App crashes when opening itms://scheme using window.open
Issue description

App Version: 66.0.3346.0 canary
iOS Version: 11.2.5, 10.3.3
Device: iPhone7 plus, iPad Air
URL: http://browsingtest.appspot.com/external_url.html

Steps to reproduce:
1. Launch Google Chrome
2. Navigate to http://browsingtest.appspot.com/external_url.html
3. Tap on the 4th link ( onclick window.open itms App store)

Observed results: App Crashes
Expected results: App shouldn't crash

Crash ID: http://crash/097bf52752d385a7
Number of times you were able to reproduce: 5/5
Bug reproducible after clean install: Yes
Bug reproducible after clearing cache and cookies: Yes
Bug reproducible on Chrome Mobile on Android: NA
Bug reproducible on Safari/Firefox: Firefox: NA, Safari: NA
Bug reproducible on current stable build (App Version, iOS Version): M64 NO
Bug reproducible on the current beta channel build (App Version, iOS Version): M65 NO

Stack Quality: 82%

0x000000010294dba4 (Chrome -web_state_impl.mm:212 ) web::WebStateImpl::SetIsLoading(bool)
0x000000010296b610 (Chrome -crw_web_controller.mm:4273 ) -[CRWWebController webView:decidePolicyForNavigationAction:decisionHandler:]
0x000000010296b610 (Chrome -crw_web_controller.mm:4273 ) -[CRWWebController webView:decidePolicyForNavigationAction:decisionHandler:]
0x00000001934368a8 (WebKit + 0x000738a8 ) WebKit::NavigationState::NavigationClient::decidePolicyForNavigationAction(WebKit::WebPageProxy&, API::NavigationAction&, WTF::Ref<WebKit::WebFramePolicyListenerProxy>&&, API::Object*)
0x000000019359eeb4 (WebKit + 0x001dbeb4 ) WebKit::WebPageProxy::decidePolicyForNavigationAction(unsigned long long, WebCore::SecurityOriginData const&, unsigned long long, WebKit::NavigationActionData const&, WebKit::FrameInfoData const&, unsigned long long, WebCore::ResourceRequest const&, WebCore::ResourceRequest const&, unsigned long long, WebKit::UserData const&, bool&, unsigned long long&, unsigned long long&, WebKit::DownloadID&, WebKit::WebsitePolicies&)
0x00000001935c6638 (WebKit + 0x00203638 ) void IPC::callMemberFunctionImpl<WebKit::WebPageProxy, void (WebKit::WebPageProxy::*)(unsigned long long, WebCore::SecurityOriginData const&, unsigned long long, WebKit::NavigationActionData const&, WebKit::FrameInfoData const&, unsigned long long, WebCore::ResourceRequest const&, WebCore::ResourceRequest const&, unsigned long long, WebKit::UserData const&, bool&, unsigned long long&, unsigned long long&, WebKit::DownloadID&, WebKit::WebsitePolicies&), std::__1::tuple<unsigned long long, WebCore::SecurityOriginData, unsigned long long, WebKit::NavigationActionData, WebKit::FrameInfoData, unsigned long long, WebCore::ResourceRequest, WebCore::ResourceRequest, unsigned long long, WebKit::UserData>, 0ul, 1ul, 2ul, 3ul, 4ul, 5ul, 6ul, 7ul, 8ul, 9ul, std::__1::tuple<bool, unsigned long long, unsigned long long, WebKit::DownloadID, WebKit::WebsitePolicies>, 0ul, 1ul, 2ul, 3ul, 4ul>(WebKit::WebPageProxy*, void (WebKit::WebPageProxy::*)(unsigned long long, WebCore::SecurityOriginData const&, unsigned long long, WebKit::NavigationActionData const&, WebKit::FrameInfoData const&, unsigned long long, WebCore::ResourceRequest const&, WebCore::ResourceRequest const&, unsigned long long, WebKit::UserData const&, bool&, unsigned long long&, unsigned long long&, WebKit::DownloadID&, WebKit::WebsitePolicies&), std::__1::tuple<unsigned long long, WebCore::SecurityOriginData, unsigned long long, WebKit::NavigationActionData, WebKit::FrameInfoData, unsigned long long, WebCore::ResourceRequest, WebCore::ResourceRequest, unsigned long long, WebKit::UserData>&&, std::__1::tuple<bool, unsigned long long, unsigned long long, WebKit::DownloadID, WebKit::WebsitePolicies>&, std::__1::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul, 4ul, 5ul, 6ul, 7ul, 8ul, 9ul>, std::__1::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul, 4ul>)
0x00000001935bf6e4 (WebKit + 0x001fc6e4 ) void IPC::handleMessage<Messages::WebPageProxy::DecidePolicyForNavigationAction, WebKit::WebPageProxy, void (WebKit::WebPageProxy::*)(unsigned long long, WebCore::SecurityOriginData const&, unsigned long long, WebKit::NavigationActionData const&, WebKit::FrameInfoData const&, unsigned long long, WebCore::ResourceRequest const&, WebCore::ResourceRequest const&, unsigned long long, WebKit::UserData const&, bool&, unsigned long long&, unsigned long long&, WebKit::DownloadID&, WebKit::WebsitePolicies&)>(IPC::Decoder&, IPC::Encoder&, WebKit::WebPageProxy*, void (WebKit::WebPageProxy::*)(unsigned long long, WebCore::SecurityOriginData const&, unsigned long long, WebKit::NavigationActionData const&, WebKit::FrameInfoData const&, unsigned long long, WebCore::ResourceRequest const&, WebCore::ResourceRequest const&, unsigned long long, WebKit::UserData const&, bool&, unsigned long long&, unsigned long long&, WebKit::DownloadID&, WebKit::WebsitePolicies&))
0x00000001934341dc (WebKit + 0x000711dc ) IPC::MessageReceiverMap::dispatchSyncMessage(IPC::Connection&, IPC::Decoder&, std::__1::unique_ptr<IPC::Encoder, std::__1::default_delete<IPC::Encoder> >&)
0x0000000193611890 (WebKit + 0x0024e890 ) WebKit::WebProcessProxy::didReceiveSyncMessage(IPC::Connection&, IPC::Decoder&, std::__1::unique_ptr<IPC::Encoder, std::__1::default_delete<IPC::Encoder> >&)
0x00000001933f6f0c (WebKit + 0x00033f0c ) IPC::Connection::dispatchSyncMessage(IPC::Decoder&)
0x00000001933f4730 (WebKit + 0x00031730 ) IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)
0x00000001933f713c (WebKit + 0x0003413c ) IPC::Connection::dispatchOneMessage()
0x000000018b614dc4 (JavaScriptCore + 0x0092edc4 )
0x000000018b614ff4 (JavaScriptCore + 0x0092eff4 )
0x00000001842ce978 (CoreFoundation + 0x000ee978 ) __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__
0x00000001842ce8f8 (CoreFoundation + 0x000ee8f8 ) __CFRunLoopDoSource0
0x00000001842ce1d4 (CoreFoundation + 0x000ee1d4 ) __CFRunLoopDoSources0
0x00000001842cbd58 (CoreFoundation + 0x000ebd58 ) __CFRunLoopRun
0x00000001841ebe54 (CoreFoundation + 0x0000be54 ) CFRunLoopRunSpecific
0x0000000186098f80 (GraphicsServices + 0x0000af80 ) GSEventRunModal
0x000000018d86b678 (UIKit + 0x00073678 ) UIApplicationMain
0x00000001028ccb50 (Chrome -chrome_exe_main.mm:54 ) main
0x0000000183d08568 (libdyld.dylib + 0x00001568 ) start
Feb 13 2018
Feb 13 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/3c071d65c3fb8ba013e678598acfb4fc0808f0be

commit 3c071d65c3fb8ba013e678598acfb4fc0808f0be
Author: Eugene But <eugenebut@google.com>
Date: Tue Feb 13 23:19:44 2018

Check for _isBeingDestroyed before accessing WebState in decidePolicyForNavigationAction.

-[CRWWebController shouldAllowLoadWithNavigationAction:] can actually destroy web controller when launching external app. So it is necessary to check _isBeingDestroyed before dereferencing WebState.

Bug: 811777
Cq-Include-Trybots: master.tryserver.chromium.mac:ios-simulator-cronet;master.tryserver.chromium.mac:ios-simulator-full-configs
Change-Id: Ib73f9bf1d7695b91332a2b2e715a2bd443f76bd4
Reviewed-on: https://chromium-review.googlesource.com/917211
Reviewed-by: Danyao Wang <danyao@chromium.org>
Commit-Queue: Eugene But <eugenebut@chromium.org>
Cr-Commit-Position: refs/heads/master@{#536540}

[modify] https://crrev.com/3c071d65c3fb8ba013e678598acfb4fc0808f0be/ios/web/web_state/ui/crw_web_controller.mm
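
The failure mode that commit message describes, as an added example that is not Chromium's code: a simplified C++ model in which a policy check tears down its own controller, run with and without a being-destroyed guard. Every name here (Controller, ShouldAllowLoad, Decide, the blocked:// scheme) is a hypothetical stand-in, and the crash is modelled as a detected released pointer rather than an actual dereference.

```cpp
// Added illustration; every name is a hypothetical stand-in, not Chromium code.
#include <iostream>
#include <memory>
#include <string>
struct WebState {
  bool is_loading = true;
  void SetIsLoading(bool loading) { is_loading = loading; }
};

enum class Outcome { kAllowed, kCancelled, kSkippedDestroyed, kWouldCrash };

class Controller {
 public:
  Controller() : web_state_(std::make_unique<WebState>()) {}

  Outcome DecidePolicy(const std::string& url, bool check_destroyed) {
    bool allow = ShouldAllowLoad(url);  // may tear this controller down
    // The guard: stop before touching any state that teardown released.
    if (check_destroyed && being_destroyed_) return Outcome::kSkippedDestroyed;
    if (allow) return Outcome::kAllowed;
    // Stand-in for the crash: the unguarded path reaches a released WebState.
    if (!web_state_) return Outcome::kWouldCrash;
    web_state_->SetIsLoading(false);
    return Outcome::kCancelled;
  }

 private:
  // Assumption: an external-app scheme is handed off and the controller is
  // closed as a side effect; "blocked://" is a constructed plain rejection.
  bool ShouldAllowLoad(const std::string& url) {
    if (url.rfind("itms://", 0) == 0) { Close(); return false; }
    return url.rfind("blocked://", 0) != 0;
  }
  void Close() { being_destroyed_ = true; web_state_.reset(); }
  bool being_destroyed_ = false;
  std::unique_ptr<WebState> web_state_;
};

Outcome Decide(const std::string& url, bool check_destroyed) {
  Controller controller;  // fresh controller per navigation decision
  return controller.DecidePolicy(url, check_destroyed);
}

int main() {
  bool ok = Decide("itms://constructed.example/app", false) == Outcome::kWouldCrash &&
            Decide("itms://constructed.example/app", true) == Outcome::kSkippedDestroyed;
  std::cout << (ok ? "guard skips the released WebState\n" : "unexpected\n");
  return ok ? 0 : 1;
}
```

The ordinary rejection path (blocked://) still resets the loading state with the guard enabled, so the check only changes behaviour when the callee has torn the controller down.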
Feb 13 2018
Feb 20 2018
Verified in M66.0.3351.0 canary
Device: iPhoneX, iPad Pro
iOS: 11.2.6, 11.3 beta#3
Comment 1 by eugene...@chromium.org, Feb 13 2018
Owner: eugene...@chromium.org
Status: Started (was: Untriaged)