[Webkit-unassigned] [Bug 186081] New: REGRESSION(r216119): DocumentLoader::detachFromFrame still encounters nullptr frame

Tue May 29 21:09:31 PDT 2018

https://bugs.webkit.org/show_bug.cgi?id=186081

            Bug ID: 186081
           Summary: REGRESSION(r216119): DocumentLoader::detachFromFrame
                    still encounters nullptr frame
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: bfulgham at webkit.org

In Bug 171604, we removed a nullptr check that we deemed unnecessary due to reentrancy checks and assertions that confirmed that the current frame is valid.

However, long term monitoring of crash data indicates that we are still encountering nullptr frames in this call stack.

It's unclear if PolicyChecker::stopCheck() can cause m_frame to be nulled out somehow. Since m_frame is Ref’d in this method, it doesn’t seem like FrameDestructionObserver could be causing this.

Could one of these be happening?
(1) DocumentLoader is being told to observe a different frame?
(2) DocumentLoader is being destroyed, which would set m_frame to nullptr?

We should put the nullptr check back, and add additional assertions to help catch this case in the wild.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180530/b9b1820e/attachment.html>