[Webkit-unassigned] [Bug 146786] New: DocumentLoader::detachFromFrame() is being called with no current Frame set
bugzilla-daemon at webkit.org
Thu Jul 9 08:42:54 PDT 2015
https://bugs.webkit.org/show_bug.cgi?id=146786
Bug ID: 146786
Summary: DocumentLoader::detachFromFrame() is being called with
no current Frame set
Classification: Unclassified
Product: WebKit
Version: 528+ (Nightly build)
Hardware: All
OS: All
Status: NEW
Severity: Normal
Priority: P2
Component: Page Loading
Assignee: webkit-unassigned at lists.webkit.org
Reporter: beidson at apple.com
DocumentLoader::detachFromFrame() is being called with no current Frame set
We're seeing the crashes in <rdar://problem/21293082>
Sample backtrace:
> 1 com.apple.WebCore 0x7fff88ab2985 WebCore::DocumentLoader::detachFromFrame() + 0xa5
2 com.apple.WebCore 0x7fff88bc77ae WebCore::FrameLoader::clearProvisionalLoad() + 0x1e
3 com.apple.WebCore 0x7fff88a810e9 WebCore::FrameLoader::checkLoadCompleteForThisFrame() + 0x499
4 com.apple.WebCore 0x7fff88a80b86 WebCore::FrameLoader::checkLoadComplete() + 0x136
5 com.apple.WebCore 0x7fff88bc6657 WebCore::FrameLoader::receivedMainResourceError(WebCore::ResourceError const&) + 0x247
6 com.apple.WebCore 0x7fff88ae73b9 WebCore::CachedResource::checkNotify() + 0x99
7 com.apple.WebCore 0x7fff88bc6137 WebCore::SubresourceLoader::didFail(WebCore::ResourceError const&) + 0x177
8 com.apple.WebCore 0x7fff88aca3a5 WebCore::DocumentLoader::continueAfterContentPolicy(WebCore::PolicyAction) + 0x2a5
9 com.apple.WebCore 0x7fff88aca0ec WebCore::PolicyCallback::call(WebCore::PolicyAction) + 0x1c
10 com.apple.WebCore 0x7fff88aca0a3 WebCore::PolicyChecker::continueAfterContentPolicy(WebCore::PolicyAction) + 0x183
11 com.apple.WebKit 0x7fff8b60657a WebKit::WebFrame::didReceivePolicyDecision(unsigned long long, WebCore::PolicyAction, unsigned long long, unsigned long long) + 0xc0
12 com.apple.WebKit 0x7fff8b6078b3 WebKit::WebFrameLoaderClient::dispatchDecidePolicyForResponse(WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, std::__1::function<void (WebCore::PolicyAction)>) + 0x2c3
13 com.apple.WebCore 0x7fff8956a1a6 WebCore::PolicyChecker::checkContentPolicy(WebCore::ResourceResponse const&, std::__1::function<void (WebCore::PolicyAction)>) + 0xe6
14 com.apple.WebCore 0x7fff88aa8b14 WebCore::DocumentLoader::responseReceived(WebCore::CachedResource*, WebCore::ResourceResponse const&) + 0x724
15 com.apple.WebCore 0x7fff88aa829d WebCore::CachedRawResource::responseReceived(WebCore::ResourceResponse const&) + 0xcd
16 com.apple.WebCore 0x7fff88aa8019 WebCore::SubresourceLoader::didReceiveResponse(WebCore::ResourceResponse const&) + 0x1b9
17 com.apple.WebKit 0x7fff8b6ab6c5 WebKit::WebResourceLoader::didReceiveResponse(WebCore::ResourceResponse const&, bool) + 0x41
Digging in deeper to the detachFromFrame() frame of the backtrace, the crash is dereferencing m_frame when calling InspectorInstrumentation::loaderDetachedFromFrame.
The null frame case means that either:
1 - The DocumentLoader is being detached twice.
2 - The DocumentLoader is being detached before ever being attached.
We can't quite figure out which.
The ASSERT(m_frame) at the top of this method is still valid - it is a mistake for this case to ever happen.
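The two cases listed above, as an added example that is not part of the original report and is not WebKit code: a simplified model in which one extra lifecycle bit tells a double detach apart from a detach before attach, which a null m_frame alone cannot. Frame, LoaderModel, DetachResult, describe and m_wasEverAttached are hypothetical names chosen for this illustration.

```cpp
#include <cstdio>

// Simplified model, not WebKit code: Frame, LoaderModel and DetachResult are
// hypothetical names used only for this illustration.
struct Frame { int detachNotifications = 0; };

enum class DetachResult { Detached, DoubleDetach, DetachBeforeAttach };

class LoaderModel {
public:
    void attachToFrame(Frame& frame) { m_frame = &frame; m_wasEverAttached = true; }

    // A null m_frame alone cannot tell the two failure modes apart; the extra
    // m_wasEverAttached bit can. The null check also keeps the notification
    // (standing in for the instrumentation call) from dereferencing null.
    DetachResult detachFromFrame()
    {
        if (!m_frame)
            return m_wasEverAttached ? DetachResult::DoubleDetach : DetachResult::DetachBeforeAttach;
        ++m_frame->detachNotifications; // uses m_frame, so it must be non-null
        m_frame = nullptr;
        return DetachResult::Detached;
    }

private:
    Frame* m_frame = nullptr;
    bool m_wasEverAttached = false;
};

const char* describe(DetachResult r)
{
    switch (r) {
    case DetachResult::Detached: return "detached normally";
    case DetachResult::DoubleDetach: return "detached twice";
    case DetachResult::DetachBeforeAttach: return "detached before ever being attached";
    }
    return "unknown";
}

int main()
{
    Frame frame;
    LoaderModel never, twice;
    std::printf("%s\n", describe(never.detachFromFrame()));
    twice.attachToFrame(frame);
    twice.detachFromFrame();
    std::printf("%s\n", describe(twice.detachFromFrame()));
}
```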