Bug 191217 - REGRESSION: Crash under DOMWindow::postMessageTimerFired()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Chris Dumez
URL:
Keywords: InRadar, Regression
Duplicates: 180174
Depends on:
Blocks:
 
Reported: 2018-11-02 16:22 PDT by Chris Dumez
Modified: 2018-11-08 15:33 PST
CC List: 9 users

See Also:


Attachments
Patch (4.87 KB, patch), 2018-11-02 16:27 PDT, Chris Dumez, no flags

Description Chris Dumez 2018-11-02 16:22:37 PDT
Crash under DOMWindow::postMessageTimerFired():
Thread[0] EXC_BAD_ACCESS (SIGSEGV) (KERN_INVALID_ADDRESS at 0x0000000000000038)
[  0] 0x00007fff44a93869 WebCore`WebCore::DOMWindow::postMessageTimerFired(WebCore::PostMessageTimer&) [inlined] WebCore::Frame::page() const at Frame.h:388:12
       384 	}
       385 	
       386 	inline Page* Frame::page() const
       387 	{
    -> 388 	    return m_page;
       389 	}
       390 	
       391 	inline void Frame::detachFromPage()
       392 	{
    

     0x00007fff44a93855:     movq %r14, %rsi
     0x00007fff44a93858:    callq 0xf7c690             ; WebCore::InspectorInstrumentation::willDispatchPostMessageImpl at InspectorInstrumentation.cpp:352
     0x00007fff44a9385d:      jmp 0x108461a            ; <+138> [inlined] WebCore::ContextDestructionObserver::scriptExecutionContext() const at DOMWindow.cpp:1481
     0x00007fff44a93862:     movq 0x88(%rbx), %rax
 ->  0x00007fff44a93869:     movq 0x38(%rax), %rax
     0x00007fff44a9386d:    testq %rax, %rax
     0x00007fff44a93870:       je 0x10846d1            ; <+321> at DOMWindow.cpp:999
     0x00007fff44a93876:     movq 0x50(%rax), %rax
     0x00007fff44a9387a:     movq 0x8(%rax), %rdi

[  0] 0x00007fff44a93869 WebCore`WebCore::DOMWindow::postMessageTimerFired(WebCore::PostMessageTimer&) [inlined] WebCore::InspectorInstrumentation::instrumentingAgentsForFrame(WebCore::Frame&) at InspectorInstrumentation.h:1422
       1418	}
       1419	
       1420	inline InstrumentingAgents* InspectorInstrumentation::instrumentingAgentsForFrame(Frame& frame)
       1421	{
    -> 1422	    return instrumentingAgentsForPage(frame.page());
       1423	}
       1424	
       1425	inline InstrumentingAgents* InspectorInstrumentation::instrumentingAgentsForDocument(Document* document)
       1426	{
    
[  0] 0x00007fff44a93869 WebCore`WebCore::DOMWindow::postMessageTimerFired(WebCore::PostMessageTimer&) [inlined] WebCore::InspectorInstrumentation::didDispatchPostMessage(WebCore::Frame&, WebCore::TimerBase&) at InspectorInstrumentation.h:732
       728 	
       729 	inline void InspectorInstrumentation::didDispatchPostMessage(Frame& frame, TimerBase& timer)
       730 	{
       731 	    FAST_RETURN_IF_NO_FRONTENDS(void());
    -> 732 	    if (InstrumentingAgents* instrumentingAgents = instrumentingAgentsForFrame(frame))
       733 	        didDispatchPostMessageImpl(*instrumentingAgents, timer);
       734 	}
       735 	
       736 	inline InspectorInstrumentationCookie InspectorInstrumentation::willCallFunction(ScriptExecutionContext* context, const String& scriptName, int scriptLine)
    
[  0] 0x00007fff44a93869 WebCore`WebCore::DOMWindow::postMessageTimerFired(WebCore::PostMessageTimer&) + 729 at DOMWindow.cpp:998
       994 	    InspectorInstrumentation::willDispatchPostMessage(*m_frame, timer);
       995 	
       996 	    dispatchEvent(timer.event(*document()));
       997 	
    -> 998 	    InspectorInstrumentation::didDispatchPostMessage(*m_frame, timer);
       999 	}
       1000	
       1001	DOMSelection* DOMWindow::getSelection()
       1002	{
    
[  1] 0x00007fff43aec983 WebCore`WebCore::PostMessageTimer::fired() + 99 at DOMWindow.cpp:177:19
Comment 1 Chris Dumez 2018-11-02 16:22:58 PDT
<rdar://problem/40888466>
Comment 2 Chris Dumez 2018-11-02 16:27:41 PDT
Created attachment 353742 [details]
Patch
Comment 3 Geoffrey Garen 2018-11-05 11:51:41 PST
Comment on attachment 353742 [details]
Patch

r=me
Comment 4 WebKit Commit Bot 2018-11-05 11:58:14 PST
Comment on attachment 353742 [details]
Patch

Clearing flags on attachment: 353742

Committed r237825: <https://trac.webkit.org/changeset/237825>
Comment 5 WebKit Commit Bot 2018-11-05 11:58:16 PST
All reviewed patches have been landed. Closing bug.
Comment 6 Sihui Liu 2018-11-08 15:33:39 PST
*** Bug 180174 has been marked as a duplicate of this bug. ***