Bug 296698

Summary: REGRESSION (iOS 26 beta): Web page with script element is terminated with custom WKURLSchemeHandler
Product: WebKit
Reporter: igor.palaguta
Component: Page Loading
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE
Severity: Blocker
CC: achristensen, ap, beidson, cdumez, igor.palaguta, karlcow, richard_robinson2, webkit-bug-importer
Priority: P1
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: iPhone / iPad
OS: iOS 26
Attachments: Crash report of WebKit (flags: none)

igor.palaguta
Reported 2025-07-30 06:32:28 PDT
Something has changed in iOS 26, and now if a custom scheme is used and the web page contains script elements, WebKit is terminated with the following log:

0x1130bc170 - [PID=47858] WebProcessProxy::didClose: (web process 0 crash)
0x1130bc170 - [PID=47858] WebProcessProxy::processDidTerminateOrFailedToLaunch: reason=Crash

Sample code (full example can be downloaded here https://github.com/Igor-Palaguta/iOS26URLSchemeTermination):

import UIKit
import WebKit

final class CustomSchemeViewController: UIViewController {
    override func viewDidLoad() {
        super.viewDidLoad()
        let sampleConfiguration = WKWebViewConfiguration()
        sampleConfiguration.setURLSchemeHandler(
            SampleURLSchemeHandler(),
            forURLScheme: "sample"
        )
        let webView = WKWebView(frame: view.bounds, configuration: sampleConfiguration)
        webView.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        view.addSubview(webView)
        webView.navigationDelegate = self
        webView.load(URLRequest(url: URL(string: "sample://pages/sample.html")!))
    }
}

extension CustomSchemeViewController: WKNavigationDelegate {
    func webViewWebContentProcessDidTerminate(_ webView: WKWebView) {
        print("webViewWebContentProcessDidTerminate")
    }
}

final class SampleURLSchemeHandler: NSObject, WKURLSchemeHandler {
    // Sends the whole body in one response/data/finish sequence.
    private func post(_ body: String, mimeType: String, urlSchemeTask: WKURLSchemeTask) {
        let body = Data(body.utf8)
        let response = URLResponse(
            url: urlSchemeTask.request.url!,
            mimeType: mimeType,
            expectedContentLength: body.count,
            textEncodingName: nil
        )
        urlSchemeTask.didReceive(response)
        urlSchemeTask.didReceive(body)
        urlSchemeTask.didFinish()
    }

    func webView(_ webView: WKWebView, start urlSchemeTask: WKURLSchemeTask) {
        switch urlSchemeTask.request.url?.lastPathComponent {
        case "sample.html":
            post("""
                <?xml version="1.0" encoding="UTF-8"?><html xmlns="http://www.w3.org/1999/xhtml">
                <head>
                <script src="/scripts/sample.js"></script>
                </head>
                <body>
                <p>Sample</p>
                </body>
                </html>
                """,
                mimeType: "application/xhtml+xml",
                urlSchemeTask: urlSchemeTask
            )
        case "sample.js":
            post("console.log('Hello from JS File')",
                mimeType: "text/javascript",
                urlSchemeTask: urlSchemeTask
            )
        default:
            assertionFailure()
        }
    }

    func webView(_ webView: WKWebView, stop urlSchemeTask: WKURLSchemeTask) {
        print("webView(_ webView: WKWebView, stop urlSchemeTask: WKURLSchemeTask)")
    }
}

It works fine with a CSS file included, without the script tag, or with the async attribute.
Attachments
Crash report of WebKit (21.04 KB, text/plain)
2025-07-30 13:11 PDT, igor.palaguta
no flags
Alexey Proskuryakov
Comment 1 2025-07-30 10:49:25 PDT
Thank you for the report! Could you please attach the crash log? I understand that we could try to reproduce with the source code, but initial routing will happen faster if it's not blocked on that.
Radar WebKit Bug Importer
Comment 2 2025-07-30 10:49:33 PDT
igor.palaguta
Comment 3 2025-07-30 11:29:05 PDT
This is not a crash, but WKWebView is blank. Here is the full log:

Failed to resolve host network app id to config: bundleID: com.apple.WebKit.Networking instance ID: Optional([_EXExtensionInstanceIdentifier: 12B3FA6D-78A9-43F9-B240-DB67B612029D])
WebContent[77467] Unable to hide query parameters from script (missing data)
0x1160c4170 - [PID=77467] WebProcessProxy::didClose: (web process 0 crash)
0x1160c4170 - [PID=77467] WebProcessProxy::processDidTerminateOrFailedToLaunch: reason=Crash
Error acquiring assertion: <Error Domain=RBSServiceErrorDomain Code=1 "((target is not running or doesn't have entitlement com.apple.developer.web-browser-engine.rendering AND target is not running or doesn't have entitlement com.apple.developer.web-browser-engine.networking AND target is not running or doesn't have entitlement com.apple.developer.web-browser-engine.webcontent))" UserInfo={NSLocalizedFailureReason=((target is not running or doesn't have entitlement com.apple.developer.web-browser-engine.rendering AND target is not running or doesn't have entitlement com.apple.developer.web-browser-engine.networking AND target is not running or doesn't have entitlement com.apple.developer.web-browser-engine.webcontent))}>
0x116160300 - ProcessAssertion::acquireSync Failed to acquire RBS assertion 'XPCConnectionTerminationWatchdog' for process with PID=77467, error: (null)
0x106842e18 - [pageProxyID=6, webPageID=7, PID=77467] WebPageProxy::processDidTerminate: (pid 77467), reason=Crash
0x106842e18 - [pageProxyID=6, webPageID=7, PID=77467] WebPageProxy::dispatchProcessDidTerminate: reason=Crash
webViewWebContentProcessDidTerminate
igor.palaguta
Comment 4 2025-07-30 11:30:26 PDT
Or do you mean to search for a WebKit crash report?
Alexey Proskuryakov
Comment 5 2025-07-30 12:47:53 PDT
Yes, there will be a com.apple.WebKit.WebContent process crash log, hopefully.
igor.palaguta
Comment 6 2025-07-30 13:11:25 PDT
Created attachment 476228 [details] Crash report of WebKit
igor.palaguta
Comment 7 2025-07-30 13:23:55 PDT
Looks like in iOS 26 this xhtml is not valid xml anymore. Changing the mime type from application/xhtml+xml to text/html fixes the issue. But is it really invalid?
Alexey Proskuryakov
Comment 8 2025-07-30 14:53:42 PDT
Thank you. I don't think that this has anything to do with validity, just seems like a bug for us to fix.

Exception Type: EXC_BREAKPOINT (SIGTRAP)
Exception Codes: 0x0000000000000001, 0x000000019166b48c
Termination Reason: Namespace SIGNAL, Code 5, Trace/BPT trap: 5
Terminating Process: exc handler [89886]

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.WebCore 0x19166b48c WebCore::xmlMallocHelper(unsigned long) + 16
1 com.apple.WebCore 0x19166b48c WebCore::XMLMalloc::malloc(unsigned long) + 16
2 com.apple.WebCore 0x19166b48c WTF::MallocSpan<unsigned char, WebCore::XMLMalloc>::malloc(unsigned long) + 16
3 com.apple.WebCore 0x19166b48c WebCore::PendingCallbacks::appendCharactersCallback(std::__1::span<unsigned char const, 18446744073709551615ul>) + 44
4 com.apple.WebCore 0x19166b48c WebCore::XMLDocumentParser::characters(std::__1::span<unsigned char const, 18446744073709551615ul>) + 364
5 libxml2.2.dylib 0x19c59448c xmlParseCharData + 2148
6 libxml2.2.dylib 0x19c59eca0 xmlParseTryOrFinish + 4376
7 libxml2.2.dylib 0x19c59d8e4 xmlParseChunk + 708
8 com.apple.WebCore 0x191668ec8 WebCore::XMLDocumentParser::doWrite(WTF::String const&) + 636
9 com.apple.WebCore 0x191665b78 WebCore::XMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl, WTF::RawPtrTraits<WTF::StringImpl>, WTF::DefaultRefDerefTraits<WTF::StringImpl>>&&) + 304
10 com.apple.WebCore 0x190105db0 WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter&, std::__1::span<unsigned char const, 18446744073709551615ul>) + 268
11 com.apple.WebCore 0x190861c3c WebCore::DocumentWriter::addData(WebCore::SharedBuffer const&) + 8
12 com.apple.WebCore 0x190861c3c WebCore::DocumentLoader::commitData(WebCore::SharedBuffer const&) + 1488
13 com.apple.WebKit 0x18e07ca3c WebKit::WebLocalFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, WebCore::SharedBuffer const&) + 52
14 com.apple.WebCore 0x190869db4 WebCore::DocumentLoader::commitLoad(WebCore::SharedBuffer const&) + 228
15 com.apple.WebCore 0x1909521e4 WebCore::CachedRawResource::notifyClientsDataWasReceived(WebCore::SharedBuffer const&) + 268
16 com.apple.WebCore 0x190951cc4 WebCore::CachedRawResource::updateBuffer(WebCore::FragmentedSharedBuffer const&) + 544
17 com.apple.WebCore 0x190920f88 WebCore::SubresourceLoader::didReceiveBuffer(WebCore::FragmentedSharedBuffer const&, long long, WebCore::DataPayloadType) + 504
18 com.apple.WebKit 0x18e0ddee8 WebKit::WebURLSchemeTaskProxy::didReceiveData(WebCore::SharedBuffer const&) + 360
19 com.apple.WebKit 0x18e0de718 WTF::Function<void ()>::operator()() const + 16
20 com.apple.WebKit 0x18e0de718 WebKit::WebURLSchemeTaskProxy::processNextPendingTask() + 84
21 com.apple.WebCore 0x190883618 WTF::Function<void ()>::operator()() const + 16
22 com.apple.WebCore 0x190883618 WTF::CompletionHandler<void ()>::operator()() + 16
23 com.apple.WebCore 0x190883618 WebCore::SubresourceLoader::didReceiveResponsePolicy() + 32
24 com.apple.WebCore 0x190883618 WebCore::DocumentLoader::responseReceived(WebCore::ResourceResponse&&, WTF::CompletionHandler<void ()>&&)::$_0::operator()(WebCore::PolicyAction) + 44
Alexey Proskuryakov
Comment 9 2025-07-30 14:59:24 PDT
We made some custom scheme fixes recently, so with some luck, this is already fixed via bug 295741 and bug 295829. I cannot easily tell from the crash log which beta SDK you are using, given that this is in Simulator. Is it the latest one?
igor.palaguta
Comment 10 2025-07-30 15:07:01 PDT
Yes, this is the latest beta 4. Version 26.0 beta 4 (17A5285i)
igor.palaguta
Comment 11 2025-07-30 15:11:14 PDT
Thank you for a fast response. May we expect this fix to be added to the next iOS beta?
Alexey Proskuryakov
Comment 12 2025-07-30 15:12:46 PDT
I've been informed that this is unrelated to those issues. We'll take a look.
Brady Eidson
Comment 13 2025-07-31 17:26:54 PDT
Even invalid XML should obviously not cause a crash.

But, I could not reproduce the crash.

BUT I found out why - The cause of the crash was already fixed in https://bugs.webkit.org/show_bug.cgi?id=295946

No, that fix hasn't shipped in an iOS build yet.

Which leaves the question: Is this valid XML or not?

It's not. Our libxml2 parsing rejects it.
Drop the `<?xml version="1.0" encoding="UTF-8"?>` and it parses out fine, calling for the script sub resource and loading successfully.
Brady Eidson
Comment 14 2025-07-31 17:27:14 PDT
*** This bug has been marked as a duplicate of bug 295946 ***
igor.palaguta
Comment 15 2025-07-31 17:52:06 PDT
Thank you for the investigation. I have just checked, and WebKit crashes with or without <?xml version="1.0" encoding="UTF-8"?>. But if I remove the attribute xmlns="http://www.w3.org/1999/xhtml" from the html element, the issue is gone.
Brady Eidson
Comment 16 2025-07-31 19:41:49 PDT
Setting aside the "is valid XHTML?" question, the *crash* is due to heading down certain code paths in the XML parser. Removing "xmlns="http://www.w3.org/1999/xhtml"" almost certainly sends you down an HTML parser code path even with the xhtml+xml mime type, so that would avoid the crash.
igor.palaguta
Comment 17 2025-08-01 01:45:34 PDT
Could you please confirm whether this xhtml will now render properly after this fix? From what I see in the PR, the infinite recursion issue has been addressed, so WebKit should no longer crash. However, I’d like to clarify whether libxml2 will still consider this XHTML invalid and potentially fail again?

Is this XML really invalid or is it a bug in libxml2? I checked it on different validators and all of them report that it is well formed. It also worked properly in all previous iOS versions.

<?xml version="1.0" encoding="UTF-8"?>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script src="/scripts/sample.js"></script>
</head>
<body>
<p>Sample</p>
</body>
</html>

Thanks in advance
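A pre-flight check for the well-formedness question debated above, as an added example that is not part of the bug report or of WebKit: it uses Foundation's XMLParser to test whether the exact bytes a scheme handler is about to send parse as XML, and falls back to the text/html workaround from comment 7 when they do not. The helper names and the last two sample variants are constructed for illustration, and the verdict reflects Foundation's parser, not WebKit's XML document parser.

```swift
import Foundation

// Added example; helper names are hypothetical and not from the bug report.

/// Returns nil if `data` is well-formed XML, otherwise the parser's error.
func wellFormednessError(of data: Data) -> Error? {
    let parser = XMLParser(data: data)
    parser.shouldProcessNamespaces = true         // also exercise xmlns handling
    parser.shouldResolveExternalEntities = false  // never load external entities
    if parser.parse() { return nil }
    return parser.parserError ?? CocoaError(.fileReadCorruptFile)
}

/// Serve as XHTML only when the exact bytes parse as XML; otherwise use the
/// text/html workaround described in comment 7.
func mimeType(forMarkup data: Data) -> String {
    wellFormednessError(of: data) == nil ? "application/xhtml+xml" : "text/html"
}

// The document from the report, split so the declaration can be varied.
let declaration = #"<?xml version="1.0" encoding="UTF-8"?>"#
let body = """
<html xmlns="http://www.w3.org/1999/xhtml">
<head> <script src="/scripts/sample.js"></script> </head>
<body> <p>Sample</p> </body>
</html>
"""

let samples: [(name: String, markup: String)] = [
    ("as posted in the report", declaration + body),
    ("declaration dropped (comment 13)", body),
    // Constructed variants, not taken from the report:
    ("whitespace before the declaration", "\n  " + declaration + body),
    ("unclosed <p> element", body.replacingOccurrences(of: "</p>", with: "")),
]

for sample in samples {
    let data = Data(sample.markup.utf8)
    let verdict = wellFormednessError(of: data)
        .map { "rejected: \($0.localizedDescription)" } ?? "well-formed"
    print("\(sample.name): \(verdict) -> serve as \(mimeType(forMarkup: data))")
}
```

Run the check on the bytes actually handed to `didReceive(_:)`, since indentation inside a Swift multi-line string literal can put whitespace ahead of the XML declaration.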
igor.palaguta
Comment 18 2025-08-06 00:34:12 PDT
Fixed in iOS 26.0 beta 5. Thank you!