Bug 196479 - Nullptr crash in Document::open after calling policyChecker().stopCheck()
Summary: Nullptr crash in Document::open after calling policyChecker().stopCheck()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Ryosuke Niwa
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2019-04-01 20:25 PDT by Ryosuke Niwa
Modified: 2019-04-01 23:44 PDT
CC: 6 users

See Also:


Attachments
Fixes the bug (1.50 KB, patch)
2019-04-01 20:27 PDT, Ryosuke Niwa
koivisto: review+

Description Ryosuke Niwa 2019-04-01 20:25:22 PDT
WebCore`WebCore::Document::open(WebCore::Document*) + 210 at Document.cpp:2647
       2643	        }
       2644	
       2645	        if (m_frame->loader().policyChecker().delegateIsDecidingNavigationPolicy())
       2646	            m_frame->loader().policyChecker().stopCheck();
    -> 2647	        if (m_frame->loader().state() == FrameStateProvisional)
       2648	            m_frame->loader().stopAllLoaders();
       2649	    }
       2650	
       2651	    removeAllEventListeners();

We can hit a nullptr crash here because m_frame->loader().policyChecker().stopCheck() invokes m_willSubmitFormCompletionHandlers, and that could clear the frame, etc...

<rdar://problem/48883397>
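Added illustration of the re-entrancy hazard described in this report; it is constructed for this page and is neither WebKit code nor the attached patch. Stand-in Document/Frame/PolicyChecker classes (names mimic WebKit's) model stopCheck() running completion handlers that detach the frame, and contrast the crashing shape of open() with a version that re-checks m_frame after the call returns (the re-check is the remedy this example assumes, not a claim about the committed fix).

```cpp
#include <functional>
#include <utility>
#include <vector>
// Stand-ins for WebKit's PolicyChecker / Frame / Document (constructed for this example).
struct PolicyChecker {
    bool delegateIsDecidingNavigationPolicy = false;
    // Plays the role of m_willSubmitFormCompletionHandlers: running them can re-enter the document.
    std::vector<std::function<void()>> completionHandlers;
    void stopCheck() {
        delegateIsDecidingNavigationPolicy = false;
        auto handlers = std::move(completionHandlers);
        for (auto& handler : handlers)
            handler();
    }
};
struct Frame {
    PolicyChecker policyChecker;
    bool provisional = true;
    bool loadersStopped = false;
};
enum OpenResult { NullDeref = 0, BailedOut = 1, Completed = 2 };
struct Document {
    Frame* m_frame = nullptr;
    // Same shape as the crashing code; with recheck == false the second use of m_frame trusts
    // that stopCheck() left it alone, and instead of dereferencing null we report that state.
    OpenResult open(bool recheck) {
        if (m_frame) {
            if (m_frame->policyChecker.delegateIsDecidingNavigationPolicy)
                m_frame->policyChecker.stopCheck();   // may clear m_frame re-entrantly
            if (recheck && !m_frame)
                return BailedOut;                     // hardened: nothing left to stop
            if (!m_frame)
                return NullDeref;                     // the dereference the real code crashes on
            if (m_frame->provisional)
                m_frame->loadersStopped = true;       // stands in for stopAllLoaders()
        }
        return Completed;
    }
};
// Drives open() with a pending policy check whose completion handler optionally detaches
// the frame, which is the sequence the report describes.
OpenResult simulateOpen(bool recheck, bool handlerDetachesFrame) {
    Frame frame;
    Document document;
    document.m_frame = &frame;
    frame.policyChecker.delegateIsDecidingNavigationPolicy = true;
    if (handlerDetachesFrame)
        frame.policyChecker.completionHandlers.push_back([&] { document.m_frame = nullptr; });
    return document.open(recheck);
}
```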
Comment 1 Ryosuke Niwa 2019-04-01 20:27:37 PDT
Created attachment 366464 [details]
Fixes the bug
Comment 2 Ryosuke Niwa 2019-04-01 23:44:47 PDT
Committed r243738: <https://trac.webkit.org/changeset/243738>