Bug 187121 - WebKitLegacy: Can trigger recursive loads triggering debug assertions
Summary: WebKitLegacy: Can trigger recursive loads triggering debug assertions
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc.
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Brent Fulgham
URL:
Keywords: InRadar
Depends on: 187008
Blocks:
Reported: 2018-06-27 16:07 PDT by Brent Fulgham
Modified: 2018-06-29 15:56 PDT (History)

See Also:


Attachments
Patch (6.21 KB, patch)
2018-06-27 16:12 PDT, Brent Fulgham
Archive of layout-test-results from ews202 for win-future (12.94 MB, application/zip)
2018-06-27 19:51 PDT, EWS Watchlist
Patch (12.96 KB, patch)
2018-06-29 12:58 PDT, Chris Dumez
Archive of layout-test-results from ews200 for win-future (12.84 MB, application/zip)
2018-06-29 15:07 PDT, EWS Watchlist

Description Brent Fulgham 2018-06-27 16:07:00 PDT
While investigating Bug 187008 I found that some WebKitLegacy clients trigger recursive loads while cancelling the loading of web content into a WebView.

This has the following impacts:

1. FrameLoader::continueLoadAfterNavigationPolicy gets entered with a nullptr Policy Document Loader as well as a nullptr Provisional Document Loader. If we continue in this state, we hit a ton of assertions, and eventually crash with a nullptr exception. If we return early, the cancel and alternate page load complete properly.

2. WebFrameLoaderClient::dispatchDidStartProvisionalLoad can be re-entered which triggers a set of assertions and eventually a nullptr dereference. If we keep track of whether we have started a load on the current client object, and return early in those cases, the cancel and alternate page load complete properly.
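A constructed C++ model of the two early returns described in points 1 and 2, added here as an illustration; it is not the patch's code, and every class and member name (LoaderClient, m_loadInProgress, runScenario, the example.test URLs) is hypothetical. runScenario(true) runs the client with the re-entrancy flag, runScenario(false) without it, so the nested callback can be counted either way.

```cpp
#include <memory>
#include <string>
// Constructed model of this bug's scenario (hypothetical names, not WebKit's code): the
// client's dispatchDidStartProvisionalLoad cancels the load and starts an alternate page.
struct DocumentLoader { std::string url; };
class FrameLoader;
class LoaderClient {
public:
    explicit LoaderClient(bool guard) : m_guard(guard) {}
    void dispatchDidStartProvisionalLoad(FrameLoader&, const std::string& url);
    int nestedDispatches = 0;  // times the callback body ran while already active
private:
    bool m_guard, m_loadInProgress = false;  // item 2: has this client started a load?
};
class FrameLoader {
public:
    explicit FrameLoader(LoaderClient& client) : m_client(client) {}
    bool load(const std::string& url) {  // false: cancelled underneath us, abandoned early
        m_provisional = std::make_unique<DocumentLoader>(DocumentLoader{url});
        m_client.dispatchDidStartProvisionalLoad(*this, url);
        return continueLoadAfterNavigationPolicy();
    }
    void cancel() { m_policy.reset(); m_provisional.reset(); }
    std::string committedURL() const { return m_committed ? m_committed->url : ""; }
private:
    bool continueLoadAfterNavigationPolicy() {
        // Item 1: policy and provisional loader both null means the load was cancelled;
        // return early rather than continuing into code that dereferences them.
        if (!m_policy && !m_provisional) return false;
        m_committed.reset(m_provisional.release());
        return true;
    }
    LoaderClient& m_client;
    std::unique_ptr<DocumentLoader> m_policy, m_provisional, m_committed;  // m_policy stays null here
};
void LoaderClient::dispatchDidStartProvisionalLoad(FrameLoader& loader, const std::string& url) {
    if (m_loadInProgress && m_guard) return;   // item 2: refuse the recursive entry
    if (m_loadInProgress) ++nestedDispatches;  // unguarded: callback re-entered mid-flight
    m_loadInProgress = true;
    if (url == "https://example.test/original") {  // constructed client behaviour
        loader.cancel();
        loader.load("https://example.test/alternate");
    }
    m_loadInProgress = false;
}
struct Outcome { bool outerProceeded; int nestedDispatches; std::string committed; };
Outcome runScenario(bool guard) {
    LoaderClient client(guard);
    FrameLoader loader(client);
    bool proceeded = loader.load("https://example.test/original");
    return {proceeded, client.nestedDispatches, loader.committedURL()};
}
```

In both runs the alternate page is what ends up committed and the outer load bails out through the item 1 check; the difference is that without the flag the callback runs nested inside itself, which is the re-entry the debug assertions caught.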
Comment 1 Brent Fulgham 2018-06-27 16:09:51 PDT
<rdar://problem/41259430>
Comment 2 Brent Fulgham 2018-06-27 16:12:40 PDT
Created attachment 343765 [details]
Patch
Comment 3 EWS Watchlist 2018-06-27 19:51:08 PDT
Comment on attachment 343765 [details]
Patch

Attachment 343765 [details] did not pass win-ews (win):
Output: https://webkit-queues.webkit.org/results/8365540

New failing tests:
http/tests/security/canvas-remote-read-remote-video-blocked-no-crossorigin.html
Comment 4 EWS Watchlist 2018-06-27 19:51:20 PDT
Created attachment 343783 [details]
Archive of layout-test-results from ews202 for win-future

The attached test failures were seen while running run-webkit-tests on the win-ews.
Bot: ews202  Port: win-future  Platform: CYGWIN_NT-6.1-2.9.0-0.318-5-3-x86_64-64bit
Comment 5 Chris Dumez 2018-06-29 12:58:35 PDT
Created attachment 343934 [details]
Patch
Comment 6 EWS Watchlist 2018-06-29 15:07:07 PDT
Comment on attachment 343934 [details]
Patch

Attachment 343934 [details] did not pass win-ews (win):
Output: https://webkit-queues.webkit.org/results/8387296

New failing tests:
http/tests/security/local-video-source-from-remote.html
Comment 7 EWS Watchlist 2018-06-29 15:07:19 PDT
Created attachment 343949 [details]
Archive of layout-test-results from ews200 for win-future

The attached test failures were seen while running run-webkit-tests on the win-ews.
Bot: ews200  Port: win-future  Platform: CYGWIN_NT-6.1-2.9.0-0.318-5-3-x86_64-64bit
Comment 8 Brent Fulgham 2018-06-29 15:29:38 PDT
Comment on attachment 343934 [details]
Patch

r=me
Comment 9 WebKit Commit Bot 2018-06-29 15:56:36 PDT
Comment on attachment 343934 [details]
Patch

Clearing flags on attachment: 343934

Committed r233374: <https://trac.webkit.org/changeset/233374>
Comment 10 WebKit Commit Bot 2018-06-29 15:56:38 PDT
All reviewed patches have been landed. Closing bug.