Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

LibWeb: Crash on Acid3 in Navigable::get_session_history_entries() #21364

Closed
awesomekling opened this issue Oct 7, 2023 · 1 comment · Fixed by #21366
Closed

LibWeb: Crash on Acid3 in Navigable::get_session_history_entries() #21364

awesomekling opened this issue Oct 7, 2023 · 1 comment · Fixed by #21366
Labels
bug Something isn't working has-repro We have a way to reproduce this bug. regression

Comments

@awesomekling
Copy link
Collaborator

Simplified reduction:

<!doctype html><script>
    let iframe = document.createElement('iframe');
    let div = document.createElement('div');
    div.appendChild(iframe);
</script>
@awesomekling awesomekling added bug Something isn't working regression has-repro We have a way to reproduce this bug. labels Oct 7, 2023
@awesomekling
Copy link
Collaborator Author

To trigger the bug, reload the page and you get this:

VERIFICATION FAILED: false at /home/kling/src/serenity/Userland/Libraries/LibWeb/HTML/Navigable.cpp:382
/home/kling/src/serenity/Build/lagom/lib/liblagom-core.so.0(ak_verification_failed+0x97) [0x7f7237db9687]
/home/kling/src/serenity/Build/lagom/lib/liblagom-web.so.0 Web::HTML::Navigable::get_session_history_entries() const 0x4b1) [0x7f72374278a1]
/home/kling/src/serenity/Build/lagom/lib/liblagom-web.so.0 Web::HTML::Navigable::get_the_target_history_entry(int) const 0x8) [0x7f7237427388]
/home/kling/src/serenity/Build/lagom/lib/liblagom-web.so.0 Web::HTML::TraversableNavigable::get_all_navigables_whose_current_session_history_entry_will_change_or_reload(int) const 0x117) [0x7f72374a8467]
/home/kling/src/serenity/Build/lagom/lib/liblagom-web.so.0 Web::HTML::TraversableNavigable::apply_the_history_step(int, AK::Optional<Web::HTML::SourceSnapshotParams>) 0xa2) [0x7f72374a8742]
/home/kling/src/serenity/Build/lagom/lib/liblagom-web.so.0 Web::HTML::TraversableNavigable::update_for_navigable_creation_or_destruction() 0x24) [0x7f72374a9874]
/home/kling/src/serenity/Build/lagom/lib/liblagom-web.so.0(+0x8391f8) [0x7f72374391f8]
/home/kling/src/serenity/Build/lagom/lib/liblagom-web.so.0(+0x8360b2) [0x7f72374360b2]
/home/kling/src/serenity/Build/lagom/lib/liblagom-web.so.0 Web::HTML::NavigableContainer::shared_attribute_processing_steps_for_iframe_and_frame(bool) 0x661) [0x7f7237438831]
/home/kling/src/serenity/Build/lagom/lib/liblagom-web.so.0 Web::HTML::HTMLIFrameElement::process_the_iframe_attributes(bool) 0x1a0) [0x7f72373e2a60]
/home/kling/src/serenity/Build/lagom/lib/liblagom-web.so.0 Web::HTML::HTMLIFrameElement::inserted() 0x57) [0x7f72373e2ed7]
/home/kling/src/serenity/Build/lagom/lib/liblagom-web.so.0(+0x70f04f) [0x7f723730f04f]
/home/kling/src/serenity/Build/lagom/lib/liblagom-web.so.0 Web::DOM::Node::insert_before(JS::NonnullGCPtr<Web::DOM::Node>, JS::GCPtr<Web::DOM::Node>, bool) 0x621) [0x7f723730e731]
/home/kling/src/serenity/Build/lagom/lib/liblagom-web.so.0 Web::DOM::Node::pre_insert(JS::NonnullGCPtr<Web::DOM::Node>, JS::GCPtr<Web::DOM::Node>) 0x4e) [0x7f723730f33e]
/home/kling/src/serenity/Build/lagom/lib/liblagom-web.so.0 Web::DOM::Node::append_child(JS::NonnullGCPtr<Web::DOM::Node>) 0xb) [0x7f723731016b]
/home/kling/src/serenity/Build/lagom/lib/liblagom-web.so.0 Web::Bindings::NodePrototype::append_child(JS::VM&) 0x173) [0x7f723776dec3]
/home/kling/src/serenity/Build/lagom/bin/WebContent(+0xa939d) [0x55c4296ca39d]
/home/kling/src/serenity/Build/lagom/lib/liblagom-js.so.0(+0x3bc8f3) [0x7f72369bc8f3]
/home/kling/src/serenity/Build/lagom/lib/liblagom-js.so.0 JS::NativeFunction::call() 0x25) [0x7f72369bc795]
/home/kling/src/serenity/Build/lagom/lib/liblagom-js.so.0 JS::NativeFunction::internal_call(JS::Value, JS::MarkedVector<JS::Value, 32ul>) 0x276) [0x7f72369bc286]
/home/kling/src/serenity/Build/lagom/lib/liblagom-js.so.0 JS::call_impl(JS::VM&, JS::FunctionObject&, JS::Value, AK::Optional<JS::MarkedVector<JS::Value, 32ul> >) 0x300) [0x7f723687a700]
/home/kling/src/serenity/Build/lagom/lib/liblagom-js.so.0 JS::Bytecode::Op::Call::execute_impl(JS::Bytecode::Interpreter&) const 0x496) [0x7f72367fabe6]

kalenikaliaksandr added a commit to kalenikaliaksandr/serenity that referenced this issue Oct 7, 2023
@kalenikaliaksandr
LibWeb: Destroy navigable containers not inserted into document tree
1708336 
This change fixes the bug where navigable containers related to a
document, but not present in the tree, were never destroyed.

Fixes SerenityOS#21364
@kalenikaliaksandr kalenikaliaksandr mentioned this issue Oct 7, 2023
Merged
awesomekling pushed a commit that referenced this issue Oct 8, 2023
@kalenikaliaksandr @awesomekling
LibWeb: Destroy navigable containers not inserted into document tree
a865318 
This change fixes the bug where navigable containers related to a
document, but not present in the tree, were never destroyed.

Fixes #21364
@awesomekling awesomekling mentioned this issue Oct 8, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working has-repro We have a way to reproduce this bug. regression
Projects
No open projects
Ladybird
Status: Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

LibWeb: Destroy navigable containers not inserted into document tree kalenikaliaksandr/serenity
1 participant
@awesomekling