WebKit Bugzilla
RESOLVED WORKSFORME
133846
ASSERTION FAILED: url.containsOnlyASCII() in WebCore::checkEncodedString
https://bugs.webkit.org/show_bug.cgi?id=133846
Renata Hodovan
Reported
2014-06-13 04:32:45 PDT
Created attachment 233040 [details]: Test case

This issue is similar to https://bugs.webkit.org/show_bug.cgi?id=130894. We trigger the same assertion here but with a different call stack.

The test:

    <head>
    <script>
    function dom_manipulation() {
        document.getElementsByTagName("iframe")[0].src = "dict:Ð";
    }
    </script>
    </head>
    <body onload='dom_manipulation()'>
    <iframe src="http://Ż"></iframe>
    </body>

Backtrace:

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 0x7fff97127700 (LWP 26977)]
    0x00007ffff30a4886 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:333
    333         *(int *)(uintptr_t)0xbbadbeef = 0;
    (gdb) bt
    #0  0x00007ffff30a4886 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:333
    #1  0x00007ffff3be107e in WebCore::checkEncodedString (url=...) at ../../Source/WebCore/platform/URL.cpp:303
    #2  0x00007ffff3be3f52 in WebCore::URL::parse (this=0x7fffffffcaf0, string=...) at ../../Source/WebCore/platform/URL.cpp:982
    #3  0x00007ffff3be11a0 in WebCore::URL::URL (this=0x7fffffffcaf0, url=...) at ../../Source/WebCore/platform/URL.cpp:330
    #4  0x00007ffff3787279 in WebCore::HistoryItem::originalURL (this=0x9c27e0) at ../../Source/WebCore/history/HistoryItem.cpp:249
    #5  0x00007ffff3a2874b in WebCore::FrameLoader::shouldTreatURLAsSameAsCurrent (this=0x72ead8, url=...) at ../../Source/WebCore/loader/FrameLoader.cpp:3103
    #6  0x00007ffff3a201c5 in WebCore::FrameLoader::loadURL (this=0x72ead8, newURL=..., referrer=..., frameName=..., lockHistory=WebCore::No, newLoadType=WebCore::FrameLoadTypeRedirectWithLockedBackForwardList, event=..., prpFormState=...) at ../../Source/WebCore/loader/FrameLoader.cpp:1294
    #7  0x00007ffff3a1faf4 in WebCore::FrameLoader::loadFrameRequest (this=0x72ead8, request=..., lockHistory=WebCore::No, lockBackForwardList=WebCore::Yes, event=..., formState=..., shouldSendReferrer=WebCore::MaybeSendReferrer) at ../../Source/WebCore/loader/FrameLoader.cpp:1234
    #8  0x00007ffff3a1bf52 in WebCore::FrameLoader::urlSelected (this=0x72ead8, passedRequest=..., triggeringEvent=..., lockHistory=WebCore::No, lockBackForwardList=WebCore::Yes, shouldSendReferrer=WebCore::MaybeSendReferrer, shouldReplaceDocumentIfJavaScriptURL=WebCore::ReplaceDocumentIfJavaScriptURL) at ../../Source/WebCore/loader/FrameLoader.cpp:351
    #9  0x00007ffff3a1bc0e in WebCore::FrameLoader::changeLocation (this=0x72ead8, securityOrigin=0x8f12a0, url=..., referrer=..., lockHistory=WebCore::No, lockBackForwardList=WebCore::Yes, refresh=false) at ../../Source/WebCore/loader/FrameLoader.cpp:323
    #10 0x00007ffff3a3f07c in WebCore::ScheduledURLNavigation::fire (this=0x799290, frame=...) at ../../Source/WebCore/loader/NavigationScheduler.cpp:112
    #11 0x00007ffff3a3e884 in WebCore::NavigationScheduler::timerFired (this=0x72ec98) at ../../Source/WebCore/loader/NavigationScheduler.cpp:440
    #12 0x00007ffff3a42cf9 in std::_Mem_fn<void (WebCore::NavigationScheduler::*)(WebCore::Timer<WebCore::NavigationScheduler>&)>::operator()<WebCore::Timer<WebCore::NavigationScheduler>&, void> (this=0x72f110, __object=0x72ec98) at /usr/include/c++/4.8/functional:601
    #13 0x00007ffff3a42c27 in std::_Bind<std::_Mem_fn<void (WebCore::NavigationScheduler::*)(WebCore::Timer<WebCore::NavigationScheduler>&)> (WebCore::NavigationScheduler*, std::reference_wrapper<WebCore::Timer<WebCore::NavigationScheduler> >)>::__call<void, , 0ul, 1ul>(std::tuple<>&&, std::_Index_tuple<0ul, 1ul>) (this=0x72f110, __args=<unknown type in /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25, CU 0x1afca6d5, DIE 0x1b0ae539>) at /usr/include/c++/4.8/functional:1296
    #14 0x00007ffff3a429ac in std::_Bind<std::_Mem_fn<void (WebCore::NavigationScheduler::*)(WebCore::Timer<WebCore::NavigationScheduler>&)> (WebCore::NavigationScheduler*, std::reference_wrapper<WebCore::Timer<WebCore::NavigationScheduler> >)>::operator()<, void>() (this=0x72f110) at /usr/include/c++/4.8/functional:1355
    #15 0x00007ffff3a4255d in std::_Function_handler<void (), std::_Bind<std::_Mem_fn<void (WebCore::NavigationScheduler::*)(WebCore::Timer<WebCore::NavigationScheduler>&)> (WebCore::NavigationScheduler*, std::reference_wrapper<WebCore::Timer<WebCore::NavigationScheduler> >)> >::_M_invoke(std::_Any_data const&) (__functor=...) at /usr/include/c++/4.8/functional:2071
    #16 0x00007ffff2c8b7ce in std::function<void ()>::operator()() const (this=0x72ecd8) at /usr/include/c++/4.8/functional:2464
    #17 0x00007ffff3a42da6 in WebCore::Timer<WebCore::NavigationScheduler>::fired (this=0x72eca0) at ../../Source/WebCore/platform/Timer.h:133
    #18 0x00007ffff3c0cf33 in WebCore::ThreadTimers::sharedTimerFiredInternal (this=0x8787a0) at ../../Source/WebCore/platform/ThreadTimers.cpp:132
    #19 0x00007ffff3c0cde1 in WebCore::ThreadTimers::sharedTimerFired () at ../../Source/WebCore/platform/ThreadTimers.cpp:107
    #20 0x00007ffff30f5401 in std::_Function_handler<void (), void (*)()>::_M_invoke(std::_Any_data const&) (__functor=...) at /usr/include/c++/4.8/functional:2071
    #21 0x00007ffff2c8b7ce in std::function<void ()>::operator()() const (this=0x7ffff7dd9078 <WebCore::gSharedTimer+24>) at /usr/include/c++/4.8/functional:2464
    #22 0x00007ffff30f44a7 in WTF::GMainLoopSource::voidCallback (this=0x7ffff7dd9060 <WebCore::gSharedTimer>) at ../../Source/WTF/wtf/gobject/GMainLoopSource.cpp:195
    #23 0x00007ffff30f481e in WTF::GMainLoopSource::voidSourceCallback (source=0x7ffff7dd9060 <WebCore::gSharedTimer>, source@entry=<error reading variable: value has been optimized out>) at ../../Source/WTF/wtf/gobject/GMainLoopSource.cpp:255
    #24 0x00007fffeb520e43 in g_timeout_dispatch (source=source@entry=0x81e690, callback=<optimized out>, user_data=<optimized out>) at gmain.c:4450
    #25 0x00007fffeb5202e6 in g_main_dispatch (context=0x677bb0) at gmain.c:3065
    #26 g_main_context_dispatch (context=context@entry=0x677bb0) at gmain.c:3641
    #27 0x00007fffeb520638 in g_main_context_iterate (context=0x677bb0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3712
    #28 0x00007fffeb520a3a in g_main_loop_run (loop=0x913eb0) at gmain.c:3906
    #29 0x00007ffff30f589a in WTF::RunLoop::run () at ../../Source/WTF/wtf/gtk/RunLoopGtk.cpp:59
    #30 0x00007ffff3032112 in WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain> (argc=2, argv=0x7fffffffda58) at ../../Source/WebKit2/Shared/unix/ChildProcessMain.h:61
    #31 0x00007ffff3031f77 in WebKit::WebProcessMainUnix (argc=2, argv=0x7fffffffda58) at ../../Source/WebKit2/WebProcess/gtk/WebProcessMainGtk.cpp:73
    #32 0x000000000040085d in main (argc=2, argv=0x7fffffffda58) at ../../Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp:32
Attachments
Test case (219 bytes, text/html), 2014-06-13 04:32 PDT, Renata Hodovan, no flags
Darin Adler
Comment 1
2014-06-21 07:39:04 PDT
The HistoryItem class assumes that both m_urlString and m_originalURLString are already-parsed URL strings. But I don’t see how that invariant is enforced.
Darin Adler
Comment 2
2014-06-21 07:39:37 PDT
Not every caller of setURLString and setOriginalURLString is taking the string out of a URL.
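The invariant Darin describes, modelled in an added example that is not WebKit code: a HistoryItem-like class whose stored URL string must already be in parsed, ASCII-only form, with an unchecked setter (the pattern in the report, where a caller stores a raw string) beside a setter that canonicalizes at the boundary so the later re-parse cannot trip the assertion. The names `HistoryItemModel`, `toParsedURLString` and `originalURLSatisfiesInvariant` are hypothetical, and percent-encoding stands in for WebKit's real URL canonicalization (which would treat a host differently) purely to illustrate the ASCII-only property.

```cpp
#include <cstdio>
#include <string>

// Hypothetical stand-in for WTF's String::containsOnlyASCII() check that
// WebCore::checkEncodedString asserts on.
bool containsOnlyASCII(const std::string& s) {
    for (unsigned char c : s)
        if (c > 0x7F) return false;
    return true;
}

// Hypothetical, simplified "parsed URL string" step: percent-encode every
// non-ASCII byte so the result satisfies containsOnlyASCII(). Idempotent on
// already-encoded input. (Assumption: real canonicalization is richer.)
std::string toParsedURLString(const std::string& raw) {
    std::string out;
    char buf[4];
    for (unsigned char c : raw) {
        if (c > 0x7F) {
            std::snprintf(buf, sizeof buf, "%%%02X", c);
            out += buf;
        } else {
            out += static_cast<char>(c);
        }
    }
    return out;
}

class HistoryItemModel {
public:
    // Mirrors a caller that stores a string it did not take out of a URL.
    void setOriginalURLStringUnchecked(const std::string& s) { m_originalURLString = s; }
    // Enforces the invariant at the boundary instead of trusting every caller.
    void setOriginalURLString(const std::string& s) { m_originalURLString = toParsedURLString(s); }
    // Corresponds to the re-parse in HistoryItem::originalURL(): true means
    // URL::parse would not hit the containsOnlyASCII assertion.
    bool originalURLSatisfiesInvariant() const { return containsOnlyASCII(m_originalURLString); }
    const std::string& originalURLString() const { return m_originalURLString; }
private:
    std::string m_originalURLString;
};

int main() {
    // Constructed input: the UTF-8 bytes of the test case's "http://Ż".
    const std::string raw = "http://\xC5\xBB";
    HistoryItemModel unchecked, checked;
    unchecked.setOriginalURLStringUnchecked(raw);
    checked.setOriginalURLString(raw);
    std::printf("unchecked ok=%d checked ok=%d stored=%s\n",
                unchecked.originalURLSatisfiesInvariant(),
                checked.originalURLSatisfiesInvariant(),
                checked.originalURLString().c_str());
    return 0;
}
```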
Brent Fulgham
Comment 3
2016-08-03 14:24:27 PDT
This issue no longer occurs under GuardMalloc or ASAN as of r204037. If you believe there is still a bug, please reopen this issue with a revised test case.