Bug 145748 - WebContent crash in WebCore::Page::sessionID() const + 0 (Page.cpp:1660)
Summary: WebContent crash in WebCore::Page::sessionID() const + 0 (Page.cpp:1660)
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Page Loading
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Chris Dumez
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2015-06-07 17:42 PDT by Chris Dumez
Modified: 2015-06-24 16:59 PDT

See Also:


Attachments
Patch (31.54 KB, patch)
2015-06-07 21:58 PDT, Chris Dumez
Patch (31.58 KB, patch)
2015-06-08 15:56 PDT, Chris Dumez

Description Chris Dumez 2015-06-07 17:42:19 PDT
WebContent crash in WebCore::Page::sessionID() const + 0 (Page.cpp:1660):
0   WebCore                       	0x0000000101a9d368 WebCore::Page::sessionID() const + 0
1   WebCore                       	0x00000001010b2d18 WebCore::DocumentLoader::stopLoading() + 452
2   WebCore                       	0x00000001010c26b8 WebCore::DocumentLoader::detachFromFrame() + 60
3   WebCore                       	0x0000000101149948 WebCore::FrameLoader::detachViewsAndDocumentLoader() + 84
4   WebCore                       	0x0000000101142e0c WebCore::CachedFrame::destroy() + 56
5   WebCore                       	0x0000000101142e3c WebCore::CachedFrame::destroy() + 104
6   WebCore                       	0x0000000101142da4 WebCore::CachedPage::~CachedPage() + 24
7   WebCore                       	0x0000000101a9e478 WebCore::PageCache::prune(WebCore::PruningReason) + 72
8   WebCore                       	0x0000000101a9e41c WebCore::PageCache::pruneToSizeNow(unsigned int, WebCore::PruningReason) + 28

This happens because we are not supposed to exercise this code path when destroying a PageCache entry. Pages in the PageCache are not supposed to have DocumentLoaders that are loading. r185017 made sure we don't insert into the PageCache pages that are still loading. However, nothing currently prevents content from starting new loads in their 'pagehide' event handlers, *after* being inserted in the PageCache.

Radar: <rdar://problem/21226577>
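The lifecycle hazard the description outlines, as an added example that is not WebKit code: a page is placed in a page cache, its 'pagehide' handler runs while it is being dismissed, and a load started from that handler leaves a loading DocumentLoader inside a cached entry, which later pruning stumbles over. The model below borrows the names Page, DocumentLoader, PageCache and DismissalType from this report (DismissalType in the enum class form proposed in comment 2); everything else, including the guardLoadsDuringDismissal flag, startLoad(), PruneResult and runScenario(), is assumed for illustration. Where the real crash is a null Page dereference inside stopLoading(), the model reports a violated invariant instead of dereferencing anything.

```cpp
// Added example, not WebKit's implementation: a minimal model of the
// "page in PageCache must not have a loading DocumentLoader" invariant and of
// how a 'pagehide' handler can break it. All structure here is assumed.
#include <cassert>
#include <cstddef>
#include <functional>
#include <memory>
#include <utility>
#include <vector>

enum class DismissalType { None, BeforeUnload, PageHide, Unload };

struct Page;

struct DocumentLoader {
    Page* page = nullptr;   // back-pointer to the owning page (assumed)
    bool loading = false;   // true while a navigation is in flight
};

struct Page {
    DismissalType dismissal = DismissalType::None;
    std::unique_ptr<DocumentLoader> loader = std::make_unique<DocumentLoader>();
    std::function<void(Page&)> onPageHide;   // script-installed 'pagehide' handler
    bool guardLoadsDuringDismissal = true;   // false reproduces the pre-fix behaviour

    // Modelled load entry point: while the page is being dismissed (pagehide /
    // unload) a new load is refused when the guard is on.
    bool startLoad() {
        if (guardLoadsDuringDismissal && dismissal != DismissalType::None)
            return false;
        loader->loading = true;
        loader->page = this;
        return true;
    }
};

enum class PruneResult { Ok, InvariantViolated };

struct PageCache {
    std::vector<std::unique_ptr<Page>> entries;

    // Caching a page: the 'pagehide' handler fires with the dismissal state set,
    // then the page is stored. The handler may re-enter startLoad().
    void add(std::unique_ptr<Page> page) {
        page->dismissal = DismissalType::PageHide;
        if (page->onPageHide)
            page->onPageHide(*page);
        page->dismissal = DismissalType::None;
        entries.push_back(std::move(page));
    }

    // Destroying cached entries, modelled after the report's stack
    // (CachedFrame::destroy -> detachFromFrame -> stopLoading). The real
    // stopLoading() reaches a Page that is already gone; here a still-loading
    // loader is reported rather than dereferenced.
    PruneResult pruneToSizeNow(std::size_t size) {
        while (entries.size() > size) {
            std::unique_ptr<Page> victim = std::move(entries.back());
            entries.pop_back();
            DocumentLoader& loader = *victim->loader;
            loader.page = nullptr;   // detachment severs the back-pointer
            if (loader.loading)
                return PruneResult::InvariantViolated;   // would be the crash
        }
        return PruneResult::Ok;
    }
};

struct ScenarioResult {
    bool loadStarted;   // did the pagehide handler manage to start a load?
    PruneResult prune;  // what happened when the cached entry was destroyed
};

// Replays the report: content calls startLoad() from its 'pagehide' handler
// while the page is being inserted into the cache, then the cache is pruned.
ScenarioResult runScenario(bool guardEnabled) {
    PageCache cache;
    auto page = std::make_unique<Page>();
    page->guardLoadsDuringDismissal = guardEnabled;
    bool started = false;
    page->onPageHide = [&started](Page& p) { started = p.startLoad(); };
    cache.add(std::move(page));
    return ScenarioResult{started, cache.pruneToSizeNow(0)};
}

int main() {
    // Without the guard the load sneaks into the cache and pruning trips the
    // invariant; with it the load is refused and pruning is safe.
    assert(runScenario(false).prune == PruneResult::InvariantViolated);
    assert(runScenario(true).prune == PruneResult::Ok);
    return 0;
}
```

The point of the model is the ordering: the dismissal state is set before the handler runs, so a load attempted from inside the handler is observable and can be refused, whereas checking "is anything loading?" only at insertion time (as the earlier fix did) leaves the handler's own load unchecked.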
Comment 1 Chris Dumez 2015-06-07 21:58:27 PDT
Created attachment 254474
Patch
Comment 2 Brady Eidson 2015-06-08 14:21:02 PDT
Comment on attachment 254474
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=254474&action=review

> Source/WebCore/ChangeLog:11
> +        We would sometimes crash when pruning the PageCache because it was
> +        possible for frames to still be loading while in the PageCache and
> +        we would try to stop the load when the CachedFrame. This code path

when the CachedFrame... what? Is constructed?

> Source/WebCore/page/Page.h:160
> +    enum DismissalType {
> +        NoDismissal,
> +        BeforeUnloadDismissal,
> +        PageHideDismissal,
> +        UnloadDismissal
> +    };
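Review bot: nothing in the visible lines of this Page.h hunk says what each DismissalType state means or where the page's dismissal state is set and cleared; a one-line comment per enumerator (for instance that the pagehide state covers the window in which 'pagehide' handlers run) would make the intent of any check against it clear to the next reader. The enumerators are also unscoped, so NoDismissal and friends land directly in Page's scope and convert implicitly to int; a scoped `enum class DismissalType { ... };` avoids both.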

enum class, please!  With updated names:

enum class DismissalType {
  None,
  BeforeUnload,
  PageHide,
  Unload
};
Comment 3 Chris Dumez 2015-06-08 15:56:39 PDT
Created attachment 254518
Patch
Comment 4 WebKit Commit Bot 2015-06-08 16:45:00 PDT
Comment on attachment 254518
Patch

Clearing flags on attachment: 254518

Committed r185337: <http://trac.webkit.org/changeset/185337>
Comment 5 WebKit Commit Bot 2015-06-08 16:45:05 PDT
All reviewed patches have been landed.  Closing bug.