<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[286574] trunk/Source/WebKit</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/286574">286574</a></dd>
<dt>Author</dt> <dd>cdumez@apple.com</dd>
<dt>Date</dt> <dd>2021-12-06 15:37:28 -0800 (Mon, 06 Dec 2021)</dd>
</dl>
<h3>Log Message</h3>
<pre>Regression(<a href="http://trac.webkit.org/projects/webkit/changeset/286505">r286505</a>) imported/w3c/web-platform-tests/html/cross-origin-opener-policy/javascript-url.https.html is a flaky crash
https://bugs.webkit.org/show_bug.cgi?id=233874
Reviewed by Darin Adler.
<a href="http://trac.webkit.org/projects/webkit/changeset/286505">r286505</a> fixed ProvisionalPageProxy so that ProvisionalPageProxy::m_provisionalLoadURL gets properly initialized when the
ProvisionalPageProxy gets constructed *after* the provisional load has already started (COOP proces-swap case). One side
effect of this though is that ProvisionalPageProxy::cancel() no longer returns early and will try to notify the client
that the provisional load failed, dereferencing m_mainFrame in doing so. In the event where the main frame has not yet
been created in the new provisional process, this would do a null-dereference of m_mainFrame.
To address the issue, we now early return in ProvisionalPageProxy::cancel() if m_isProcessSwappingOnNavigationResponse
is true (i.e. The ProvisionalPageProxy was created after the provisional load had started). In such situations, we
don't want to ProvisionalPageProxy to be the one notifying the client of the provisional load failure anyway. The reason
is that there is still a provisional load going on in the committed process/page.
No new tests, covered by existing test that is flakily crashing.
* UIProcess/ProvisionalPageProxy.cpp:
(WebKit::ProvisionalPageProxy::cancel):</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceWebKitChangeLog">trunk/Source/WebKit/ChangeLog</a></li>
<li><a href="#trunkSourceWebKitUIProcessProvisionalPageProxycpp">trunk/Source/WebKit/UIProcess/ProvisionalPageProxy.cpp</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceWebKitChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit/ChangeLog (286573 => 286574)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit/ChangeLog 2021-12-06 22:53:46 UTC (rev 286573)
+++ trunk/Source/WebKit/ChangeLog 2021-12-06 23:37:28 UTC (rev 286574)
</span><span class="lines">@@ -1,3 +1,26 @@
</span><ins>+2021-12-06 Chris Dumez <cdumez@apple.com>
+
+ Regression(r286505) imported/w3c/web-platform-tests/html/cross-origin-opener-policy/javascript-url.https.html is a flaky crash
+ https://bugs.webkit.org/show_bug.cgi?id=233874
+
+ Reviewed by Darin Adler.
+
+ r286505 fixed ProvisionalPageProxy so that ProvisionalPageProxy::m_provisionalLoadURL gets properly initialized when the
+ ProvisionalPageProxy gets constructed *after* the provisional load has already started (COOP proces-swap case). One side
+ effect of this though is that ProvisionalPageProxy::cancel() no longer returns early and will try to notify the client
+ that the provisional load failed, dereferencing m_mainFrame in doing so. In the event where the main frame has not yet
+ been created in the new provisional process, this would do a null-dereference of m_mainFrame.
+
+ To address the issue, we now early return in ProvisionalPageProxy::cancel() if m_isProcessSwappingOnNavigationResponse
+ is true (i.e. The ProvisionalPageProxy was created after the provisional load had started). In such situations, we
+ don't want to ProvisionalPageProxy to be the one notifying the client of the provisional load failure anyway. The reason
+ is that there is still a provisional load going on in the committed process/page.
+
+ No new tests, covered by existing test that is flakily crashing.
+
+ * UIProcess/ProvisionalPageProxy.cpp:
+ (WebKit::ProvisionalPageProxy::cancel):
+
</ins><span class="cx"> 2021-12-06 Ryan Haddad <ryanhaddad@apple.com>
</span><span class="cx">
</span><span class="cx"> REGRESSION (r286507): [macOS] Many file system access layout tests became flaky failures
</span></span></pre></div>
<a id="trunkSourceWebKitUIProcessProvisionalPageProxycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit/UIProcess/ProvisionalPageProxy.cpp (286573 => 286574)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit/UIProcess/ProvisionalPageProxy.cpp 2021-12-06 22:53:46 UTC (rev 286573)
+++ trunk/Source/WebKit/UIProcess/ProvisionalPageProxy.cpp 2021-12-06 23:37:28 UTC (rev 286574)
</span><span class="lines">@@ -143,9 +143,9 @@
</span><span class="cx"> void ProvisionalPageProxy::cancel()
</span><span class="cx"> {
</span><span class="cx"> // If the provisional load started, then indicate that it failed due to cancellation by calling didFailProvisionalLoadForFrame().
</span><del>- if (m_provisionalLoadURL.isEmpty())
</del><ins>+ if (m_provisionalLoadURL.isEmpty() || m_isProcessSwappingOnNavigationResponse)
</ins><span class="cx"> return;
</span><del>-
</del><ins>+
</ins><span class="cx"> ASSERT(m_process->state() == WebProcessProxy::State::Running);
</span><span class="cx">
</span><span class="cx"> PROVISIONALPAGEPROXY_RELEASE_LOG(ProcessSwapping, "cancel: Simulating a didFailProvisionalLoadForFrame");
</span></span></pre>
</div>
</div>
</body>
</html>