[11] Navigate-on-pageswap re-entrancy crash
Severity: Medium | Component: WebCore loader / Navigation API | e7745af
Rated Medium because the observable effect is a deterministic WebContent crash via pageswap-handler re-entrancy that clears m_provisionalDocumentLoader mid-commit, and escalation to a memory-safety primitive depends on loader ownership details (pdl Ref capture) not visible in the diff.
Source/WebCore/loader/FrameLoader.cpp
+SetForScope dispatchingPageSwapEvent(m_isDispatchingPageSwapEvent, true);
document->dispatchPageswapEvent(canTriggerCrossDocumentViewTransition, WTF::move(activation));
Source/WebCore/page/Navigation.cpp
-if (!protect(window->document())->isFullyActive() || window->document()->unloadCounter())
+if (!protect(window->document())->isFullyActive() || frame()->loader().isDispatchingPageSwapEvent() || window->document()->unloadCounter())
return createErrorResult(WTF::move(committed), WTF::move(finished), ExceptionCode::InvalidStateError, "Invalid state"_s);
Patch Details
FrameLoader::commitProvisionalLoad wraps document->dispatchPageswapEvent() in a SetForScope that sets m_isDispatchingPageSwapEvent = true for the dispatch's duration; a new bool m_isDispatchingPageSwapEvent { false } member backs a public getter isDispatchingPageSwapEvent(). Navigation::navigate() is amended to reject with InvalidStateError when that flag is true. A regression test installs onpageswap = async (e) => { await navigation.navigate('foo'); } to reproduce the crash.
Failure to forbid renavigation-triggering APIs during a synchronous JS event dispatched mid-commit, allowing the event handler to invalidate the very loader the commit depends on.
Background
FrameLoader::commitProvisionalLoad promotes m_provisionalDocumentLoader into the active loader, dispatches pageswap synchronously so script can observe the cross-document transition, then calls transitionToCommitted and HistoryController::updateForStandardLoad. navigation.navigate(url) runs synchronous initial steps including a policy check that can stop or replace any in-flight provisional load. SetForScope<T> sets a variable for the lifetime of the scope and restores it on exit.
Analysis
pageswap is dispatched synchronously inside the commit pipeline. Pre-fix, a script handler calling navigation.navigate('foo') ran synchronous policy/setup that could clear m_provisionalDocumentLoader; when the event returned, commitProvisionalLoad continued into transitionToCommitted → updateForStandardLoad → DocumentLoader::urlForHistory operating on a stale or null loader.
Aaa Aaaaa Aaaaaaaaa Aa Aaa Aaa Aaaaa Aaaaaaaaaaaaaaaaa Aaaaaaaaaaaaaaaaaaaaaaaa Aaaaaaaaaaaaaaaaaaaaaaaa Aaaaaaa Aaaaaaaaaaaaa Aaa Aaaaaaaaaa Aaaaaaa Aaa Aaa Aaaaaaa Aaa Aaaaaaaa Aaaa Aaaaaaaaaaaaaaaaaaaaaaaaa Aaa Aaaaaaaaaa Aaaaaaa a Aaaaaaaaaaa Aaaaaa Aaaaa Aaaaaaaaaa Aaaaa Aaaaaa Aaa Aaaaaa Aaaaaa Aaaaa a Aaaaaa Aaaaaaaaa Aaa Aaaa Aaaaa Aaaaaaaaaaaaaaaaaaa Aaaa Aaaaaaaaaaaa Aaaaaaaaaaaaaaaaaaaa Aaaaaaaaaaaaaaaa Aaaaaaaaa Aaaaaaa a Aaaaaa Aaaaaaaaaaaaaaaaaaaaaaaaaa Aaaaa Aaaaaa Aaaaaaaaaaaaaaaaaaaaaaa Aaaaa Aaaaa Aaa Aaaaaa Aaaaaaaaaaa Aaaaa Aaaaaaa Aa Aaa Aaa Aa a Aaaaa
Aaaa Aaaaaaaaaaaaa Aaaaaaa Aaaaaaaaaaaaaaaa Aaaaaaaaaa Aaaaaaa Aaaaaaaaaaaaaaa Aaaaaaaaaaa Aa Aaa Aaaaaaaaaa Aaaaaa Aaaaa Aaaaaaaaaaa a Aaaaaaaa Aaaaaaaaaa Aaa Aaaa Aaa Aaaaaaaa
🔒Investigates the re-entrancy window opened by a synchronous DOM event fired mid-commit, and the lifetime implications for the provisional loader on either side of the dispatch.
Subscribe to read more
Audit directions
a Aaaaaaaaaaaaa Aaa Aaaaaa Aaaaa Aaaa Aaaaaa Aaaaaaaaaaaaa Aaaaaaaaaaaa Aaaaa Aaaaa Aaaaaaaaaaaaaaaaaa Aaaa Aaaaaa Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Aaaaaaaaaaaaaaaaaaaaaaaaa Aaaaaaaaaaaaaaaaa Aaaaaaaaaaa Aaaaaaaaaaaaaaaaaaaaaaaaa Aaaaa Aaaaaaa Aaa Aaaaaa Aaaaaaa Aaaaaa Aaaaaaaa Aaaaaa Aaaaa Aaaaaa Aaaaaaaaa
a Aaaaaaaaaaaa Aaa Aaaaaaaaaaa Aaaaaaaaaaaa Aaaaaaaaa Aaaaaaaaaaaaa Aaaaaaa Aaaaaaaaaa Aaaaaaaaaaaaaaaaaaaaaaaa Aaaa Aaaa Aaaaaaaaaaa Aaaaaaa Aaaaa Aaaa Aaa Aaaaa Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Aaa Aaaa Aaaa Aaaaaaa Aaaaaaaaaaa Aaaa Aaaaa Aaaaaaaaaaa Aaaaaaaaaaa Aaaaaaaaa Aaaaaaaaaaaaaa Aaaaaaaa Aaaaaaaa
a Aaaaaaaaaa Aaaaaaa Aaaaaaaaaaa Aaaaa Aaaaaaaaaa Aaaaaaaaaaaaaaaaa Aaa Aaaaa Aaaaaaa Aaaaaaaaaaa Aaaaaaaa Aaaaaaaaaaaaaaaaaaaaaaa Aa a Aaaaaa Aaaaaaaaaaaaaaaaaaaaa
a Aaa Aaaa Aaaaaaaaaaaaaaaaaaaaaaa Aaa Aaaaaaa Aaaaaaaaaaa Aaaaa Aaaa Aaaaaaaaaaaa Aaaaaaaa Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Aaaaaaaaaaaaaaaaaaaaaaaaa Aaaaaaaaaaaaaaaaaaa Aaaaaaa Aaaaaa Aaa Aaaa Aaaaa Aaaaaaaa Aaaaaaa Aaa Aaaaaaa Aaaa Aaa a Aaaaaaaaaa Aaaaa Aa Aaaaaaaa Aaaaaaaaaaaaaa
🔒Multiple reusable audit patterns covering synchronous-event re-entrancy across the loader pipeline, with concrete entrypoint lists for variant discovery.
Subscribe to read more