RESOLVED FIXED 189568
WebPageProxy::reportPageLoadResult can crash on some code paths 
https://bugs.webkit.org/show_bug.cgi?id=189568
Summary WebPageProxy::reportPageLoadResult can crash on some code paths
Keith Rollin
Reported 2018-09-12 16:58:58 PDT
WebPageProxy::reportPageLoadResult (which is called from WebPageProxy::didFinishLoadForFrame) can sometimes crash when accessing m_pageLoadStart (a std::optional) in its unloaded state. Normally, m_pageLoadStart is initialized in WebPageProxy::didStartProvisionalLoadForFrame, which one would expect would be called before WebPageProxy::didFinishLoadForFrame. But that turns out to not always be the case. It's not apparent under what conditions didStartProvisionalLoadForFrame will not be called, but it's happening in the wild, leading to crashes now that std::optional asserts in release builds on bad accesses (see Bug 187669). rdar://problem/44356683
Attachments
Patch (4.05 KB, patch)
2018-09-12 17:06 PDT, Keith Rollin 		no flags
DetailsFormatted DiffDiff
Patch (3.27 KB, patch)
2018-09-13 10:24 PDT, Keith Rollin 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Keith Rollin
Comment 1 2018-09-12 17:04:36 PDT
Fix this by adding checks of m_pageLoadState before all calls to reportPageLoadResult. The check of m_pageLoadState is made outside of reportPageLoadResult rather than inside of it because of review comments suggesting that they worked better outside and ended up being more efficient (Bug 183221, comment #30).
Keith Rollin
Comment 2 2018-09-12 17:06:08 PDT
Also remove an ASSERT that is no longer needed now that std::optional provides its own.
Keith Rollin
Comment 3 2018-09-12 17:06:33 PDT
Created attachment 349599 [details] Patch
David Kilzer (:ddkilzer)
Comment 4 2018-09-12 18:05:32 PDT
Comment on attachment 349599 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=349599&action=review r- to fix patch applying to trunk and consider feedback. > Source/WebKit/UIProcess/WebPageProxy.cpp:3564 > + if (m_pageLoadStart) Why not just add an early return to reportPageLoadResult() so that the engineer that adds new calls to it doesn’t have to remember this prerequisite? Then you can remove all the checks (or add Debug asserts if you want to document the expected state of m_pageLoadStart).
Chris Dumez
Comment 5 2018-09-13 09:45:52 PDT
Comment on attachment 349599 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=349599&action=review >> Source/WebKit/UIProcess/WebPageProxy.cpp:3564 >> + if (m_pageLoadStart) > > Why not just add an early return to reportPageLoadResult() so that the engineer that adds new calls to it doesn’t have to remember this prerequisite? > > Then you can remove all the checks (or add Debug asserts if you want to document the expected state of m_pageLoadStart). I initially suggested to have the check outside to avoid unnecessarily constructing the ResourceError parameters in some cases. That said, since this is apparently error-prone (proof being this bug), I wouldn't be opposed to moving the check inside anymore.
Keith Rollin
Comment 6 2018-09-13 09:55:51 PDT
OK. Fix is now to check m_pageLoadStart inside of reportPageLoadResult.
Keith Rollin
Comment 7 2018-09-13 10:24:37 PDT
Created attachment 349678 [details] Patch
Chris Dumez
Comment 8 2018-09-13 10:26:33 PDT
Comment on attachment 349678 [details] Patch r=me
WebKit Commit Bot
Comment 9 2018-09-13 15:32:41 PDT
Comment on attachment 349678 [details] Patch Clearing flags on attachment: 349678 Committed r235992: <https://trac.webkit.org/changeset/235992>
WebKit Commit Bot
Comment 10 2018-09-13 15:32:43 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.