Bug 25136

Summary:

CRASH in DocumentLoader::removeSubresourceLoader due to null m_frame

Product:

WebKit

Reporter:

Darin Fisher (:fishd, Google) <fishd>

Component:

Page Loading

Assignee:

Darin Fisher (:fishd, Google) <fishd>

Status:

RESOLVED FIXED

Severity:

Critical

CC:

darin

Priority:

Keywords:

InRadar

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Attachments:

Description	Flags
testcase - frame.html	none
testcase - careful, this may crash your browser	none
patch v1 - simplistic null check	darin: review+
patch v1 + layout test	none
patch v1 + layout test	darin: review+

Darin Fisher (:fishd, Google)

Reported 2009-04-10 16:16:59 PDT

CRASH in DocumentLoader::removeSubresourceLoader due to null m_frame This started appearing as a top-crash in a recent Chrome dev channel build: http://code.google.com/p/chromium/issues/detail?id=9944 Sample crash stack: [chrome.dll - frameloader.cpp:2670] WebCore::FrameLoader::activeDocumentLoader() [chrome.dll - frameloader.cpp:2677] WebCore::FrameLoader::isLoading() [chrome.dll - documentloader.cpp:768] WebCore::DocumentLoader::removeSubresourceLoader(WebCore::ResourceLoader *) [chrome.dll - subresourceloader.cpp:225] WebCore::SubresourceLoader::didCancel(WebCore::ResourceError const &) [chrome.dll - resourceloader.cpp:359] WebCore::ResourceLoader::cancel(WebCore::ResourceError const &) [chrome.dll - resourceloader.cpp:349] WebCore::ResourceLoader::cancel() [chrome.dll - documentthreadableloader.cpp:109] WebCore::DocumentThreadableLoader::cancel() [chrome.dll - xmlhttprequest.cpp:709] WebCore::XMLHttpRequest::internalAbort() [chrome.dll - xmlhttprequest.cpp:1182] WebCore::XMLHttpRequest::stop() [chrome.dll - scriptexecutioncontext.cpp:156] WebCore::ScriptExecutionContext::stopActiveDOMObjects() [chrome.dll - document.cpp:1310] WebCore::Document::detach() [chrome.dll - frame.cpp:232] WebCore::Frame::setView(WebCore::FrameView *) [chrome.dll - frameloader.cpp:3434] WebCore::FrameLoader::closeAndRemoveChild(WebCore::Frame *) [chrome.dll - frameloader.cpp:3516] WebCore::FrameLoader::detachFromParent() [chrome.dll - frameloader.cpp:3426] WebCore::FrameLoader::detachChildren() It appears that this crash is only possible if a ResourceLoader starts after FrameLoader::stopAllLoaders has been called. I found a way to do that via an XMLHttpRequest onabort handler. Test case coming up...

Attachments
testcase - frame.html (215 bytes, text/html) 2009-04-10 16:18 PDT, Darin Fisher (:fishd, Google)	no flags	Details
testcase - careful, this may crash your browser (89 bytes, text/html) 2009-04-10 16:19 PDT, Darin Fisher (:fishd, Google)	no flags	Details
patch v1 - simplistic null check (1.01 KB, patch) 2009-04-10 17:09 PDT, Darin Fisher (:fishd, Google)	darin: review+	Details Formatted Diff Diff
patch v1 + layout test (5.47 KB, patch) 2009-04-13 10:35 PDT, Darin Fisher (:fishd, Google)	no flags	Details Formatted Diff Diff
patch v1 + layout test (5.13 KB, patch) 2009-04-13 10:37 PDT, Darin Fisher (:fishd, Google)	darin: review+	Details Formatted Diff Diff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.

Darin Fisher (:fishd, Google)

Comment 1 2009-04-10 16:18:57 PDT

Created attachment 29406 [details] testcase - frame.html

Darin Fisher (:fishd, Google)

Comment 2 2009-04-10 16:19:57 PDT

Created attachment 29407 [details] testcase - careful, this may crash your browser

Darin Fisher (:fishd, Google)

Comment 3 2009-04-10 17:09:10 PDT

Created attachment 29412 [details] patch v1 - simplistic null check This is a very simple minded solution to the crash. Other parts of DocumentLoader are fairly careful to null test m_frame before using it, and indeed removeSubresourceLoader null checks m_frame before using it (except in the case here where it calls updateLoading). I have been struggling to get a good layout test for this. For some reason my layout test appears to be rather flakey so I don't want to submit it just yet. I'll keep working on it. I just wanted to share this patch for feedback.

Darin Adler

Comment 4 2009-04-10 17:12:39 PDT

Comment on attachment 29412 [details] patch v1 - simplistic null check r=me If you can figure out how to do a regression test, that would be a great addition. Also, it's much better when there are per-function comments, even for a simple function like this one.

Darin Adler

Comment 5 2009-04-10 17:13:55 PDT

(In reply to comment #4) > Also, it's much better when there are per-function comments, even for > a simple function like this one. Per-function comment in the ChangeLog I mean.

Darin Fisher (:fishd, Google)

Comment 6 2009-04-10 19:29:08 PDT

> Per-function comment in the ChangeLog I mean. Will do. I think I figured out how to write a stable test :)

Darin Fisher (:fishd, Google)

Comment 7 2009-04-13 10:35:47 PDT

Created attachment 29429 [details] patch v1 + layout test This is the same patch as before but now with a layout test. The test requires subframes, so there are a couple resource files included.

Darin Fisher (:fishd, Google)

Comment 8 2009-04-13 10:37:49 PDT

Created attachment 29430 [details] patch v1 + layout test Take 2. This time with commented out code snippets removed.

Darin Adler

Comment 9 2009-04-13 10:40:21 PDT

Comment on attachment 29430 [details] patch v1 + layout test r=me

Darin Fisher (:fishd, Google)

Comment 10 2009-04-13 10:48:25 PDT

Landed as: http://trac.webkit.org/changeset/42442

David Harrison

Comment 11 2009-04-21 07:19:51 PDT

fwiw this is also rdar://6748719

Note You need to log in before you can comment on or make changes to this bug.