Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: c69ce8c4652b44accf6932761ae7837864f11151
      
https://github.com/WebKit/WebKit/commit/c69ce8c4652b44accf6932761ae7837864f11151
  Author: Rupin Mittal <[email protected]>
  Date:   2025-10-28 (Tue, 28 Oct 2025)

  Changed paths:
    M Source/WebCore/loader/FrameLoader.cpp
    M Source/WebCore/page/Navigation.cpp

  Log Message:
  -----------
  StabilityTracer: com.apple.WebKit.WebContent at 
WebCore::Navigation::initializeForNewWindow
https://bugs.webkit.org/show_bug.cgi?id=301593
rdar://163496995

Reviewed by Chris Dumez.

The crash appears to be caused by dereferncing / trying to Ref a nullptr
returned by Navigation::currentEntry() on this line:

"m_activation = NavigationActivation::create(*navigationType, *currentEntry(), 
WTFMove(previousEntry));"

Navigation::currentEntry() returns a nullptr in one of two cases:
1. hasEntriesAndEventsDisabled() is true
2. m_currentEntryIndex is null

Earlier on in Navigation::initializeForNewWindow(), there is a check for
hasEntriesAndEventsDisabled(). So it's likely that m_currentEntryIndex is null.

m_currentEntryIndex is obtained right before the crashing line. We can see from
this line that it being null means the currentItem is not in m_entries. This 
else
clause is reachable only if the navigationType is Replace, Reload, or null.

1. If the navigation type is Replace, the currentItem would have been put into
   m_entries in the if clause right before m_currentEntryIndex is obtained.
   So we are likely not in this scenario.
2. If the navigation type is Reload, we expect that the currentItem is already
   in m_entries. In theory it's possible that in some code path, a new item is
   made for Reload, and so currentItem wouldn't be in m_entries.
   (It's not clear why a new item would be made).
3. If the navigation type is null, currentItem would not be in m_entries.
   (It's not clear why the navigation type would be null).

Situation 2 and more likely 3 are both possible. However, it is not clear how we
would end up in either scenario. So we make a speculative fix:

If the currentItem is not in m_entries (m_currentEntryIndex is null), don't
create NavigationAction and return, rather fall back to the regular code path
below where the item is added to m_entries and setActivation() is called.

We don't need the ASSERT to check the navigationType since dereferencing an
optional already has such an assert. Also, we make a small drive-by fix to use 
the
protected documentLoader.

No new tests since this is a stability tracer crash and we have no reproduction
case and no clear idea on how we end up in this crash scenario as explained 
above.

* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::FrameLoader::didBeginDocument):
* Source/WebCore/page/Navigation.cpp:
(WebCore::Navigation::initializeForNewWindow):

Canonical link: https://commits.webkit.org/302279@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

Reply via email to