WebKit Bugzilla
Bug 206204: Nullptr crash in DocumentLoader::clearMainResourceLoader
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=206204

Reported by Pinki Gyanchandani, 2020-01-13 16:05:49 PST
Dispatch queue: com.apple.main-thread

0   com.apple.WebCore   0x00000002cd8c2000 WebCore::FrameLoader::activeDocumentLoader() const + 16
1   com.apple.WebCore   0x00000002cd86b77b WebCore::DocumentLoader::clearMainResourceLoader() + 43
2   com.apple.WebCore   0x00000002cd86d007 WebCore::DocumentLoader::finishedLoading() + 519
3   com.apple.WebCore   0x00000002cd86cc15 WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&) + 501
4   com.apple.WebCore   0x00000002cd9b6212 WebCore::CachedResource::checkNotify() + 130
5   com.apple.WebCore   0x00000002cd9b2184 WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*) + 52
6   com.apple.WebCore   0x00000002cd9b3434 WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) + 324
7   com.apple.WebCore   0x00000002cd946616 WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) + 1206
8   com.apple.WebCore   0x00000002cd93e0c7 auto WebCore::ResourceLoader::loadDataURL()::$_2::operator()<WTF::Optional<WebCore::DataURLDecoder::Result> >(WTF::Optional<WebCore::DataURLDecoder::Result>)::'lambda'()::operator()() + 247
9   com.apple.WebCore   0x00000002cd93deee WTF::Detail::CallableWrapper<auto WebCore::ResourceLoader::loadDataURL()::$_2::operator()<WTF::Optional<WebCore::DataURLDecoder::Result> >(WTF::Optional<WebCore::DataURLDecoder::Result>)::'lambda'(), void>::call() + 30
10  com.apple.WebCore   0x00000002ca83b392 WTF::Function<void ()>::operator()() const + 130
11  com.apple.WebCore   0x00000002ca8a0c7e WTF::CompletionHandler<void ()>::operator()() + 238
12  com.apple.WebCore   0x00000002cd948504 WebCore::SubresourceLoader::didReceiveResponsePolicy() + 180
13  com.apple.WebCore   0x00000002cd8a3465 WebCore::DocumentLoader::responseReceived(WebCore::ResourceResponse const&, WTF::CompletionHandler<void ()>&&)::$_3::operator()(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) + 229
14  com.apple.WebCore   0x00000002cd8a3237 WTF::Detail::CallableWrapper<WebCore::DocumentLoader::responseReceived(WebCore::ResourceResponse const&, WTF::CompletionHandler<void ()>&&)::$_3, void, WebCore::PolicyAction, WebCore::PolicyCheckIdentifier>::call(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) + 103
15  com.apple.WebKit    0x00000002c1243a88 WTF::Function<void (WebCore::PolicyAction, WebCore::PolicyCheckIdentifier)>::operator()(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) const + 216
16  com.apple.WebKit    0x00000002c12bde0e WebKit::WebFrame::invalidatePolicyListener() + 286
17  com.apple.WebKit    0x00000002c1245d79 WebKit::WebFrameLoaderClient::cancelPolicyCheck() + 25
18  com.apple.WebCore   0x00000002cd9185ec WebCore::PolicyChecker::stopCheck() + 44
19  com.apple.WebCore   0x00000002cd87436e WebCore::DocumentLoader::cancelPolicyCheckIfNeeded() + 174
20  com.apple.WebCore   0x00000002cd86c853 WebCore::DocumentLoader::cancelMainResourceLoad(WebCore::ResourceError const&) + 499
21  com.apple.WebCore   0x00000002cd86bcea WebCore::DocumentLoader::stopLoading() + 1354
22  com.apple.WebCore   0x00000002cd901d43 WebCore::NavigationScheduler::schedule(std::__1::unique_ptr<WebCore::ScheduledNavigation, std::__1::default_delete<WebCore::ScheduledNavigation> >) + 211
23  com.apple.WebCore   0x00000002cd902539 WebCore::NavigationScheduler::scheduleLocationChange(WebCore::Document&, WebCore::SecurityOrigin&, WTF::URL const&, WTF::String const&, WebCore::LockHistory, WebCore::LockBackForwardList, WTF::CompletionHandler<void ()>&&) + 1241
24  com.apple.WebCore   0x00000002cd93248a WebCore::SubframeLoader::loadOrRedirectSubframe(WebCore::HTMLFrameOwnerElement&, WTF::URL const&, WTF::AtomString const&, WebCore::LockHistory, WebCore::LockBackForwardList) + 362
25  com.apple.WebCore   0x00000002cd931fa0 WebCore::SubframeLoader::requestFrame(WebCore::HTMLFrameOwnerElement&, WTF::String const&, WTF::AtomString const&, WebCore::LockHistory, WebCore::LockBackForwardList) + 560
26  com.apple.WebCore   0x00000002cd304d13 WebCore::HTMLFrameElementBase::openURL(WebCore::LockHistory, WebCore::LockBackForwardList) + 467
27  com.apple.WebCore   0x00000002cd304e20 WebCore::HTMLFrameElementBase::setLocation(WTF::String const&) + 192
28  com.apple.WebCore   0x00000002cd3045e9 WebCore::HTMLFrameElementBase::parseAttribute(WebCore::QualifiedName const&, WTF::AtomString const&) + 105
29  com.apple.WebCore   0x00000002cd30e846 WebCore::HTMLIFrameElement::parseAttribute(WebCore::QualifiedName const&, WTF::AtomString const&) + 438
30  com.apple.WebCore   0x00000002ccf63994 WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomString const&, WTF::AtomString const&, WebCore::Element::AttributeModificationReason) + 1156
31  com.apple.WebCore   0x00000002cd0accdc WebCore::StyledElement::attributeChanged(WebCore::QualifiedName const&, WTF::AtomString const&, WTF::AtomString const&, WebCore::Element::AttributeModificationReason) + 236
32  com.apple.WebCore   0x00000002ccf6a222 WebCore::Element::didAddAttribute(WebCore::QualifiedName const&, WTF::AtomString const&) + 82
33  com.apple.WebCore   0x00000002ccf6a173 WebCore::Element::addAttributeInternal(WebCore::QualifiedName const&, WTF::AtomString const&, WebCore::Element::SynchronizationOfLazyAttribute) + 195
34  com.apple.WebCore   0x00000002ccf63081 WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomString const&, WebCore::Element::SynchronizationOfLazyAttribute) + 129
35  com.apple.WebCore   0x00000002ccf63485 WebCore::Element::setAttributeWithoutSynchronization(WebCore::QualifiedName const&, WTF::AtomString const&) + 117
36  com.apple.WebCore   0x00000002cb2ae308 WebCore::setJSHTMLIFrameElementSrcdocSetter(JSC::JSGlobalObject&, WebCore::JSHTMLIFrameElement&, JSC::JSValue, JSC::ThrowScope&)::'lambda'()::operator()() const + 88
37  com.apple.WebCore   0x00000002cb2ae29d std::__1::enable_if<std::is_same<void, decltype(fp1())>::value, void>::type WebCore::AttributeSetter::call<WebCore::setJSHTMLIFrameElementSrcdocSetter(JSC::JSGlobalObject&, WebCore::JSHTMLIFrameElement&, JSC::JSValue, JSC::ThrowScope&)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::setJSHTMLIFrameElementSrcdocSetter(JSC::JSGlobalObject&, WebCore::JSHTMLIFrameElement&, JSC::JSValue, JSC::ThrowScope&)::'lambda'()&&) + 29
38  com.apple.WebCore   0x00000002cb2ae249 WebCore::setJSHTMLIFrameElementSrcdocSetter(JSC::JSGlobalObject&, WebCore::JSHTMLIFrameElement&, JSC::JSValue, JSC::ThrowScope&) + 169
39  com.apple.WebCore   0x00000002cb212384 bool WebCore::IDLAttribute<WebCore::JSHTMLIFrameElement>::set<&(WebCore::setJSHTMLIFrameElementSrcdocSetter(JSC::JSGlobalObject&, WebCore::JSHTMLIFrameElement&, JSC::JSValue, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, long long, long long, char const*) + 324
40  com.apple.WebCore   0x00000002cb21222c WebCore::setJSHTMLIFrameElementSrcdoc(JSC::JSGlobalObject*, long long, long long) + 44
41  com.apple.JavaScriptCore 0x00000002e45ae75e JSC::callCustomSetter(JSC::JSGlobalObject*, bool (*)(JSC::JSGlobalObject*, long long, long long), bool, JSC::JSValue, JSC::JSValue) + 190
42  com.apple.JavaScriptCore 0x00000002e45ae832 JSC::callCustomSetter(JSC::JSGlobalObject*, JSC::JSValue, bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue) + 162
43  com.apple.JavaScriptCore 0x00000002e47059ee JSC::JSObject::putInlineSlow(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 1566
44  com.apple.JavaScriptCore 0x00000002e3f51a41 JSC::JSObject::putInlineForJSObject(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 1265
45  com.apple.JavaScriptCore 0x00000002e3f51508 JSC::JSCell::putInline(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 152
46  com.apple.JavaScriptCore 0x00000002e3f53463 JSC::JSValue::putInline(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 163
47  com.apple.JavaScriptCore 0x00000002e435b29c llint_slow_path_put_by_id + 700
48  com.apple.JavaScriptCore 0x00000002e3575960 llint_entry + 43090
49  com.apple.JavaScriptCore 0x00000002e35879f1 llint_entry + 116963
50  com.apple.JavaScriptCore 0x00000002e356aea3 vmEntryToJavaScript + 273
51  com.apple.JavaScriptCore 0x00000002e424f327 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 199
52  com.apple.JavaScriptCore 0x00000002e424f976 JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1494
53  com.apple.JavaScriptCore 0x00000002e453bd09 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 233
54  com.apple.JavaScriptCore 0x00000002e453bdfa JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 218
55  com.apple.JavaScriptCore 0x00000002e453c0ee JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 142
56  com.apple.WebCore   0x00000002cc944c58 WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 136
57  com.apple.WebCore   0x00000002cc9603d7 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 1927
58  com.apple.WebCore   0x00000002ccf9f37d WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>, WebCore::EventTarget::EventInvokePhase) + 925
59  com.apple.WebCore   0x00000002ccf9b614 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) + 356
60  com.apple.WebCore   0x00000002cd00f942 WebCore::Node::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) + 178
61  com.apple.WebCore   0x00000002ccf75921 WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const + 193
62  com.apple.WebCore   0x00000002ccf7641f WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) + 383
63  com.apple.WebCore   0x00000002ccf75f27 WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 567
64  com.apple.WebCore   0x00000002cd00f99d WebCore::Node::dispatchEvent(WebCore::Event&) + 29
65  com.apple.WebCore   0x00000002cda39a45 WebCore::DOMWindow::dispatchLoadEvent() + 485
66  com.apple.WebCore   0x00000002ccea74f8 WebCore::Document::dispatchWindowLoadEvent() + 136
67  com.apple.WebCore   0x00000002ccea6fc8 WebCore::Document::implicitClose() + 600
68  com.apple.WebCore   0x00000002cd8c62cb WebCore::FrameLoader::checkCallImplicitClose() + 155
69  com.apple.WebCore   0x00000002cd8c5dda WebCore::FrameLoader::checkCompleted() + 442
70  com.apple.WebCore   0x00000002cd8c41dd WebCore::FrameLoader::finishedParsing() + 285
71  com.apple.WebCore   0x00000002cceb9bde WebCore::Document::finishedParsing() + 670
72  com.apple.WebCore   0x00000002cd522398 WebCore::HTMLConstructionSite::finishedParsing() + 24
73  com.apple.WebCore   0x00000002cd56e767 WebCore::HTMLTreeBuilder::finished() + 263
74  com.apple.WebCore   0x00000002cd5296d8 WebCore::HTMLDocumentParser::end() + 248
75  com.apple.WebCore   0x00000002cd527658 WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() + 296
76  com.apple.WebCore   0x00000002cd527387 WebCore::HTMLDocumentParser::prepareToStopParsing() + 295
77  com.apple.WebCore   0x00000002cd529742 WebCore::HTMLDocumentParser::attemptToEnd() + 66
78  com.apple.WebCore   0x00000002cd529819 WebCore::HTMLDocumentParser::finish() + 73
79  com.apple.WebCore   0x00000002cd86e072 WebCore::DocumentWriter::end() + 386
80  com.apple.WebCore   0x00000002cd86cfcf WebCore::DocumentLoader::finishedLoading() + 463
81  com.apple.WebCore   0x00000002cd871df6 WebCore::DocumentLoader::continueAfterContentPolicy(WebCore::PolicyAction) + 1990
82  com.apple.WebCore   0x00000002cd86eab8 WebCore::DocumentLoader::responseReceived(WebCore::ResourceResponse const&, WTF::CompletionHandler<void ()>&&) + 2248
83  com.apple.WebCore   0x00000002cd869e85 WebCore::DocumentLoader::handleSubstituteDataLoadNow() + 341
84  com.apple.WebCore   0x00000002cd899bab WTF::RunLoopTimer<WebCore::DocumentLoader>::fired() + 107
85  com.apple.JavaScriptCore 0x00000002e314563e WTF::timerFired(__CFRunLoopTimer*, void*) + 46
86  com.apple.CoreFoundation 0x00007fff3d6cff08 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
87  com.apple.CoreFoundation 0x00007fff3d6cfa6e __CFRunLoopDoTimer + 872
88  com.apple.CoreFoundation 0x00007fff3d6cf489 __CFRunLoopDoTimers + 322
89  com.apple.CoreFoundation 0x00007fff3d6b072d __CFRunLoopRun + 1885
90  com.apple.CoreFoundation 0x00007fff3d6afd53 CFRunLoopRunSpecific + 466
91  com.apple.Foundation 0x00007fff3fe19cd7 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 212
92  com.apple.Foundation 0x00007fff3fe19bf0 -[NSRunLoop(NSRunLoop) run] + 76
93  libxpc.dylib        0x00007fff78f41e52 _xpc_objc_main.cold.4 + 49
94  libxpc.dylib        0x00007fff78f29e6b _xpc_objc_main + 559
95  libxpc.dylib        0x00007fff78f299e5 xpc_main + 377
96  com.apple.WebKit    0x00000002c0762747 WebKit::XPCServiceMain(int, char const**) + 1303
97  com.apple.WebKit    0x00000002c175788b WKXPCServiceMain + 27
98  com.apple.WebKit.WebContent 0x000000010ab91eb2 main + 34
99                      0x00007fff78cce765 start + 1
[...]
Attachments (2 obsolete)
Patch (2.87 KB, patch), 2020-01-13 16:51 PST, Pinki Gyanchandani, no flags
Patch (3.66 KB, patch), 2020-01-14 14:34 PST, Pinki Gyanchandani, no flags
Patch (3.66 KB, patch), 2020-01-15 17:30 PST, Pinki Gyanchandani, rniwa: review+
Comment 1, Radar WebKit Bug Importer, 2020-01-13 16:07:24 PST
<rdar://problem/58548455>
Comment 2, Pinki Gyanchandani, 2020-01-13 16:51:17 PST
Created attachment 387592 [details]: Patch
Comment 3, Ryosuke Niwa, 2020-01-13 16:57:54 PST
Comment on attachment 387592 [details]: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=387592&action=review

r- because change logs need to be fixed.

> Source/WebCore/ChangeLog:8
> + No new tests (OOPS!).
Please remove this line but add a description as to what caused the bug & how you're fixing it.

> Source/WebCore/loader/DocumentLoader.cpp:159
> +
Please revert this change.

> Source/WebCore/loader/DocumentLoader.cpp:1273
> {
Should the caller exit early as well?

> Tools/ChangeLog:8
> + * WebKitTestRunner/WebKitTestRunner.xcodeproj/xcshareddata/xcschemes/WebKitTestRunner.xcscheme:
Please revert this change log change.

> ChangeLog:8
> + * WebKit.xcworkspace/xcshareddata/WorkspaceSettings.xcsettings:
Ditto.
Comment 4, Ryosuke Niwa, 2020-01-13 17:06:52 PST
This is not a security bug.
Comment 5, Pinki Gyanchandani, 2020-01-14 14:34:11 PST
Created attachment 387706 [details]: Patch
Comment 6, Ryosuke Niwa, 2020-01-14 21:09:18 PST
Comment on attachment 387706 [details]: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=387706&action=review

> Source/WebCore/loader/DocumentLoader.cpp:159
> +
Again, please revert this unnecessary code change.
Comment 7, Alexey Proskuryakov, 2020-01-14 22:59:55 PST
rdar://problem/56968500
Comment 8, Alex Christensen, 2020-01-15 10:41:35 PST
I removed the unneeded space addition and committed this to http://trac.webkit.org/r254576
Comment 9, Aakash Jain, 2020-01-15 11:49:39 PST
(In reply to Alex Christensen from comment #8)
> I removed the unneeded space addition and committed this to http://trac.webkit.org/r254576

Newly added test change-src-during-iframe-load-crash.html seems to be consistently timing out, and slowing down commit-queue. Tracked in https://bugs.webkit.org/show_bug.cgi?id=206304
Comment 10, Aakash Jain, 2020-01-15 12:14:39 PST
The test failure was also indicated by EWS in https://ews-build.webkit.org/#/builders/30/builds/604 and https://ews-build.webkit.org/#/builders/10/builds/3730
Comment 11, WebKit Commit Bot, 2020-01-15 12:18:58 PST
Re-opened since this is blocked by bug 206306
Comment 12, Aakash Jain, 2020-01-15 12:21:32 PST
This also caused http/tests/security/http-0.9/xhr-blocked.html to fail, because of possibly unintended addition of 'asdf'
https://results.webkit.org/?suite=layout-tests&test=http%2Ftests%2Fsecurity%2Fhttp-0.9%2Fxhr-blocked.html
Comment 13, Ryosuke Niwa, 2020-01-15 16:38:59 PST
Comment on attachment 387706 [details]: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=387706&action=review

> LayoutTests/loader/change-src-during-iframe-load-crash.html:3
> +function load() {
The issue is that in WebKit1, this event handler runs after eventhandler3 has finished running. The solution is to add a flag which eventhandler3 sets, and only call waitUntilDone when the flag isn't set, like this:

    let didLoad = false;
    let didFinishTesting = false;

    function load() {
        document.body.innerHTML = 'The test is declared pass if there is no crash observed.';
        didLoad = true;
        if (window.testRunner) {
            testRunner.dumpAsText();
            if (!didFinishTesting)
                testRunner.waitUntilDone();
        }
    }

    function eventhandler3() {
        iframe1.srcdoc = "x";
        didFinishTesting = true;
        if (window.testRunner && didLoad)
            testRunner.notifyDone();
    }

> LayoutTests/loader/change-src-during-iframe-load-crash.html:11
> +function eventhandler3() {
Can we rename this event handler to something more sensible like didLoadFrame2.
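Added example (not the landed test, the patch, or any code from this bug): a complete test page built around the two handlers discussed in comment 13, so the WK1/WK2 ordering problem and its flag-based fix can be seen in one place. The trigger is reconstructed from the stack trace in the description: the frame whose load is cancelled is loading a data: URL with its response policy check still pending (frames 8 and 12-19 of the trace), and the handler that cancels it runs from the load event of a second, srcdoc-loaded frame (frames 57-83). Everything else is an assumption made for this example: the element ids, the data: URL for iframe1, the relative timing of the two loads, and the use of a separate result element instead of overwriting document.body so the iframes stay alive whichever handler runs first. On a build with r254662 the page should simply report the pass text.

```html
<!DOCTYPE html>
<html>
<head>
<script>
// Added example for bug 206204; not LayoutTests/loader/change-src-during-iframe-load-crash.html.
// Assumptions: iframe1 loads a data: URL (ResourceLoader::loadDataURL in the trace) and its
// policy check is still pending when the srcdoc frame iframe2 finishes loading
// (DocumentLoader::handleSubstituteDataLoadNow in the trace).
let didLoad = false;          // the window load event has run
let didFinishTesting = false; // the srcdoc change that exercised the crash path has been made

function load() {
    // Write the result into its own element rather than replacing document.body,
    // so iframe2 (and its pending load event) is not torn down in the WK2 ordering.
    document.getElementById("result").textContent =
        "The test is declared pass if there is no crash observed.";
    didLoad = true;
    if (window.testRunner) {
        testRunner.dumpAsText();
        // WK1 runs didLoadFrame2 before this handler (comment 13). Waiting here after
        // the test has already finished would hang until the harness timeout.
        if (!didFinishTesting)
            testRunner.waitUntilDone();
    }
}

function didLoadFrame2() {
    // Changing srcdoc on a frame that is still loading schedules a navigation, which calls
    // DocumentLoader::stopLoading -> cancelMainResourceLoad -> cancelPolicyCheckIfNeeded.
    // Cancelling the pending policy check completed the data: load synchronously and reached
    // clearMainResourceLoader after the frame was gone; that is the null dereference fixed here.
    // "iframe1" resolves through window named access on the element id.
    iframe1.srcdoc = "x";
    didFinishTesting = true;
    // WK2 runs this handler after load(), so it must end the test.
    if (window.testRunner && didLoad)
        testRunner.notifyDone();
}
</script>
</head>
<body onload="load()">
<div id="result"></div>
<iframe id="iframe1" src="data:text/html,<p>still loading</p>"></iframe>
<iframe id="iframe2" srcdoc="x" onload="didLoadFrame2()"></iframe>
</body>
</html>
```

The two flags make the completion protocol independent of which handler fires first: whichever of load() and didLoadFrame2() runs second is the one that observes both flags set and lets the test finish, which is exactly the property the original version lacked and why it timed out on WK1 (comment 9).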
Comment 14, Ryosuke Niwa, 2020-01-15 16:39:13 PST
Comment on attachment 387706 [details]: Patch
r- given this patch caused the landed test to fail in WK1.
Comment 15, Pinki Gyanchandani, 2020-01-15 17:30:17 PST
Created attachment 387876 [details]: Patch
Comment 16, Ryosuke Niwa, 2020-01-15 18:29:30 PST
Comment on attachment 387876 [details]: Patch
Let's wait for EWS before landing.
Comment 17, Ryosuke Niwa, 2020-01-15 19:02:26 PST
Committed r254662: <https://trac.webkit.org/changeset/254662>