[Webkit-unassigned] [Bug 167421] New: Crash when navigating back to a page in PacheCache when one of its frames has been removed

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jan 25 09:14:46 PST 2017


https://bugs.webkit.org/show_bug.cgi?id=167421

            Bug ID: 167421
           Summary: Crash when navigating back to a page in PacheCache
                    when one of its frames has been removed
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Page Loading
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: cdumez at apple.com
                CC: ap at webkit.org, beidson at apple.com, bfulgham at webkit.org,
                    darin at apple.com, koivisto at iki.fi, rniwa at webkit.org

Crash when navigating back to a page in PacheCache when one of its frames has been removed:
    let w = open("about:blank", "one");
    let d = w.document;
    let f = d.createElement("iframe");
    f.src = "http://www.espn.com";
    d.body.appendChild(f);

    let a = d.createElement("a");
    a.href = "https://google.com";
    a.click();

    let it = setInterval(() => {
        clearInterval(it);
        d.body.innerHTML = "LOL";
    }, 2000);


Wait 3 seconds then navigate back in the newly opened Window (that currently shows google.com). You'll get the following crash:
Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000100
Exception Note:        EXC_CORPSE_NOTIFY

Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   exc handler [0]

Application Specific Information:
This process is running with libgmalloc.dylib (GuardMalloc) which may have forced the crash due to a memory access error.

Bundle controller class:
BrowserBundleController

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore                 0x0000000109e924fe WebCore::CachedFrameBase::restore() + 222 (Page.h:192)
1   com.apple.WebCore                 0x000000010a1e9ea5 WebCore::FrameLoader::open(WebCore::CachedFrameBase&) + 789 (utility:753)
2   com.apple.WebCore                 0x0000000109e96519 WebCore::CachedPage::restore(WebCore::Page&) + 25 (memory:2701)
3   com.apple.WebCore                 0x000000010a1e8637 WebCore::FrameLoader::commitProvisionalLoad() + 775 (Optional.h:366)
4   com.apple.WebCore                 0x000000010a1e6a9c WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, bool, WebCore::AllowNavigationToInvalidURL) + 1180 (FrameLoader.cpp:3251)
5   com.apple.WebCore                 0x000000010aa5c41d WebCore::PolicyCallback::call(bool) + 61 (functional:1817)
6   com.apple.WebCore                 0x000000010aa5d18c WebCore::PolicyChecker::continueAfterNavigationPolicy(WebCore::PolicyAction) + 732 (PolicyCallback.h:47)
7   com.apple.WebKit                  0x0000000107d0dbcc WebKit::WebFrame::didReceivePolicyDecision(unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID) + 192 (functional:1766)
8   com.apple.WebKit                  0x0000000107d12330 WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction(WebCore::NavigationAction const&, WebCore::ResourceRequest const&, WebCore::FormState*, std::__1::function<void (WebCore::PolicyAction)>) + 1590 (WebFrameLoaderClient.cpp:822)
9   com.apple.WebCore                 0x000000010aa5ce11 WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, bool, WebCore::DocumentLoader*, WebCore::FormState*, std::__1::function<void (WebCore::ResourceRequest const&, WebCore::FormState*, bool)>) + 1937 (functional:1766)
10  com.apple.WebCore                 0x000000010a1e63d2 WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WebCore::FormState*, WebCore::AllowNavigationToInvalidURL) + 2258 (functional:1766)
11  com.apple.WebCore                 0x000000010a1e2489 WebCore::FrameLoader::loadDifferentDocumentItem(WebCore::HistoryItem&, WebCore::FrameLoadType, WebCore::FrameLoader::FormSubmissionCacheLoadPolicy) + 409 (FrameLoader.cpp:3321)
12  com.apple.WebCore                 0x000000010a2624df WebCore::HistoryController::goToItem(WebCore::HistoryItem&, WebCore::FrameLoadType) + 207 (HistoryController.cpp:325)
13  com.apple.WebCore                 0x000000010aa1514a WebCore::Page::goToItem(WebCore::HistoryItem&, WebCore::FrameLoadType) + 90 (RefCounted.h:98)
14  com.apple.WebKit                  0x0000000107d4ca98 WebKit::WebPage::goBack(unsigned long long, unsigned long long) + 54 (MessageSender.h:39)

This is because it is currently possible for an opener to have wrappers to Nodes/Documents in windows that in opened (via window.open) and then for those documents to go into PageCache. Doing DOM mutations on documents that are currently in PageCache is unsupported and will lead to various crashes.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20170125/391db38e/attachment.html>


More information about the webkit-unassigned mailing list