WebResourceLoader may try to send an IPC with a destination ID that is 0:

Exception Type: EXC_BREAKPOINT (SIGTRAP)
Exception Codes: 0x0000000000000001, 0x00000001b067bee0
Termination Signal: Trace/BPT trap: 5
Termination Reason: Namespace SIGNAL, Code 0x5
Terminating Process: exc handler [5462]
Triggered by Thread: 0

Thread 0 name: Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0 WebKit 0x00000001b067bee0 WebKit::WebResourceLoader::messageSenderDestinationID() + 56 (WebResourceLoader.cpp:77)
1 WebKit 0x00000001b067bebc WebKit::WebResourceLoader::messageSenderDestinationID() + 20 (WebResourceLoader.cpp:76)
2 WebKit 0x00000001b067cfa8 WTF::Function<void ()>::CallableWrapper<WebKit::WebResourceLoader::didReceiveResponse(WebCore::ResourceResponse const&, bool)::$_1>::call() + 48 (MessageSender.h:39)
3 WebCore 0x00000001aa41f584 WebCore::SubresourceLoader::didReceiveResponsePolicy() + 44 (Function.h:56)
4 WebCore 0x00000001aa3d86cc WTF::Function<void (WebCore::PolicyAction)>::CallableWrapper<WebCore::DocumentLoader::responseReceived(WebCore::ResourceResponse const&, WTF::CompletionHandler<void ()>&&)::$_7>::call(WebCore::PolicyAction) + 36 (DocumentLoader.cpp:838)
5 WebKit 0x00000001b056254c WebKit::WebFrame::invalidatePolicyListener() + 64 (Function.h:56)
6 WebCore 0x00000001aa3cdb70 WebCore::DocumentLoader::detachFromFrame() + 476 (DocumentLoader.cpp:1818)
7 WebCore 0x00000001aa3ee2cc WebCore::FrameLoader::clearProvisionalLoad() + 52 (FrameLoader.cpp:1898)
8 WebCore 0x00000001aa3ef760 WebCore::FrameLoader::checkLoadCompleteForThisFrame() + 1716 (FrameLoader.cpp:2418)
9 WebCore 0x00000001aa3e7af8 WebCore::FrameLoader::checkLoadComplete() + 408 (FrameLoader.cpp:2629)
10 WebCore 0x00000001aa3f139c WebCore::FrameLoader::receivedMainResourceError(WebCore::ResourceError const&) + 324 (FrameLoader.cpp:3030)
11 WebCore 0x00000001aa44c5e8 WebCore::CachedResource::checkNotify() + 292 (CachedResource.cpp:341)
12 WebCore 0x00000001aa41fbe4 WebCore::SubresourceLoader::didFail(WebCore::ResourceError const&) + 264 (SubresourceLoader.cpp:677)
13 WebKit 0x00000001b058a51c WebKit::WebLoaderStrategy::internallyFailedLoadTimerFired() + 92 (WebLoaderStrategy.cpp:362)
14 JavaScriptCore 0x00000001a7dee02c WTF::RunLoop::TimerBase::timerFired(__CFRunLoopTimer*, void*) + 44 (RunLoopCF.cpp:84)
15 CoreFoundation 0x00000001a00ef148 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 28 (CFRunLoop.c:1830)
16 CoreFoundation 0x00000001a00eee74 __CFRunLoopDoTimer + 864 (CFRunLoop.c:2417)
17 CoreFoundation 0x00000001a00ee6a8 __CFRunLoopDoTimers + 248 (CFRunLoop.c:2564)
18 CoreFoundation 0x00000001a00e9558 __CFRunLoopRun + 1884 (CFRunLoop.c:0)
19 CoreFoundation 0x00000001a00e8ad8 CFRunLoopRunSpecific + 436 (CFRunLoop.c:3247)
20 Foundation 0x00000001a0ada314 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 300 (NSRunLoop.m:367)
21 Foundation 0x00000001a0b16328 -[NSRunLoop(NSRunLoop) run] + 88 (NSRunLoop.m:389)
22 libxpc.dylib 0x000000019fdba078 _xpc_objc_main + 532 (main.m:170)
23 libxpc.dylib 0x000000019fdbcab8 xpc_main + 184 (init.c:1471)
24 com.apple.WebKit.WebContent 0x00000001009d759c main + 380 (XPCServiceMain.mm:160)
25 libdyld.dylib 0x000000019fba9dd8 0x19fba9000 + 3544

This can lead to HashMap corruption on the recipient side when trying to look up a key that is 0.
<rdar://problem/39265927>
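Added illustration of why a destination ID of 0 is dangerous on the recipient side; this is not code from WebKit or from the r233815 patch. WTF::HashMap with integer keys reserves 0 as the empty-bucket sentinel, so the toy open-addressing table below models that convention (identity hash, eight buckets, all names are made up) and shows how an unchecked lookup or insert of key 0 yields phantom hits and a desynchronised entry count, next to the guard that rejects 0 before it touches the table.

```cpp
// Added example, not code from WebKit or the linked patch. A toy open-addressing
// table that, like WTF::HashMap with integer keys, reserves key 0 as the
// "empty bucket" sentinel, so a lookup or insert of 0 silently corrupts state.
#include <array>
#include <cstddef>
#include <cstdint>
#include <optional>
#include <string>

struct SentinelHashMap {
    static constexpr uint64_t kEmptyKey = 0;  // 0 marks a vacant bucket
    static constexpr std::size_t kBuckets = 8;
    std::array<uint64_t, kBuckets> keys{};    // value-initialised to kEmptyKey
    std::array<std::string, kBuckets> values{};
    std::size_t count = 0;

    static bool isValidKey(uint64_t key) { return key != kEmptyKey; }

    // Linear probing (toy hash: key % kBuckets); stops at the matching key or
    // the first vacant bucket. For key 0 the two stop conditions coincide.
    std::size_t bucketFor(uint64_t key) const {
        std::size_t i = key % kBuckets;
        while (keys[i] != key && keys[i] != kEmptyKey)
            i = (i + 1) % kBuckets;
        return i;
    }
    // Raw operations with no key validation: what happens when the recipient
    // looks up a destination ID of 0 taken straight from the wire.
    void setUnchecked(uint64_t key, std::string value) {
        std::size_t i = bucketFor(key);
        if (keys[i] == kEmptyKey) ++count;  // for key 0 the bucket stays "vacant"
        keys[i] = key;
        values[i] = std::move(value);
    }
    std::optional<std::string> getUnchecked(uint64_t key) const {
        std::size_t i = bucketFor(key);
        if (keys[i] != key) return std::nullopt;
        return values[i];  // key 0 always "matches" a vacant bucket: phantom hit
    }
    // Guarded operations: reject the sentinel before it reaches the table.
    bool set(uint64_t key, std::string value) {
        if (!isValidKey(key)) return false;
        setUnchecked(key, std::move(value));
        return true;
    }
    std::optional<std::string> get(uint64_t key) const {
        return isValidKey(key) ? getUnchecked(key) : std::nullopt;
    }
};
```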
Created attachment 344966 [details] Patch
Comment on attachment 344966 [details]
Patch

Clearing flags on attachment: 344966

Committed r233815: <https://trac.webkit.org/changeset/233815>
All reviewed patches have been landed. Closing bug.