LadybirdBrowser / ladybird

Truly independent web browser
https://ladybird.org
BSD 2-Clause "Simplified" License

LibWeb: VERIFY_NOT_REACHED in Navigable::get_session_history_entries() #729

Open awesomekling opened 2 months ago

awesomekling commented 2 months ago

Found by Domato.

Simplified reduction:

<script>
    onload = function() {
        requestAnimationFrame(callback);
        requestIdleCallback(callback);
        form.submit();
    }

    function callback() {
        iframe.srcdoc = "data:text/html,foo";
    }
</script>
<form id="form"></form><iframe id="iframe">

awesomekling commented 2 months ago

Crash backtrace:

#0  ak_verification_failed () at /home/kling/src/ladybird/AK/Assertions.cpp:102
#1  0x00007f1946802901 in get_session_history_entries () at /home/kling/src/ladybird/Userland/Libraries/LibWeb/HTML/Navigable.cpp:524
#2  0x00007f194680a999 in finalize_a_cross_document_navigation () at /home/kling/src/ladybird/Userland/Libraries/LibWeb/HTML/Navigable.cpp:1858
#3  0x00007f194680ebd2 in operator() () at /home/kling/src/ladybird/Userland/Libraries/LibWeb/HTML/Navigable.cpp:1459
#4  call () at /home/kling/src/ladybird/AK/Function.h:187
#5  0x00007f194650ca4f in operator() () at /home/kling/src/ladybird/AK/Function.h:120
#6  0x00007f194686e0d4 in execute_steps () at /home/kling/src/ladybird/Userland/Libraries/LibWeb/HTML/SessionHistoryTraversalQueue.h:29
#7  operator() () at /home/kling/src/ladybird/Userland/Libraries/LibWeb/HTML/SessionHistoryTraversalQueue.cpp:37
#8  call () at /home/kling/src/ladybird/AK/Function.h:187
#9  0x00007f1947b4a36f in operator() () at /home/kling/src/ladybird/AK/Function.h:120
#10 0x00007f1947b49845 in dispatch_event () at /home/kling/src/ladybird/Userland/Libraries/LibCore/EventReceiver.cpp:162
#11 0x00006515016821c0 in qt_timer_fired () at /home/kling/src/ladybird/Ladybird/Qt/EventLoopImplementationQt.cpp:219
#12 operator() () at /home/kling/src/ladybird/Ladybird/Qt/EventLoopImplementationQt.cpp:233
#13 call () at /usr/include/x86_64-linux-gnu/qt6/QtCore/qobjectdefs_impl.h:127
#14 call<QtPrivate::List<>, void> () at /usr/include/x86_64-linux-gnu/qt6/QtCore/qobjectdefs_impl.h:241
#15 impl () at /usr/include/x86_64-linux-gnu/qt6/QtCore/qobjectdefs_impl.h:408
#16 0x00007f1947d83d9b in ??? () at /lib/x86_64-linux-gnu/libQt6Core.so.6
#17 0x00007f1947d8ed6d in QTimer::timeout(QTimer::QPrivateSignal) () at /lib/x86_64-linux-gnu/libQt6Core.so.6
#18 0x00007f1947d76576 in QObject::event(QEvent*) () at /lib/x86_64-linux-gnu/libQt6Core.so.6
#19 0x00007f1947d38416 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () at /lib/x86_64-linux-gnu/libQt6Core.so.6
#20 0x00007f1947e7b7ab in QTimerInfoList::activateTimers() () at /lib/x86_64-linux-gnu/libQt6Core.so.6
#21 0x00007f1947f33a61 in ??? () at /lib/x86_64-linux-gnu/libQt6Core.so.6
#22 0x00007f19427145b5 in ??? () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#23 0x00007f1942773717 in ??? () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#24 0x00007f1942713a53 in g_main_context_iteration () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#25 0x00007f1947f315ef in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () at /lib/x86_64-linux-gnu/libQt6Core.so.6
#26 0x00007f1947d429a3 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () at /lib/x86_64-linux-gnu/libQt6Core.so.6
#27 0x00007f1947b42067 in exec () at /home/kling/src/ladybird/Userland/Libraries/LibCore/EventLoop.cpp:88
#28 0x000065150168e6d6 in serenity_main () at /home/kling/src/ladybird/Ladybird/WebContent/main.cpp:195
#29 0x0000651501730be2 in main () at /home/kling/src/ladybird/Userland/Libraries/LibMain/Main.cpp:39
GetPapaWls commented 1 month ago

// Before: may contain VERIFY_NOT_REACHED as a placeholder
Vector<SessionHistoryEntry> Navigable::get_session_history_entries()
{
    if (some_condition_is_met) {
        VERIFY_NOT_REACHED();
    }

    // Actual logic to retrieve session history entries.
    Vector<SessionHistoryEntry> history_entries;
    // Populate history_entries.
    return history_entries;
}

// After: add proper handling
Vector<SessionHistoryEntry> Navigable::get_session_history_entries()
{
    Vector<SessionHistoryEntry> history_entries;

    if (some_condition_is_met) {
        // Handle the case properly instead of crashing.
        dbgln("Condition not met, returning empty history.");
        return history_entries; // or some other appropriate action
    }

    // Actual logic to retrieve session history entries.
    // Populate history_entries.
    return history_entries;
}

GetPapaWls commented 1 month ago

This was example code to fix it.