Bug 11439 - REGRESSION: Another page loading crash
Summary: REGRESSION: Another page loading crash
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Page Loading
Version: 420+
Hardware: Mac OS X 10.4
Importance: P1 Normal
Assignee: John Sullivan
URL: http://www.computerworld.com/action/a...
Keywords:
Depends on:
Blocks:
 
Reported: 2006-10-27 13:46 PDT by Matt Lilek
Modified: 2006-10-27 14:35 PDT
CC: 1 user

See Also:


Attachments
patch to restore nil-handling behavior (1.50 KB, patch)
2006-10-27 14:31 PDT, John Sullivan
andersca: review+

Description Matt Lilek 2006-10-27 13:46:25 PDT
The above URL causes WebKit to crash with the following backtrace:

0   com.apple.WebCore        	0x013f5130 WebCore::DocumentLoader::originalRequestCopy() const + 0
1   com.apple.WebKit         	0x0032c0b0 -[WebFrame(WebInternal) _createItemTreeWithTargetFrame:clippedAtTarget:] + 80
2   com.apple.WebKit         	0x0032c13c -[WebFrame(WebInternal) _createItemTreeWithTargetFrame:clippedAtTarget:] + 220
3   com.apple.WebKit         	0x0032788c -[WebFrame(WebInternal) _addBackForwardItemClippedAtTarget:] + 108
4   com.apple.WebCore        	0x013fa9d4 WebCore::FrameLoader::transitionToCommitted(NSDictionary*) + 372
5   com.apple.WebCore        	0x013fc0fc WebCore::FrameLoader::commitProvisionalLoad(NSDictionary*) + 252
6   com.apple.WebCore        	0x013f4e98 WebCore::DocumentLoader::commitLoad(NSData*) + 56
7   com.apple.WebCore        	0x013f5504 WebCore::DocumentLoader::receivedData(NSData*) + 164
8   com.apple.WebCore        	0x013ffedc WebCore::WebResourceLoader::didReceiveData(NSData*, long long, bool) + 76
9   com.apple.WebCore        	0x01401c14 WebCore::MainResourceLoader::didReceiveData(NSData*, long long, bool) + 52
10  com.apple.WebCore        	0x013ff0d4 -[WebCoreResourceLoaderAsDelegate connection:didReceiveData:lengthReceived:] + 84
Comment 1 John Sullivan 2006-10-27 14:07:33 PDT
Crash is here:

    if (useOriginal)
        request = [dataSrc _documentLoader]->originalRequestCopy();
    else
        request = [dataSrc request];

I suspect the fix is to fall back to [dataSrc request] in the case where [dataSrc _documentLoader] returns nil, but someone should check what this code used to do in the case where [dataSrc _documentLoader] returned nil.
Comment 2 John Sullivan 2006-10-27 14:22:47 PDT
- (WebHistoryItem *)_createItem:(BOOL)useOriginal
{
    WebDataSource *dataSrc = [self dataSource];

dataSrc is nil here, which is why [dataSrc _documentLoader]->originalRequestCopy() crashes.

The crashing line used to be:

request = [[dataSrc _documentLoader] originalRequestCopy];

The change was in 17245. I'll test the simple fix of changing this one line.
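The regression described in the comment above is the classic hazard of converting an Objective-C message send, which silently returns nil when the receiver is nil, into a C++ member call through a pointer, which dereferences null. The following C++ sketch is an added illustration, not WebKit code: DocumentLoader, DataSource, Request, documentLoaderOf, requestForItemRegressed and requestForItem are constructed stand-ins for the real classes, and the sample URLs are made up. It shows the regressed form beside a form that restores the nil-tolerant behaviour of the original `[[dataSrc _documentLoader] originalRequestCopy]` line.

```cpp
#include <iostream>
#include <optional>
#include <string>

// Constructed stand-ins for WebCore::DocumentLoader / WebDataSource (not WebKit code).
struct Request {
    std::string url;
};

struct DocumentLoader {
    Request original;
    Request originalRequestCopy() const { return original; }
};

struct DataSource {
    DocumentLoader* loader;  // null while no document is loading
    Request current;
    DocumentLoader* documentLoader() const { return loader; }
    Request request() const { return current; }
};

// Models Objective-C's [dataSrc _documentLoader]: messaging a nil receiver yields nil
// instead of crashing, so a null DataSource simply produces a null loader.
DocumentLoader* documentLoaderOf(const DataSource* dataSrc) {
    return dataSrc ? dataSrc->documentLoader() : nullptr;
}

// Regressed form: the C++ member call on the loader pointer is made unconditionally.
// With dataSrc == nullptr the loader is null and this line is a null dereference,
// the same failure mode as the crash in the bug. Never call this with a null dataSrc.
std::optional<Request> requestForItemRegressed(const DataSource* dataSrc, bool useOriginal) {
    if (useOriginal)
        return documentLoaderOf(dataSrc)->originalRequestCopy();  // crashes when null
    return dataSrc ? std::optional<Request>(dataSrc->request()) : std::nullopt;
}

// Fixed form: checks the loader before the member call, so a missing data source
// yields "no request" rather than a crash, matching the old nil-returning behaviour.
std::optional<Request> requestForItem(const DataSource* dataSrc, bool useOriginal) {
    if (useOriginal) {
        if (DocumentLoader* loader = documentLoaderOf(dataSrc))
            return loader->originalRequestCopy();
        return std::nullopt;
    }
    if (dataSrc)
        return dataSrc->request();
    return std::nullopt;
}

// Constructed sample data (made-up URLs, not from the bug report).
static DocumentLoader gSampleLoader{Request{"http://example.invalid/original"}};
static DataSource gSampleDataSource{&gSampleLoader, Request{"http://example.invalid/current"}};

int main() {
    // Normal case: both forms agree when the data source exists.
    std::cout << "original: " << requestForItem(&gSampleDataSource, true)->url << "\n";
    std::cout << "current:  " << requestForItem(&gSampleDataSource, false)->url << "\n";

    // Edge case from the bug: no data source at all. Only the fixed form is safe here.
    std::optional<Request> none = requestForItem(nullptr, true);
    std::cout << "null data source -> " << (none ? "request" : "no request") << "\n";
    return 0;
}
```

The point of the comparison is that the null check cannot be left to the language once the call crosses from Objective-C into C++; the fixed form makes the fallback explicit, which is what "restoring nil-handling behavior" amounts to.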
Comment 3 John Sullivan 2006-10-27 14:31:51 PDT
Created attachment 11261 [details]
patch to restore nil-handling behavior
Comment 4 Anders Carlsson 2006-10-27 14:34:10 PDT
Comment on attachment 11261 [details]
patch to restore nil-handling behavior

r=me
Comment 5 John Sullivan 2006-10-27 14:35:29 PDT
Checked in as svn revision 17388.