| Field | Value |
|---|---|
| Summary | REGRESSION: Repro crash when dragging an image from the window to the address bar |
| Product | WebKit |
| Reporter | mitz |
| Component | Page Loading |
| Assignee | Nobody <webkit-unassigned> |
| Status | RESOLVED FIXED |
| Severity | Normal |
| CC | alice.barraclough, andersca, ddkilzer |
| Priority | P1 |
| Keywords | HasReduction, InRadar, Regression |
| Version | 420+ |
| Hardware | Mac |
| OS | OS X 10.4 |
| URL | http://animatedtv.about.com/library/gallerysimpsons/blphoto_other_hibbert.htm?terms=dr.+hibbert |
| Attachments | reduction (9539), file needed to use reduction (9540), Patch, including change log (12536) |
Description
mitz
2006-07-16 06:22:57 PDT
(In reply to comment #1)
> Is this a regression from Bug 9466?

Just prior to fixing bug 9466 it was obviously impossible to reproduce this bug, but I think fixing bug 9466 just lifted the mask from this one, which was caused earlier (perhaps by the same change that caused bug 9466?).

Created attachment 9539 [details]
reduction
Created attachment 9540 [details]
file needed to use reduction (put this next to it on the local disk)
Very simple reduction -- I predict this will be easy to fix.

Here's what I've found out so far. The problem happens because the image document is detached. The detach happens in the ~FrameView destructor (which contains this comment: "FIXME: Is this really the right place to call detach on the document?"). The FrameView in question has the same Frame as the FrameView that is coming in (Frame::setView() does not update the back pointer from the FrameView to the Frame), and hence the same document. The Iframe in the reduction serves the sole purpose of not allowing the page to go into the page cache, thus leading to the FrameView being deref'ed (and destructed) at that particular point. I think the fix should be along the lines of addressing the FIXME, but it's also possible that there's some way to manage the pointers from FrameViews to Frame to avoid the detach.

I just found out that essentially the same crash can be reproduced in shipping Safari by clicking a link to about:blank with the back/forward cache disabled. To reproduce, go to `data:text/html,<a%20href="about:blank">Turn%20off%20the%20Back/Forward%20cache%20and%20click%20me</a>` then in Safari's Debug menu deselect Use Back/Forward Cache and click the link.

The image case is a regression because of the new image document implementation.

manual-tests/form-value-restore.html fails because of this bug.

Created attachment 12536 [details]
Patch, including change log
This patch makes sure that the view does not mess with the frame when it is not its active view. No layout test regressions.
Comment on attachment 12536 [details]
Patch, including change log
r=me!
Landed in r18965.
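A simplified C++ model of the lifetime problem analysed in the comments above, added here as an illustration; it is not WebKit's code. The class names Document, Frame and FrameView and the fix's rule ("the view does not mess with the frame when it is not its active view") come from the report; the shapes of the classes, the `guarded` flag that switches between the pre- and post-fix destructor, and the `navigateAndCheckDocument()` driver are assumptions made for this example. The real engine crashes when the incoming view touches the detached document; the model records the detach as a flag so the outcome can be inspected.

```cpp
// Added illustration, not WebKit source: a minimal model of an outgoing
// FrameView detaching the document that the incoming FrameView still needs.
// Class names follow the bug report; their shapes, the `guarded` flag and
// navigateAndCheckDocument() are assumptions made for this example.
#include <cstdio>
#include <memory>
#include <utility>

struct Document {
    bool attached = true;
    void detach() { attached = false; }   // stands in for the real teardown
};

struct Frame;

struct FrameView {
    Frame* m_frame;    // raw back pointer; Frame::setView() never clears it
    bool m_guarded;    // true: apply the fix (only the active view may detach)
    FrameView(Frame* frame, bool guarded) : m_frame(frame), m_guarded(guarded) {}
    ~FrameView();
};

struct Frame {
    Document m_document;                  // shared by every view of this frame
    std::shared_ptr<FrameView> m_view;    // the frame's current (active) view

    FrameView* view() const { return m_view.get(); }
    Document* document() { return &m_document; }

    // Models Frame::setView(): installs the new view first, then releases the
    // old one. With nothing else (e.g. the page cache) holding a reference,
    // the old view is destroyed right here while its m_frame still points at us.
    void setView(std::shared_ptr<FrameView> view) { m_view = std::move(view); }

    // Release the last view before the document goes away, so its destructor
    // never runs while m_view is itself mid-destruction.
    ~Frame() { std::shared_ptr<FrameView> last = std::move(m_view); }
};

FrameView::~FrameView() {
    // Unguarded: the FIXME'd behaviour from the report, detach unconditionally.
    // Guarded: the behaviour after the fix, touch the frame only if this view
    // is still the frame's active view.
    if (!m_guarded || m_frame->view() == this)
        m_frame->document()->detach();
}

// Navigate a frame from one view to another and report whether the document
// the incoming view displays is still attached afterwards. In the real engine
// a detached document here is what the incoming view then crashes on.
bool navigateAndCheckDocument(bool guarded) {
    Frame frame;
    frame.setView(std::make_shared<FrameView>(&frame, guarded));  // outgoing view
    frame.setView(std::make_shared<FrameView>(&frame, guarded));  // incoming view
    return frame.document()->attached;
}

int main() {
    std::printf("unguarded: document attached after navigation = %s\n",
                navigateAndCheckDocument(false) ? "yes" : "no");   // no
    std::printf("guarded:   document attached after navigation = %s\n",
                navigateAndCheckDocument(true) ? "yes" : "no");    // yes
    return 0;
}
```

The unguarded path reproduces the report's sequence: `setView()` replaces the view, the outgoing view's destructor follows its stale back pointer and detaches the document that the incoming view is about to use. The guarded path is the shape of the landed fix: an object that can outlive its role as "the active view" must re-check that role before acting on the shared state it points at.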