Bug 159640 (RESOLVED FIXED)
Potential null dereference under DocumentLoader::mainReceivedError()
https://bugs.webkit.org/show_bug.cgi?id=159640
Summary: Potential null dereference under DocumentLoader::mainReceivedError()
Chris Dumez
Reported 2016-07-11 12:57:23 PDT
Potential null dereference under DocumentLoader::mainReceivedError():

Thread[0] EXC_BAD_ACCESS (SIGSEGV) (KERN_INVALID_ADDRESS at 0x0000000000000008)

[ 0] 0x0000000108e9128e WebCore`WebCore::DocumentLoader::mainReceivedError(WebCore::ResourceError const&) [inlined] WebCore::FrameLoader::client() const at FrameLoader.h:205:48
   201
   202      static void addHTTPOriginIfNeeded(ResourceRequest&, const String& origin);
   203      static void addHTTPUpgradeInsecureRequestsIfNeeded(ResourceRequest&);
   204
-> 205      FrameLoaderClient& client() const { return m_client; }
   206
   207      void setDefersLoading(bool);
   208
   209      void didExplicitOpen();

   0x0000000108e9127c: movq 0x10(%rbx), %rax
   0x0000000108e91280: leaq 0x90(%rax), %rcx
   0x0000000108e91287: testq %rax, %rax
   0x0000000108e9128a: cmoveq %rax, %rcx
-> 0x0000000108e9128e: movq 0x8(%rcx), %rdi
   0x0000000108e91292: movq (%rdi), %rax
   0x0000000108e91295: movq %rbx, %rsi
   0x0000000108e91298: movq %r14, %rcx
   0x0000000108e9129b: callq *0x90(%rax)

[ 0] 0x0000000108e9128e WebCore`WebCore::DocumentLoader::mainReceivedError(WebCore::ResourceError const&) + 46 at DocumentLoader.cpp:255
   251      ASSERT(!error.isNull());
   252
   253      if (m_identifierForLoadWithoutResourceLoader) {
   254          ASSERT(!mainResourceLoader());
-> 255          frameLoader()->client().dispatchDidFailLoading(this, m_identifierForLoadWithoutResourceLoader, error);
   256      }
   257
   258      // There is a bug in CFNetwork where callbacks can be dispatched even when loads are deferred.
   259      // See <rdar://problem/6304600> for more details.

[ 1] 0x0000000108ed2238 WebCore`WebCore::DocumentLoader::cancelMainResourceLoad(WebCore::ResourceError const&) + 296 at DocumentLoader.cpp:1583:5
   1579      mainResourceLoader()->cancel(error);
   1580
   1581      clearMainResource();
   1582
-> 1583      mainReceivedError(error);
   1584  }
   1585
   1586  void DocumentLoader::clearMainResource()
   1587  {

[ 2] 0x0000000108fad1c2 WebCore`WebCore::DocumentLoader::stopLoadingForPolicyChange() + 82 at DocumentLoader.cpp:858:5
   854  void DocumentLoader::stopLoadingForPolicyChange()
   855  {
   856      ResourceError error = interruptedForPolicyChangeError();
   857      error.setType(ResourceError::Type::Cancellation);
-> 858      cancelMainResourceLoad(error);
   859  }
   860
   861  void DocumentLoader::commitData(const char* bytes, size_t length)
   862  {

[ 3] 0x00000001091f0c5b WebCore`std::__1::__function::__func<WebCore::DocumentLoader::willSendRequest(WebCore::ResourceRequest&, WebCore::ResourceResponse const&)::$_0, std::__1::allocator<WebCore::DocumentLoader::willSendRequest(WebCore::ResourceRequest&, WebCore::ResourceResponse const&)::$_0>, void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>::operator()(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>&&, bool&&) [inlined] WebCore::DocumentLoader::willSendRequest(WebCore::ResourceRequest&, WebCore::ResourceResponse const&)::$_0::operator()(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) const + 7 at DocumentLoader.cpp:587:9
[ 3] 0x00000001091f0c54 WebCore`std::__1::__function::__func<WebCore::DocumentLoader::willSendRequest(WebCore::ResourceRequest&, WebCore::ResourceResponse const&)::$_0, std::__1::allocator<WebCore::DocumentLoader::willSendRequest(WebCore::ResourceRequest&, WebCore::ResourceResponse const&)::$_0>, void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>::operator()(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>&&, bool&&) [inlined] decltype(std::__1::forward<WebCore::DocumentLoader::willSendRequest(WebCore::ResourceRequest&, WebCore::ResourceResponse const&)::$_0&>(fp)(std::__1::forward<WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool>(fp0))) std::__1::__invoke<WebCore::DocumentLoader::willSendRequest(WebCore::ResourceRequest&, WebCore::ResourceResponse const&)::$_0&, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool>(WebCore::DocumentLoader::willSendRequest(WebCore::ResourceRequest&, WebCore::ResourceResponse const&)::$_0&&&, WebCore::ResourceRequest const&&&, WTF::PassRefPtr<WebCore::FormState>&&, bool&&) + 16 at __functional_base:416
[ 3] 0x00000001091f0c44 WebCore`std::__1::__function::__func<WebCore::DocumentLoader::willSendRequest(WebCore::ResourceRequest&, WebCore::ResourceResponse const&)::$_0, std::__1::allocator<WebCore::DocumentLoader::willSendRequest(WebCore::ResourceRequest&, WebCore::ResourceResponse const&)::$_0>, void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>::operator()(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>&&, bool&&) [inlined] void std::__1::__invoke_void_return_wrapper<void>::__call<WebCore::DocumentLoader::willSendRequest(WebCore::ResourceRequest&, WebCore::ResourceResponse const&)::$_0&, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool>(WebCore::DocumentLoader::willSendRequest(WebCore::ResourceRequest&, WebCore::ResourceResponse const&)::$_0&&&, WebCore::ResourceRequest const&&&, WTF::PassRefPtr<WebCore::FormState>&&, bool&&) at __functional_base:468
[ 3] 0x00000001091f0c44 WebCore`std::__1::__function::__func<WebCore::DocumentLoader::willSendRequest(WebCore::ResourceRequest&, WebCore::ResourceResponse const&)::$_0, std::__1::allocator<WebCore::DocumentLoader::willSendRequest(WebCore::ResourceRequest&, WebCore::ResourceResponse const&)::$_0>, void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>::operator()(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>&&, bool&&) + 4 at functional:1437
[ 4] 0x0000000108d867f5 WebCore`WebCore::PolicyCallback::call(bool) [inlined] std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>::operator()(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) const + 16 at functional:1817:12
[ 4] 0x0000000108d867e5 WebCore`WebCore::PolicyCallback::call(bool) + 53 at PolicyCallback.cpp:95
[ 5] 0x0000000108d8677b WebCore`WebCore::PolicyChecker::continueAfterNavigationPolicy(WebCore::PolicyAction) + 731 at PolicyChecker.cpp:222:5
[ 6] 0x0000000107861703 WebKit`WebKit::WebFrame::didReceivePolicyDecision(unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID) [inlined] std::__1::function<void (WebCore::PolicyAction)>::operator()(WebCore::PolicyAction) const + 13 at functional:1817:12
[ 6] 0x00000001078616f6 WebKit`WebKit::WebFrame::didReceivePolicyDecision(unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID) + 178 at WebFrame.cpp:247
[ 7] 0x00000001078636d3 WebKit`WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction(WebCore::NavigationAction const&, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, std::__1::function<void (WebCore::PolicyAction)>) + 1559 at WebFrameLoaderClient.cpp:815:9
[ 8] 0x00000001099ea685 WebCore`WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, bool, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>) + 2485 at PolicyChecker.cpp:138:5
[ 9] 0x00000001099e9c56 WebCore`WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, bool, std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>) + 150 at PolicyChecker.cpp:73:5
[10] 0x0000000108d88523 WebCore`WebCore::DocumentLoader::willSendRequest(WebCore::ResourceRequest&, WebCore::ResourceResponse const&) + 1747 at DocumentLoader.cpp:586:5
[11] 0x00000001090761b4 WebCore`WebCore::CachedRawResource::redirectReceived(WebCore::ResourceRequest&, WebCore::ResourceResponse const&) + 244 at CachedRawResource.cpp:172:13
[12] 0x0000000109ca4d42 WebCore`WebCore::SubresourceLoader::willSendRequestInternal(WebCore::ResourceRequest&, WebCore::ResourceResponse const&) + 994 at SubresourceLoader.cpp:214:9
[13] 0x0000000109b5af35 WebCore`WebCore::ResourceLoader::willSendRequest(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, std::__1::function<void (WebCore::ResourceRequest&&)>&&) + 21 at ResourceLoader.cpp:389:5
[14] 0x000000010790fe73 WebKit`WebKit::WebResourceLoader::willSendRequest(WebCore::ResourceRequest&&, WebCore::ResourceResponse&&) + 243 at WebResourceLoader.cpp:88:5
[15] 0x00000001079106bb WebKit`void IPC::handleMessage<Messages::WebResourceLoader::WillSendRequest, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::ResourceRequest&&, WebCore::ResourceResponse&&)>(IPC::MessageDecoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::ResourceRequest&&, WebCore::ResourceResponse&&)) [inlined] void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::ResourceRequest&&, WebCore::ResourceResponse&&), std::__1::tuple<WebCore::ResourceRequest, WebCore::ResourceResponse>, 0ul, 1ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::ResourceRequest&&, WebCore::ResourceResponse&&), std::__1::tuple<WebCore::ResourceRequest, WebCore::ResourceResponse>&&, std::__1::integer_sequence<unsigned long, 0ul, 1ul>) + 2 at HandleMessage.h:16:5
[15] 0x00000001079106b9 WebKit`void IPC::handleMessage<Messages::WebResourceLoader::WillSendRequest, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::ResourceRequest&&, WebCore::ResourceResponse&&)>(IPC::MessageDecoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::ResourceRequest&&, WebCore::ResourceResponse&&)) [inlined] void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::ResourceRequest&&, WebCore::ResourceResponse&&), std::__1::tuple<WebCore::ResourceRequest, WebCore::ResourceResponse>, std::__1::integer_sequence<unsigned long, 0ul, 1ul> >(std::__1::tuple<WebCore::ResourceRequest, WebCore::ResourceResponse>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::ResourceRequest&&, WebCore::ResourceResponse&&)) at HandleMessage.h:22
[15] 0x00000001079106b9 WebKit`void IPC::handleMessage<Messages::WebResourceLoader::WillSendRequest, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::ResourceRequest&&, WebCore::ResourceResponse&&)>(IPC::MessageDecoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::ResourceRequest&&, WebCore::ResourceResponse&&)) + 141 at HandleMessage.h:92
[16] 0x0000000107753a98 WebKit`IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) [inlined] IPC::Connection::dispatchMessage(IPC::MessageDecoder&) + 12 at Connection.cpp:887:5
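The disassembly in the report shows how the fault address comes about: `movq 0x10(%rbx), %rax` loads the frame pointer, `leaq 0x90(%rax), %rcx` computes the address of its embedded FrameLoader, and `cmoveq` turns that into a null pointer when the frame pointer is null, so `frameLoader()` returns nullptr and the next instruction reads the client reference at offset 8 through it. The model below is an added illustration, not WebKit code and not the patch that landed as r203088: it reproduces that nullable getter with stand-in types (DocumentLoader, Frame, FrameLoader, FrameLoaderClient are cut-down mock-ups; the simulate helpers and the identifier value 42 are invented), and shows the call site guarded so a detached loader reports no failure instead of dereferencing null.

```cpp
// Added example modelling bug 159640; all types here are simplified stand-ins
// for the WebKit classes of the same name, not the real implementation.
#include <string>

struct ResourceError { std::string description; };

// Stand-in for FrameLoaderClient: records the dispatchDidFailLoading() calls it receives.
struct FrameLoaderClient {
    int failedLoads = 0;
    unsigned long lastIdentifier = 0;
    void dispatchDidFailLoading(unsigned long identifier, const ResourceError&) {
        ++failedLoads;
        lastIdentifier = identifier;
    }
};

// Stand-in for FrameLoader: holds the client by reference, as FrameLoader.h:205
// in the trace does. Reading that reference through a null FrameLoader* is the
// faulting load in the report.
struct FrameLoader {
    explicit FrameLoader(FrameLoaderClient& client) : m_client(client) {}
    FrameLoaderClient& client() const { return m_client; }
private:
    FrameLoaderClient& m_client;
};

// Stand-in for Frame: owns its FrameLoader inline, matching the leaq-offset
// computation in the disassembly.
struct Frame {
    explicit Frame(FrameLoaderClient& client) : m_loader(client) {}
    FrameLoader& loader() { return m_loader; }
private:
    FrameLoader m_loader;
};

struct DocumentLoader {
    Frame* m_frame = nullptr;   // becomes null once the loader is detached from its frame
    unsigned long m_identifierForLoadWithoutResourceLoader = 0;

    // Mirrors the testq/cmoveq sequence: null frame yields a null FrameLoader*.
    FrameLoader* frameLoader() const { return m_frame ? &m_frame->loader() : nullptr; }

    // Guarded form of the call site at DocumentLoader.cpp:255. The original
    // wrote frameLoader()->client()... unconditionally; here a null result
    // ends the function. Returns whether the failure was delivered to a client.
    bool mainReceivedError(const ResourceError& error) {
        if (!m_identifierForLoadWithoutResourceLoader)
            return false;
        FrameLoader* loader = frameLoader();
        if (!loader)
            return false;   // the unguarded original faults at this point
        loader->client().dispatchDidFailLoading(m_identifierForLoadWithoutResourceLoader, error);
        return true;
    }
};

// Drives the path from the trace (stopLoadingForPolicyChange -> cancelMainResourceLoad
// -> mainReceivedError) with the frame either still attached or already gone.
// The identifier 42 is an arbitrary constructed value.
bool cancelForPolicyChange(bool frameAttached, FrameLoaderClient& client) {
    Frame frame(client);
    DocumentLoader loader;
    loader.m_frame = frameAttached ? &frame : nullptr;
    loader.m_identifierForLoadWithoutResourceLoader = 42;
    ResourceError error{"interrupted for policy change"};
    return loader.mainReceivedError(error);
}

// Helpers exposing the observable outcome of each scenario.
bool failureDelivered(bool frameAttached) {
    FrameLoaderClient client;
    return cancelForPolicyChange(frameAttached, client);
}

int failedLoadsSeen(bool frameAttached) {
    FrameLoaderClient client;
    cancelForPolicyChange(frameAttached, client);
    return client.failedLoads;
}

unsigned long identifierSeen(bool frameAttached) {
    FrameLoaderClient client;
    cancelForPolicyChange(frameAttached, client);
    return client.lastIdentifier;
}
```

With the frame attached the client sees one failed load carrying the identifier; with the frame detached the guarded call returns early and the client is never touched, which is the behaviour a null check at the call site buys over the unconditional dereference in the trace.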
Attachments
Patch (1.85 KB, patch)
2016-07-11 13:00 PDT, Chris Dumez
no flags
Radar WebKit Bug Importer
Comment 1 2016-07-11 12:58:17 PDT
Chris Dumez
Comment 2 2016-07-11 13:00:53 PDT
Chris Dumez
Comment 3 2016-07-11 15:36:35 PDT
Comment on attachment 283335 [details]
Patch

Clearing flags on attachment: 283335

Committed r203088: <http://trac.webkit.org/changeset/203088>
Chris Dumez
Comment 4 2016-07-11 15:36:40 PDT
All reviewed patches have been landed. Closing bug.