Bug 223536: Crash in DocumentLoader::urlForHistory
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=223536

Reported by Ali Juma, 2021-03-19 14:02:18 PDT
Created attachment 423773 [details]: Minimal test case

Filing this as a security bug since it was found using a fuzzer; there's no disclosure deadline for this bug. This reproduces in an ASan build of WebKitTestRunner.

Stack:
=================================================================
==60651==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000160 (pc 0x0001cb35843d bp 0x7ffeec11d630 sp 0x7ffeec11d630 T0)
==60651==The signal is caused by a READ memory access.
==60651==Hint: address points to the zero page.
    #0 0x1cb35843c in WTF::RefPtr<WebCore::SharedBuffer, WTF::RawPtrTraits<WebCore::SharedBuffer>, WTF::DefaultRefDerefTraits<WebCore::SharedBuffer> >::operator void (WTF::RefPtr<WebCore::SharedBuffer, WTF::RawPtrTraits<WebCore::SharedBuffer>, WTF::DefaultRefDerefTraits<WebCore::SharedBuffer> >::*)() const() const (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x395043c)
    #1 0x1cb358268 in WebCore::SubstituteData::isValid() const (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3950268)
    #2 0x1cbc75bbe in WebCore::DocumentLoader::urlForHistory() const (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x426dbbe)
    #3 0x1cbcff641 in WebCore::FrameLoader::HistoryController::updateForStandardLoad(WebCore::FrameLoader::HistoryController::HistoryUpdateType) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42f7641)
    #4 0x1cbcfd4ff in WebCore::FrameLoader::transitionToCommitted(WebCore::CachedPage*) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42f54ff)
    #5 0x1cbcfbac2 in WebCore::FrameLoader::commitProvisionalLoad() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42f3ac2)
    #6 0x1cbc68975 in WebCore::DocumentLoader::finishedLoading() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4260975)
    #7 0x1cbc77354 in WebCore::DocumentLoader::maybeLoadEmpty() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x426f354)
    #8 0x1cbc7769d in WebCore::DocumentLoader::startLoadingMainResource() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x426f69d)
    #9 0x1cbd2d8eb in WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL)::$_11::operator()() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x43258eb)
    #10 0x1c7a97fee in WTF::CompletionHandler<void ()>::operator()() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x8ffee)
    #11 0x1cbcf6e44 in WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42eee44)
    #12 0x1cbd2a595 in WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WebCore::AllowNavigationToInvalidURL, WTF::CompletionHandler<void ()>&&)::$_8::operator()(WebCore::ResourceRequest const&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4322595)
    #13 0x1cbd58980 in WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision)>::operator()(WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4350980)
    #14 0x1cbd6b359 in WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WebCore::DocumentLoader*, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision)>&&, WebCore::PolicyDecisionMode)::$_3::operator()(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4363359)
    #15 0x1cbd698d8 in WTF::Detail::CallableWrapper<WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WebCore::DocumentLoader*, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision)>&&, WebCore::PolicyDecisionMode)::$_3, void, WebCore::PolicyAction, WebCore::PolicyCheckIdentifier>::call(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x43618d8)
    #16 0x1ba25ebee in WTF::Function<void (WebCore::PolicyAction, WebCore::PolicyCheckIdentifier)>::operator()(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) const (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x225ebee)
    #17 0x1ba261467 in WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction(WebCore::NavigationAction const&, WebCore::ResourceRequest const&, WebCore::ResourceResponse const&, WebCore::FormState*, WebCore::PolicyDecisionMode, WebCore::PolicyCheckIdentifier, WTF::Function<void (WebCore::PolicyAction, WebCore::PolicyCheckIdentifier)>&&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x2261467)
    #18 0x1cbd57d17 in WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WebCore::DocumentLoader*, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision)>&&, WebCore::PolicyDecisionMode) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x434fd17)
    #19 0x1cbcf5774 in WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WebCore::AllowNavigationToInvalidURL, WTF::CompletionHandler<void ()>&&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42ed774)
    #20 0x1cbcee285 in WebCore::FrameLoader::load(WebCore::DocumentLoader&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42e6285)
    #21 0x1cbcf4062 in WebCore::FrameLoader::load(WebCore::FrameLoadRequest&&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42ec062)
    #22 0x1ba50f515 in WebKit::WebPage::loadRequest(WebKit::LoadParameters&&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x250f515)
    #23 0x1ba59bb69 in void IPC::handleMessage<Messages::WebPage::LoadRequest, WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::LoadParameters&&)>(IPC::Decoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::LoadParameters&&)) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x259bb69)
    #24 0x1ba595542 in WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection&, IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x2595542)
    #25 0x1b85b6d3a in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x5b6d3a)
    #26 0x1b9d94ab5 in WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x1d94ab5)
    #27 0x1b808c399 in IPC::Connection::dispatchMessage(IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x8c399)
    #28 0x1b808cdf6 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x8cdf6)
    #29 0x1b808d9bb in IPC::Connection::dispatchOneIncomingMessage() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x8d9bb)
    #30 0x1e59062ec in WTF::RunLoop::performWork() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xce2ec)
    #31 0x1e5909995 in WTF::RunLoop::performWork(void*) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xd1995)
    #32 0x7fff2dfce883 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x84883)
    #33 0x7fff2dfce822 in __CFRunLoopDoSource0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x84822)
    #34 0x7fff2dfce63c in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x8463c)
    #35 0x7fff2dfcd358 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x83358)
    #36 0x7fff2dfcc952 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x82952)
    #37 0x7fff3068a1c7 in -[NSRunLoop(NSRunLoop) runMode:beforeDate:] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x601c7)
    #38 0x7fff3073cc6e in -[NSRunLoop(NSRunLoop) run] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x112c6e)
    #39 0x7fff681a94e9 in _xpc_objc_main.cold.4 (/usr/lib/system/libxpc.dylib:x86_64+0x164e9)
    #40 0x7fff681a942f in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x1642f)
    #41 0x7fff681a8f62 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0x15f62)
    #42 0x1b8ef6923 in WebKit::XPCServiceMain(int, char const**) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0xef6923)
    #43 0x7fff67f57cc8 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1acc8)

==60651==Register values:
rax = 0x000000000000002c  rbx = 0x0000000000000000  rcx = 0x000010000000002c  rdx = 0x00001c2400006dcc
rdi = 0x0000000000000160  rsi = 0x0000000000000000  rbp = 0x00007ffeec11d630  rsp = 0x00007ffeec11d630
r8  = 0x000000000000000f  r9  = 0x0000000000000001  r10 = 0x0000000000000030  r11 = 0x00000000000a0006
r12 = 0x00001fffdd823ad0  r13 = 0x00007ffeec11d6a0  r14 = 0x00007ffeec11d6a0  r15 = 0x0000000000000160
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x395043c) in WTF::RefPtr<WebCore::SharedBuffer, WTF::RawPtrTraits<WebCore::SharedBuffer>, WTF::DefaultRefDerefTraits<WebCore::SharedBuffer> >::operator void (WTF::RefPtr<WebCore::SharedBuffer, WTF::RawPtrTraits<WebCore::SharedBuffer>, WTF::DefaultRefDerefTraits<WebCore::SharedBuffer> >::*)() const() const
Attachments (the 14 obsolete patches are hidden by default in Bugzilla's view):
Minimal test case (1.89 KB, text/html), 2021-03-19 14:02 PDT, Ali Juma, no flags
Patch (4.90 KB, patch), 2021-04-09 13:02 PDT, Rob Buis, no flags
Patch (4.89 KB, patch), 2021-04-09 13:15 PDT, Rob Buis, no flags
Patch (5.60 KB, patch), 2021-04-10 00:56 PDT, Rob Buis, no flags
Patch (1.28 KB, patch), 2021-04-14 02:27 PDT, Rob Buis, no flags
Patch (3.26 KB, patch), 2021-04-14 08:33 PDT, Rob Buis, no flags
Patch (12.66 KB, patch), 2021-04-16 06:46 PDT, Rob Buis, no flags
Patch (12.71 KB, patch), 2021-04-17 12:31 PDT, Rob Buis, no flags
Patch (12.63 KB, patch), 2022-01-31 02:04 PST, Rob Buis, no flags
Patch (12.58 KB, patch), 2022-01-31 03:25 PST, Rob Buis, no flags
Patch (12.58 KB, patch), 2022-01-31 06:30 PST, Rob Buis, no flags
Patch (12.63 KB, patch), 2022-01-31 07:15 PST, Rob Buis, no flags
Patch (12.73 KB, patch), 2022-01-31 09:01 PST, Rob Buis, no flags
Patch (12.74 KB, patch), 2022-02-01 04:43 PST, Rob Buis, no flags
Patch (4.67 KB, patch), 2022-02-04 08:28 PST, Rob Buis, no flags
Patch (1.81 KB, patch), 2022-02-10 09:01 PST, Rob Buis, no flags
Comment 1 by Radar WebKit Bug Importer, 2021-03-19 14:02:28 PDT
<rdar://problem/75635444>
Comment 2 by Rob Buis, 2021-04-08 12:51:16 PDT
Reduced test:

<script id="script">
function jsfuzzer() {
    document.createElement("audio").load();
    window.stop();
}
function eventhandler() {
    script.appendChild(iframe);
    document.onreadystatechange = eventhandler;
}
</script>
<body onload=jsfuzzer()>
<iframe id="iframe" onload="eventhandler()" srcdoc="foo"></iframe>
</body>
Comment 3 by Rob Buis, 2021-04-09 13:02:59 PDT
Created attachment 425643 [details]: Patch
Comment 4 by Chris Dumez, 2021-04-09 13:06:08 PDT
Comment on attachment 425643 [details]: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=425643&action=review

> Source/WebCore/loader/HistoryController.cpp:386
> +    auto historyURL = frameLoader.documentLoader() ? m_frame.loader().documentLoader()->urlForHistory() : URL { };
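Review bot: the guard and the dereference are different expressions on this line. `frameLoader.documentLoader()` is tested for null, but `m_frame.loader().documentLoader()->urlForHistory()` is what gets called; the null check only protects the call if both always resolve to the same FrameLoader and the same DocumentLoader, which nothing on this line guarantees. Reading the loader once and using it for both makes the intent explicit: `auto* documentLoader = frameLoader.documentLoader(); auto historyURL = documentLoader ? documentLoader->urlForHistory() : URL { };`.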
m_frame.loader() -> frameLoader
Comment 5 by Rob Buis, 2021-04-09 13:15:14 PDT
Created attachment 425645 [details]: Patch
Comment 6 by Ryosuke Niwa, 2021-04-09 16:47:03 PDT
Comment on attachment 425645 [details]: Patch
Hm... new assertion failure in fast/loader/crash-replacing-location-before-load.html seems like a real regression.
Comment 7 by Rob Buis, 2021-04-10 00:56:58 PDT
Created attachment 425679 [details]: Patch
Comment 8 by Ryosuke Niwa, 2021-04-10 21:30:07 PDT
Comment on attachment 425679 [details]: Patch
New test is hitting this assertion:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore   0x000000010f96e39e WTFCrash + 14 (Assertions.cpp:305)
1   com.apple.WebKitLegacy     0x000000014b15f0eb WTFCrashWithInfo(int, char const*, char const*, int) + 27
2   com.apple.WebKitLegacy     0x000000014b341898 -[WebHTMLView setDataSource:] + 104 (WebHTMLView.mm:4669)
3   com.apple.WebKitLegacy     0x000000014b2fa436 WebFrameLoaderClient::transitionToCommittedForNewPage() + 1526 (WebFrameLoaderClient.mm:1474)
4   com.apple.WebCore          0x0000000134cf0f8e WebCore::FrameLoader::transitionToCommitted(WebCore::CachedPage*) + 1982
5   com.apple.WebCore          0x0000000134cefc37 WebCore::FrameLoader::commitProvisionalLoad() + 1191
6   com.apple.WebCore          0x0000000134c625bc WebCore::DocumentLoader::commitIfReady() + 60 (DocumentLoader.cpp:400)
7   com.apple.WebCore          0x0000000134c62d80 WebCore::DocumentLoader::finishedLoading() + 304 (DocumentLoader.cpp:465)
8   com.apple.WebCore          0x0000000134c6e901 WebCore::DocumentLoader::maybeLoadEmpty() + 1073 (DocumentLoader.cpp:1891)
9   com.apple.WebCore          0x0000000134c6ea85 WebCore::DocumentLoader::startLoadingMainResource() + 357 (DocumentLoader.cpp:1904)
10  com.apple.WebCore          0x0000000134d1e96c WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL)::$_11::operator()() + 1612
Comment 9 by Rob Buis, 2021-04-14 02:27:59 PDT
Created attachment 425962 [details]: Patch
Comment 10 by Rob Buis, 2021-04-14 08:33:17 PDT
Created attachment 425986 [details]: Patch
Comment 11 by Alex Christensen, 2021-04-14 15:30:51 PDT
Comment on attachment 425986 [details]: Patch
This seems fine.
Comment 12 by Rob Buis, 2021-04-16 06:46:31 PDT
Created attachment 426219 [details]: Patch
Comment 13 by Rob Buis, 2021-04-17 12:31:20 PDT
Created attachment 426341 [details]: Patch
Comment 14 by Ryosuke Niwa, 2021-04-24 16:12:41 PDT
Looks like fast/loader/commit-provisional-load-crash.html is timing out on Windows?
Comment 15 by Rob Buis, 2021-08-24 05:34:42 PDT
(In reply to Ryosuke Niwa from comment #14)
> Looks like fast/loader/commit-provisional-load-crash.html is timing out on
> Windows?

This is probably better checked by someone at Apple; I don't have much Windows expertise. OTOH there was a Windows-specific bug that destabilized many network-related tests, so if people think this is one of those cases, I could add the test as skipped on Win? Of course this supposes the approach taken by the patch is okay.
Comment 16 by Rob Buis, 2022-01-31 02:04:17 PST
Created attachment 450389 [details]: Patch
Comment 17 by Rob Buis, 2022-01-31 03:25:36 PST
Created attachment 450398 [details]: Patch
Comment 18 by Rob Buis, 2022-01-31 06:30:03 PST
Created attachment 450406 [details]: Patch
Comment 19 by Rob Buis, 2022-01-31 07:15:46 PST
Created attachment 450408 [details]: Patch
Comment 20 by Rob Buis, 2022-01-31 09:01:51 PST
Created attachment 450412 [details]: Patch
Comment 21 by Rob Buis, 2022-02-01 04:43:53 PST
Created attachment 450517 [details]: Patch
Comment 22 by Brent Fulgham, 2022-02-01 09:08:07 PST
Comment on attachment 450517 [details]: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=450517&action=review

> Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:542
> +{
It seems like this should send a WebPageProxy message so that the UIProcess can clear m_provisionalURL, like you do in WebKitLegacy. Or is that not needed for some reason?
Comment 23 by Darin Adler, 2022-02-03 04:12:03 PST
Comment on attachment 450517 [details]: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=450517&action=review

> Source/WebKitLegacy/mac/WebCoreSupport/WebFrameLoaderClient.mm:678
> +    m_webFrame->_private->provisionalURL = nullptr;
Related to Brent’s question: How is this tested? What test will fail if we remove this line of code?
Comment 24 by Rob Buis, 2022-02-04 08:28:13 PST
Created attachment 450901 [details]: Patch
Comment 25 by Darin Adler, 2022-02-04 09:01:37 PST
Comment on attachment 450901 [details]: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=450901&action=review

> Source/WebCore/loader/FrameLoader.cpp:1830
> +    m_inStopForBackForwardCache = true;
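Review bot: this line sets the re-entrancy flag but the quoted context shows no corresponding reset, so it is not visible that the flag is cleared on every exit path of the function, including early returns. A scope-bound setter (WTF's SetForScope, which restores the previous value in its destructor) keeps the flag from sticking, and an `ASSERT(!m_inStopForBackForwardCache)` or an early return at the top of the function documents what should happen if the client callback re-enters while the flag is already set.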
Can this function be re-re-entered? Should we add an assertion or early return for that case?
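The two defensive patterns discussed in comments 4 and 25, as an added example that is not WebKit code: a null guard that tests and dereferences the same loader pointer, and a re-entrancy flag that is restored on every exit path. The FrameLoader, DocumentLoader and SubstituteData classes here are toy stand-ins with the thread's names, and the stop behaviour and sample URL are assumptions.

```cpp
#include <functional>
#include <memory>
#include <string>
#include <utility>

// Stand-in for WebCore's SubstituteData; isValid() reads a buffer handle,
// which is the first member access in the ASan stack above.
struct SubstituteData {
    std::shared_ptr<std::string> content;   // stand-in for RefPtr<SharedBuffer>
    bool isValid() const { return static_cast<bool>(content); }
};

struct DocumentLoader {
    std::string requestURL;
    SubstituteData substituteData;
    // Calling this through a null DocumentLoader* is the read of a small
    // offset from address 0 that the report shows (0x160 on the zero page).
    std::string urlForHistory() const {
        return substituteData.isValid() ? std::string() : requestURL;
    }
};

class FrameLoader {
public:
    DocumentLoader* documentLoader() const { return m_documentLoader.get(); }
    void setDocumentLoader(std::unique_ptr<DocumentLoader> loader) { m_documentLoader = std::move(loader); }
    // Assumed simplification of what window.stop() does to the loader state.
    void stopAllLoaders() { m_documentLoader.reset(); }

    // Pattern 1 (comment 4): guard and dereference the SAME pointer.
    std::string historyURLForStandardLoad() const {
        auto* loader = documentLoader();
        return loader ? loader->urlForHistory() : std::string();
    }

    // Pattern 2 (comment 25): re-entrancy flag, cleared on every exit path,
    // with an early return when a client callback re-enters.
    int stopForBackForwardCache(const std::function<void()>& clientCallback) {
        if (m_inStopForBackForwardCache)
            return 0;                                   // re-entered: do nothing
        ScopedFlag guard(m_inStopForBackForwardCache);  // set now, reset in destructor
        ++m_stopCount;
        clientCallback();                               // may call back into this function
        return m_stopCount;
    }
    bool inStopForBackForwardCache() const { return m_inStopForBackForwardCache; }

private:
    struct ScopedFlag {                                 // minimal SetForScope-style helper
        explicit ScopedFlag(bool& flag) : m_flag(flag) { m_flag = true; }
        ~ScopedFlag() { m_flag = false; }
        bool& m_flag;
    };
    std::unique_ptr<DocumentLoader> m_documentLoader;
    bool m_inStopForBackForwardCache = false;
    int m_stopCount = 0;
};

// Scenario from the reduced test: a load is in flight, the page calls stop(),
// and the history update then runs against a frame with no document loader.
std::string historyURLAfterStop() {
    FrameLoader frameLoader;
    auto loader = std::make_unique<DocumentLoader>();
    loader->requestURL = "https://example.test/page";    // constructed sample value
    frameLoader.setDocumentLoader(std::move(loader));
    frameLoader.stopAllLoaders();
    return frameLoader.historyURLForStandardLoad();       // "" instead of a null dereference
}

// Same frame without the stop(): the guarded path still yields the real URL.
std::string historyURLWithLoader() {
    FrameLoader frameLoader;
    auto loader = std::make_unique<DocumentLoader>();
    loader->requestURL = "https://example.test/page";    // constructed sample value
    frameLoader.setDocumentLoader(std::move(loader));
    return frameLoader.historyURLForStandardLoad();
}

// Re-enters stopForBackForwardCache from the client callback; the body must run
// once, the nested call must be rejected, and the flag must be clear afterwards.
int reentrantStopCount() {
    FrameLoader frameLoader;
    int nested = -1;
    int outer = frameLoader.stopForBackForwardCache([&] {
        nested = frameLoader.stopForBackForwardCache([] {});
    });
    return (nested == 0 && !frameLoader.inStopForBackForwardCache()) ? outer : -1;
}
```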
Comment 26 by EWS, 2022-02-07 03:14:09 PST
Committed r289203 (246889@main): <https://commits.webkit.org/246889@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 450901 [details].
Comment 27 by Rob Buis, 2022-02-07 14:33:00 PST
Comment on attachment 450901 [details]: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=450901&action=review

>> Source/WebCore/loader/FrameLoader.cpp:1830
>> +    m_inStopForBackForwardCache = true;
>
> Can this function be re-re-entered? Should we add an assertion or early return for that case?
Ah I missed this, will have a look tomorrow.
Comment 28 by Rob Buis, 2022-02-10 09:01:09 PST
Reopening to attach new patch.
Comment 29 by Rob Buis, 2022-02-10 09:01:13 PST
Created attachment 451548 [details]: Patch
Comment 30 by Rob Buis, 2022-03-25 09:50:11 PDT
ping for review :)
Comment 31 by EWS, 2022-03-28 15:54:00 PDT
Committed r292002 (248953@main): <https://commits.webkit.org/248953@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 451548 [details].