Bug 183290 - fast/events/before-unload-remove-itself.html crashes with async policy delegates
Summary: fast/events/before-unload-remove-itself.html crashes with async policy delegates
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Page Loading
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Chris Dumez
URL:
Keywords: InRadar
Depends on:
Blocks: 180568
Reported: 2018-03-02 08:27 PST by Chris Dumez
Modified: 2018-03-02 09:52 PST (History)

See Also:


Attachments
Patch (7.56 KB, patch)
2018-03-02 08:55 PST, Chris Dumez
no flags

Description Chris Dumez 2018-03-02 08:27:26 PST
fast/events/before-unload-remove-itself.html crashes with async policy delegates:
Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000080
Exception Note:        EXC_CORPSE_NOTIFY

Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   exc handler [0]

VM Regions Near 0x80:
--> 
    __TEXT                 0000000100619000-000000010061b000 [    8K] r-x/rwx SM=COW  /Volumes/VOLUME/*/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development

Application Specific Information:
CRASHING TEST: fast/events/before-unload-remove-itself.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x000000015a504e9c WebCore::PolicyChecker::loadType() const + 12 (PolicyChecker.h:70)
1   com.apple.WebCore             	0x000000015a505231 WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, bool, WebCore::AllowNavigationToInvalidURL) + 705 (FrameLoader.cpp:3178)
2   com.apple.WebCore             	0x000000015a520b88 WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WebCore::FormState*, WebCore::AllowNavigationToInvalidURL)::$_5::operator()(WebCore::ResourceRequest const&, WebCore::FormState*, bool) const + 72 (FrameLoader.cpp:1537)
3   com.apple.WebCore             	0x000000015a520b12 WTF::Function<void (WebCore::ResourceRequest&&, WebCore::FormState*, bool)>::CallableWrapper<WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WebCore::FormState*, WebCore::AllowNavigationToInvalidURL)::$_5>::call(WebCore::ResourceRequest&&, WebCore::FormState*, bool) + 98 (Function.h:101)
4   com.apple.WebCore             	0x000000015a550f2d WTF::Function<void (WebCore::ResourceRequest&&, WebCore::FormState*, bool)>::operator()(WebCore::ResourceRequest&&, WebCore::FormState*, bool) const + 221 (Function.h:56)
5   com.apple.WebCore             	0x000000015a5439e9 WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WebCore::FormState*, bool)>::operator()(WebCore::ResourceRequest&&, WebCore::FormState*, bool) const + 185 (CompletionHandler.h:60)
6   com.apple.WebCore             	0x000000015a553486 WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest&&, bool, WebCore::DocumentLoader*, WebCore::FormState*, WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WebCore::FormState*, bool)>&&)::$_6::operator()(WebCore::PolicyAction) + 662 (PolicyChecker.cpp:165)
7   com.apple.WebCore             	0x000000015a55306a WTF::Function<void (WebCore::PolicyAction)>::CallableWrapper<WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest&&, bool, WebCore::DocumentLoader*, WebCore::FormState*, WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WebCore::FormState*, bool)>&&)::$_6>::call(WebCore::PolicyAction) + 42 (Function.h:101)
8   com.apple.WebKit              	0x00000001007b73b1 WTF::Function<void (WebCore::PolicyAction)>::operator()(WebCore::PolicyAction) const + 177 (Function.h:56)
9   com.apple.WebKit              	0x0000000100f4dff7 WebKit::WebFrame::didReceivePolicyDecision(unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID, std::optional<WebKit::WebsitePoliciesData>&&) + 423 (WebFrame.cpp:282)
10  com.apple.WebKit              	0x000000010107a6fc WebKit::WebPage::didReceivePolicyDecision(unsigned long long, unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID const&, std::optional<WebKit::WebsitePoliciesData>&&) + 156 (WebPage.cpp:2829)
11  com.apple.WebKit              	0x000000010110fd97 void IPC::callMemberFunctionImpl<WebKit::WebPage, void (WebKit::WebPage::*)(unsigned long long, unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID const&, std::optional<WebKit::WebsitePoliciesData>&&), std::__1::tuple<unsigned long long, unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID, std::optional<WebKit::WebsitePoliciesData> >, 0ul, 1ul, 2ul, 3ul, 4ul, 5ul>(WebKit::WebPage*, void (WebKit::WebPage::*)(unsigned long long, unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID const&, std::optional<WebKit::WebsitePoliciesData>&&), std::__1::tuple<unsigned long long, unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID, std::optional<WebKit::WebsitePoliciesData> >&&, std::__1::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul, 4ul, 5ul>) + 439 (HandleMessage.h:41)
12  com.apple.WebKit              	0x000000010110ee00 void IPC::callMemberFunction<WebKit::WebPage, void (WebKit::WebPage::*)(unsigned long long, unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID const&, std::optional<WebKit::WebsitePoliciesData>&&), std::__1::tuple<unsigned long long, unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID, std::optional<WebKit::WebsitePoliciesData> >, std::__1::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul, 4ul, 5ul> >(std::__1::tuple<unsigned long long, unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID, std::optional<WebKit::WebsitePoliciesData> >&&, WebKit::WebPage*, void (WebKit::WebPage::*)(unsigned long long, unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID const&, std::optional<WebKit::WebsitePoliciesData>&&)) + 96 (HandleMessage.h:47)
13  com.apple.WebKit              	0x00000001010fd21f void IPC::handleMessage<Messages::WebPage::DidReceivePolicyDecision, WebKit::WebPage, void (WebKit::WebPage::*)(unsigned long long, unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID const&, std::optional<WebKit::WebsitePoliciesData>&&)>(IPC::Decoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(unsigned long long, unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID const&, std::optional<WebKit::WebsitePoliciesData>&&)) + 383 (HandleMessage.h:127)
14  com.apple.WebKit              	0x00000001010f4c12 WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection&, IPC::Decoder&) + 5058 (WebPageMessageReceiver.cpp:673)
15  com.apple.WebKit              	0x00000001010804ce WebKit::WebPage::didReceiveMessage(IPC::Connection&, IPC::Decoder&) + 510 (WebPage.cpp:3938)
16  com.apple.WebKit              	0x0000000101080514 non-virtual thunk to WebKit::WebPage::didReceiveMessage(IPC::Connection&, IPC::Decoder&) + 52
17  com.apple.WebKit              	0x0000000100885558 IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) + 456 (MessageReceiverMap.cpp:124)
18  com.apple.WebKit              	0x00000001012c7b6d WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) + 61 (WebProcess.cpp:638)
19  com.apple.WebKit              	0x00000001007787c3 IPC::Connection::dispatchMessage(IPC::Decoder&) + 51 (Connection.cpp:908)
20  com.apple.WebKit              	0x000000010076dda8 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) + 712
21  com.apple.WebKit              	0x0000000100778dca IPC::Connection::dispatchOneMessage() + 1530 (Connection.cpp:965)
22  com.apple.WebKit              	0x000000010079128d IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14::operator()() + 29 (Connection.cpp:902)
23  com.apple.WebKit              	0x00000001007911e9 WTF::Function<void ()>::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14>::call() + 25 (Function.h:101)
24  com.apple.JavaScriptCore      	0x0000000168a7cb1b WTF::Function<void ()>::operator()() const + 139 (Function.h:56)
25  com.apple.JavaScriptCore      	0x0000000168ac19e3 WTF::RunLoop::performWork() + 211 (RunLoop.cpp:107)
26  com.apple.JavaScriptCore      	0x0000000168ac2284 WTF::RunLoop::performWork(void*) + 36 (RunLoopCF.cpp:38)
27  com.apple.CoreFoundation      	0x00007fff4e1f2ca1 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
28  com.apple.CoreFoundation      	0x00007fff4e2ac69c __CFRunLoopDoSource0 + 108
29  com.apple.CoreFoundation      	0x00007fff4e1d57e0 __CFRunLoopDoSources0 + 208
30  com.apple.CoreFoundation      	0x00007fff4e1d4c5d __CFRunLoopRun + 1293
31  com.apple.CoreFoundation      	0x00007fff4e1d44c3 CFRunLoopRunSpecific + 483
32  com.apple.HIToolbox           	0x00007fff4d4bfd86 RunCurrentEventLoopInMode + 286
33  com.apple.HIToolbox           	0x00007fff4d4bfaf6 ReceiveNextEventCommon + 613
34  com.apple.HIToolbox           	0x00007fff4d4bf874 _BlockUntilNextEventMatchingListInModeWithFilter + 64
35  com.apple.AppKit              	0x00007fff4b745c17 _DPSNextEvent + 2085
36  com.apple.AppKit              	0x00007fff4bedbf04 -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 3044
37  com.apple.AppKit              	0x00007fff4b73aa29 -[NSApplication run] + 764
38  com.apple.AppKit              	0x00007fff4b709c02 NSApplicationMain + 804
39  libxpc.dylib                  	0x00007fff76ea9f93 _xpc_objc_main + 580
40  libxpc.dylib                  	0x00007fff76ea8be6 xpc_main + 417
41  com.apple.WebKit.WebContent   	0x000000010061a13b main + 1195 (XPCServiceMain.mm:148)
42  libdyld.dylib                 	0x00007fff76b5a015 start + 1
Comment 1 Radar WebKit Bug Importer 2018-03-02 08:28:18 PST
<rdar://problem/38069045>
Comment 2 Chris Dumez 2018-03-02 08:55:03 PST
Created attachment 334899 [details]
Patch
Comment 3 WebKit Commit Bot 2018-03-02 09:52:22 PST
Comment on attachment 334899 [details]
Patch

Clearing flags on attachment: 334899

Committed r229179: <https://trac.webkit.org/changeset/229179>
Comment 4 WebKit Commit Bot 2018-03-02 09:52:24 PST
All reviewed patches have been landed. Closing bug.