[Webkit-unassigned] [Bug 170114] New: Crash in WebCore::DocumentLoader::popArchiveForSubframe
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Mon Mar 27 03:29:05 PDT 2017
https://bugs.webkit.org/show_bug.cgi?id=170114
Bug ID: 170114
Summary: Crash in
WebCore::DocumentLoader::popArchiveForSubframe
Product: WebKit
Version: WebKit Local Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Frames
Assignee: webkit-unassigned at lists.webkit.org
Reporter: buchob7 at yahoo.co.jp
CODE:
[main.html]
<!DOCTYPE html>
<html>
<head>
<title></title>
<script>
function boom()
{
document.getElementById("form").reset();
setInterval(function () { document.write(document.body.innerHTML); }, ( Math.random() * ( ( 40 + 1 ) - 0 ) ) + 0);
}
window.addEventListener("DOMContentLoaded",boom);
</script>
</head>
<body>
<form id="form">
<form>
<iframe id="ifr1" src="data:text/html;base64,PGh0bWw+DQo8aGVhZD4NCgk8c2NyaXB0Pg0KDQoJCWZ1bmN0aW9uIERvKCkNCgkJew0KCQkJZG9jdW1lbnQud3JpdGUoImNyYXNoPyIpOw0KCQkJd2luZG93LnN0b3AoKTsNCgkJfQ0KDQoJPC9zY3JpcHQ+DQo8L2hlYWQ+DQo8Ym9keSBvbmxvYWQ9IkRvKCkiPg0KDQo8L2JvZHk+DQo8L2h0bWw+"></iframe> //child.html
</form>
</form>
<script>
setInterval(function () { document.write(document.body.innerHTML); }, ( Math.random() * ( ( 40 + 1 ) - 0 ) ) + 0);
document.getElementById("form").submit();
</script>
</body>
</html>
[child.html]
<html>
<head>
<script>
function Do()
{
document.write("crash?");
window.stop();
}
</script>
</head>
<body onload="Do()">
</body>
</html>
Null Crash.(?)
LLDB LOG:
* thread #1: tid = 0x20a2b, 0x00007fff9d589a49 WebCore`WebCore::DocumentLoader::popArchiveForSubframe(WTF::String const&, WebCore::URL const&) + 9, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x9e0)
frame #0: 0x00007fff9d589a49 WebCore`WebCore::DocumentLoader::popArchiveForSubframe(WTF::String const&, WebCore::URL const&) + 9
WebCore`WebCore::DocumentLoader::popArchiveForSubframe:
-> 0x7fff9d589a49 <+9>: movq 0x9e0(%rsi), %rsi
0x7fff9d589a50 <+16>: testq %rsi, %rsi
0x7fff9d589a53 <+19>: je 0x7fff9d589a5f ; <+31>
0x7fff9d589a55 <+21>: movq %rbx, %rdi
(lldb) reg re
General Purpose Registers:
rax = 0x00000001099ad0f0
rbx = 0x00007fff5a2071c0
rcx = 0x00007fff5a207600
rdx = 0x00000001098463d8
rdi = 0x00007fff5a2071c0
rsi = 0x0000000000000000
rbp = 0x00007fff5a207070
rsp = 0x00007fff5a207060
r8 = 0x000000010a1f58c0
r9 = 0x0000000000000000
r10 = 0x0000000000000001
r11 = 0x0000000000000073
r12 = 0x00000001099ad090
r13 = 0x00000001098463d8
r14 = 0x00007fff5a207598
r15 = 0x0000000109846380
rip = 0x00007fff9d589a49 WebCore`WebCore::DocumentLoader::popArchiveForSubframe(WTF::String const&, WebCore::URL const&) + 9
rflags = 0x0000000000010246
cs = 0x000000000000002b
fs = 0x0000000000000000
gs = 0x0000000000000000
(lldb) bt
* thread #1: tid = 0x20a2b, 0x00007fff9d589a49 WebCore`WebCore::DocumentLoader::popArchiveForSubframe(WTF::String const&, WebCore::URL const&) + 9, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x9e0)
* frame #0: 0x00007fff9d589a49 WebCore`WebCore::DocumentLoader::popArchiveForSubframe(WTF::String const&, WebCore::URL const&) + 9
frame #1: 0x00007fff9d6ca65f WebCore`WebCore::FrameLoader::loadURLIntoChildFrame(WebCore::URL const&, WTF::String const&, WebCore::Frame*) + 95
frame #2: 0x00007fff9e6198a2 WebKit`WebKit::WebFrameLoaderClient::createFrame(WebCore::URL const&, WTF::String const&, WebCore::HTMLFrameOwnerElement*, WTF::String const&, bool, int, int) + 120
frame #3: 0x00007fff9dfa558e WebCore`WebCore::SubframeLoader::loadSubframe(WebCore::HTMLFrameOwnerElement&, WebCore::URL const&, WTF::String const&, WTF::String const&) + 302
frame #4: 0x00007fff9dfa4493 WebCore`WebCore::SubframeLoader::loadOrRedirectSubframe(WebCore::HTMLFrameOwnerElement&, WebCore::URL const&, WTF::AtomicString const&, WebCore::LockHistory, WebCore::LockBackForwardList) + 291
frame #5: 0x00007fff9dfa42d7 WebCore`WebCore::SubframeLoader::requestFrame(WebCore::HTMLFrameOwnerElement&, WTF::String const&, WTF::AtomicString const&, WebCore::LockHistory, WebCore::LockBackForwardList) + 951
frame #6: 0x00007fff9d757c6b WebCore`WebCore::HTMLFrameElementBase::openURL(WebCore::LockHistory, WebCore::LockBackForwardList) + 187
frame #7: 0x00007fff9d46d72c WebCore`WebCore::ContainerNode::notifyChildInserted(WebCore::Node&, WebCore::ContainerNode::ChildChangeSource) + 332
frame #8: 0x00007fff9d46c9a5 WebCore`WebCore::ContainerNode::parserAppendChild(WebCore::Node&) + 165
frame #9: 0x00007fff9d0fd14d WebCore`WebCore::HTMLConstructionSite::executeQueuedTasks() + 141
frame #10: 0x00007fff9d743db6 WebCore`WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) + 166
frame #11: 0x00007fff9d743bdc WebCore`WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) + 508
frame #12: 0x00007fff9d0fb293 WebCore`WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 115
frame #13: 0x00007fff9d1a47d2 WebCore`WebCore::HTMLDocumentParser::insert(WebCore::SegmentedString const&) + 146
frame #14: 0x00007fff9d21e9f2 WebCore`WebCore::Document::write(WebCore::SegmentedString const&, WebCore::Document*) + 146
frame #15: 0x00007fff9d9cc737 WebCore`WebCore::documentWrite(JSC::ExecState&, WebCore::JSHTMLDocument*, WebCore::NewlineRequirement) + 999
frame #16: 0x00007fff9d9cc344 WebCore`WebCore::JSHTMLDocument::write(JSC::ExecState&) + 20
frame #17: 0x00005a91e5c01028
frame #18: 0x00007fff98d96595 JavaScriptCore`llint_entry + 24967
frame #19: 0x00007fff98d9022b JavaScriptCore`vmEntryToJavaScript + 299
frame #20: 0x00007fff98c55e0e JavaScriptCore`JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 158
frame #21: 0x00007fff9858d5ec JavaScriptCore`JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 412
frame #22: 0x00007fff988a2e4f JavaScriptCore`JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 191
frame #23: 0x00007fff9de8903f WebCore`WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue, WebCore::ScriptExecutionContext&) + 575
frame #24: 0x00007fff9de88c66 WebCore`WebCore::ScheduledAction::execute(WebCore::Document&) + 134
frame #25: 0x00007fff9d1fc63c WebCore`WebCore::DOMTimer::fired() + 332
frame #26: 0x00007fff9d0db120 WebCore`WebCore::ThreadTimers::sharedTimerFiredInternal() + 176
frame #27: 0x00007fff9d0db05f WebCore`WebCore::timerFired(__CFRunLoopTimer*, void*) + 31
frame #28: 0x00007fff960e9244 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
frame #29: 0x00007fff960e8ecf CoreFoundation`__CFRunLoopDoTimer + 1071
frame #30: 0x00007fff960e8a2a CoreFoundation`__CFRunLoopDoTimers + 298
frame #31: 0x00007fff960e03e1 CoreFoundation`__CFRunLoopRun + 2065
frame #32: 0x00007fff960df974 CoreFoundation`CFRunLoopRunSpecific + 420
frame #33: 0x00007fff9566ba5c HIToolbox`RunCurrentEventLoopInMode + 240
frame #34: 0x00007fff9566b891 HIToolbox`ReceiveNextEventCommon + 432
frame #35: 0x00007fff9566b6c6 HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 71
frame #36: 0x00007fff93c115b4 AppKit`_DPSNextEvent + 1120
frame #37: 0x00007fff9438bd6b AppKit`-[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 2789
frame #38: 0x00007fff93c05f35 AppKit`-[NSApplication run] + 926
frame #39: 0x00007fff93bd0850 AppKit`NSApplicationMain + 1237
frame #40: 0x00007fffab89b8c7 libxpc.dylib`_xpc_objc_main + 775
frame #41: 0x00007fffab89a2e4 libxpc.dylib`xpc_main + 494
frame #42: 0x00000001059f67a2 com.apple.WebKit.WebContent`___lldb_unnamed_symbol1$$com.apple.WebKit.WebContent + 380
frame #43: 0x00007fffab637255 libdyld.dylib`start + 1
(lldb)
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20170327/50109828/attachment.html>
More information about the webkit-unassigned
mailing list