Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: c69ce8c4652b44accf6932761ae7837864f11151
https://github.com/WebKit/WebKit/commit/c69ce8c4652b44accf6932761ae7837864f11151
Author: Rupin Mittal <[email protected]>
Date: 2025-10-28 (Tue, 28 Oct 2025)
Changed paths:
M Source/WebCore/loader/FrameLoader.cpp
M Source/WebCore/page/Navigation.cpp
Log Message:
-----------
StabilityTracer: com.apple.WebKit.WebContent at
WebCore::Navigation::initializeForNewWindow
https://bugs.webkit.org/show_bug.cgi?id=301593
rdar://163496995
Reviewed by Chris Dumez.
The crash appears to be caused by dereferncing / trying to Ref a nullptr
returned by Navigation::currentEntry() on this line:
"m_activation = NavigationActivation::create(*navigationType, *currentEntry(),
WTFMove(previousEntry));"
Navigation::currentEntry() returns a nullptr in one of two cases:
1. hasEntriesAndEventsDisabled() is true
2. m_currentEntryIndex is null
Earlier on in Navigation::initializeForNewWindow(), there is a check for
hasEntriesAndEventsDisabled(). So it's likely that m_currentEntryIndex is null.
m_currentEntryIndex is obtained right before the crashing line. We can see from
this line that it being null means the currentItem is not in m_entries. This
else
clause is reachable only if the navigationType is Replace, Reload, or null.
1. If the navigation type is Replace, the currentItem would have been put into
m_entries in the if clause right before m_currentEntryIndex is obtained.
So we are likely not in this scenario.
2. If the navigation type is Reload, we expect that the currentItem is already
in m_entries. In theory it's possible that in some code path, a new item is
made for Reload, and so currentItem wouldn't be in m_entries.
(It's not clear why a new item would be made).
3. If the navigation type is null, currentItem would not be in m_entries.
(It's not clear why the navigation type would be null).
Situation 2 and more likely 3 are both possible. However, it is not clear how we
would end up in either scenario. So we make a speculative fix:
If the currentItem is not in m_entries (m_currentEntryIndex is null), don't
create NavigationAction and return, rather fall back to the regular code path
below where the item is added to m_entries and setActivation() is called.
We don't need the ASSERT to check the navigationType since dereferencing an
optional already has such an assert. Also, we make a small drive-by fix to use
the
protected documentLoader.
No new tests since this is a stability tracer crash and we have no reproduction
case and no clear idea on how we end up in this crash scenario as explained
above.
* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::FrameLoader::didBeginDocument):
* Source/WebCore/page/Navigation.cpp:
(WebCore::Navigation::initializeForNewWindow):
Canonical link: https://commits.webkit.org/302279@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
