Bug 83311

Summary: Crashes in WebProcess at WebCore::HistoryController::recursiveSetProvisionalItem when restoring previous session
Product: WebKit
Component: Page Loading
Version: 528+ (Nightly build)
Hardware: All
OS: All
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Keywords: InRadar
Reporter: Brady Eidson <beidson>
Assignee: Brady Eidson <beidson>
CC: japhet, webkit.review.bot

Attachments:
Patch v1 (2.96 KB, patch), 2012-04-05 14:06 PDT, Brady Eidson; flags: sam: review+

Brady Eidson
Reported 2012-04-05 13:58:04 PDT
Crashes in WebProcess at WebCore::HistoryController::recursiveSetProvisionalItem

In WebKit2 we can have a WebProcess that is in the middle of restoring a session while the UIProcess closes the associated WKPage. As a result, when HistoryController::goToItem asks the back/forward controller for the current item, which then messages up to the UIProcess for that item, no item can be found. We then do some work that accesses the current item without null checking it first, leading to this crash.

We have a couple of ASSERTs attesting to our expectation that the current item is not null. Here's the backtrace of the ASSERT, which is pretty close to the backtrace of the crash itself:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.WebCore 0x0000000108de26bc WebCore::HistoryController::recursiveSetProvisionalItem(WebCore::HistoryItem*, WebCore::HistoryItem*, WebCore::FrameLoadType) + 172 (HistoryController.cpp:688)
1 com.apple.WebCore 0x0000000108de2582 WebCore::HistoryController::goToItem(WebCore::HistoryItem*, WebCore::FrameLoadType) + 450 (HistoryController.cpp:272)
2 com.apple.WebCore 0x00000001096c4419 WebCore::Page::goToItem(WebCore::HistoryItem*, WebCore::FrameLoadType) + 201 (Page.cpp:342)
3 com.apple.WebKit2 0x0000000106e1aad7 WebKit::WebPage::goToBackForwardItem(unsigned long long) + 183 (WebPage.cpp:771)
4 com.apple.WebKit2 0x0000000106e1c91e WebKit::WebPage::restoreSessionAndNavigateToCurrentItem(WebKit::SessionState const&) + 78 (WebPage.cpp:1447)
5 com.apple.WebKit2 0x0000000106e4ed77 void CoreIPC::callMemberFunction<WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::SessionState const&), WebKit::SessionState>(CoreIPC::Arguments1<WebKit::SessionState> const&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::SessionState const&)) + 135 (HandleMessage.h:20)
6 com.apple.WebKit2 0x0000000106e46b26 void CoreIPC::handleMessage<Messages::WebPage::RestoreSessionAndNavigateToCurrentItem, WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::SessionState const&)>(CoreIPC::ArgumentDecoder*, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::SessionState const&)) + 118 (HandleMessage.h:303)
7 com.apple.WebKit2 0x0000000106e440a6 WebKit::WebPage::didReceiveWebPageMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::ArgumentDecoder*) + 1750 (WebPageMessageReceiver.cpp:182)
8 com.apple.WebKit2 0x0000000106e1f97d WebKit::WebPage::didReceiveMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::ArgumentDecoder*) + 301 (WebPage.cpp:2507)
9 com.apple.WebKit2 0x0000000106ecdc8b WebKit::WebProcess::didReceiveMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::ArgumentDecoder*) + 923 (WebProcess.cpp:669)
10 com.apple.WebKit2 0x0000000106d79b8e WebKit::WebConnectionToUIProcess::didReceiveMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::ArgumentDecoder*) + 350 (WebConnectionToUIProcess.cpp:88)

In radar as <rdar://problem/9359029>
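The failure mode in the report is a pointer obtained from another process (the UIProcess) being dereferenced without a null check once that process has already torn the page down. The following is an added, self-contained C++ model of that path; it is not WebKit code and not the patch attached to this bug. The HistoryItem, BackForwardClient and HistoryController classes, the closePage() switch standing in for the UIProcess closing the WKPage, and the sample session are all hypothetical constructions for illustration. The goToItem guard returns early when no current item comes back, so recursiveSetProvisionalItem never sees a null fromItem.

```cpp
#include <algorithm>
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

// Minimal model of a history item: a URL plus the items of its child frames.
struct HistoryItem {
    std::string url;
    std::vector<std::shared_ptr<HistoryItem>> children;
};

// Stand-in for the back/forward controller. In WebKit2 the real one messages
// the UIProcess for the current item; closePage() models the UIProcess having
// already closed the WKPage, so the lookup finds nothing. Hypothetical class.
class BackForwardClient {
public:
    explicit BackForwardClient(std::shared_ptr<HistoryItem> current)
        : m_current(std::move(current)) {}
    void closePage() { m_pageClosed = true; }
    HistoryItem* currentItem() const { return m_pageClosed ? nullptr : m_current.get(); }

private:
    std::shared_ptr<HistoryItem> m_current;
    bool m_pageClosed = false;
};

// Hypothetical controller showing the guard; it is not the patch on this bug.
class HistoryController {
public:
    explicit HistoryController(BackForwardClient& client) : m_client(client) {}

    // Returns true if provisional items were set, false if the navigation was
    // abandoned because the back/forward controller returned no current item.
    bool goToItem(HistoryItem* targetItem) {
        m_provisionalItems.clear();
        HistoryItem* currentItem = m_client.currentItem();
        if (!targetItem || !currentItem)
            return false; // page closed mid-restore: nothing to navigate from
        recursiveSetProvisionalItem(targetItem, currentItem);
        return true;
    }

    size_t provisionalFrameCount() const { return m_provisionalItems.size(); }

private:
    // Both pointers are dereferenced here. Without the check in goToItem, a
    // null fromItem is the fault the report describes.
    void recursiveSetProvisionalItem(HistoryItem* item, HistoryItem* fromItem) {
        m_provisionalItems.push_back(item);
        if (item->url != fromItem->url)
            return;
        size_t n = std::min(item->children.size(), fromItem->children.size());
        for (size_t i = 0; i < n; ++i)
            recursiveSetProvisionalItem(item->children[i].get(), fromItem->children[i].get());
    }

    BackForwardClient& m_client;
    std::vector<const HistoryItem*> m_provisionalItems;
};

// Constructed sample session: a main frame with one subframe.
static std::shared_ptr<HistoryItem> makeSession() {
    auto child = std::make_shared<HistoryItem>();
    child->url = "https://example.test/frame";
    auto top = std::make_shared<HistoryItem>();
    top->url = "https://example.test/";
    top->children.push_back(child);
    return top;
}

// Page still open: the restore proceeds and both frames get provisional items.
size_t restoreWithPageOpen() {
    auto session = makeSession();
    BackForwardClient client(session);
    HistoryController controller(client);
    return controller.goToItem(session.get()) ? controller.provisionalFrameCount() : 0;
}

// Page closed by the UIProcess before the lookup: the restore is abandoned
// instead of dereferencing a null current item.
bool restoreWithPageClosed() {
    auto session = makeSession();
    BackForwardClient client(session);
    client.closePage();
    HistoryController controller(client);
    return controller.goToItem(session.get());
}

int main() {
    std::printf("page open: %zu frames restored\n", restoreWithPageOpen());
    std::printf("page closed: restore %s\n", restoreWithPageClosed() ? "ran" : "abandoned");
    return 0;
}
```

The point of the model is where the check lives: any pointer that arrives via IPC from a process that may already have discarded the object must be treated as nullable at the call site, rather than asserted non-null and trusted further down the recursion.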
Brady Eidson
Comment 1 2012-04-05 14:06:31 PDT
Created attachment 135901: Patch v1
Brady Eidson
Comment 2 2012-04-05 14:20:57 PDT