedPage*) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42f54ff)
    #5 0x1cbcfbac2 in WebCore::FrameLoader::commitProvisionalLoad() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42f3ac2)
    #6 0x1cbc68975 in WebCore::DocumentLoader::finishedLoading() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4260975)
    #7 0x1cbc77354 in WebCore::DocumentLoader::maybeLoadEmpty() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x426f354)
    #8 0x1cbc7769d in WebCore::DocumentLoader::startLoadingMainResource() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x426f69d)
    #9 0x1cbd2d8eb in WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL)::$_11::operator()() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x43258eb)
    #10 0x1c7a97fee in WTF::CompletionHandler<void ()>::operator()() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x8ffee)
    #11 0x1cbcf6e44 in WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42eee44)
    #12 0x1cbd2a595 in WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WebCore::AllowNavigationToInvalidURL, WTF::CompletionHandler<void ()>&&)::$_8::operator()(WebCore::ResourceRequest const&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4322595)
    #13 0x1cbd58980 in WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision)>::operator()(WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4350980)
    #14 0x1cbd6b359 in WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WebCore::DocumentLoader*, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision)>&&, WebCore::PolicyDecisionMode)::$_3::operator()(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4363359)
    #15 0x1cbd698d8 in WTF::Detail::CallableWrapper<WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WebCore::DocumentLoader*, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision)>&&, WebCore::PolicyDecisionMode)::$_3, void, WebCore::PolicyAction, WebCore::PolicyCheckIdentifier>::call(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x43618d8)
    #16 0x1ba25ebee in WTF::Function<void (WebCore::PolicyAction, WebCore::PolicyCheckIdentifier)>::operator()(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) const (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x225ebee)
    #17 0x1ba261467 in WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction(WebCore::NavigationAction const&, WebCore::ResourceRequest const&, WebCore::ResourceResponse const&, WebCore::FormState*, WebCore::PolicyDecisionMode, WebCore::PolicyCheckIdentifier, WTF::Function<void (WebCore::PolicyAction, WebCore::PolicyCheckIdentifier)>&&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x2261467)
    #18 0x1cbd57d17 in WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WebCore::DocumentLoader*, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision)>&&, WebCore::PolicyDecisionMode) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x434fd17)
    #19 0x1cbcf5774 in WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WebCore::AllowNavigationToInvalidURL, WTF::CompletionHandler<void ()>&&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42ed774)
    #20 0x1cbcee285 in WebCore::FrameLoader::load(WebCore::DocumentLoader&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42e6285)
    #21 0x1cbcf4062 in WebCore::FrameLoader::load(WebCore::FrameLoadRequest&&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42ec062)
    #22 0x1ba50f515 in WebKit::WebPage::loadRequest(WebKit::LoadParameters&&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x250f515)
    #23 0x1ba59bb69 in void IPC::handleMessage<Messages::WebPage::LoadRequest, WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::LoadParameters&&)>(IPC::Decoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::LoadParameters&&)) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x259bb69)
    #24 0x1ba595542 in WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection&, IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x2595542)
    #25 0x1b85b6d3a in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x5b6d3a)
    #26 0x1b9d94ab5 in WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x1d94ab5)
    #27 0x1b808c399 in IPC::Connection::dispatchMessage(IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x8c399)
    #28 0x1b808cdf6 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x8cdf6)
    #29 0x1b808d9bb in IPC::Connection::dispatchOneIncomingMessage() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x8d9bb)
    #30 0x1e59062ec in WTF::RunLoop::performWork() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xce2ec)
    #31 0x1e5909995 in WTF::RunLoop::performWork(void*) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xd1995)
    #32 0x7fff2dfce883 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x84883)
    #33 0x7fff2dfce822 in __CFRunLoopDoSource0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x84822)
    #34 0x7fff2dfce63c in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x8463c)
    #35 0x7fff2dfcd358 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x83358)
    #36 0x7fff2dfcc952 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x82952)
    #37 0x7fff3068a1c7 in -[NSRunLoop(NSRunLoop) runMode:beforeDate:] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x601c7)
    #38 0x7fff3073cc6e in -[NSRunLoop(NSRunLoop) run] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x112c6e)
    #39 0x7fff681a94e9 in _xpc_objc_main.cold.4 (/usr/lib/system/libxpc.dylib:x86_64+0x164e9)
    #40 0x7fff681a942f in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x1642f)
    #41 0x7fff681a8f62 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0x15f62)
    #42 0x1b8ef6923 in WebKit::XPCServiceMain(int, char const**) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0xef6923)
    #43 0x7fff67f57cc8 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1acc8)
==60651==Register values:
rax = 0x000000000000002c  rbx = 0x0000000000000000  rcx = 0x000010000000002c  rdx = 0x00001c2400006dcc
rdi = 0x0000000000000160  rsi = 0x0000000000000000  rbp = 0x00007ffeec11d630  rsp = 0x00007ffeec11d630
 r8 = 0x000000000000000f   r9 = 0x0000000000000001  r10 = 0x0000000000000030  r11 = 0x00000000000a0006
r12 = 0x00001fffdd823ad0  r13 = 0x00007ffeec11d6a0  r14 = 0x00007ffeec11d6a0  r15 = 0x0000000000000160
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x395043c) in WTF::RefPtr<WebCore::SharedBuffer, WTF::RawPtrTraits<WebCore::SharedBuffer>, WTF::DefaultRefDerefTraits<WebCore::SharedBuffer> >::operator void (WTF::RefPtr<WebCore::SharedBuffer, WTF::RawPtrTraits<WebCore::SharedBuffer>, WTF::DefaultRefDerefTraits<WebCore::SharedBuffer> >::*)() const() const
Comment 1 Radar WebKit Bug Importer 2021-03-19 14:02:28 PDT
<rdar://problem/75635444>
Comment 2 Rob Buis 2021-04-08 12:51:16 PDT
Reduced test:
<script id="script">
function jsfuzzer() {
 document.createElement("audio").load(); 
 window.stop(); 
}
function eventhandler() {
 script.appendChild(iframe); 
 document.onreadystatechange = eventhandler;
}
</script>
<body onload=jsfuzzer()>
<iframe id="iframe" onload="eventhandler()" srcdoc="foo"></iframe>
</body>
Comment 3 Rob Buis 2021-04-09 13:02:59 PDT
Created attachment 425643 [details]
Patch
Comment 4 Chris Dumez 2021-04-09 13:06:08 PDT
Comment on attachment 425643 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=425643&action=review

> Source/WebCore/loader/HistoryController.cpp:386
> +    auto historyURL = frameLoader.documentLoader() ? m_frame.loader().documentLoader()->urlForHistory() : URL { };
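Review bot: the null check and the dereference read the document loader through two different expressions (`frameLoader.documentLoader()` for the test, `m_frame.loader().documentLoader()` for the call), so the pointer that was checked is not literally the one dereferenced. Bind it once and use that local in both places: `auto* documentLoader = frameLoader.documentLoader();` followed by `auto historyURL = documentLoader ? documentLoader->urlForHistory() : URL { };`.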

m_frame.loader() -> frameLoader
Comment 5 Rob Buis 2021-04-09 13:15:14 PDT
Created attachment 425645 [details]
Patch
Comment 6 Ryosuke Niwa 2021-04-09 16:47:03 PDT
Comment on attachment 425645 [details]
Patch

Hm... new assertion failure in fast/loader/crash-replacing-location-before-load.html seems like a real regression.
Comment 7 Rob Buis 2021-04-10 00:56:58 PDT
Created attachment 425679 [details]
Patch
Comment 8 Ryosuke Niwa 2021-04-10 21:30:07 PDT
Comment on attachment 425679 [details]
Patch

New test is hitting this assertion:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x000000010f96e39e WTFCrash + 14 (Assertions.cpp:305)
1   com.apple.WebKitLegacy        	0x000000014b15f0eb WTFCrashWithInfo(int, char const*, char const*, int) + 27
2   com.apple.WebKitLegacy        	0x000000014b341898 -[WebHTMLView setDataSource:] + 104 (WebHTMLView.mm:4669)
3   com.apple.WebKitLegacy        	0x000000014b2fa436 WebFrameLoaderClient::transitionToCommittedForNewPage() + 1526 (WebFrameLoaderClient.mm:1474)
4   com.apple.WebCore             	0x0000000134cf0f8e WebCore::FrameLoader::transitionToCommitted(WebCore::CachedPage*) + 1982
5   com.apple.WebCore             	0x0000000134cefc37 WebCore::FrameLoader::commitProvisionalLoad() + 1191
6   com.apple.WebCore             	0x0000000134c625bc WebCore::DocumentLoader::commitIfReady() + 60 (DocumentLoader.cpp:400)
7   com.apple.WebCore             	0x0000000134c62d80 WebCore::DocumentLoader::finishedLoading() + 304 (DocumentLoader.cpp:465)
8   com.apple.WebCore             	0x0000000134c6e901 WebCore::DocumentLoader::maybeLoadEmpty() + 1073 (DocumentLoader.cpp:1891)
9   com.apple.WebCore             	0x0000000134c6ea85 WebCore::DocumentLoader::startLoadingMainResource() + 357 (DocumentLoader.cpp:1904)
10  com.apple.WebCore             	0x0000000134d1e96c WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL)::$_11::operator()() + 1612
Comment 9 Rob Buis 2021-04-14 02:27:59 PDT
Created attachment 425962 [details]
Patch
Comment 10 Rob Buis 2021-04-14 08:33:17 PDT
Created attachment 425986 [details]
Patch
Comment 11 Alex Christensen 2021-04-14 15:30:51 PDT
Comment on attachment 425986 [details]
Patch

This seems fine.
Comment 12 Rob Buis 2021-04-16 06:46:31 PDT
Created attachment 426219 [details]
Patch
Comment 13 Rob Buis 2021-04-17 12:31:20 PDT
Created attachment 426341 [details]
Patch
Comment 14 Ryosuke Niwa 2021-04-24 16:12:41 PDT
Looks like fast/loader/commit-provisional-load-crash.html is timing out on Windows?
Comment 15 Rob Buis 2021-08-24 05:34:42 PDT
(In reply to Ryosuke Niwa from comment #14)
> Looks like fast/loader/commit-provisional-load-crash.html is timing out on
> Windows?

This is probably better checked by someone at Apple; I don't have much Windows expertise. OTOH there was a Windows-specific bug that destabilized many network-related tests, so if people think this is one of those cases, I could add the test as skipped on Win? Of course this supposes the approach taken by the patch is okay.
Comment 16 Rob Buis 2022-01-31 02:04:17 PST
Created attachment 450389 [details]
Patch
Comment 17 Rob Buis 2022-01-31 03:25:36 PST
Created attachment 450398 [details]
Patch
Comment 18 Rob Buis 2022-01-31 06:30:03 PST
Created attachment 450406 [details]
Patch
Comment 19 Rob Buis 2022-01-31 07:15:46 PST
Created attachment 450408 [details]
Patch
Comment 20 Rob Buis 2022-01-31 09:01:51 PST
Created attachment 450412 [details]
Patch
Comment 21 Rob Buis 2022-02-01 04:43:53 PST
Created attachment 450517 [details]
Patch
Comment 22 Brent Fulgham 2022-02-01 09:08:07 PST
Comment on attachment 450517 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=450517&action=review

> Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:542
> +{

It seems like this should send a WebPageProxy message so that the UIProcess can clear m_provisionalURL, like you do in WebKitLegacy. Or is that not needed for some reason?
Comment 23 Darin Adler 2022-02-03 04:12:03 PST
Comment on attachment 450517 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=450517&action=review

> Source/WebKitLegacy/mac/WebCoreSupport/WebFrameLoaderClient.mm:678
> +    m_webFrame->_private->provisionalURL = nullptr;

Related to Brent’s question: How is this tested? What test will fail if we remove this line of code?
Comment 24 Rob Buis 2022-02-04 08:28:13 PST
Created attachment 450901 [details]
Patch
Comment 25 Darin Adler 2022-02-04 09:01:37 PST
Comment on attachment 450901 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=450901&action=review

> Source/WebCore/loader/FrameLoader.cpp:1830
> +    m_inStopForBackForwardCache = true;
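Review bot: `m_inStopForBackForwardCache = true;` is a bare assignment, so the flag stays set if anything between here and the matching reset returns early or throws, and a later call would then be treated as re-entrant forever. Prefer `SetForScope<bool> inStop(m_inStopForBackForwardCache, true);` so the flag is restored on every exit path, and add an early return (or an ASSERT) at the top of the function for the case where the flag is already set.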

Can this function be re-re-entered? Should we add an assertion or early return for that case?
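The two defensive patterns this review converges on, an added illustrative model that is not WebKit's code: the history lookup null-checks the document loader before asking it for a URL (the `HistoryController.cpp` hunk in comment 4, binding the pointer once), and the stop-for-back/forward-cache path rejects re-entry with a scoped flag (the `FrameLoader.cpp` hunk that comment 25 asks about). `URL`, `DocumentLoader`, `FrameLoader`, `SetForScope`, the hook that stands in for script running mid-stop, and the sample URL are all simplified stand-ins assumed for the example, not WebKit's real classes.

```cpp
// Added illustrative model (not WebKit's code) of the two defensive patterns
// discussed in this bug: null-checking the DocumentLoader before asking it for
// the history URL, and guarding the stop-for-back/forward-cache path against
// re-entry. Types, names and the sample URL are simplified stand-ins.
#include <cassert>
#include <functional>
#include <iostream>
#include <string>
#include <utility>

struct URL {
    std::string spec;
    bool isEmpty() const { return spec.empty(); }
};

// Stand-in for WebCore::DocumentLoader: only what the model needs.
struct DocumentLoader {
    URL url;
    URL urlForHistory() const { return url; } // the real one also consults substitute data
};

// Stand-in for WTF::SetForScope: assigns for the lifetime of the object and
// restores the previous value on every exit path, including early returns.
template<typename T>
class SetForScope {
public:
    SetForScope(T& slot, T value) : m_slot(slot), m_saved(slot) { m_slot = std::move(value); }
    ~SetForScope() { m_slot = m_saved; }
    SetForScope(const SetForScope&) = delete;
    SetForScope& operator=(const SetForScope&) = delete;
private:
    T& m_slot;
    T m_saved;
};

// Stand-in for WebCore::FrameLoader. window.stop() in the reduced test tears
// the document loader down, which is how the pointer ended up null.
class FrameLoader {
public:
    explicit FrameLoader(DocumentLoader* loader) : m_documentLoader(loader) {}
    DocumentLoader* documentLoader() const { return m_documentLoader; }
    bool inStopForBackForwardCache() const { return m_inStop; }

    // Hook standing in for script (event handlers) that can run during the stop.
    void setDuringStopHook(std::function<void(FrameLoader&)> hook) { m_duringStop = std::move(hook); }

    void stopAllLoaders() { m_documentLoader = nullptr; }

    // Returns 1 if the teardown ran, 0 if the call was rejected as re-entrant.
    int stopForBackForwardCache() {
        if (m_inStop)
            return 0; // re-entered from a handler that fired during the stop; bail out
        SetForScope<bool> inStop(m_inStop, true);
        if (m_duringStop)
            m_duringStop(*this); // script may call back into us here
        m_documentLoader = nullptr;
        return 1;
    }

private:
    DocumentLoader* m_documentLoader;
    bool m_inStop { false };
    std::function<void(FrameLoader&)> m_duringStop;
};

// The guarded lookup from the fix, reading the pointer once so the null check
// and the dereference cannot disagree.
URL urlForHistoryOrEmpty(const FrameLoader& frameLoader) {
    auto* documentLoader = frameLoader.documentLoader();
    return documentLoader ? documentLoader->urlForHistory() : URL { };
}

// Commit-time history update in the model; stopBeforeCommit mimics window.stop()
// running between the load starting and the history update.
URL historyURLAfterCommit(bool stopBeforeCommit) {
    DocumentLoader loader { URL { "https://example.test/page" } }; // constructed sample URL
    FrameLoader frameLoader(&loader);
    if (stopBeforeCommit)
        frameLoader.stopAllLoaders();
    return urlForHistoryOrEmpty(frameLoader);
}

struct ReentryResult {
    int outerRan;     // 1: the outer stop ran its teardown
    int innerRan;     // 0: the nested stop was rejected
    bool flagCleared; // flag restored once the outer call returned
};

// A stop that re-enters itself from a handler fired mid-teardown.
ReentryResult simulateReentrantStop() {
    DocumentLoader loader { URL { "https://example.test/page" } };
    FrameLoader frameLoader(&loader);
    int innerRan = -1;
    frameLoader.setDuringStopHook([&](FrameLoader& fl) { innerRan = fl.stopForBackForwardCache(); });
    int outerRan = frameLoader.stopForBackForwardCache();
    return { outerRan, innerRan, !frameLoader.inStopForBackForwardCache() };
}

int main() {
    std::cout << "history URL, normal commit: " << historyURLAfterCommit(false).spec << "\n";
    std::cout << "history URL after stop:     '" << historyURLAfterCommit(true).spec << "'\n";
    auto r = simulateReentrantStop();
    std::cout << "outer ran=" << r.outerRan << " inner ran=" << r.innerRan
              << " flag cleared=" << r.flagCleared << "\n";
    return 0;
}
```

The point of the scoped flag is that the reset cannot be skipped: whichever path leaves `stopForBackForwardCache()`, the destructor runs, so a nested call is rejected only while the outer one is genuinely in progress.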
Comment 26 EWS 2022-02-07 03:14:09 PST
Committed r289203 (246889@main): <https://commits.webkit.org/246889@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 450901 [details].
Comment 27 Rob Buis 2022-02-07 14:33:00 PST
Comment on attachment 450901 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=450901&action=review

>> Source/WebCore/loader/FrameLoader.cpp:1830
>> +    m_inStopForBackForwardCache = true;
> 
> Can this function be re-re-entered? Should we add an assertion or early return for that case?

Ah I missed this, will have a look tomorrow.
Comment 28 Rob Buis 2022-02-10 09:01:09 PST
Reopening to attach new patch.
Comment 29 Rob Buis 2022-02-10 09:01:13 PST
Created attachment 451548 [details]
Patch
Comment 30 Rob Buis 2022-03-25 09:50:11 PDT
ping for review :)
Comment 31 EWS 2022-03-28 15:54:00 PDT
Committed r292002 (248953@main): <https://commits.webkit.org/248953@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 451548 [details].