The above url causes WebKit to crash with the following backtrace:

0 com.apple.WebCore 0x013f5130 WebCore::DocumentLoader::originalRequestCopy() const + 0
1 com.apple.WebKit 0x0032c0b0 -[WebFrame(WebInternal) _createItemTreeWithTargetFrame:clippedAtTarget:] + 80
2 com.apple.WebKit 0x0032c13c -[WebFrame(WebInternal) _createItemTreeWithTargetFrame:clippedAtTarget:] + 220
3 com.apple.WebKit 0x0032788c -[WebFrame(WebInternal) _addBackForwardItemClippedAtTarget:] + 108
4 com.apple.WebCore 0x013fa9d4 WebCore::FrameLoader::transitionToCommitted(NSDictionary*) + 372
5 com.apple.WebCore 0x013fc0fc WebCore::FrameLoader::commitProvisionalLoad(NSDictionary*) + 252
6 com.apple.WebCore 0x013f4e98 WebCore::DocumentLoader::commitLoad(NSData*) + 56
7 com.apple.WebCore 0x013f5504 WebCore::DocumentLoader::receivedData(NSData*) + 164
8 com.apple.WebCore 0x013ffedc WebCore::WebResourceLoader::didReceiveData(NSData*, long long, bool) + 76
9 com.apple.WebCore 0x01401c14 WebCore::MainResourceLoader::didReceiveData(NSData*, long long, bool) + 52
10 com.apple.WebCore 0x013ff0d4 -[WebCoreResourceLoaderAsDelegate connection:didReceiveData:lengthReceived:] + 84
Crash is here:

    if (useOriginal)
        request = [dataSrc _documentLoader]->originalRequestCopy();
    else
        request = [dataSrc request];

I suspect the fix is to fall back to [dataSrc request] in the case where [dataSrc _documentLoader] returns nil, but someone should check what this code used to do in the case where [dataSrc _documentLoader] returned nil.
    - (WebHistoryItem *)_createItem:(BOOL)useOriginal
    {
        WebDataSource *dataSrc = [self dataSource];

dataSrc is nil here, which is why [dataSrc _documentLoader]->originalRequestCopy() crashes. The crashing line used to be:

    request = [[dataSrc _documentLoader] originalRequestCopy];

The change was in 17245. I'll test the simple fix of changing this one line.
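The nil-handling difference the comment above describes, as an added Objective-C++ example that is not WebKit's code or the attached patch: `DataSource` and `DocumentLoader` are hypothetical stand-ins for WebDataSource and WebCore::DocumentLoader, and the guarded form follows the fallback suggested in the thread.

```objc
#import <Foundation/Foundation.h>

// Hypothetical stand-in for the C++ WebCore::DocumentLoader.
struct DocumentLoader {
    NSURLRequest *originalRequestCopy() const {
        return [NSURLRequest requestWithURL:[NSURL URLWithString:@"http://example.invalid/original"]];
    }
};

// Hypothetical stand-in for WebDataSource.
@interface DataSource : NSObject
- (DocumentLoader *)_documentLoader;
- (NSURLRequest *)request;
@end

@implementation DataSource
- (DocumentLoader *)_documentLoader { return nullptr; }
- (NSURLRequest *)request {
    return [NSURLRequest requestWithURL:[NSURL URLWithString:@"http://example.invalid/current"]];
}
@end

// Crashing form. With dataSrc == nil, [dataSrc _documentLoader] is a message to
// nil and yields a null pointer; the C++ "->" call then dereferences it.
static NSURLRequest *requestForItemUnsafe(DataSource *dataSrc, BOOL useOriginal) {
    if (useOriginal)
        return [dataSrc _documentLoader]->originalRequestCopy();  // null dereference
    return [dataSrc request];
}

// Guarded form: fall back to [dataSrc request] when there is no loader. The old
// line, [[dataSrc _documentLoader] originalRequestCopy], got this for free because
// an Objective-C message to nil simply returns nil instead of dereferencing.
static NSURLRequest *requestForItemSafe(DataSource *dataSrc, BOOL useOriginal) {
    DocumentLoader *loader = useOriginal ? [dataSrc _documentLoader] : nullptr;
    return loader ? loader->originalRequestCopy() : [dataSrc request];
}

int main() {
    @autoreleasepool {
        DataSource *dataSrc = nil;  // the state the backtrace was hit in
        NSLog(@"safe path: %@", requestForItemSafe(dataSrc, YES));  // nil, no crash
        // requestForItemUnsafe(dataSrc, YES) would crash here the same way the
        // backtrace shows, inside originalRequestCopy() + 0.
    }
    return 0;
}
```

Build with `clang++ -framework Foundation -fobjc-arc example.mm`; only the safe path is called so the program exits normally.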
Created attachment 11261 [details] patch to restore nil-handling behavior
Comment on attachment 11261 [details] patch to restore nil-handling behavior r=me
Checked in as svn revision 17388.