[Webkit-unassigned] [Bug 173473] New: Null deref crash in DocumentLoader::finishedLoadingIcon

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jun 16 09:07:34 PDT 2017


https://bugs.webkit.org/show_bug.cgi?id=173473

            Bug ID: 173473
           Summary: Null deref crash in
                    DocumentLoader::finishedLoadingIcon
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: beidson at apple.com

Null deref crash in DocumentLoader::finishedLoadingIcon

Specifically, deref'ing a null frame.

0   com.apple.WebCore                   0x000000010faa91fd WebCore::DocumentLoader::finishedLoadingIcon(WebCore::IconLoader&, WebCore::SharedBuffer*) + 29
1   com.apple.WebCore                   0x000000010f8dc3fd WebCore::CachedResource::didAddClient(WebCore::CachedResourceClient&) + 205
2   com.apple.WebCore                   0x000000010f8d9ad6 WebCore::CachedRawResource::didAddClient(WebCore::CachedResourceClient&) + 758
3   com.apple.WebCore                   0x000000010f60f870 WebCore::ThreadTimers::sharedTimerFiredInternal() + 176
4   com.apple.WebCore                   0x000000010f60f7af WebCore::timerFired(__CFRunLoopTimer*, void*) + 31

I have not been able to reproduce.

I've been able to figure out a sequence of events to reproduce this:

0 - Be using an embedding app that uses the icon loading delegate API.
1 - Visit a website that references a site icon.
2 - The embedding app says "yes, load it".
3 - The icon is loaded as a sub resource, and that includes putting it in the memory cache.
4 - Navigate to another page within the same website that will load the same icon.
5 - Embedding app says "yes, load it".
6 - DocumentLoader - still attached to a frame - creates an IconLoader for the icon
7 - The IconLoader goes through the memory cache to get at a CachedResource for the icon, and finds it.
8 - The IconLoader attaches itself to the CachedResource as a CachedResourceClient. CachedResource schedules a timer to deliver callbacks to the IconLoader asynchronously
9 - Before that timer fires, the Frame navigates, so the DocumentLoader detaches itself from the frame.
10 - The timer fires, giving the data to the IconLoader and telling it that it finished.
11 - The IconLoader tells the DocumentLoader it finished, which then tries to call out to the FrameLoader client, but the m_frame is gone.

I'm 97% sure this is how this is happening, but cannot reproduce.

The timing around steps 8-10 is REALLY tight, and I have not found a way to reproduce - it's just a few tight spins of the runloop. 

I'm going to spend a little while longer trying to reproduce before I give up and fix this speculatively.
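The step 6 through step 11 sequence above, replayed as an added example that is not WebKit's code: Frame, Outcome, PendingCallbacks and replaySequence are constructed stand-ins, and the checkFrame flag models the null check on m_frame that a speculative fix would add before calling out to the FrameLoader client.

```cpp
#include <functional>
#include <string>
#include <vector>

// Constructed stand-in for the Frame (and its FrameLoaderClient) that step 11 calls out to.
struct Frame {
    std::vector<std::string> iconsDelivered;
};
// What finishedLoadingIcon ends up doing; NullFrameDeref marks the point where the real code crashes.
enum class Outcome { Delivered, DroppedDetached, NullFrameDeref };

class DocumentLoader {
public:
    DocumentLoader(Frame* frame, bool checkFrame) : m_frame(frame), m_checkFrame(checkFrame) {}
    void detachFromFrame() { m_frame = nullptr; }   // step 9: navigation detaches the loader
    // Step 11: the IconLoader reports completion and the loader forwards to the frame's client.
    Outcome finishedLoadingIcon(const std::string& iconURL) {
        if (!m_frame)
            return m_checkFrame ? Outcome::DroppedDetached : Outcome::NullFrameDeref;
        m_frame->iconsDelivered.push_back(iconURL);
        return Outcome::Delivered;
    }
private:
    Frame* m_frame;
    bool m_checkFrame;   // true = the speculative fix: bail out once already detached
};

// Stand-in for the CachedResource client-callback timer: work queued here fires later (steps 8 and 10).
using PendingCallbacks = std::vector<std::function<Outcome()>>;

class IconLoader {
public:
    IconLoader(DocumentLoader& loader, const std::string& url) : m_documentLoader(loader), m_url(url) {}
    // Step 8: memory-cache hit, so didAddClient schedules delivery asynchronously rather than inline.
    void attachToCachedResource(PendingCallbacks& timer) {
        timer.push_back([this] { return m_documentLoader.finishedLoadingIcon(m_url); });
    }
private:
    DocumentLoader& m_documentLoader;
    std::string m_url;
};

// Replays steps 6-11; navigateBeforeTimerFires is the tight window the report describes.
Outcome replaySequence(bool applyFix, bool navigateBeforeTimerFires) {
    Frame frame;
    DocumentLoader loader(&frame, applyFix);
    IconLoader iconLoader(loader, "https://example.test/favicon.ico");   // constructed URL
    PendingCallbacks timer;
    iconLoader.attachToCachedResource(timer);
    if (navigateBeforeTimerFires)
        loader.detachFromFrame();
    Outcome result = Outcome::Delivered;
    for (auto& callback : timer) result = callback();   // step 10: the timer fires
    return result;
}
```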
