RESOLVED FIXED 183610
fast/loader/javascript-url-iframe-remove-on-navigate.html is a flaky crash on iOS with async delegates
https://bugs.webkit.org/show_bug.cgi?id=183610
Chris Dumez
Reported 2018-03-13 13:30:06 PDT
fast/loader/javascript-url-iframe-remove-on-navigate.html is a flaky crash on iOS with async delegates:

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000030
Exception Note: EXC_CORPSE_NOTIFY
Termination Signal: Segmentation fault: 11
Termination Reason: Namespace SIGNAL, Code 0xb
Terminating Process: exc handler [0]

VM Regions Near 0x30:
--> __TEXT 00000001042d1000-00000001042d3000 [ 8K] r-x/rwx SM=COW /Volumes/VOLUME/*/WebKit.framework/XPCServices/com.apple.WebKit.WebContent.xpc/com.apple.WebKit.WebContent.Development

Application Specific Information:
CRASHING TEST: fast/loader/javascript-url-iframe-remove-on-navigate.html
CoreSimulator 494.13.6 - Device: Managed 0 - Runtime: iOS 11.0 (15A372) - DeviceType: iPhone 5s

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.WebCore 0x000000010e0e7c04 WebCore::FrameLoaderStateMachine::creatingInitialEmptyDocument() const + 4 (FrameLoaderStateMachine.cpp:54)
1 com.apple.WebCore 0x000000010e0d1fe4 WebCore::DocumentLoader::maybeLoadEmpty() + 388 (DocumentLoader.cpp:1629)
2 com.apple.WebCore 0x000000010e0ce930 WebCore::DocumentLoader::loadMainResource(WebCore::ResourceRequest&&) + 1408 (DocumentLoader.cpp:1743)
3 com.apple.WebCore 0x000000010e0cd7da WebCore::DocumentLoader::matchRegistration(WebCore::URL const&, WTF::CompletionHandler<void (std::optional<WebCore::ServiceWorkerRegistrationData>&&)>&&) + 474 (memory:2602)
4 com.apple.WebCore 0x000000010e0dbe2c WTF::Function<void (WebCore::ResourceRequest&&)>::CallableWrapper<WebCore::DocumentLoader::startLoadingMainResource()::$_8>::call(WebCore::ResourceRequest&&) + 1212 (memory:2600)
5 com.apple.WebCore 0x000000010e0cdfa8 WebCore::DocumentLoader::willSendRequest(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&)>&&) + 1784 (memory:2602)
6 com.apple.WebCore 0x000000010e0d2600 WebCore::DocumentLoader::startLoadingMainResource() + 864 (memory:2600)
7 com.apple.WebCore 0x000000010e0ed67b WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, bool, WebCore::AllowNavigationToInvalidURL) + 779 (memory:2600)
8 com.apple.WebCore 0x000000010e0f7f1a WTF::Function<void (WebCore::ResourceRequest&&, WebCore::FormState*, bool)>::CallableWrapper<WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WebCore::FormState*, WebCore::AllowNavigationToInvalidURL, WTF::CompletionHandler<void ()>&&)::$_9>::call(WebCore::ResourceRequest&&, WebCore::FormState*, bool) + 26 (memory:2593)
9 com.apple.WebCore 0x000000010e10ebb5 WTF::Function<void (WebCore::PolicyAction)>::CallableWrapper<WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest&&, bool, WebCore::DocumentLoader*, WebCore::FormState*, WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WebCore::FormState*, bool)>&&)::$_6>::call(WebCore::PolicyAction) + 181 (memory:2602)
10 com.apple.WebKit 0x0000000104b29adb WebKit::WebFrame::didReceivePolicyDecision(unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID, std::optional<WebKit::WebsitePoliciesData>&&) + 183 (memory:2397)
11 com.apple.WebKit 0x0000000104b98f65 void IPC::callMemberFunctionImpl<WebKit::WebPage, void (WebKit::WebPage::*)(unsigned long long, unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID const&, std::optional<WebKit::WebsitePoliciesData>&&), std::__1::tuple<unsigned long long, unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID, std::optional<WebKit::WebsitePoliciesData> >, 0ul, 1ul, 2ul, 3ul, 4ul, 5ul>(WebKit::WebPage*, void (WebKit::WebPage::*)(unsigned long long, unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID const&, std::optional<WebKit::WebsitePoliciesData>&&), std::__1::tuple<unsigned long long, unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID, std::optional<WebKit::WebsitePoliciesData> >&&, std::__1::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul, 4ul, 5ul>) + 58 (HandleMessage.h:41)
12 com.apple.WebKit 0x0000000104b93afa void IPC::handleMessage<Messages::WebPage::DidReceivePolicyDecision, WebKit::WebPage, void (WebKit::WebPage::*)(unsigned long long, unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID const&, std::optional<WebKit::WebsitePoliciesData>&&)>(IPC::Decoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(unsigned long long, unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID const&, std::optional<WebKit::WebsitePoliciesData>&&)) + 100 (Optional.h:470)
13 com.apple.WebKit 0x00000001049f8baf IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) + 127
14 com.apple.WebKit 0x0000000104c04e88 WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) + 28 (WebProcess.cpp:639)
15 com.apple.WebKit 0x00000001049c116f IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) + 119 (memory:2581)
16 com.apple.WebKit 0x00000001049c3916 IPC::Connection::dispatchOneMessage() + 176 (Connection.cpp:964)
17 JavaScriptCore 0x000000010c98e7ac WTF::RunLoop::performWork() + 236 (Function.h:56)
18 JavaScriptCore 0x000000010c98ea42 WTF::RunLoop::performWork(void*) + 34 (RunLoopCF.cpp:39)
19 com.apple.CoreFoundation 0x0000000105e482b1 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
20 com.apple.CoreFoundation 0x0000000105ee7d31 __CFRunLoopDoSource0 + 81
21 com.apple.CoreFoundation 0x0000000105e2cc19 __CFRunLoopDoSources0 + 185
22 com.apple.CoreFoundation 0x0000000105e2c1ff __CFRunLoopRun + 1279
23 com.apple.CoreFoundation 0x0000000105e2ba89 CFRunLoopRunSpecific + 409
24 com.apple.Foundation 0x000000010437ce5e -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 274
25 com.apple.Foundation 0x000000010437cd39 -[NSRunLoop(NSRunLoop) run] + 76
26 libxpc.dylib 0x000000010793b0d9 _xpc_objc_main + 460
27 libxpc.dylib 0x000000010793d4cb xpc_main + 143
28 com.apple.WebKit.WebContent 0x00000001042d21ee main + 408 (OSObjectPtr.h:65)
29 libdyld.dylib 0x00000001075e6d81 start + 1
Attachments
Patch (3.79 KB, patch)
2018-03-13 16:29 PDT, Chris Dumez
no flags
Patch (3.80 KB, patch)
2018-03-13 16:49 PDT, Chris Dumez
no flags
Chris Dumez
Comment 1 2018-03-13 16:29:00 PDT
youenn fablet
Comment 2 2018-03-13 16:39:34 PDT
Comment on attachment 335744 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=335744&action=review

> Source/WebCore/ChangeLog:9
> + return null due to the load getting cancelled synchronously. If this load the parent frame's last

s/load/load is/

> Source/WebCore/ChangeLog:15
> + which crashes flakily.

crashes/crashed

> Source/WebCore/loader/DocumentLoader.cpp:1725
> + return;

I wonder whether some housekeeping would be good to do, hopefully not but hey...
For instance, is m_loadingMainResource false when returning early (hopefully yes)?

> Source/WebCore/loader/DocumentLoader.cpp:1728
> RELEASE_LOG_IF_ALLOWED("startLoadingMainResource: Unable to load main resource, URL is invalid (frame = %p, main = %d)", m_frame, m_frame->isMainFrame());

I wonder whether we would still want to log this error case even in the case frame is null?
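Review bot: the RELEASE_LOG_IF_ALLOWED call quoted from DocumentLoader.cpp:1728 passes m_frame->isMainFrame() as an argument, so it cannot be reached for the null-frame case as written; if the early return at DocumentLoader.cpp:1725 is to be logged as well, it needs its own message that does not dereference m_frame.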
Chris Dumez
Comment 3 2018-03-13 16:49:46 PDT
Chris Dumez
Comment 4 2018-03-13 16:50:17 PDT
Comment on attachment 335744 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=335744&action=review

>> Source/WebCore/loader/DocumentLoader.cpp:1725
>> + return;
>
> I wonder whether some housekeeping would be good to do, hopefully not but hey...
> For instance, is m_loadingMainResource false when returning early (hopefully yes)?

m_loadingMainResource is false. I checked.
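The failure mode discussed in the review above (an asynchronous delegate answering after the load was cancelled synchronously and the loader's frame went away, so the continuation dereferences a null frame) and the early-return guard the review settles on, as an added illustration. This is not WebKit's code: Frame, DocumentLoader, cancelAndDetachFromFrame, continueLoadAfterWillSendRequest and runScenario are hypothetical stand-ins that model only the ordering of events, with the async delegate represented as a queued completion handler the caller runs later.

```cpp
#include <cassert>
#include <cstdio>
#include <functional>
#include <optional>
#include <vector>

// Hypothetical stand-in for WebCore::Frame: only the state this example needs.
struct Frame {
    bool creatingInitialEmptyDocument = false; // models FrameLoaderStateMachine
    int mainResourceLoads = 0;                 // counts loads that reached the frame
};

enum class LoadOutcome { Completed, LoadedEmptyDocument, AbortedFrameDetached };

// A completion handler queued instead of run inline, which is what an
// asynchronous policy / willSendRequest delegate does in the iOS configuration.
using CompletionHandler = std::function<void()>;

class DocumentLoader {
public:
    explicit DocumentLoader(Frame* frame) : m_frame(frame) { }

    // Models the load being cancelled synchronously and the loader detached from
    // its (removed) iframe while the delegate is still pending: the cancellation
    // clears m_loadingMainResource and m_frame becomes null.
    void cancelAndDetachFromFrame()
    {
        m_loadingMainResource = false;
        m_frame = nullptr;
    }

    void startLoadingMainResource(std::vector<CompletionHandler>& pendingDelegates)
    {
        m_loadingMainResource = true;
        // willSendRequest() hands the request to the delegate; the rest of the
        // load runs in this continuation once the delegate answers.
        pendingDelegates.push_back([this] { m_lastOutcome = continueLoadAfterWillSendRequest(); });
    }

    bool loadingMainResource() const { return m_loadingMainResource; }
    std::optional<LoadOutcome> lastOutcome() const { return m_lastOutcome; }

private:
    LoadOutcome continueLoadAfterWillSendRequest()
    {
        // The guard: the frame can be gone by the time the async delegate
        // answers. Without it the lines below dereference a null m_frame, the
        // shape of the creatingInitialEmptyDocument() crash in the trace.
        if (!m_frame) {
            assert(!m_loadingMainResource); // cancellation already cleared it
            return LoadOutcome::AbortedFrameDetached;
        }
        m_loadingMainResource = false;
        if (m_frame->creatingInitialEmptyDocument)
            return LoadOutcome::LoadedEmptyDocument; // maybeLoadEmpty() path
        ++m_frame->mainResourceLoads;
        return LoadOutcome::Completed;
    }

    Frame* m_frame;
    bool m_loadingMainResource = false;
    std::optional<LoadOutcome> m_lastOutcome;
};

// Drives one scenario end to end: start the load, optionally detach the frame
// while the delegate is pending, then let the queued delegate answer.
LoadOutcome runScenario(Frame& frame, bool detachBeforeDelegateAnswers)
{
    std::vector<CompletionHandler> pendingDelegates;
    DocumentLoader loader(&frame);
    loader.startLoadingMainResource(pendingDelegates);
    assert(loader.loadingMainResource());
    if (detachBeforeDelegateAnswers)
        loader.cancelAndDetachFromFrame();
    for (auto& handler : pendingDelegates)
        handler(); // the async delegate answers now
    assert(!loader.loadingMainResource());
    return *loader.lastOutcome();
}

int main()
{
    Frame frame;
    std::printf("normal load completed: %d\n", runScenario(frame, false) == LoadOutcome::Completed);
    std::printf("detached load aborted: %d\n", runScenario(frame, true) == LoadOutcome::AbortedFrameDetached);
    return 0;
}
```

The point the model makes is that any state reached from a completion handler must be re-validated when the handler finally runs, because the object graph that existed when the request was issued is not guaranteed to exist when the delegate answers; the second scenario only terminates cleanly because the null check sits before the first use of the frame.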
WebKit Commit Bot
Comment 5 2018-03-13 18:02:25 PDT
Comment on attachment 335745 [details]
Patch

Clearing flags on attachment: 335745

Committed r229596: <https://trac.webkit.org/changeset/229596>
WebKit Commit Bot
Comment 6 2018-03-13 18:02:27 PDT
All reviewed patches have been landed. Closing bug.
Radar WebKit Bug Importer
Comment 7 2018-03-13 18:03:36 PDT