[Webkit-unassigned] [Bug 196479] New: Nullptr crash in Document::open after calling policyChecker().stopCheck()
bugzilla-daemon at webkit.org
Mon Apr 1 20:25:22 PDT 2019
https://bugs.webkit.org/show_bug.cgi?id=196479
Bug ID: 196479
Summary: Nullptr crash in Document::open after calling policyChecker().stopCheck()
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Keywords: InRadar
Severity: Normal
Priority: P2
Component: DOM
Assignee: webkit-unassigned at lists.webkit.org
Reporter: rniwa at webkit.org
WebCore`WebCore::Document::open(WebCore::Document*) + 210 at Document.cpp:2647
2643 }
2644
2645 if (m_frame->loader().policyChecker().delegateIsDecidingNavigationPolicy())
2646 m_frame->loader().policyChecker().stopCheck();
-> 2647 if (m_frame->loader().state() == FrameStateProvisional)
2648 m_frame->loader().stopAllLoaders();
2649 }
2650
2651 removeAllEventListeners();
We can hit a nullptr crash here because m_frame->loader().policyChecker().stopCheck() invokes m_willSubmitFormCompletionHandlers, and that could clear the frame, etc...
<rdar://problem/48883397>
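The sequence the report describes, as an added C++ model that is not part of the bug report and not WebKit code: a completion handler run from stopCheck() detaches the document from its frame while open() is still on the stack, and the very next statement dereferences m_frame. The class and member names mirror the quoted snippet, but the classes are toy stand-ins that keep only what the reported call sequence touches; the hardened variant that re-checks m_frame after the re-entrant call is an assumption about a fix, since the report does not say how the crash was resolved.

```cpp
// Constructed model of the re-entrancy hazard in the report (not WebKit code).
// The names mirror the quoted snippet; the classes are toy stand-ins that keep
// only the members the reported call sequence touches.
#include <cstdio>
#include <functional>
#include <utility>
#include <vector>

enum FrameState { FrameStateProvisional, FrameStateComplete };
enum class OpenOutcome { Completed, WouldDereferenceNull, BailedOut };

// Stand-in for the policy checker: stopCheck() drains the pending completion
// handlers, so arbitrary client code runs before control returns to open().
struct PolicyChecker {
    std::vector<std::function<void()>> m_willSubmitFormCompletionHandlers;

    bool delegateIsDecidingNavigationPolicy() const {
        return !m_willSubmitFormCompletionHandlers.empty();
    }
    void stopCheck() {
        auto handlers = std::move(m_willSubmitFormCompletionHandlers);
        m_willSubmitFormCompletionHandlers.clear();
        for (auto& handler : handlers)
            handler();   // may detach the document from its frame
    }
};

struct FrameLoader {
    PolicyChecker m_policyChecker;
    FrameState m_state = FrameStateProvisional;
    int m_stopAllLoadersCalls = 0;

    PolicyChecker& policyChecker() { return m_policyChecker; }
    FrameState state() const { return m_state; }
    void stopAllLoaders() { ++m_stopAllLoadersCalls; }
};

struct Frame {
    FrameLoader m_loader;
    FrameLoader& loader() { return m_loader; }
};

struct Document {
    Frame* m_frame = nullptr;   // nulled when the document is detached from its frame

    // Same statement order as the report's snippet. The dereference after
    // stopCheck() is instrumented so the model reports it instead of faulting.
    OpenOutcome openAsReported() {
        if (m_frame->loader().policyChecker().delegateIsDecidingNavigationPolicy())
            m_frame->loader().policyChecker().stopCheck();   // re-entrancy point
        if (!m_frame)
            return OpenOutcome::WouldDereferenceNull;   // the real code faults here
        if (m_frame->loader().state() == FrameStateProvisional)
            m_frame->loader().stopAllLoaders();
        return OpenOutcome::Completed;
    }

    // Hardened variant (an assumption: the report does not say how it was
    // fixed): re-validate m_frame after any call that can run client code,
    // and bail out if the handler detached the document.
    OpenOutcome openRechecked() {
        if (m_frame->loader().policyChecker().delegateIsDecidingNavigationPolicy())
            m_frame->loader().policyChecker().stopCheck();
        if (!m_frame)
            return OpenOutcome::BailedOut;
        if (m_frame->loader().state() == FrameStateProvisional)
            m_frame->loader().stopAllLoaders();
        return OpenOutcome::Completed;
    }
};

// Builds a document whose frame has one pending completion handler; when
// handlerDetachesFrame is true that handler clears m_frame while stopCheck()
// is still on the stack, which is the sequence the report describes.
OpenOutcome run(OpenOutcome (Document::*open)(), bool handlerDetachesFrame) {
    Frame frame;
    Document document;
    document.m_frame = &frame;
    frame.loader().policyChecker().m_willSubmitFormCompletionHandlers.push_back([&] {
        if (handlerDetachesFrame)
            document.m_frame = nullptr;
    });
    return (document.*open)();
}

int main() {
    bool reproduced = run(&Document::openAsReported, true) == OpenOutcome::WouldDereferenceNull;
    bool hardened = run(&Document::openRechecked, true) == OpenOutcome::BailedOut;
    std::printf("reproduced=%d hardened=%d\n", reproduced, hardened);
    return reproduced && hardened ? 0 : 1;
}
```

The general check this models: any call that can drain completion handlers, fire events, or otherwise run client code is a re-entrancy point, and every member pointer read after it must be re-validated (or protected by a strong reference taken before the call) rather than assumed to still hold what it held before.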