[Webkit-unassigned] [Bug 32839] New: REGRESSION (r52446) - Crash starting an OutlivePage load
bugzilla-daemon at webkit.org
Mon Dec 21 13:30:27 PST 2009
https://bugs.webkit.org/show_bug.cgi?id=32839
Summary: REGRESSION (r52446) - Crash starting an OutlivePage load
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: P2
Component: Page Loading
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: beidson at apple.com
After updating past http://trac.webkit.org/changeset/52446 (the fix for https://bugs.webkit.org/show_bug.cgi?id=30457), I've seen a crash twice with one of these outlive page loads. The crash is a null-deref.

I do not know the exact steps to reproduce yet (haven't tried), but it's easy to see the cause.
#0 0x10258fa9a in WebCore::ResourceRequestBase::updateResourceRequest at ResourceRequestBase.cpp:386
#1 0x10258fbb3 in WebCore::ResourceRequestBase::cachePolicy at ResourceRequestBase.cpp:132
#2 0x102629d58 in WebCore::SubresourceLoader::create at SubresourceLoader.cpp:97
#3 0x1023cd027 in WebCore::Loader::Host::servePendingRequests at loader.cpp:359
#4 0x1023cd217 in WebCore::Loader::Host::servePendingRequests at loader.cpp:313
#5 0x1023ce2b8 in WebCore::Loader::servePendingRequests at loader.cpp:191
#6 0x1023ce36c in WebCore::Loader::requestTimerFired at loader.cpp:170
#7 0x1023cfc05 in WebCore::Timer<WebCore::Loader>::fired at Timer.h:98
#8 0x102757744 in WebCore::ThreadTimers::sharedTimerFiredInternal at ThreadTimers.cpp:112
#9 0x102757889 in WebCore::ThreadTimers::sharedTimerFired at ThreadTimers.cpp:90
#10 0x1025ea6d2 in WebCore::timerFired at SharedTimerMac.mm:86
#11 0x7fff86677a58 in __CFRunLoopRun
#12 0x7fff86675c2f in CFRunLoopRunSpecific
#13 0x7fff83370a4e in RunCurrentEventLoopInMode
#14 0x7fff83370853 in ReceiveNextEventCommon
#15 0x7fff8337070c in BlockUntilNextEventMatchingListInMode
...
The interesting point of the crash is in frame #2, in SubresourceLoader::create at SubresourceLoader.cpp:97:

    newRequest.setCachePolicy(fl->originalRequest().cachePolicy());
The Frame is valid, kept alive past the lifetime of the Document. The FrameLoader is valid, attached to the Frame. But inside FrameLoader::originalRequest() is a call to FrameLoader::activeDocumentLoader(), and the Frame has been detached, so the active DocumentLoader is null. Therefore the ResourceRequest returned is bogus.
This crash is probably a specific manifestation of a more general problem with r52446 - I think there are loads of callsites to FrameLoader::activeDocumentLoader() that don't null check the result. That is because until now there has been an underlying assumption that FrameLoaders *ALWAYS* have an active DocumentLoader, and this change changes that very fundamental fact. I think we'll be seeing more of these...
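The lifetime problem the report describes, as an added example that is not part of the original bug report and not WebKit's own code: a simplified stand-in for FrameLoader whose active DocumentLoader becomes null once the frame is detached, the unchecked originalRequest() pattern from frame #2 of the trace beside a null-checked variant, and a servePendingRequests-style caller that drops pending subresource requests for a detached frame instead of dereferencing null. The class and function names mirror the report, but the bodies, the CachePolicy enum, `detachFromParent()`, `originalRequestIfAny()` and `simulateOutlivingFrame()` are all assumptions made for this example.

```cpp
#include <cstddef>
#include <iostream>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical, simplified models of the WebKit objects named in the bug
// report. They are stand-ins written for this example, not WebKit code.

enum class CachePolicy { UseProtocolCachePolicy, ReloadIgnoringCacheData };

struct ResourceRequest {
    std::string url;
    CachePolicy cachePolicy = CachePolicy::UseProtocolCachePolicy;
};

class DocumentLoader {
public:
    explicit DocumentLoader(ResourceRequest request) : m_originalRequest(std::move(request)) {}
    const ResourceRequest& originalRequest() const { return m_originalRequest; }
private:
    ResourceRequest m_originalRequest;
};

class FrameLoader {
public:
    void load(ResourceRequest request) {
        m_activeDocumentLoader = std::make_unique<DocumentLoader>(std::move(request));
    }
    // Models the situation after r52446: the Frame and its FrameLoader outlive
    // the Document, so the active DocumentLoader can be null (assumption).
    void detachFromParent() { m_activeDocumentLoader.reset(); }
    DocumentLoader* activeDocumentLoader() const { return m_activeDocumentLoader.get(); }

    // The pattern the report describes: assumes activeDocumentLoader() is never
    // null. On a detached loader this dereferences null (undefined behaviour),
    // which is the null-deref in frame #0 of the trace.
    const ResourceRequest& originalRequestUnchecked() const {
        return activeDocumentLoader()->originalRequest();
    }

    // Null-checked variant: callers must handle a missing DocumentLoader.
    const ResourceRequest* originalRequestIfAny() const {
        DocumentLoader* loader = activeDocumentLoader();
        return loader ? &loader->originalRequest() : nullptr;
    }
private:
    std::unique_ptr<DocumentLoader> m_activeDocumentLoader;
};

// Stand-in for the SubresourceLoader::create step at SubresourceLoader.cpp:97.
// Returns true if the subresource load was started, false if it was dropped
// because the frame no longer has an active DocumentLoader.
bool createSubresourceLoader(const FrameLoader& fl, ResourceRequest& newRequest) {
    const ResourceRequest* original = fl.originalRequestIfAny();
    if (!original)
        return false; // detached frame: there is no request to inherit a cache policy from
    newRequest.cachePolicy = original->cachePolicy;
    return true;
}

// Stand-in for Loader::Host::servePendingRequests: drains the queue and
// returns how many loads were actually started.
size_t servePendingRequests(const FrameLoader& fl, std::vector<ResourceRequest>& pending) {
    size_t started = 0;
    for (ResourceRequest& request : pending)
        if (createSubresourceLoader(fl, request))
            ++started;
    pending.clear();
    return started;
}

// Constructed scenario: serve one pending request while the document is alive,
// detach the frame, then let the load timer fire again with two more pending
// requests. Returns (started before detach, started after detach).
std::pair<size_t, size_t> simulateOutlivingFrame() {
    FrameLoader fl;
    fl.load(ResourceRequest{"https://example.test/", CachePolicy::ReloadIgnoringCacheData});

    std::vector<ResourceRequest> pending{ResourceRequest{"https://example.test/a.js"}};
    size_t before = servePendingRequests(fl, pending);

    fl.detachFromParent(); // Frame outlives the Document; active DocumentLoader is now null

    std::vector<ResourceRequest> later{ResourceRequest{"https://example.test/b.css"},
                                       ResourceRequest{"https://example.test/c.png"}};
    size_t after = servePendingRequests(fl, later); // dropped, not dereferenced
    return {before, after};
}

int main() {
    auto [before, after] = simulateOutlivingFrame();
    std::cout << "started before detach: " << before << ", after detach: " << after << '\n';
    return 0;
}
```

The unchecked accessor is kept in the model only to show the shape of the assumption the report calls out; the caller goes through `originalRequestIfAny()` and treats a null DocumentLoader as "nothing to load", which is the check each of those call sites would need once a FrameLoader may exist without an active DocumentLoader.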