[Webkit-unassigned] [Bug 61810] New: FrameLoader::addExtraFieldsToRequest can crash when called from or after FrameLoader::detachFromParent

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue May 31 15:01:46 PDT 2011 

https://bugs.webkit.org/show_bug.cgi?id=61810

           Summary: FrameLoader::addExtraFieldsToRequest can crash when
                    called from or after FrameLoader::detachFromParent
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: Page Loading
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: piman at chromium.org


See this crash on Chrome OS, when involving a pepper plugin that navigates away when destroyed. It crashes with an invalid DocumentWriter, because the FrameLoader's DocumentLoader was set to NULL.

0x75df3949     [chrome     - third_party/WebKit/Source/WebCore/loader/DocumentWriter.cpp:251]    WebCore::DocumentWriter::deprecatedFrameEncoding
0x75df90dc     [chrome     - third_party/WebKit/Source/WebCore/loader/FrameLoader.cpp:2730]    WebCore::FrameLoader::addExtraFieldsToRequest
0x75e0bd2b     [chrome     - third_party/WebKit/Source/WebCore/loader/FrameLoader.cpp:1345]    WebCore::FrameLoader::loadURL
0x75e0d25f     [chrome     - third_party/WebKit/Source/WebCore/loader/FrameLoader.cpp:1318]    WebCore::FrameLoader::loadFrameRequest
0x7570c9b5     [chrome     - third_party/WebKit/Source/WebKit/chromium/src/WebPluginContainerImpl.cpp:397]    WebKit::WebPluginContainerImpl::loadFrameRequest
0x762e6460     [chrome     - webkit/plugins/ppapi/ppapi_plugin_instance.cc:1203]    webkit::ppapi::PluginInstance::Navigate
0x762f755d     [chrome     - webkit/plugins/ppapi/ppb_flash_impl.cc:62]    webkit::ppapi::::Navigate
0x765deeb1     [chrome     - ppapi/proxy/ppb_flash_proxy.cc:260]    pp::proxy::PPB_Flash_Proxy::OnMsgNavigate
0x765e020b     [chrome     - ./base/tuple.h:751]    pp::proxy::PPB_Flash_Proxy::OnMessageReceived
0x765fd162     [chrome     - ppapi/proxy/host_dispatcher.cc:174]    pp::proxy::HostDispatcher::OnMessageReceived
0x756df6a6     [chrome     - ipc/ipc_channel_proxy.cc:254]    IPC::ChannelProxy::Context::OnDispatchMessage
0x756e60a6     [chrome     - ipc/ipc_sync_channel.cc:110]    IPC::SyncChannel::ReceivedSyncMsgQueue::DispatchMessages
0x756e7102     [chrome     - ipc/ipc_sync_channel.cc:276]    IPC::SyncChannel::SendWithTimeout
0x756e37dc     [chrome     - ipc/ipc_sync_channel.cc:399]    IPC::SyncChannel::Send
0x765ca18a     [chrome     - ppapi/proxy/proxy_channel.cc:80]    pp::proxy::ProxyChannel::Send
0x765fd210     [chrome     - ppapi/proxy/host_dispatcher.cc:138]    pp::proxy::HostDispatcher::Send
0x765fb53d     [chrome     - ppapi/proxy/ppp_instance_proxy.cc:43]    pp::proxy::::DidDestroy
0x762e7ff3     [chrome     - webkit/plugins/ppapi/ppapi_plugin_instance.cc:435]    webkit::ppapi::PluginInstance::Delete
0x76a37b37     [chrome     - webkit/plugins/ppapi/ppapi_webplugin_impl.cc:89]    webkit::ppapi::WebPluginImpl::destroy
0x7570a6ce     [chrome     - third_party/WebKit/Source/WebKit/chromium/src/WebPluginContainerImpl.cpp:467]    WebKit::WebPluginContainerImpl::~WebPluginContainerImpl
0x7570a77d     [chrome     - third_party/WebKit/Source/WebKit/chromium/src/WebPluginContainerImpl.cpp:468]    WebKit::WebPluginContainerImpl::~WebPluginContainerImpl
0x760cb3be     [chrome     - third_party/WebKit/Source/JavaScriptCore/wtf/RefCounted.h:141]    WebCore::RenderWidget::resumeWidgetHierarchyUpdates
0x75c93697     [chrome     - third_party/WebKit/Source/WebCore/dom/Element.cpp:1022]    WebCore::Element::detach
0x75c60c2a     [chrome     - third_party/WebKit/Source/WebCore/dom/ContainerNode.cpp:742]    WebCore::ContainerNode::detach
0x75c78e7f     [chrome     - third_party/WebKit/Source/WebCore/dom/Document.cpp:1758]    WebCore::Document::detach
0x75e81fcf     [chrome     - third_party/WebKit/Source/WebCore/page/Frame.cpp:271]    WebCore::Frame::setView
0x75e0065f     [chrome     - third_party/WebKit/Source/WebCore/loader/FrameLoader.cpp:2653]    WebCore::FrameLoader::detachFromParent
0x7571e63f     [chrome     - third_party/WebKit/Source/WebKit/chromium/src/WebViewImpl.cpp:949]    WebKit::WebViewImpl::close
0x766e1723     [chrome     - content/renderer/render_widget.cc:829]    RenderWidget::Close
0x766ce6ee     [chrome     - content/renderer/render_view.cc:3927]    RenderView::Close
0x766e191f     [chrome     - ./base/tuple.h:541]    RunnableMethod<RenderWidget, void (RenderWidget::*)(), Tuple0>::Run
0x74e6e082     [chrome     - base/message_loop.cc:371]    MessageLoop::DoWork
0x74e701c7     [chrome     - base/message_pump_default.cc:23]    base::MessagePumpDefault::Run
0x74e69f6d     [chrome     - base/message_loop.cc:346]    MessageLoop::RunHandler
0x74e6a1e9     [chrome     - base/message_loop.cc:243]    MessageLoop::Run
0x766ed0dc     [chrome     - content/renderer/renderer_main.cc:233]    RendererMain
0x744910cc     [chrome     - chrome/app/chrome_main.cc:446]    RunZygote
0x744917ef     [chrome     - chrome/app/chrome_main.cc:492]    ChromeMain
0x74492414     [chrome     - chrome/app/chrome_exe_main_gtk.cc:46]    main
0x73298a95     [libc-2.10.1.so     + 0x00016a95]    
0x74490aa0     [chrome     + 0x00219aa0]    
0x744923bf     [chrome     + 0x0021b3bf]    
0x74266fff     [ld-2.10.1.so     + 0x0000efff]

It's a re-entrancy issue, but I'm pretty sure it's a valid use case for a plugin to navigate the page away when destroyed.
It worked before http://trac.webkit.org/changeset/78342 because the DocumentWriter had the lifetime of the FrameLoader.

See also http://code.google.com/p/chromium-os/issues/detail?id=15943

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list