Bug 277294

Summary: Crash under BackForwardCache::get(HistoryItem&, Page*)
Product: WebKit
Reporter: Chris Dumez <cdumez>
Component: Page Loading
Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED
Severity: Normal
CC: beidson, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

Chris Dumez
Reported 2024-07-29 16:24:34 PDT
Crash under BackForwardCache::get(HistoryItem&, Page*) when disabling caches via Web Inspector:

```
* frame #0: 0x000000030000357c WebCore`WTFCrashWithInfo(line=286, file="/usr/local/include/wtf/CheckedRef.h", function="void WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>, unsigned int>::decrementPtrCount() const [StorageType = WTF::SingleThreadIntegralWrapper<unsigned int>, PtrCounterType = unsigned int]", counter=432) at Assertions.h:835:5
  frame #1: 0x0000000303d1e8bc WebCore`WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>, unsigned int>::decrementPtrCount(this=0x000000013905dad0) const at CheckedRef.h:286:9
  frame #2: 0x0000000304b8c430 WebCore`WTF::CheckedPtr<WebCore::CachedPage, WTF::RawPtrTraits<WebCore::CachedPage>>::derefIfNotNull(this=0x000000016ba91348) at CheckedPtr.h:185:18
  frame #3: 0x0000000304b8c3e0 WebCore`WTF::CheckedPtr<WebCore::CachedPage, WTF::RawPtrTraits<WebCore::CachedPage>>::~CheckedPtr(this=0x000000016ba91348) at CheckedPtr.h:72:9
  frame #4: 0x0000000304b79798 WebCore`WTF::CheckedPtr<WebCore::CachedPage, WTF::RawPtrTraits<WebCore::CachedPage>>::~CheckedPtr(this=0x000000016ba91348) at CheckedPtr.h:71:5
  frame #5: 0x0000000304b794f0 WebCore`WebCore::BackForwardCache::get(this=0x0000000309998e38, item=0x00000001390fc680, page=0x000000013904e500) at BackForwardCache.cpp:590:1
  frame #6: 0x00000003054f8a94 WebCore`WebCore::FrameLoader::loadDifferentDocumentItem(this=0x0000000139045ef0, item=0x00000001390fc680, fromItem=0x00000001390e4b60, loadType=Back, cacheLoadPolicy=MayAttemptCacheOnlyLoadForFormSubmissionItem, shouldTreatAsContinuingLoad=No) at FrameLoader.cpp:4279:63
  frame #7: 0x000000030550fcf0 WebCore`WebCore::FrameLoader::loadItem(this=0x0000000139045ef0, item=0x00000001390fc680, fromItem=0x00000001390e4b60, loadType=Back, shouldTreatAsContinuingLoad=No) at FrameLoader.cpp:4409:9
  frame #8: 0x0000000305571124 WebCore`WebCore::HistoryController::recursiveGoToItem(this=0x000000013907c630, item=0x00000001390fc680, fromItem=0x00000001390e4b60, type=Back, shouldTreatAsContinuingLoad=No) at HistoryController.cpp:813:37
  frame #9: 0x0000000305570e14 WebCore`WebCore::HistoryController::goToItem(this=0x000000013907c630, targetItem=0x00000001390fc680, type=Back, shouldTreatAsContinuingLoad=No) at HistoryController.cpp:348:5
  frame #10: 0x00000003058b0e78 WebCore`WebCore::Page::goToItem(this=0x000000013904e500, mainFrame=0x000000013906ca00, item=0x00000001390fc680, type=Back, shouldTreatAsContinuingLoad=No) at Page.cpp:793:33
  frame #11: 0x000000011cec8bc4 WebKit`WebKit::WebPage::goToBackForwardItem(this=0x0000000137811c08, parameters=0x000000016ba93370) at WebPage.cpp:2268:17
  frame #12: 0x000000011cfc9c64 WebKit`auto void IPC::callMemberFunction<WebKit::WebPage, WebKit::WebPage, void (WebKit::GoToBackForwardItemParameters&&), std::__1::tuple<WebKit::GoToBackForwardItemParameters>>(this=0x000000016ba932c0, args=0x000000016ba93370)(WebKit::GoToBackForwardItemParameters&&), std::__1::tuple<WebKit::GoToBackForwardItemParameters>&&)::'lambda'(auto&&...)::operator()<WebKit::GoToBackForwardItemParameters>(auto&&...) const at HandleMessage.h:135:13
```
Chris Dumez
Comment 1 2024-07-29 16:24:43 PDT
Chris Dumez
Comment 2 2024-07-29 16:32:36 PDT
EWS
Comment 3 2024-07-29 19:04:30 PDT
Committed 281540@main (cd835520f77a): <https://commits.webkit.org/281540@main> Reviewed commits have been landed. Closing PR #31422 and removing active labels.