Bug 14127 - iframe with 'help:' protocol crashes Safari 3.0 beta
Status: RESOLVED DUPLICATE of bug 14116
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: 523.x (Safari 3)
Hardware: Mac OS X 10.4
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-06-13 16:09 PDT by Richard Parker
Modified: 2007-06-13 16:14 PDT

See Also:


Attachments
The HTML that crashes Safari 3.0 beta (116 bytes, text/html)
2007-06-13 16:11 PDT, Richard Parker
Crash report (19.80 KB, text/plain)
2007-06-13 16:11 PDT, Richard Parker

Description Richard Parker 2007-06-13 16:09:30 PDT
An iframe that specifies its source using the 'help:' protocol causes Safari 3.0 beta (522.11) to crash in WebCore.
 
Sample HTML that crashes Safari 3.0 beta (522.11) [see attachment]:

<html>
<head>
<title>Crash Safari 3.0 beta</title> 
</head>
<body>

<iframe src='help:'></iframe>

</body>
</html>

Process call chain at time of crash [see attachment for full report]:
0   com.apple.WebCore        	0x961e9c70 WebCore::DocumentLoader::frameLoader() const + 0
1   com.apple.WebCore        	0x961ea0f8 WebCore::DocumentLoader::isLoadingInAPISense() const + 24
2   com.apple.WebCore        	0x961dd92c WebCore::FrameLoader::checkLoadCompleteForThisFrame() + 700
3   com.apple.WebCore        	0x961ddfe8 WebCore::FrameLoader::recursiveCheckLoadComplete() + 504
4   com.apple.WebCore        	0x961ddfd8 WebCore::FrameLoader::recursiveCheckLoadComplete() + 488
5   com.apple.WebCore        	0x961de270 WebCore::FrameLoader::finishedLoading() + 368
6   com.apple.WebCore        	0x961ee5e8 WebCore::MainResourceLoader::didFinishLoading() + 56
7   com.apple.WebCore        	0x961c5174 -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] + 84
Comment 1 Richard Parker 2007-06-13 16:11:24 PDT
Created attachment 15008
The HTML that crashes Safari 3.0 beta
Comment 2 Richard Parker 2007-06-13 16:11:52 PDT
Created attachment 15009
Crash report
Comment 3 Mark Rowe (bdash) 2007-06-13 16:14:01 PDT
This does not appear to crash SVN HEAD, but I do see a suspicious console log:

2007-06-13 16:12:58.362 Safari[5704:10b] *** -[NSCFSet removeObject:]: attempt to remove nil
Comment 4 Mark Rowe (bdash) 2007-06-13 16:14:58 PDT
Thanks for the report!  After looking at your crash log this looks to be the same as bug 14116.

*** This bug has been marked as a duplicate of 14116 ***