Bug 311020

Summary: Crash due to nullptr deref in WebLocalFrameLoaderClient::dispatchDidChangeProvisionalURL()
Product: WebKit
Reporter: David Kilzer (:ddkilzer) <ddkilzer>
Component: Page Loading
Assignee: David Kilzer (:ddkilzer) <ddkilzer>
Status: RESOLVED FIXED
Severity: Normal
CC: beidson, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=199123
https://bugs.webkit.org/show_bug.cgi?id=203837

David Kilzer (:ddkilzer)
Reported 2026-03-29 04:41:31 PDT
`WebLocalFrameLoaderClient::dispatchDidChangeProvisionalURL()` unconditionally dereferences the return value of `provisionalDocumentLoader()` via `Ref documentLoader { *m_localFrame->loader().provisionalDocumentLoader() }`. When `provisionalDocumentLoader()` returns nullptr during redirect processing, the `Ref` constructor reads the reference count at offset 0x18, crashing with `EXC_BAD_ACCESS (SIGSEGV)`.

The caller `DocumentLoader::setRequest()` already checks for and logs this nullptr condition (added in Bug 203837, 217227@main) but proceeds to call `dispatchDidChangeProvisionalURL()` unconditionally. The adjacent function `dispatchDidReceiveServerRedirectForProvisionalLoad()` correctly handles this case using `RefPtr` with a null check and early return (added in Bug 199123, 213141@main).

Crash stack:

```
0 WebKit: WTF::RefCountedBase::ref() const
1 WebKit: WebCore::DocumentLoader::ref() const
2 WebKit: WTF::Ref<WebCore::DocumentLoader>::Ref(WebCore::DocumentLoader&)
3 WebKit: WebKit::WebLocalFrameLoaderClient::dispatchDidChangeProvisionalURL()
4 WebCore: WebCore::DocumentLoader::setRequest(WebCore::ResourceRequest&&)
5 WebCore: WebCore::DocumentLoader::willSendRequest(WebCore::ResourceRequest&&, ...)
6 WebCore: WebCore::DocumentLoader::redirectReceived(...)
7 WebCore: WebCore::CachedRawResource::redirectReceived(...)
8 WebCore: WebCore::SubresourceLoader::willSendRequestInternal(...)
9 WebKit: WebKit::WebResourceLoader::willSendRequest(...)
[...]
```

<rdar://112727550>
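As an added illustration (not WebKit's code), the null-tolerant `RefPtr` pattern the report contrasts with the crashing `Ref` construction, using constructed stand-ins for `DocumentLoader`, `FrameLoader` and `RefPtr` that mimic the intrusive refcounting of WTF:

```cpp
#include <cstddef>
#include <string>

// Constructed stand-in for WebCore::DocumentLoader (not WebKit's class).
struct DocumentLoader {
    unsigned refCount = 1;   // intrusive count, like WTF::RefCountedBase
    std::string url;
    void ref() { ++refCount; }
    void deref() { --refCount; }
};

// Minimal nullable smart pointer modelling WTF::RefPtr: null is a legal
// state, so callers must check before dereferencing. A WTF::Ref, by
// contrast, is built from a reference and calls ref() immediately, which
// is exactly what faults when the pointer behind it is nullptr.
class RefPtr {
public:
    RefPtr(DocumentLoader* p = nullptr) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    RefPtr(const RefPtr&) = delete;
    RefPtr& operator=(const RefPtr&) = delete;
    explicit operator bool() const { return m_ptr != nullptr; }
    DocumentLoader* operator->() const { return m_ptr; }
private:
    DocumentLoader* m_ptr;
};

// Constructed stand-in for the frame loader: provisionalDocumentLoader()
// may legitimately return nullptr while a redirect is being processed.
struct FrameLoader {
    DocumentLoader* provisional = nullptr;
    DocumentLoader* provisionalDocumentLoader() const { return provisional; }
};

enum class DispatchResult { Dispatched, SkippedNullLoader };

// Hardened form of the dispatch: hold the loader in a RefPtr, null-check,
// and return early instead of dereferencing. The result is returned so the
// behaviour can be asserted on; the real function returns void.
DispatchResult dispatchDidChangeProvisionalURL(FrameLoader& loader, std::string& reportedURL)
{
    RefPtr documentLoader { loader.provisionalDocumentLoader() };
    if (!documentLoader)
        return DispatchResult::SkippedNullLoader;   // the crashing path, now a no-op
    reportedURL = documentLoader->url;   // safe: RefPtr keeps the loader alive here
    return DispatchResult::Dispatched;
}
```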
David Kilzer (:ddkilzer)
Comment 1 2026-03-29 08:15:44 PDT
EWS
Comment 2 2026-03-30 20:18:57 PDT
Committed 310279@main (682966d153bc): <https://commits.webkit.org/310279@main> Reviewed commits have been landed. Closing PR #61625 and removing active labels.