144975 – REGRESSION (r179958): Crash in WebCore::DocumentLoader::detachFromFrame when -[id<WebPolicyDelegate> decidePolicyForMIMEType:request:frame:decisionListener:] fails to call -[id<WebPolicyDecisionListener> download|ignore|use]

RESOLVED FIXED 144975

REGRESSION (r179958): Crash in WebCore::DocumentLoader::detachFromFrame when -[id<WebPolicyDelegate> decidePolicyForMIMEType:request:frame:decisionListener:] fails to call -[id<WebPolicyDecisionListener> download|ignore|use]

https://bugs.webkit.org/show_bug.cgi?id=144975

Summary REGRESSION (r179958): Crash in WebCore::DocumentLoader::detachFromFrame when ...

David Kilzer (:ddkilzer)

Reported 2015-05-13 17:26:06 PDT

If an app overrides -decidePolicyForMIMEType:request:frame:decisionListener: in their id<WebPolicyDelegate> object and doesn't call one of three methods on id<WebPolicyDecisionListener> (-download, -ignore or -use), then the app will crash due to a RELEASE_ASSERT() added in r179958. <http://trac.webkit.org/r179958> This was not the intention of these RELEASE_ASSERT() changes (they were to catch the cause of a different crash which we think we found the cause of), so we can change these back to Debug-only ASSERT() statements. Note that the app SHOULD be calling -download, -ignore or -use inside their -[id<WebPolicyDelegate> -decidePolicyForMIMEType:request:frame:decisionListener:] method, but it shouldn't cause a crash, and there's no easy way to fix this without further risk of compatibility issues (due to additional callbacks being made).

Attachments
Patch v1 (2.79 KB, patch) 2015-05-13 17:32 PDT, David Kilzer (:ddkilzer)	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

David Kilzer (:ddkilzer)

Comment 1 2015-05-13 17:26:21 PDT

<rdar://problem/20905401>

David Kilzer (:ddkilzer)

Comment 2 2015-05-13 17:32:57 PDT

Created attachment 253076 [details] Patch v1

WebKit Commit Bot

Comment 3 2015-05-13 18:22:32 PDT

Comment on attachment 253076 [details] Patch v1 Clearing flags on attachment: 253076 Committed r184323: <http://trac.webkit.org/changeset/184323>

WebKit Commit Bot

Comment 4 2015-05-13 18:22:37 PDT

All reviewed patches have been landed. Closing bug.

Chris Dumez

Comment 5 2015-05-13 18:28:44 PDT

Thanks for taking care of this!

Brady Eidson

Comment 6 2015-05-13 22:08:28 PDT

(In reply to comment #0) > Note that the app SHOULD be calling -download, -ignore or -use inside their > -[id<WebPolicyDelegate> > -decidePolicyForMIMEType:request:frame:decisionListener:] method, but it > shouldn't cause a crash, and there's no easy way to fix this without further > risk of compatibility issues (due to additional callbacks being made). This is not actually true - It's perfectly legal for an app to hang on to the decision listener and call one of the three methods later, asynchronously. That's why it's set up as a listener object instead of requiring a synchronous return value.

Brady Eidson

Comment 7 2015-05-13 22:12:13 PDT

Yah, these asserts are simply bogus in general. If the client hangs on to the policy listener object for "awhile", say maybe to ask the user what they want to do, and the document is torn down in the meantime... DocumentLoader should handle that gracefully, release build or not.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware Unspecified

OS Unspecified

Product WebKit

Component Page Loading

Assignee

David Kilzer (:ddkilzer)

Reported

2015-05-13 17:26 PDT

Modified

2015-05-13 22:12 PDT History

CC List

6 users Show

URL

Keywords InRadar

Depends on

Blocks