Bug 223536 - Crash in DocumentLoader::urlForHistory
Summary: Crash in DocumentLoader::urlForHistory
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Page Loading
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Rob Buis
Keywords: InRadar
Reported: 2021-03-19 14:02 PDT by Ali Juma
Modified: 2022-03-28 15:54 PDT (History)
Attachments
Minimal test case (1.89 KB, text/html) - 2021-03-19 14:02 PDT, Ali Juma
Patch (4.90 KB, patch) - 2021-04-09 13:02 PDT, Rob Buis
Patch (4.89 KB, patch) - 2021-04-09 13:15 PDT, Rob Buis
Patch (5.60 KB, patch) - 2021-04-10 00:56 PDT, Rob Buis
Patch (1.28 KB, patch) - 2021-04-14 02:27 PDT, Rob Buis
Patch (3.26 KB, patch) - 2021-04-14 08:33 PDT, Rob Buis
Patch (12.66 KB, patch) - 2021-04-16 06:46 PDT, Rob Buis
Patch (12.71 KB, patch) - 2021-04-17 12:31 PDT, Rob Buis
Patch (12.63 KB, patch) - 2022-01-31 02:04 PST, Rob Buis
Patch (12.58 KB, patch) - 2022-01-31 03:25 PST, Rob Buis
Patch (12.58 KB, patch) - 2022-01-31 06:30 PST, Rob Buis
Patch (12.63 KB, patch) - 2022-01-31 07:15 PST, Rob Buis
Patch (12.73 KB, patch) - 2022-01-31 09:01 PST, Rob Buis
Patch (12.74 KB, patch) - 2022-02-01 04:43 PST, Rob Buis
Patch (4.67 KB, patch) - 2022-02-04 08:28 PST, Rob Buis
Patch (1.81 KB, patch) - 2022-02-10 09:01 PST, Rob Buis
Description Ali Juma 2021-03-19 14:02:18 PDT
Created attachment 423773 [details]
Minimal test case

Filing this as a security bug since it was found using a fuzzer; there's no disclosure deadline for this bug.

This reproduces in an ASan build of WebKitTestRunner.

Stack:
=================================================================
==60651==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000160 (pc 0x0001cb35843d bp 0x7ffeec11d630 sp 0x7ffeec11d630 T0)
==60651==The signal is caused by a READ memory access.
==60651==Hint: address points to the zero page.
    #0 0x1cb35843c in WTF::RefPtr<WebCore::SharedBuffer, WTF::RawPtrTraits<WebCore::SharedBuffer>, WTF::DefaultRefDerefTraits<WebCore::SharedBuffer> >::operator void (WTF::RefPtr<WebCore::SharedBuffer, WTF::RawPtrTraits<WebCore::SharedBuffer>, WTF::DefaultRefDerefTraits<WebCore::SharedBuffer> >::*)() const() const (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x395043c)
    #1 0x1cb358268 in WebCore::SubstituteData::isValid() const (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3950268)
    #2 0x1cbc75bbe in WebCore::DocumentLoader::urlForHistory() const (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x426dbbe)
    #3 0x1cbcff641 in WebCore::FrameLoader::HistoryController::updateForStandardLoad(WebCore::FrameLoader::HistoryController::HistoryUpdateType) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42f7641)
    #4 0x1cbcfd4ff in WebCore::FrameLoader::transitionToCommitted(WebCore::CachedPage*) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42f54ff)
    #5 0x1cbcfbac2 in WebCore::FrameLoader::commitProvisionalLoad() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42f3ac2)
    #6 0x1cbc68975 in WebCore::DocumentLoader::finishedLoading() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4260975)
    #7 0x1cbc77354 in WebCore::DocumentLoader::maybeLoadEmpty() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x426f354)
    #8 0x1cbc7769d in WebCore::DocumentLoader::startLoadingMainResource() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x426f69d)
    #9 0x1cbd2d8eb in WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL)::$_11::operator()() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x43258eb)
    #10 0x1c7a97fee in WTF::CompletionHandler<void ()>::operator()() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x8ffee)
    #11 0x1cbcf6e44 in WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42eee44)
    #12 0x1cbd2a595 in WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WebCore::AllowNavigationToInvalidURL, WTF::CompletionHandler<void ()>&&)::$_8::operator()(WebCore::ResourceRequest const&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4322595)
    #13 0x1cbd58980 in WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision)>::operator()(WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4350980)
    #14 0x1cbd6b359 in WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WebCore::DocumentLoader*, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision)>&&, WebCore::PolicyDecisionMode)::$_3::operator()(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4363359)
    #15 0x1cbd698d8 in WTF::Detail::CallableWrapper<WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WebCore::DocumentLoader*, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision)>&&, WebCore::PolicyDecisionMode)::$_3, void, WebCore::PolicyAction, WebCore::PolicyCheckIdentifier>::call(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x43618d8)
    #16 0x1ba25ebee in WTF::Function<void (WebCore::PolicyAction, WebCore::PolicyCheckIdentifier)>::operator()(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) const (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x225ebee)
    #17 0x1ba261467 in WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction(WebCore::NavigationAction const&, WebCore::ResourceRequest const&, WebCore::ResourceResponse const&, WebCore::FormState*, WebCore::PolicyDecisionMode, WebCore::PolicyCheckIdentifier, WTF::Function<void (WebCore::PolicyAction, WebCore::PolicyCheckIdentifier)>&&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x2261467)
    #18 0x1cbd57d17 in WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WebCore::DocumentLoader*, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision)>&&, WebCore::PolicyDecisionMode) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x434fd17)
    #19 0x1cbcf5774 in WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WebCore::AllowNavigationToInvalidURL, WTF::CompletionHandler<void ()>&&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42ed774)
    #20 0x1cbcee285 in WebCore::FrameLoader::load(WebCore::DocumentLoader&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42e6285)
    #21 0x1cbcf4062 in WebCore::FrameLoader::load(WebCore::FrameLoadRequest&&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42ec062)
    #22 0x1ba50f515 in WebKit::WebPage::loadRequest(WebKit::LoadParameters&&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x250f515)
    #23 0x1ba59bb69 in void IPC::handleMessage<Messages::WebPage::LoadRequest, WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::LoadParameters&&)>(IPC::Decoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::LoadParameters&&)) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x259bb69)
    #24 0x1ba595542 in WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection&, IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x2595542)
    #25 0x1b85b6d3a in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x5b6d3a)
    #26 0x1b9d94ab5 in WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x1d94ab5)
    #27 0x1b808c399 in IPC::Connection::dispatchMessage(IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x8c399)
    #28 0x1b808cdf6 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x8cdf6)
    #29 0x1b808d9bb in IPC::Connection::dispatchOneIncomingMessage() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x8d9bb)
    #30 0x1e59062ec in WTF::RunLoop::performWork() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xce2ec)
    #31 0x1e5909995 in WTF::RunLoop::performWork(void*) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xd1995)
    #32 0x7fff2dfce883 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x84883)
    #33 0x7fff2dfce822 in __CFRunLoopDoSource0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x84822)
    #34 0x7fff2dfce63c in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x8463c)
    #35 0x7fff2dfcd358 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x83358)
    #36 0x7fff2dfcc952 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x82952)
    #37 0x7fff3068a1c7 in -[NSRunLoop(NSRunLoop) runMode:beforeDate:] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x601c7)
    #38 0x7fff3073cc6e in -[NSRunLoop(NSRunLoop) run] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x112c6e)
    #39 0x7fff681a94e9 in _xpc_objc_main.cold.4 (/usr/lib/system/libxpc.dylib:x86_64+0x164e9)
    #40 0x7fff681a942f in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x1642f)
    #41 0x7fff681a8f62 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0x15f62)
    #42 0x1b8ef6923 in WebKit::XPCServiceMain(int, char const**) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0xef6923)
    #43 0x7fff67f57cc8 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1acc8)
==60651==Register values:
rax = 0x000000000000002c  rbx = 0x0000000000000000  rcx = 0x000010000000002c  rdx = 0x00001c2400006dcc
rdi = 0x0000000000000160  rsi = 0x0000000000000000  rbp = 0x00007ffeec11d630  rsp = 0x00007ffeec11d630
 r8 = 0x000000000000000f   r9 = 0x0000000000000001  r10 = 0x0000000000000030  r11 = 0x00000000000a0006
r12 = 0x00001fffdd823ad0  r13 = 0x00007ffeec11d6a0  r14 = 0x00007ffeec11d6a0  r15 = 0x0000000000000160
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x395043c) in WTF::RefPtr<WebCore::SharedBuffer, WTF::RawPtrTraits<WebCore::SharedBuffer>, WTF::DefaultRefDerefTraits<WebCore::SharedBuffer> >::operator void (WTF::RefPtr<WebCore::SharedBuffer, WTF::RawPtrTraits<WebCore::SharedBuffer>, WTF::DefaultRefDerefTraits<WebCore::SharedBuffer> >::*)() const() const
Comment 1 Radar WebKit Bug Importer 2021-03-19 14:02:28 PDT
<rdar://problem/75635444>
Comment 2 Rob Buis 2021-04-08 12:51:16 PDT
Reduced test:
<script id="script">
function jsfuzzer() {
    // Kick off a media load, then stop all loading in the window while the
    // iframe's navigation is still in flight.
    document.createElement("audio").load();
    window.stop();
}
function eventhandler() {
    // Moving the iframe into the script element detaches and re-attaches it,
    // which tears down its frame and restarts the srcdoc load; the same
    // handler is then also run on every readystatechange of the outer document.
    script.appendChild(iframe);
    document.onreadystatechange = eventhandler;
}
</script>
<body onload="jsfuzzer()">
<iframe id="iframe" onload="eventhandler()" srcdoc="foo"></iframe>
</body>
Comment 3 Rob Buis 2021-04-09 13:02:59 PDT
Created attachment 425643 [details]
Patch
Comment 4 Chris Dumez 2021-04-09 13:06:08 PDT
Comment on attachment 425643 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=425643&action=review

> Source/WebCore/loader/HistoryController.cpp:386
> +    auto historyURL = frameLoader.documentLoader() ? m_frame.loader().documentLoader()->urlForHistory() : URL { };
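Review bot: the null check and the dereference on this line use two different expressions for the loader: `frameLoader.documentLoader()` is tested, but `m_frame.loader().documentLoader()` is the one dereferenced, so the check does not visibly guard the call it is meant to protect. Bind the loader once and use it for both, e.g. `auto* documentLoader = frameLoader.documentLoader();` followed by `auto historyURL = documentLoader ? documentLoader->urlForHistory() : URL { };`.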

m_frame.loader() -> frameLoader
Comment 5 Rob Buis 2021-04-09 13:15:14 PDT
Created attachment 425645 [details]
Patch
Comment 6 Ryosuke Niwa 2021-04-09 16:47:03 PDT
Comment on attachment 425645 [details]
Patch

Hm... new assertion failure in fast/loader/crash-replacing-location-before-load.html seems like a real regression.
Comment 7 Rob Buis 2021-04-10 00:56:58 PDT
Created attachment 425679 [details]
Patch
Comment 8 Ryosuke Niwa 2021-04-10 21:30:07 PDT
Comment on attachment 425679 [details]
Patch

New test is hitting this assertion:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x000000010f96e39e WTFCrash + 14 (Assertions.cpp:305)
1   com.apple.WebKitLegacy        	0x000000014b15f0eb WTFCrashWithInfo(int, char const*, char const*, int) + 27
2   com.apple.WebKitLegacy        	0x000000014b341898 -[WebHTMLView setDataSource:] + 104 (WebHTMLView.mm:4669)
3   com.apple.WebKitLegacy        	0x000000014b2fa436 WebFrameLoaderClient::transitionToCommittedForNewPage() + 1526 (WebFrameLoaderClient.mm:1474)
4   com.apple.WebCore             	0x0000000134cf0f8e WebCore::FrameLoader::transitionToCommitted(WebCore::CachedPage*) + 1982
5   com.apple.WebCore             	0x0000000134cefc37 WebCore::FrameLoader::commitProvisionalLoad() + 1191
6   com.apple.WebCore             	0x0000000134c625bc WebCore::DocumentLoader::commitIfReady() + 60 (DocumentLoader.cpp:400)
7   com.apple.WebCore             	0x0000000134c62d80 WebCore::DocumentLoader::finishedLoading() + 304 (DocumentLoader.cpp:465)
8   com.apple.WebCore             	0x0000000134c6e901 WebCore::DocumentLoader::maybeLoadEmpty() + 1073 (DocumentLoader.cpp:1891)
9   com.apple.WebCore             	0x0000000134c6ea85 WebCore::DocumentLoader::startLoadingMainResource() + 357 (DocumentLoader.cpp:1904)
10  com.apple.WebCore             	0x0000000134d1e96c WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL)::$_11::operator()() + 1612
Comment 9 Rob Buis 2021-04-14 02:27:59 PDT
Created attachment 425962 [details]
Patch
Comment 10 Rob Buis 2021-04-14 08:33:17 PDT
Created attachment 425986 [details]
Patch
Comment 11 Alex Christensen 2021-04-14 15:30:51 PDT
Comment on attachment 425986 [details]
Patch

This seems fine.
Comment 12 Rob Buis 2021-04-16 06:46:31 PDT
Created attachment 426219 [details]
Patch
Comment 13 Rob Buis 2021-04-17 12:31:20 PDT
Created attachment 426341 [details]
Patch
Comment 14 Ryosuke Niwa 2021-04-24 16:12:41 PDT
Looks like fast/loader/commit-provisional-load-crash.html is timing out on Windows?
Comment 15 Rob Buis 2021-08-24 05:34:42 PDT
(In reply to Ryosuke Niwa from comment #14)
> Looks like fast/loader/commit-provisional-load-crash.html is timing out on
> Windows?

This is probably better checked by someone at Apple, I don't have much Windows expertise. OTOH there was a Windows-specific bug that destabilized many network-related tests, so if people think this is one of those cases, I could add the test as skipped on Win? Of course this supposes the approach taken by the patch is okay.
Comment 16 Rob Buis 2022-01-31 02:04:17 PST
Created attachment 450389 [details]
Patch
Comment 17 Rob Buis 2022-01-31 03:25:36 PST
Created attachment 450398 [details]
Patch
Comment 18 Rob Buis 2022-01-31 06:30:03 PST
Created attachment 450406 [details]
Patch
Comment 19 Rob Buis 2022-01-31 07:15:46 PST
Created attachment 450408 [details]
Patch
Comment 20 Rob Buis 2022-01-31 09:01:51 PST
Created attachment 450412 [details]
Patch
Comment 21 Rob Buis 2022-02-01 04:43:53 PST
Created attachment 450517 [details]
Patch
Comment 22 Brent Fulgham 2022-02-01 09:08:07 PST
Comment on attachment 450517 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=450517&action=review

> Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:542
> +{

It seems like this should send a WebPageProxy message so that the UIProcess can clear m_provisionalURL, like you do in WebKitLegacy. Or is that not needed for some reason?
Comment 23 Darin Adler 2022-02-03 04:12:03 PST
Comment on attachment 450517 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=450517&action=review

> Source/WebKitLegacy/mac/WebCoreSupport/WebFrameLoaderClient.mm:678
> +    m_webFrame->_private->provisionalURL = nullptr;

Related to Brent’s question: How is this tested? What test will fail if we remove this line of code?
Comment 24 Rob Buis 2022-02-04 08:28:13 PST
Created attachment 450901 [details]
Patch
Comment 25 Darin Adler 2022-02-04 09:01:37 PST
Comment on attachment 450901 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=450901&action=review

> Source/WebCore/loader/FrameLoader.cpp:1830
> +    m_inStopForBackForwardCache = true;
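Review bot: `m_inStopForBackForwardCache = true;` arms a guard flag with a plain assignment, so whether it is ever cleared again depends on every exit path of the function resetting it. A scoped setter such as WTF's `SetForScope<bool> inStop { m_inStopForBackForwardCache, true };` resets the flag on all returns alike, and an `ASSERT(!m_inStopForBackForwardCache)` or early return at the top of the function would make the re-entrant case explicit instead of relying on callers never to re-enter.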

Can this function be re-re-entered? Should we add an assertion or early return for that case?
Comment 26 EWS 2022-02-07 03:14:09 PST
Committed r289203 (246889@main): <https://commits.webkit.org/246889@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 450901 [details].
Comment 27 Rob Buis 2022-02-07 14:33:00 PST
Comment on attachment 450901 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=450901&action=review

>> Source/WebCore/loader/FrameLoader.cpp:1830
>> +    m_inStopForBackForwardCache = true;
> 
> Can this function be re-re-entered? Should we add an assertion or early return for that case?

Ah I missed this, will have a look tomorrow.
Comment 28 Rob Buis 2022-02-10 09:01:09 PST
Reopening to attach new patch.
Comment 29 Rob Buis 2022-02-10 09:01:13 PST
Created attachment 451548 [details]
Patch
Comment 30 Rob Buis 2022-03-25 09:50:11 PDT
ping for review :)
Comment 31 EWS 2022-03-28 15:54:00 PDT
Committed r292002 (248953@main): <https://commits.webkit.org/248953@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 451548 [details].