[Webkit-unassigned] [Bug 273703] [WPE] Crash on WebCore::FrameLoader::effectiveReferrerPolicy() after 274396 at main with GCC 12.3.0 on ARM64 with -O3 (early-inlining-insns=14)
bugzilla-daemon at webkit.org
Fri May 3 12:14:09 PDT 2024
https://bugs.webkit.org/show_bug.cgi?id=273703
--- Comment #1 from Carlos Alberto Lopez Perez <clopez at igalia.com> ---
Some info about the crash that I debugged with a few printfs ...
- On the backtrace above, the crash inside the function "WebCore::FrameLoader::effectiveReferrerPolicy()" happens exactly when doing the downcast of m_frame->opener()
In this line exactly:
RefPtr opener = dynamicDowncast<LocalFrame>(m_frame->opener()))
Note: "m_frame->opener()" is not null (I checked it)
If I comment out that code and simply return "ReferrerPolicy::Default" there, then the same crash happens later at WebCore::Document::initSecurityContext()
exactly here:
// If we do not obtain a meaningful origin from the URL, then we try to
// find one via the frame hierarchy.
RefPtr parentFrame = m_frame->tree().parent();
RefPtr openerFrame = dynamicDowncast<LocalFrame>(m_frame->opener()); // <--- here it crashes, again when trying to call "dynamicDowncast<LocalFrame>(m_frame->opener())", which is basically the same crash as previously (note: I checked that "m_frame->opener()" is not null)
RefPtr ownerFrame = dynamicDowncast<LocalFrame>(parentFrame.get());
So I'm not sure what is going on and/or whether this is a valid bug or a crash caused by a bug in the compiler itself.
I have a workaround that ensures this file does not build with a value of "early-inlining-insns" higher than what is enabled for -O2 ... so I will propose that patch for now.
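The crash site discussed in the comment above is a checked downcast of the opener frame. As an added example, not WebKit's own code, the block below models that pattern in a self-contained form: a Frame base with LocalFrame and RemoteFrame subclasses, a per-class is<T>() predicate, and a dynamicDowncast<T>() that returns nullptr for a null pointer or a type mismatch and a static_cast otherwise. The names Frame, LocalFrame, RemoteFrame, opener(), is<T>(), dynamicDowncast<T>() and effectiveReferrerPolicy() are simplified stand-ins written for this example, not the WebCore definitions. It shows why "the opener is not null" does not by itself make the downcast result non-null: a non-null RemoteFrame opener still yields nullptr, and the fallback to ReferrerPolicy::Default is the expected path in that case.

```cpp
// Added example (not WebKit code): a self-contained model of the
// dynamicDowncast<LocalFrame>(m_frame->opener()) pattern from the comment.
// Frame, LocalFrame, RemoteFrame, opener(), is<T>() and dynamicDowncast<T>()
// are simplified stand-ins for the WebCore types, written for this example.
#include <cassert>
#include <cstddef>

namespace model {

enum class ReferrerPolicy { Default, NoReferrer, StrictOrigin };

class Frame {
public:
    enum class Type { Local, Remote };
    explicit Frame(Type type) : m_type(type) {}
    virtual ~Frame() = default;
    Type frameType() const { return m_type; }
    Frame* opener() const { return m_opener; }
    void setOpener(Frame* opener) { m_opener = opener; }
private:
    Type m_type;
    Frame* m_opener { nullptr };
};

// A frame whose document lives in this process: carries a referrer policy.
class LocalFrame : public Frame {
public:
    explicit LocalFrame(ReferrerPolicy policy) : Frame(Type::Local), m_policy(policy) {}
    ReferrerPolicy referrerPolicy() const { return m_policy; }
private:
    ReferrerPolicy m_policy;
};

// A frame hosted in another process (site isolation): no local document.
class RemoteFrame : public Frame {
public:
    RemoteFrame() : Frame(Type::Remote) {}
};

// Type predicates, one per concrete class (the stand-in for WebKit's is<T>()).
template<typename T> bool is(const Frame&);
template<> bool is<LocalFrame>(const Frame& f) { return f.frameType() == Frame::Type::Local; }
template<> bool is<RemoteFrame>(const Frame& f) { return f.frameType() == Frame::Type::Remote; }

// Checked downcast: nullptr in, nullptr out; nullptr when the dynamic type
// does not match; otherwise a plain static_cast. A non-null input is
// therefore not enough to make the result non-null.
template<typename T> T* dynamicDowncast(Frame* f)
{
    if (!f)
        return nullptr;
    return is<T>(*f) ? static_cast<T*>(f) : nullptr;
}

// Model of the crash site: use the opener's policy only when the opener is a
// LocalFrame, otherwise fall back to ReferrerPolicy::Default.
ReferrerPolicy effectiveReferrerPolicy(const Frame& frame)
{
    if (LocalFrame* opener = dynamicDowncast<LocalFrame>(frame.opener()))
        return opener->referrerPolicy();
    return ReferrerPolicy::Default;
}

} // namespace model

int main()
{
    using namespace model;
    LocalFrame localOpener(ReferrerPolicy::NoReferrer);
    RemoteFrame remoteOpener;

    LocalFrame withLocalOpener(ReferrerPolicy::StrictOrigin);
    withLocalOpener.setOpener(&localOpener);
    assert(effectiveReferrerPolicy(withLocalOpener) == ReferrerPolicy::NoReferrer);

    // Non-null opener, but not a LocalFrame: the downcast yields nullptr.
    LocalFrame withRemoteOpener(ReferrerPolicy::StrictOrigin);
    withRemoteOpener.setOpener(&remoteOpener);
    assert(withRemoteOpener.opener() != nullptr);
    assert(dynamicDowncast<LocalFrame>(withRemoteOpener.opener()) == nullptr);
    assert(effectiveReferrerPolicy(withRemoteOpener) == ReferrerPolicy::Default);

    LocalFrame noOpener(ReferrerPolicy::StrictOrigin);
    assert(effectiveReferrerPolicy(noOpener) == ReferrerPolicy::Default);
    return 0;
}
```

The model uses a stored type tag rather than RTTI so that the type query is a plain field load; in a real tree the predicate may be virtual or read a subclass tag, and that query, not the null check on opener(), is what decides whether the static_cast is taken.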