<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Crash when navigating back to a page in PageCache when one of its frames has been removed"
href="https://bugs.webkit.org/show_bug.cgi?id=167421">167421</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Crash when navigating back to a page in PageCache when one of its frames has been removed
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr>
<tr>
<th>Product</th>
<td>WebKit
</td>
</tr>
<tr>
<th>Version</th>
<td>WebKit Nightly Build
</td>
</tr>
<tr>
<th>Hardware</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>OS</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>Normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P2
</td>
</tr>
<tr>
<th>Component</th>
<td>Page Loading
</td>
</tr>
<tr>
<th>Assignee</th>
<td>webkit-unassigned@lists.webkit.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>cdumez@apple.com
</td>
</tr>
<tr>
<th>CC</th>
<td>ap@webkit.org, beidson@apple.com, bfulgham@webkit.org, darin@apple.com, koivisto@iki.fi, rniwa@webkit.org
</td>
</tr></table>
<p>
<div>
<pre>Crash when navigating back to a page in PageCache when one of its frames has been removed:
// Opener keeps a JS wrapper to the opened window's initial document.
let w = open("about:blank", "one");
let d = w.document;
let f = d.createElement("iframe");
f.src = "http://www.espn.com";
d.body.appendChild(f);
// Navigate the opened window away; its about:blank document goes into PageCache.
let a = d.createElement("a");
a.href = "https://google.com";
a.click();
// Mutate the cached document through the stale wrapper, removing its iframe.
let it = setInterval(() => {
  clearInterval(it);
  d.body.innerHTML = "LOL";
}, 2000);
Wait 3 seconds then navigate back in the newly opened Window (that currently shows google.com). You'll get the following crash:
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000100
Exception Note: EXC_CORPSE_NOTIFY
Termination Signal: Segmentation fault: 11
Termination Reason: Namespace SIGNAL, Code 0xb
Terminating Process: exc handler [0]
Application Specific Information:
This process is running with libgmalloc.dylib (GuardMalloc) which may have forced the crash due to a memory access error.
Bundle controller class:
BrowserBundleController
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.WebCore 0x0000000109e924fe WebCore::CachedFrameBase::restore() + 222 (Page.h:192)
1 com.apple.WebCore 0x000000010a1e9ea5 WebCore::FrameLoader::open(WebCore::CachedFrameBase&) + 789 (utility:753)
2 com.apple.WebCore 0x0000000109e96519 WebCore::CachedPage::restore(WebCore::Page&) + 25 (memory:2701)
3 com.apple.WebCore 0x000000010a1e8637 WebCore::FrameLoader::commitProvisionalLoad() + 775 (Optional.h:366)
4 com.apple.WebCore 0x000000010a1e6a9c WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, bool, WebCore::AllowNavigationToInvalidURL) + 1180 (FrameLoader.cpp:3251)
5 com.apple.WebCore 0x000000010aa5c41d WebCore::PolicyCallback::call(bool) + 61 (functional:1817)
6 com.apple.WebCore 0x000000010aa5d18c WebCore::PolicyChecker::continueAfterNavigationPolicy(WebCore::PolicyAction) + 732 (PolicyCallback.h:47)
7 com.apple.WebKit 0x0000000107d0dbcc WebKit::WebFrame::didReceivePolicyDecision(unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID) + 192 (functional:1766)
8 com.apple.WebKit 0x0000000107d12330 WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction(WebCore::NavigationAction const&, WebCore::ResourceRequest const&, WebCore::FormState*, std::__1::function<void (WebCore::PolicyAction)>) + 1590 (WebFrameLoaderClient.cpp:822)
9 com.apple.WebCore 0x000000010aa5ce11 WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, bool, WebCore::DocumentLoader*, WebCore::FormState*, std::__1::function<void (WebCore::ResourceRequest const&, WebCore::FormState*, bool)>) + 1937 (functional:1766)
10 com.apple.WebCore 0x000000010a1e63d2 WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WebCore::FormState*, WebCore::AllowNavigationToInvalidURL) + 2258 (functional:1766)
11 com.apple.WebCore 0x000000010a1e2489 WebCore::FrameLoader::loadDifferentDocumentItem(WebCore::HistoryItem&, WebCore::FrameLoadType, WebCore::FrameLoader::FormSubmissionCacheLoadPolicy) + 409 (FrameLoader.cpp:3321)
12 com.apple.WebCore 0x000000010a2624df WebCore::HistoryController::goToItem(WebCore::HistoryItem&, WebCore::FrameLoadType) + 207 (HistoryController.cpp:325)
13 com.apple.WebCore 0x000000010aa1514a WebCore::Page::goToItem(WebCore::HistoryItem&, WebCore::FrameLoadType) + 90 (RefCounted.h:98)
14 com.apple.WebKit 0x0000000107d4ca98 WebKit::WebPage::goBack(unsigned long long, unsigned long long) + 54 (MessageSender.h:39)
This is because it is currently possible for an opener to have wrappers to Nodes/Documents in windows that it opened (via window.open) and then for those documents to go into PageCache. Doing DOM mutations on documents that are currently in PageCache is unsupported and will lead to various crashes.</pre>
</div>
</p>
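<p>An added example (not code from the report or from WebKit): the opener-side pattern that avoids this class of problem, tracking the opened document's pagehide/pageshow events and their persisted flag so that the script refuses DOM mutations while that document sits in the back/forward cache. FakeWindow is a constructed stand-in for the real Window so the code runs offline under Node.</p>

```javascript
// Added example, not code from the bug report: an opener-side guard that refuses
// to mutate a document it opened while that document is parked in the back/forward
// cache (WebKit's PageCache); pagehide/pageshow carry persisted=true in that case.
class CachedDocumentGuard {
  constructor(win) {
    this.win = win;
    this.doc = win.document;       // the wrapper the opener keeps hold of
    this.inPageCache = false;
    win.addEventListener("pagehide", (e) => { if (e.persisted) this.inPageCache = true; });
    win.addEventListener("pageshow", (e) => { if (e.persisted) this.inPageCache = false; });
  }
  // The document is safe to touch only if the window is still open, the
  // document is still that window's current document, and it is not cached.
  canMutate() {
    return !this.win.closed && this.win.document === this.doc && !this.inPageCache;
  }
  // Runs `mutation(doc)` only when safe; returns whether it ran.
  mutate(mutation) {
    if (!this.canMutate()) return false;
    mutation(this.doc);
    return true;
  }
}

// Constructed stand-in for a Window so the example runs offline under Node
// (EventTarget and Event are Node globals since v15); pass the real Window in a browser.
class FakeWindow extends EventTarget {
  constructor() { super(); this.closed = false; this.document = { body: { innerHTML: "" } }; }
  fire(type, persisted) { this.dispatchEvent(Object.assign(new Event(type), { persisted })); }
}

// Replays the scenario from the report: mutate, navigate away (document enters
// PageCache), attempt the mutation, navigate back (restored), mutate again,
// then replace the document outright. Returns whether each mutation ran.
function runScenario() {
  const w = new FakeWindow();
  const guard = new CachedDocumentGuard(w);
  const setBody = (doc) => { doc.body.innerHTML = "LOL"; };
  const results = [];
  results.push(guard.mutate(setBody));        // live document: allowed
  w.fire("pagehide", true);                   // navigated elsewhere, document cached
  results.push(guard.mutate(setBody));        // cached document: refused
  w.fire("pageshow", true);                   // navigated back, restored from cache
  results.push(guard.mutate(setBody));        // live again: allowed
  w.document = { body: { innerHTML: "" } };   // window now shows a new document
  results.push(guard.mutate(setBody));        // stale wrapper: refused
  return results;
}
```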
</body>
</html>