WebKit Bugzilla
Bug 154563 - REGRESSION (r196892): Crash in DocumentLoader::startLoadingMainResource()
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=154563
Daniel Bates
Reported 2016-02-22 16:11:11 PST
Following <http://trac.webkit.org/changeset/196892> (bug #154520), the test LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-blocked.html crashes the WebContent process when run with GuardMalloc. For convenience, the following is the run-webkit-tests command I used to reproduce this crash with a debug build of WebKit:
Tools/Scripts/run-webkit-tests --debug -g LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-blocked.html
Attachments
Patch (2.00 KB, patch), 2016-02-22 16:32 PST, Daniel Bates, no flags
Daniel Bates
Comment 1
2016-02-22 16:11:33 PST
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             0x00000001050a66d4 WebCore::DocumentLoader::startLoadingMainResource() + 932
1   com.apple.WebKit              0x0000000103b770ce WebKit::WebFrame::didReceivePolicyDecision(unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID) + 192
2   com.apple.WebKit              0x0000000103bbc9d6 void IPC::handleMessage<Messages::WebPage::DidReceivePolicyDecision, WebKit::WebPage, void (WebKit::WebPage::*)(unsigned long long, unsigned long long, unsigned int, unsigned long long, WebKit::DownloadID)>(IPC::MessageDecoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(unsigned long long, unsigned long long, unsigned int, unsigned long long, WebKit::DownloadID)) + 107
3   com.apple.WebKit              0x0000000103a887d1 IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::MessageDecoder&) + 113
4   com.apple.WebKit              0x0000000103bfe36e WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) + 28
5   com.apple.WebKit              0x0000000103a4a52f IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) + 127
6   com.apple.WebKit              0x0000000103a4ce4a IPC::Connection::dispatchOneMessage() + 126
7   com.apple.JavaScriptCore      0x0000000104daa2f5 WTF::RunLoop::performWork() + 437
8   com.apple.JavaScriptCore      0x0000000104daa6a2 WTF::RunLoop::performWork(void*) + 34
9   com.apple.CoreFoundation      0x00007fff9149afe1 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
10  com.apple.CoreFoundation      0x00007fff9147a71c __CFRunLoopDoSources0 + 556
11  com.apple.CoreFoundation      0x00007fff91479c3f __CFRunLoopRun + 927
12  com.apple.CoreFoundation      0x00007fff91479638 CFRunLoopRunSpecific + 296
13  com.apple.HIToolbox           0x00007fff8c62a935 RunCurrentEventLoopInMode + 235
14  com.apple.HIToolbox           0x00007fff8c62a76f ReceiveNextEventCommon + 432
15  com.apple.HIToolbox           0x00007fff8c62a5af _BlockUntilNextEventMatchingListInModeWithFilter + 71
16  com.apple.AppKit              0x00007fff94f10f3a _DPSNextEvent + 1067
17  com.apple.AppKit              0x00007fff94f1036a -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 454
18  com.apple.AppKit              0x00007fff94f04ec4 -[NSApplication run] + 682
19  com.apple.AppKit              0x00007fff94ece4ac NSApplicationMain + 1176
20  libxpc.dylib                  0x00007fff9634a45e _xpc_objc_main + 793
21  libxpc.dylib                  0x00007fff96348e8a xpc_main + 494
22  com.apple.WebKit.WebContent   0x000000010398e7df 0x10398d000 + 6111
23  libdyld.dylib                 0x00007fff8f8a85ad start + 1
Radar WebKit Bug Importer
Comment 2
2016-02-22 16:12:22 PST
<rdar://problem/24780678>
Daniel Bates
Comment 3
2016-02-22 16:17:24 PST
This crash only seems to occur when using WebKit2 (why?). When the test is run using WebKitTestRunner (WebKit2) DocumentLoader::refCount() == 1 before calling DocumentLoader::willSendRequest() in DocumentLoader::startLoadingMainResource(). When run using DumpRenderTree (WebKit1) DocumentLoader::refCount() == 3 at the same position.
Daniel Bates
Comment 4
2016-02-22 16:18:39 PST
Regardless of the ref count differences, DocumentLoader::startLoadingMainResource() should hold a ref of itself because DocumentLoader::willSendRequest() may deref us if we are the provisional loader and the load is cancelled.
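As an added illustration (not code from this bug or from WebKit) of the lifetime hazard comments 3 and 4 describe: a constructed FakeLoader whose willSendRequest() drops a reference, run with the WebKit2 entry ref count of 1 and the WebKit1 ref count of 3, with and without the self-reference the fix holds. FakeLoader, cancellingWillSendRequest and runScenario are assumed names.

```cpp
#include <cassert>
#include <cstdio>
#include <functional>

// Constructed stand-in for DocumentLoader (not WebKit's class). Instead of
// `delete this` when the count hits zero it sets a flag, so the demo stays
// well defined while still showing where the real code would be freed.
struct FakeLoader {
    int refCount = 1;                  // WebKit2 enters startLoadingMainResource() at 1, WebKit1 at 3
    bool destroyed = false;            // would be `delete this` in real code
    bool mainResourceStarted = false;
    std::function<void(FakeLoader&)> willSendRequest;  // stands in for DocumentLoader::willSendRequest()

    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) destroyed = true; }

    // Mirrors startLoadingMainResource(); returns true if `this` was touched
    // after its last reference was dropped (the GuardMalloc crash).
    bool startLoadingMainResource(bool holdSelfRef) {
        if (holdSelfRef)
            ref();                      // the fix: Ref<DocumentLoader> protectedThis(*this)
        willSendRequest(*this);         // may cancel the load and deref the provisional loader
        bool usedAfterFree = destroyed; // from here on any member access is a use-after-free
        if (!destroyed)
            mainResourceStarted = true;
        if (holdSelfRef)
            deref();                    // protectedThis goes out of scope after the last member access
        return usedAfterFree;
    }
};

// Cancelling path: the frame drops its reference to the provisional loader.
static void cancellingWillSendRequest(FakeLoader& loader) { loader.deref(); }

// Returns true when the loader is used after its refcount reaches zero.
bool runScenario(int initialRefCount, bool holdSelfRef) {
    FakeLoader loader;
    loader.refCount = initialRefCount;
    loader.willSendRequest = cancellingWillSendRequest;
    return loader.startLoadingMainResource(holdSelfRef);
}

int main() {
    std::printf("WebKit2 (ref 1), no self ref: use-after-free=%d\n", runScenario(1, false));
    std::printf("WebKit2 (ref 1), self ref   : use-after-free=%d\n", runScenario(1, true));
    std::printf("WebKit1 (ref 3), no self ref: use-after-free=%d\n", runScenario(3, false));
    return 0;
}
```

The ref count of 3 in the WebKit1 run only masks the bug; the self-reference is what makes the function safe regardless of who else holds the loader.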
Daniel Bates
Comment 5
2016-02-22 16:32:41 PST
Created attachment 271966 [details]: Patch
Daniel Bates
Comment 6
2016-02-22 16:48:42 PST
Comment on attachment 271966 [details]: Patch
Clearing flags on attachment: 271966
Committed r196965: <http://trac.webkit.org/changeset/196965>
Daniel Bates
Comment 7
2016-02-22 16:48:47 PST
All reviewed patches have been landed. Closing bug.