Bug 206204

Summary: Nullptr crash in DocumentLoader::clearMainResourceLoader
Product: WebKit Reporter: Pinki Gyanchandani <pgyanchandani>
Component: Page LoadingAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: aakash_jain, achristensen, ap, beidson, bfulgham, cdumez, commit-queue, dbates, ews-feeder, ews-watchlist, japhet, product-security, rniwa, webkit-bot-watchers-bugzilla, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: All   
OS: All   
See Also: https://bugs.webkit.org/show_bug.cgi?id=206304
Bug Depends on: 206306    
Bug Blocks:    
Attachments:
Description Flags
Patch
none
Patch
none
Patch rniwa: review+

Description Pinki Gyanchandani 2020-01-13 16:05:49 PST 
: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x00000002cd8c2000 WebCore::FrameLoader::activeDocumentLoader() const + 16
1   com.apple.WebCore             	0x00000002cd86b77b WebCore::DocumentLoader::clearMainResourceLoader() + 43
2   com.apple.WebCore             	0x00000002cd86d007 WebCore::DocumentLoader::finishedLoading() + 519
3   com.apple.WebCore             	0x00000002cd86cc15 WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&) + 501
4   com.apple.WebCore             	0x00000002cd9b6212 WebCore::CachedResource::checkNotify() + 130
5   com.apple.WebCore             	0x00000002cd9b2184 WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*) + 52
6   com.apple.WebCore             	0x00000002cd9b3434 WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) + 324
7   com.apple.WebCore             	0x00000002cd946616 WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) + 1206
8   com.apple.WebCore             	0x00000002cd93e0c7 auto WebCore::ResourceLoader::loadDataURL()::$_2::operator()<WTF::Optional<WebCore::DataURLDecoder::Result> >(WTF::Optional<WebCore::DataURLDecoder::Result>)::'lambda'()::operator()() + 247
9   com.apple.WebCore             	0x00000002cd93deee WTF::Detail::CallableWrapper<auto WebCore::ResourceLoader::loadDataURL()::$_2::operator()<WTF::Optional<WebCore::DataURLDecoder::Result> >(WTF::Optional<WebCore::DataURLDecoder::Result>)::'lambda'(), void>::call() + 30
10  com.apple.WebCore             	0x00000002ca83b392 WTF::Function<void ()>::operator()() const + 130
11  com.apple.WebCore             	0x00000002ca8a0c7e WTF::CompletionHandler<void ()>::operator()() + 238
12  com.apple.WebCore             	0x00000002cd948504 WebCore::SubresourceLoader::didReceiveResponsePolicy() + 180
13  com.apple.WebCore             	0x00000002cd8a3465 WebCore::DocumentLoader::responseReceived(WebCore::ResourceResponse const&, WTF::CompletionHandler<void ()>&&)::$_3::operator()(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) + 229
14  com.apple.WebCore             	0x00000002cd8a3237 WTF::Detail::CallableWrapper<WebCore::DocumentLoader::responseReceived(WebCore::ResourceResponse const&, WTF::CompletionHandler<void ()>&&)::$_3, void, WebCore::PolicyAction, WebCore::PolicyCheckIdentifier>::call(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) + 103
15  com.apple.WebKit              	0x00000002c1243a88 WTF::Function<void (WebCore::PolicyAction, WebCore::PolicyCheckIdentifier)>::operator()(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) const + 216
16  com.apple.WebKit              	0x00000002c12bde0e WebKit::WebFrame::invalidatePolicyListener() + 286
17  com.apple.WebKit              	0x00000002c1245d79 WebKit::WebFrameLoaderClient::cancelPolicyCheck() + 25
18  com.apple.WebCore             	0x00000002cd9185ec WebCore::PolicyChecker::stopCheck() + 44
19  com.apple.WebCore             	0x00000002cd87436e WebCore::DocumentLoader::cancelPolicyCheckIfNeeded() + 174
20  com.apple.WebCore             	0x00000002cd86c853 WebCore::DocumentLoader::cancelMainResourceLoad(WebCore::ResourceError const&) + 499
21  com.apple.WebCore             	0x00000002cd86bcea WebCore::DocumentLoader::stopLoading() + 1354
22  com.apple.WebCore             	0x00000002cd901d43 WebCore::NavigationScheduler::schedule(std::__1::unique_ptr<WebCore::ScheduledNavigation, std::__1::default_delete<WebCore::ScheduledNavigation> >) + 211
23  com.apple.WebCore             	0x00000002cd902539 WebCore::NavigationScheduler::scheduleLocationChange(WebCore::Document&, WebCore::SecurityOrigin&, WTF::URL const&, WTF::String const&, WebCore::LockHistory, WebCore::LockBackForwardList, WTF::CompletionHandler<void ()>&&) + 1241
24  com.apple.WebCore             	0x00000002cd93248a WebCore::SubframeLoader::loadOrRedirectSubframe(WebCore::HTMLFrameOwnerElement&, WTF::URL const&, WTF::AtomString const&, WebCore::LockHistory, WebCore::LockBackForwardList) + 362
25  com.apple.WebCore             	0x00000002cd931fa0 WebCore::SubframeLoader::requestFrame(WebCore::HTMLFrameOwnerElement&, WTF::String const&, WTF::AtomString const&, WebCore::LockHistory, WebCore::LockBackForwardList) + 560
26  com.apple.WebCore             	0x00000002cd304d13 WebCore::HTMLFrameElementBase::openURL(WebCore::LockHistory, WebCore::LockBackForwardList) + 467
27  com.apple.WebCore             	0x00000002cd304e20 WebCore::HTMLFrameElementBase::setLocation(WTF::String const&) + 192
28  com.apple.WebCore             	0x00000002cd3045e9 WebCore::HTMLFrameElementBase::parseAttribute(WebCore::QualifiedName const&, WTF::AtomString const&) + 105
29  com.apple.WebCore             	0x00000002cd30e846 WebCore::HTMLIFrameElement::parseAttribute(WebCore::QualifiedName const&, WTF::AtomString const&) + 438
30  com.apple.WebCore             	0x00000002ccf63994 WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomString const&, WTF::AtomString const&, WebCore::Element::AttributeModificationReason) + 1156
31  com.apple.WebCore             	0x00000002cd0accdc WebCore::StyledElement::attributeChanged(WebCore::QualifiedName const&, WTF::AtomString const&, WTF::AtomString const&, WebCore::Element::AttributeModificationReason) + 236
32  com.apple.WebCore             	0x00000002ccf6a222 WebCore::Element::didAddAttribute(WebCore::QualifiedName const&, WTF::AtomString const&) + 82
33  com.apple.WebCore             	0x00000002ccf6a173 WebCore::Element::addAttributeInternal(WebCore::QualifiedName const&, WTF::AtomString const&, WebCore::Element::SynchronizationOfLazyAttribute) + 195
34  com.apple.WebCore             	0x00000002ccf63081 WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomString const&, WebCore::Element::SynchronizationOfLazyAttribute) + 129
35  com.apple.WebCore             	0x00000002ccf63485 WebCore::Element::setAttributeWithoutSynchronization(WebCore::QualifiedName const&, WTF::AtomString const&) + 117
36  com.apple.WebCore             	0x00000002cb2ae308 WebCore::setJSHTMLIFrameElementSrcdocSetter(JSC::JSGlobalObject&, WebCore::JSHTMLIFrameElement&, JSC::JSValue, JSC::ThrowScope&)::'lambda'()::operator()() const + 88
37  com.apple.WebCore             	0x00000002cb2ae29d std::__1::enable_if<std::is_same<void, decltype(fp1())>::value, void>::type WebCore::AttributeSetter::call<WebCore::setJSHTMLIFrameElementSrcdocSetter(JSC::JSGlobalObject&, WebCore::JSHTMLIFrameElement&, JSC::JSValue, JSC::ThrowScope&)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::setJSHTMLIFrameElementSrcdocSetter(JSC::JSGlobalObject&, WebCore::JSHTMLIFrameElement&, JSC::JSValue, JSC::ThrowScope&)::'lambda'()&&) + 29
38  com.apple.WebCore             	0x00000002cb2ae249 WebCore::setJSHTMLIFrameElementSrcdocSetter(JSC::JSGlobalObject&, WebCore::JSHTMLIFrameElement&, JSC::JSValue, JSC::ThrowScope&) + 169
39  com.apple.WebCore             	0x00000002cb212384 bool WebCore::IDLAttribute<WebCore::JSHTMLIFrameElement>::set<&(WebCore::setJSHTMLIFrameElementSrcdocSetter(JSC::JSGlobalObject&, WebCore::JSHTMLIFrameElement&, JSC::JSValue, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, long long, long long, char const*) + 324
40  com.apple.WebCore             	0x00000002cb21222c WebCore::setJSHTMLIFrameElementSrcdoc(JSC::JSGlobalObject*, long long, long long) + 44
41  com.apple.JavaScriptCore      	0x00000002e45ae75e JSC::callCustomSetter(JSC::JSGlobalObject*, bool (*)(JSC::JSGlobalObject*, long long, long long), bool, JSC::JSValue, JSC::JSValue) + 190
42  com.apple.JavaScriptCore      	0x00000002e45ae832 JSC::callCustomSetter(JSC::JSGlobalObject*, JSC::JSValue, bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue) + 162
43  com.apple.JavaScriptCore      	0x00000002e47059ee JSC::JSObject::putInlineSlow(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 1566
44  com.apple.JavaScriptCore      	0x00000002e3f51a41 JSC::JSObject::putInlineForJSObject(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 1265
45  com.apple.JavaScriptCore      	0x00000002e3f51508 JSC::JSCell::putInline(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 152
46  com.apple.JavaScriptCore      	0x00000002e3f53463 JSC::JSValue::putInline(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 163
47  com.apple.JavaScriptCore      	0x00000002e435b29c llint_slow_path_put_by_id + 700
48  com.apple.JavaScriptCore      	0x00000002e3575960 llint_entry + 43090
49  com.apple.JavaScriptCore      	0x00000002e35879f1 llint_entry + 116963
50  com.apple.JavaScriptCore      	0x00000002e356aea3 vmEntryToJavaScript + 273
51  com.apple.JavaScriptCore      	0x00000002e424f327 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 199
52  com.apple.JavaScriptCore      	0x00000002e424f976 JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1494
53  com.apple.JavaScriptCore      	0x00000002e453bd09 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 233
54  com.apple.JavaScriptCore      	0x00000002e453bdfa JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 218
55  com.apple.JavaScriptCore      	0x00000002e453c0ee JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 142
56  com.apple.WebCore             	0x00000002cc944c58 WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 136
57  com.apple.WebCore             	0x00000002cc9603d7 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 1927
58  com.apple.WebCore             	0x00000002ccf9f37d WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>, WebCore::EventTarget::EventInvokePhase) + 925
59  com.apple.WebCore             	0x00000002ccf9b614 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) + 356
60  com.apple.WebCore             	0x00000002cd00f942 WebCore::Node::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) + 178
61  com.apple.WebCore             	0x00000002ccf75921 WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const + 193
62  com.apple.WebCore             	0x00000002ccf7641f WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) + 383
63  com.apple.WebCore             	0x00000002ccf75f27 WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 567
64  com.apple.WebCore             	0x00000002cd00f99d WebCore::Node::dispatchEvent(WebCore::Event&) + 29
65  com.apple.WebCore             	0x00000002cda39a45 WebCore::DOMWindow::dispatchLoadEvent() + 485
66  com.apple.WebCore             	0x00000002ccea74f8 WebCore::Document::dispatchWindowLoadEvent() + 136
67  com.apple.WebCore             	0x00000002ccea6fc8 WebCore::Document::implicitClose() + 600
68  com.apple.WebCore             	0x00000002cd8c62cb WebCore::FrameLoader::checkCallImplicitClose() + 155
69  com.apple.WebCore             	0x00000002cd8c5dda WebCore::FrameLoader::checkCompleted() + 442
70  com.apple.WebCore             	0x00000002cd8c41dd WebCore::FrameLoader::finishedParsing() + 285
71  com.apple.WebCore             	0x00000002cceb9bde WebCore::Document::finishedParsing() + 670
72  com.apple.WebCore             	0x00000002cd522398 WebCore::HTMLConstructionSite::finishedParsing() + 24
73  com.apple.WebCore             	0x00000002cd56e767 WebCore::HTMLTreeBuilder::finished() + 263
74  com.apple.WebCore             	0x00000002cd5296d8 WebCore::HTMLDocumentParser::end() + 248
75  com.apple.WebCore             	0x00000002cd527658 WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() + 296
76  com.apple.WebCore             	0x00000002cd527387 WebCore::HTMLDocumentParser::prepareToStopParsing() + 295
77  com.apple.WebCore             	0x00000002cd529742 WebCore::HTMLDocumentParser::attemptToEnd() + 66
78  com.apple.WebCore             	0x00000002cd529819 WebCore::HTMLDocumentParser::finish() + 73
79  com.apple.WebCore             	0x00000002cd86e072 WebCore::DocumentWriter::end() + 386
80  com.apple.WebCore             	0x00000002cd86cfcf WebCore::DocumentLoader::finishedLoading() + 463
81  com.apple.WebCore             	0x00000002cd871df6 WebCore::DocumentLoader::continueAfterContentPolicy(WebCore::PolicyAction) + 1990
82  com.apple.WebCore             	0x00000002cd86eab8 WebCore::DocumentLoader::responseReceived(WebCore::ResourceResponse const&, WTF::CompletionHandler<void ()>&&) + 2248
83  com.apple.WebCore             	0x00000002cd869e85 WebCore::DocumentLoader::handleSubstituteDataLoadNow() + 341
84  com.apple.WebCore             	0x00000002cd899bab WTF::RunLoopTimer<WebCore::DocumentLoader>::fired() + 107
85  com.apple.JavaScriptCore      	0x00000002e314563e WTF::timerFired(__CFRunLoopTimer*, void*) + 46
86  com.apple.CoreFoundation      	0x00007fff3d6cff08 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
87  com.apple.CoreFoundation      	0x00007fff3d6cfa6e __CFRunLoopDoTimer + 872
88  com.apple.CoreFoundation      	0x00007fff3d6cf489 __CFRunLoopDoTimers + 322
89  com.apple.CoreFoundation      	0x00007fff3d6b072d __CFRunLoopRun + 1885
90  com.apple.CoreFoundation      	0x00007fff3d6afd53 CFRunLoopRunSpecific + 466
91  com.apple.Foundation          	0x00007fff3fe19cd7 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 212
92  com.apple.Foundation          	0x00007fff3fe19bf0 -[NSRunLoop(NSRunLoop) run] + 76
93  libxpc.dylib                  	0x00007fff78f41e52 _xpc_objc_main.cold.4 + 49
94  libxpc.dylib                  	0x00007fff78f29e6b _xpc_objc_main + 559
95  libxpc.dylib                  	0x00007fff78f299e5 xpc_main + 377
96  com.apple.WebKit              	0x00000002c0762747 WebKit::XPCServiceMain(int, char const**) + 1303
97  com.apple.WebKit              	0x00000002c175788b WKXPCServiceMain + 27
98  com.apple.WebKit.WebContent   	0x000000010ab91eb2 main + 34
99                   	0x00007fff78cce765 start + 1

[...]

Comment 1 Radar WebKit Bug Importer 2020-01-13 16:07:24 PST 
<rdar://problem/58548455>
Comment 2 Pinki Gyanchandani 2020-01-13 16:51:17 PST 
Created attachment 387592 [details]
Patch
Comment 3 Ryosuke Niwa 2020-01-13 16:57:54 PST 
Comment on attachment 387592 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=387592&action=review

r- because change logs need to be fixed.

> Source/WebCore/ChangeLog:8
> +        No new tests (OOPS!).

Please remove this line but add a description as to what caused the bug & how you're fixing it.

> Source/WebCore/loader/DocumentLoader.cpp:159
> +

Please revert this change.

> Source/WebCore/loader/DocumentLoader.cpp:1273
>  {

Should the caller exit early as well?

> Tools/ChangeLog:8
> +        * WebKitTestRunner/WebKitTestRunner.xcodeproj/xcshareddata/xcschemes/WebKitTestRunner.xcscheme:

Please revert this change log change.

> ChangeLog:8
> +        * WebKit.xcworkspace/xcshareddata/WorkspaceSettings.xcsettings:

Ditto.
Comment 4 Ryosuke Niwa 2020-01-13 17:06:52 PST 
This is not a security bug.
Comment 5 Pinki Gyanchandani 2020-01-14 14:34:11 PST 
Created attachment 387706 [details]
Patch
Comment 6 Ryosuke Niwa 2020-01-14 21:09:18 PST 
Comment on attachment 387706 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=387706&action=review

> Source/WebCore/loader/DocumentLoader.cpp:159
> +

Again, please revert this unnecessary code change.
Comment 7 Alexey Proskuryakov 2020-01-14 22:59:55 PST 
rdar://problem/56968500
Comment 8 Alex Christensen 2020-01-15 10:41:35 PST 
I removed the unneeded space addition and committed this to http://trac.webkit.org/r254576
Comment 9 Aakash Jain 2020-01-15 11:49:39 PST 
(In reply to Alex Christensen from comment #8)
> I removed the unneeded space addition and committed this to http://trac.webkit.org/r254576
Newly added test change-src-during-iframe-load-crash.html seems to be consistently timing out, and slowing down commit-queue. Tracked in https://bugs.webkit.org/show_bug.cgi?id=206304
Comment 10 Aakash Jain 2020-01-15 12:14:39 PST 
The test failure was also indicated by EWS in https://ews-build.webkit.org/#/builders/30/builds/604 and https://ews-build.webkit.org/#/builders/10/builds/3730
Comment 11 WebKit Commit Bot 2020-01-15 12:18:58 PST 
Re-opened since this is blocked by bug 206306
Comment 12 Aakash Jain 2020-01-15 12:21:32 PST 
This also caused http/tests/security/http-0.9/xhr-blocked.html to fail, because of possibly unintended addition of 'asdf'

https://results.webkit.org/?suite=layout-tests&test=http%2Ftests%2Fsecurity%2Fhttp-0.9%2Fxhr-blocked.html
Comment 13 Ryosuke Niwa 2020-01-15 16:38:59 PST 
Comment on attachment 387706 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=387706&action=review

> LayoutTests/loader/change-src-during-iframe-load-crash.html:3
> +function load() {

The issue is that in WebKit1, this event handler runs after eventhandler3 had finished running.
The solution is to add a flag which eventhandler3 set, and only call waitUntilDone when the flag isn't set like this:

let didLoad = false;
let didFinishTesting = false;

function load() {
    document.body.innerHTML = 'The test is declared pass if there is no crash observed.';
    didLoad = true;
    if (window.testRunner) {
        testRunner.dumpAsText();
        if (!didFinishTesting)
            testRunner.waitUntilDone();
    }
}

function eventhandler3() {
    iframe1.srcdoc = "x";
    didFinishTesting = true;
    if (window.testRunner && didLoad)
        testRunner.notifyDone();
}

> LayoutTests/loader/change-src-during-iframe-load-crash.html:11
> +function eventhandler3() {

Can we rename this event handler to something more sensible like didLoadFrame2.
Comment 14 Ryosuke Niwa 2020-01-15 16:39:13 PST 
Comment on attachment 387706 [details]
Patch

r- given this patch caused the landed test to fail in WK1.
Comment 15 Pinki Gyanchandani 2020-01-15 17:30:17 PST 
Created attachment 387876 [details]
Patch
Comment 16 Ryosuke Niwa 2020-01-15 18:29:30 PST 
Comment on attachment 387876 [details]
Patch

Let's wait for EWS before landing.
Comment 17 Ryosuke Niwa 2020-01-15 19:02:26 PST 
Committed r254662: <https://trac.webkit.org/changeset/254662>