[Webkit-unassigned] [Bug 170114] New: Crash in WebCore::DocumentLoader::popArchiveForSubframe

bugzilla-daemon at webkit.org
Mon Mar 27 03:29:05 PDT 2017


https://bugs.webkit.org/show_bug.cgi?id=170114

            Bug ID: 170114
           Summary: Crash in
                    WebCore::DocumentLoader::popArchiveForSubframe
           Product: WebKit
           Version: WebKit Local Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Frames
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: buchob7 at yahoo.co.jp

CODE:

[main.html]
<!DOCTYPE html>
<html>
<head>
        <title></title>
        <script>

                function boom()
                {
                        document.getElementById("form").reset();
                        setInterval(function () { document.write(document.body.innerHTML); }, ( Math.random() * ( ( 40 + 1 ) - 0 ) ) + 0);
                }
                window.addEventListener("DOMContentLoaded",boom);
        </script>
</head>
<body>
        <form id="form">
                <form>
                        <iframe id="ifr1" src="data:text/html;base64,PGh0bWw+DQo8aGVhZD4NCgk8c2NyaXB0Pg0KDQoJCWZ1bmN0aW9uIERvKCkNCgkJew0KCQkJZG9jdW1lbnQud3JpdGUoImNyYXNoPyIpOw0KCQkJd2luZG93LnN0b3AoKTsNCgkJfQ0KDQoJPC9zY3JpcHQ+DQo8L2hlYWQ+DQo8Ym9keSBvbmxvYWQ9IkRvKCkiPg0KDQo8L2JvZHk+DQo8L2h0bWw+"></iframe> //child.html
                </form>
        </form>

        <script>
                setInterval(function () { document.write(document.body.innerHTML); }, ( Math.random() * ( ( 40 + 1 ) - 0 ) ) + 0);
                document.getElementById("form").submit();
        </script>
</body>
</html>

[child.html]
<html>
<head>
        <script>

                function Do()
                {
                        document.write("crash?");
                        window.stop();
                }

        </script>
</head>
<body onload="Do()">

</body>
</html>


Null Crash.(?)



LLDB LOG:

* thread #1: tid = 0x20a2b, 0x00007fff9d589a49 WebCore`WebCore::DocumentLoader::popArchiveForSubframe(WTF::String const&, WebCore::URL const&) + 9, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x9e0)
    frame #0: 0x00007fff9d589a49 WebCore`WebCore::DocumentLoader::popArchiveForSubframe(WTF::String const&, WebCore::URL const&) + 9
WebCore`WebCore::DocumentLoader::popArchiveForSubframe:
->  0x7fff9d589a49 <+9>:  movq   0x9e0(%rsi), %rsi
    0x7fff9d589a50 <+16>: testq  %rsi, %rsi
    0x7fff9d589a53 <+19>: je     0x7fff9d589a5f            ; <+31>
    0x7fff9d589a55 <+21>: movq   %rbx, %rdi
(lldb) reg re
General Purpose Registers:
       rax = 0x00000001099ad0f0
       rbx = 0x00007fff5a2071c0
       rcx = 0x00007fff5a207600
       rdx = 0x00000001098463d8
       rdi = 0x00007fff5a2071c0
       rsi = 0x0000000000000000
       rbp = 0x00007fff5a207070
       rsp = 0x00007fff5a207060
        r8 = 0x000000010a1f58c0
        r9 = 0x0000000000000000
       r10 = 0x0000000000000001
       r11 = 0x0000000000000073
       r12 = 0x00000001099ad090
       r13 = 0x00000001098463d8
       r14 = 0x00007fff5a207598
       r15 = 0x0000000109846380
       rip = 0x00007fff9d589a49  WebCore`WebCore::DocumentLoader::popArchiveForSubframe(WTF::String const&, WebCore::URL const&) + 9
    rflags = 0x0000000000010246
        cs = 0x000000000000002b
        fs = 0x0000000000000000
        gs = 0x0000000000000000

(lldb) bt
* thread #1: tid = 0x20a2b, 0x00007fff9d589a49 WebCore`WebCore::DocumentLoader::popArchiveForSubframe(WTF::String const&, WebCore::URL const&) + 9, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x9e0)
  * frame #0: 0x00007fff9d589a49 WebCore`WebCore::DocumentLoader::popArchiveForSubframe(WTF::String const&, WebCore::URL const&) + 9
    frame #1: 0x00007fff9d6ca65f WebCore`WebCore::FrameLoader::loadURLIntoChildFrame(WebCore::URL const&, WTF::String const&, WebCore::Frame*) + 95
    frame #2: 0x00007fff9e6198a2 WebKit`WebKit::WebFrameLoaderClient::createFrame(WebCore::URL const&, WTF::String const&, WebCore::HTMLFrameOwnerElement*, WTF::String const&, bool, int, int) + 120
    frame #3: 0x00007fff9dfa558e WebCore`WebCore::SubframeLoader::loadSubframe(WebCore::HTMLFrameOwnerElement&, WebCore::URL const&, WTF::String const&, WTF::String const&) + 302
    frame #4: 0x00007fff9dfa4493 WebCore`WebCore::SubframeLoader::loadOrRedirectSubframe(WebCore::HTMLFrameOwnerElement&, WebCore::URL const&, WTF::AtomicString const&, WebCore::LockHistory, WebCore::LockBackForwardList) + 291
    frame #5: 0x00007fff9dfa42d7 WebCore`WebCore::SubframeLoader::requestFrame(WebCore::HTMLFrameOwnerElement&, WTF::String const&, WTF::AtomicString const&, WebCore::LockHistory, WebCore::LockBackForwardList) + 951
    frame #6: 0x00007fff9d757c6b WebCore`WebCore::HTMLFrameElementBase::openURL(WebCore::LockHistory, WebCore::LockBackForwardList) + 187
    frame #7: 0x00007fff9d46d72c WebCore`WebCore::ContainerNode::notifyChildInserted(WebCore::Node&, WebCore::ContainerNode::ChildChangeSource) + 332
    frame #8: 0x00007fff9d46c9a5 WebCore`WebCore::ContainerNode::parserAppendChild(WebCore::Node&) + 165
    frame #9: 0x00007fff9d0fd14d WebCore`WebCore::HTMLConstructionSite::executeQueuedTasks() + 141
    frame #10: 0x00007fff9d743db6 WebCore`WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) + 166
    frame #11: 0x00007fff9d743bdc WebCore`WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) + 508
    frame #12: 0x00007fff9d0fb293 WebCore`WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 115
    frame #13: 0x00007fff9d1a47d2 WebCore`WebCore::HTMLDocumentParser::insert(WebCore::SegmentedString const&) + 146
    frame #14: 0x00007fff9d21e9f2 WebCore`WebCore::Document::write(WebCore::SegmentedString const&, WebCore::Document*) + 146
    frame #15: 0x00007fff9d9cc737 WebCore`WebCore::documentWrite(JSC::ExecState&, WebCore::JSHTMLDocument*, WebCore::NewlineRequirement) + 999
    frame #16: 0x00007fff9d9cc344 WebCore`WebCore::JSHTMLDocument::write(JSC::ExecState&) + 20
    frame #17: 0x00005a91e5c01028
    frame #18: 0x00007fff98d96595 JavaScriptCore`llint_entry + 24967
    frame #19: 0x00007fff98d9022b JavaScriptCore`vmEntryToJavaScript + 299
    frame #20: 0x00007fff98c55e0e JavaScriptCore`JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 158
    frame #21: 0x00007fff9858d5ec JavaScriptCore`JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 412
    frame #22: 0x00007fff988a2e4f JavaScriptCore`JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 191
    frame #23: 0x00007fff9de8903f WebCore`WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue, WebCore::ScriptExecutionContext&) + 575
    frame #24: 0x00007fff9de88c66 WebCore`WebCore::ScheduledAction::execute(WebCore::Document&) + 134
    frame #25: 0x00007fff9d1fc63c WebCore`WebCore::DOMTimer::fired() + 332
    frame #26: 0x00007fff9d0db120 WebCore`WebCore::ThreadTimers::sharedTimerFiredInternal() + 176
    frame #27: 0x00007fff9d0db05f WebCore`WebCore::timerFired(__CFRunLoopTimer*, void*) + 31
    frame #28: 0x00007fff960e9244 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
    frame #29: 0x00007fff960e8ecf CoreFoundation`__CFRunLoopDoTimer + 1071
    frame #30: 0x00007fff960e8a2a CoreFoundation`__CFRunLoopDoTimers + 298
    frame #31: 0x00007fff960e03e1 CoreFoundation`__CFRunLoopRun + 2065
    frame #32: 0x00007fff960df974 CoreFoundation`CFRunLoopRunSpecific + 420
    frame #33: 0x00007fff9566ba5c HIToolbox`RunCurrentEventLoopInMode + 240
    frame #34: 0x00007fff9566b891 HIToolbox`ReceiveNextEventCommon + 432
    frame #35: 0x00007fff9566b6c6 HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 71
    frame #36: 0x00007fff93c115b4 AppKit`_DPSNextEvent + 1120
    frame #37: 0x00007fff9438bd6b AppKit`-[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 2789
    frame #38: 0x00007fff93c05f35 AppKit`-[NSApplication run] + 926
    frame #39: 0x00007fff93bd0850 AppKit`NSApplicationMain + 1237
    frame #40: 0x00007fffab89b8c7 libxpc.dylib`_xpc_objc_main + 775
    frame #41: 0x00007fffab89a2e4 libxpc.dylib`xpc_main + 494
    frame #42: 0x00000001059f67a2 com.apple.WebKit.WebContent`___lldb_unnamed_symbol1$$com.apple.WebKit.WebContent + 380
    frame #43: 0x00007fffab637255 libdyld.dylib`start + 1
(lldb)

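An added triage helper, not part of the bug report or of WebKit, that checks the reporter's "Null Crash.(?)" guess mechanically: it parses the lldb stop line, the instruction marked with "->", and the register dump, recomputes the faulting instruction's effective address (here 0x9e0(%rsi) with rsi = 0), and compares it with the EXC_BAD_ACCESS address. The LLDB_LOG string is a constructed excerpt of the session above; the 64 KiB near-null threshold is an assumption of this script, as is the AT&T operand syntax lldb uses on macOS. It generalises beyond this crash to any disp(base,index,scale) operand.

```python
"""Classify an lldb EXC_BAD_ACCESS stop as a null-pointer dereference (or not)
by recomputing the effective address of the faulting instruction.
Added example for the WebKit bug 170114 report; not WebKit's own code."""
import re

# Constructed excerpt of the lldb session from the report: the stop line,
# the faulting instruction (marked "->") and part of the register dump.
LLDB_LOG = """\
* thread #1: tid = 0x20a2b, 0x00007fff9d589a49 WebCore`WebCore::DocumentLoader::popArchiveForSubframe(WTF::String const&, WebCore::URL const&) + 9, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x9e0)
WebCore`WebCore::DocumentLoader::popArchiveForSubframe:
->  0x7fff9d589a49 <+9>:  movq   0x9e0(%rsi), %rsi
    0x7fff9d589a50 <+16>: testq  %rsi, %rsi
(lldb) reg re
General Purpose Registers:
       rax = 0x00000001099ad0f0
       rbx = 0x00007fff5a2071c0
       rdi = 0x00007fff5a2071c0
       rsi = 0x0000000000000000
       rip = 0x00007fff9d589a49  WebCore`WebCore::DocumentLoader::popArchiveForSubframe(WTF::String const&, WebCore::URL const&) + 9
"""

STOP_RE = re.compile(r"stop reason = (\S+) \(code=(\d+), address=0x([0-9a-fA-F]+)\)")
INSN_RE = re.compile(r"^->\s+0x[0-9a-fA-F]+\s*<\+\d+>:\s+(\w+)\s+(.*?)\s*$", re.M)
REG_RE = re.compile(r"^\s*([a-z0-9]+)\s*=\s*0x([0-9a-fA-F]+)", re.M)
# AT&T memory operand: disp(base,index,scale) with disp, index and scale optional.
MEM_RE = re.compile(r"(-?0x[0-9a-fA-F]+|-?\d+)?\((%[a-z0-9]+)(?:,\s*(%[a-z0-9]+)(?:,\s*(\d+))?)?\)")

# Assumption: a fault inside the first 64 KiB is treated as a null-page access.
NEAR_NULL_LIMIT = 0x10000


def parse_registers(log):
    """Map register names to integer values from an lldb 'register read' dump."""
    return {name: int(value, 16) for name, value in REG_RE.findall(log)}


def parse_stop(log):
    """Return (reason, code, fault_address) from the lldb stop line."""
    m = STOP_RE.search(log)
    if not m:
        raise ValueError("no lldb stop reason found")
    return m.group(1), int(m.group(2)), int(m.group(3), 16)


def faulting_instruction(log):
    """Return (mnemonic, operands) of the instruction lldb marks with '->'."""
    m = INSN_RE.search(log)
    if not m:
        raise ValueError("no '->' marked instruction found")
    return m.group(1), m.group(2)


def effective_address(operands, regs):
    """Return (address, base_register_name) for the first memory operand, or None."""
    m = MEM_RE.search(operands)
    if not m:
        return None
    disp, base, index, scale = m.groups()
    base = base.lstrip("%")
    if base not in regs:
        raise ValueError("base register %s missing from register dump" % base)
    addr = (int(disp, 0) if disp else 0) + regs[base]
    if index:
        addr += regs[index.lstrip("%")] * int(scale or 1)
    return addr & 0xFFFFFFFFFFFFFFFF, base


def triage(log):
    """Combine stop reason, registers and disassembly into a verdict dict."""
    reason, code, fault_addr = parse_stop(log)
    regs = parse_registers(log)
    mnemonic, operands = faulting_instruction(log)
    result = {"reason": reason, "code": code, "fault_address": fault_addr,
              "mnemonic": mnemonic, "operands": operands,
              "effective_address": None, "base_register": None,
              "matches_fault": False, "verdict": "unclassified"}
    ea = effective_address(operands, regs)
    if ea is None:
        return result
    addr, base = ea
    result.update(effective_address=addr, base_register=base,
                  base_value=regs[base], matches_fault=(addr == fault_addr))
    if addr == fault_addr and regs[base] == 0 and addr < NEAR_NULL_LIMIT:
        # Base pointer is NULL; the fault address is just the field offset.
        result["verdict"] = "null-pointer dereference"
    elif addr < NEAR_NULL_LIMIT:
        result["verdict"] = "near-null access"
    else:
        result["verdict"] = "wild or attacker-influenced pointer (needs further analysis)"
    return result


if __name__ == "__main__":
    for key, value in triage(LLDB_LOG).items():
        print("%-18s %s" % (key, hex(value) if isinstance(value, int) and not isinstance(value, bool) else value))
```

The verdict matters for severity: a fault whose effective address equals the base register's displacement with the base register zero is a plain NULL dereference (denial of service in the content process), whereas a large or register-dependent fault address would call for a closer look at where the pointer value came from.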