Bug 222683 - Crash under SubresourceLoader::notifyDone()
Summary: Crash under SubresourceLoader::notifyDone()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Page Loading
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Chris Dumez
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-03-03 13:30 PST by Chris Dumez
Modified: 2021-03-03 14:37 PST (History)

See Also:


Attachments
Patch (1.90 KB, patch)
2021-03-03 13:32 PST, Chris Dumez

Description Chris Dumez 2021-03-03 13:30:31 PST
Crash under SubresourceLoader::notifyDone(). The faulting address (0x38) and the faulting instruction `ldr x0, [x8, #0x38]`, where x8 was just loaded from `[x19, #0x28]`, are consistent with a null `m_documentLoader` being dereferenced at SubresourceLoader.cpp:845, reached on the cancel path from ResourceLoader::init():
Thread[0] EXC_BAD_ACCESS (SIGSEGV) (KERN_INVALID_ADDRESS at 0x0000000000000038)
[  0] 0x00000001b09e068c WebCore`WebCore::SubresourceLoader::didCancel(WebCore::ResourceError const&) [inlined] WTF::RawPtrTraits<WebCore::CachedResourceLoader>::unwrap(WebCore::CachedResourceLoader* const&) at RawPtrTraits.h:43:69

     0x00000001b09e067c:      ldr w8, [x19, #0x628]
     0x00000001b09e0680:      cmp w8, #0x3             ; =0x3 
     0x00000001b09e0684:     cset w2, ne
     0x00000001b09e0688:      ldr x8, [x19, #0x28]
 ->  0x00000001b09e068c:      ldr x0, [x8, #0x38]
     0x00000001b09e0690:      mov w1, #0x1
     0x00000001b09e0694:       bl 0x17698ec            ; WebCore::CachedResourceLoader::loadDone at CachedResourceLoader.cpp:1377
     0x00000001b09e0698:     ldrb w8, [x19, #0x3b8]
     0x00000001b09e069c:      cbz w8, 0x172c6ac        ; <+204> [inlined] WTF::RawPtrTraits<WebCore::DocumentLoader>::unwrap(WebCore::DocumentLoader* const&) at RefPtr.h:83

[  0] 0x00000001b09e068c WebCore`WebCore::SubresourceLoader::didCancel(WebCore::ResourceError const&) [inlined] WTF::Ref<WebCore::CachedResourceLoader, WTF::RawPtrTraits<WebCore::CachedResourceLoader> >::operator WebCore::CachedResourceLoader&() const at Ref.h:118
[  0] 0x00000001b09e068c WebCore`WebCore::SubresourceLoader::didCancel(WebCore::ResourceError const&) [inlined] WebCore::DocumentLoader::cachedResourceLoader() at DocumentLoader.h:181
       177 	
       178 	    const ResourceRequest& request() const;
       179 	    ResourceRequest& request();
       180 	
    -> 181 	    CachedResourceLoader& cachedResourceLoader() { return m_cachedResourceLoader; }
       182 	
       183 	    const SubstituteData& substituteData() const { return m_substituteData; }
       184 	
       185 	    const URL& url() const;
    
[  0] 0x00000001b09e068c WebCore`WebCore::SubresourceLoader::didCancel(WebCore::ResourceError const&) [inlined] WebCore::SubresourceLoader::notifyDone(WebCore::LoadCompletionType) + 84 at SubresourceLoader.cpp:845
       841 	#if PLATFORM(IOS_FAMILY)
       842 	    if (m_state == CancelledWhileInitializing)
       843 	        shouldPerformPostLoadActions = false;
       844 	#endif
    -> 845 	    m_documentLoader->cachedResourceLoader().loadDone(type, shouldPerformPostLoadActions);
       846 	    if (reachedTerminalState())
       847 	        return;
       848 	    m_documentLoader->removeSubresourceLoader(type, this);
       849 	}
    
[  0] 0x00000001b09e0638 WebCore`WebCore::SubresourceLoader::didCancel(WebCore::ResourceError const&) + 88 at SubresourceLoader.cpp:831
       827 	    if (m_resource->type() != CachedResource::Type::MainResource)
       828 	        tracePoint(SubresourceLoadDidEnd);
       829 	
       830 	    m_resource->cancelLoad();
    -> 831 	    notifyDone(LoadCompletionType::Cancel);
       832 	}
       833 	
       834 	void SubresourceLoader::notifyDone(LoadCompletionType type)
       835 	{
    
[  1] 0x00000001b09e0637 WebCore`WebCore::SubresourceLoader::didCancel(WebCore::ResourceError const&) + 87 at SubresourceLoader.cpp:830:17
       826 	
       827 	    if (m_resource->type() != CachedResource::Type::MainResource)
       828 	        tracePoint(SubresourceLoadDidEnd);
       829 	
    -> 830 	    m_resource->cancelLoad();
       831 	    notifyDone(LoadCompletionType::Cancel);
       832 	}
       833 	
       834 	void SubresourceLoader::notifyDone(LoadCompletionType type)
    
[  2] 0x00000001b09d3707 WebCore`WebCore::ResourceLoader::cancel(WebCore::ResourceError const&) + 579 at ResourceLoader.cpp:654:5
       650 	    // we don't want to redo didCancel() or releasesResources().
       651 	    if (m_reachedTerminalState)
       652 	        return;
       653 	
    -> 654 	    didCancel(nonNullError);
       655 	
       656 	    if (m_cancellationStatus == FinishedCancel)
       657 	        return;
       658 	    m_cancellationStatus = FinishedCancel;
    
[  3] 0x00000001b09d0d9b WebCore`WebCore::ResourceLoader::cancel() + 71 at ResourceLoader.cpp:609:5
[  4] 0x00000001b09d0a43 WebCore`WebCore::ResourceLoader::init(WebCore::ResourceRequest&&, WTF::CompletionHandler<void (bool)>&&) + 147 at ResourceLoader.cpp:127:9
[  5] 0x00000001b09db71b WebCore`WebCore::SubresourceLoader::create(WebCore::Frame&, WebCore::CachedResource&, WebCore::ResourceRequest&&, WebCore::ResourceLoaderOptions const&, WTF::CompletionHandler<void (WTF::RefPtr<WebCore::SubresourceLoader, WTF::RawPtrTraits<WebCore::SubresourceLoader>, WTF::DefaultRefDerefTraits<WebCore::SubresourceLoader> >&&)>&&) [inlined] WebCore::SubresourceLoader::init(WebCore::ResourceRequest&&, WTF::CompletionHandler<void (bool)>&&) + 63 at SubresourceLoader.cpp:165:21
Comment 1 Chris Dumez 2021-03-03 13:30:42 PST
<rdar://70342402>
Comment 2 Chris Dumez 2021-03-03 13:32:38 PST
Created attachment 422144 [details]
Patch
Comment 3 Geoffrey Garen 2021-03-03 13:38:25 PST
Comment on attachment 422144 [details]
Patch

r=me
Comment 4 EWS 2021-03-03 14:37:46 PST
Committed r273842: <https://commits.webkit.org/r273842>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 422144 [details].