RESOLVED WORKSFORME 9953
REGRESSION: Repo CRASH when frame captures sibling frame's events and its invalid onunload handler is fired
https://bugs.webkit.org/show_bug.cgi?id=9953
Patrick Geiller
Reported 2006-07-16 06:53:52 PDT
This is reduced from the URL: a frame repeatedly captures events of its sibling and has an invalid onunload handler. When onunload is fired, Safari sometimes crashes.
Attachments
part of test case (260 bytes, text/html), 2006-07-16 06:54 PDT, Patrick Geiller, no flags
part of test case (11 bytes, text/html), 2006-07-16 06:55 PDT, Patrick Geiller, no flags
test case (164 bytes, text/html), 2006-07-16 06:57 PDT, Patrick Geiller, no flags
Crash log from locally-built WebKit r15466 (21.56 KB, text/plain), 2006-07-16 07:41 PDT, David Kilzer (:ddkilzer), no flags
DMG of test files (24.11 KB, application/x-diskcopy), 2006-07-16 08:05 PDT, David Kilzer (:ddkilzer), no flags
ZIP of test files (691 bytes, application/zip), 2006-07-16 08:07 PDT, David Kilzer (:ddkilzer), no flags
Patrick Geiller
Comment 1 2006-07-16 06:54:57 PDT
Created attachment 9486 [details] part of test case
Patrick Geiller
Comment 2 2006-07-16 06:55:57 PDT
Created attachment 9487 [details] part of test case
Patrick Geiller
Comment 3 2006-07-16 06:57:57 PDT
Created attachment 9488 [details] test case

Open in a new window, open a new tab, then right-click the tab bar and reload all tabs. This will crash Safari.
Patrick Geiller
Comment 4 2006-07-16 07:08:00 PDT
Well it doesn't work online :) Must be because of the latency ... Can anyone save the files to their hard drive and please check?

Excerpt of the crash log:

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000008

Thread 0 Crashed:
0 com.apple.WebCore 0x010c69a0 WebCore::Frame::page() const + 0
1 com.apple.WebCore 0x01103c94 -[WebCoreFrameBridge page] + 20
2 com.apple.WebKit 0x0031f700 -[WebFrameBridge webView] + 32
3 com.apple.WebKit 0x00320968 -[WebFrameBridge addMessageToConsole:] + 40
4 com.apple.WebCore 0x01296da0 WebCore::KJSProxy::evaluate(WebCore::String const&, int, WebCore::String const&, WebCore::Node*) + 1056
5 com.apple.WebCore 0x010d12b8 WebCore::Frame::executeScript(WebCore::Node*, WebCore::DeprecatedString const&, bool) + 184
6 com.apple.WebCore 0x0129e528 KJS::ScheduledAction::execute(KJS::Window*) + 792
7 com.apple.WebCore 0x0129e5dc KJS::Window::timerFired(KJS::DOMWindowTimer*) + 108
8 com.apple.WebCore 0x01231bdc WebCore::TimerBase::fireTimers(double, WTF::Vector<WebCore::TimerBase*, (unsigned long)0> const&) + 156
9 com.apple.WebCore 0x01231c70 WebCore::TimerBase::sharedTimerFired() + 112
10 com.apple.CoreFoundation 0x907ef550 __CFRunLoopDoTimer + 184
11 com.apple.CoreFoundation 0x907dbec8 __CFRunLoopRun + 1680
12 com.apple.CoreFoundation 0x907db47c CFRunLoopRunSpecific + 268
13 com.apple.HIToolbox 0x931e6740 RunCurrentEventLoopInMode + 264
14 com.apple.HIToolbox 0x931e5d4c ReceiveNextEventCommon + 244
15 com.apple.HIToolbox 0x931e5c40 BlockUntilNextEventMatchingListInMode + 96
16 com.apple.AppKit 0x936e9ae4 _DPSNextEvent + 384
17 com.apple.AppKit 0x936e97a8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
18 com.apple.Safari 0x00006740 0x1000 + 22336
19 com.apple.AppKit 0x936e5cec -[NSApplication run] + 472
20 com.apple.AppKit 0x937d687c NSApplicationMain + 452
21 com.apple.Safari 0x0005c77c 0x1000 + 374652
22 com.apple.Safari 0x0005c624 0x1000 + 374308
David Kilzer (:ddkilzer)
Comment 5 2006-07-16 07:40:23 PDT
Confirmed crash by saving files to local disk and following the steps from Comment #3:

1. Open test2.html in a new window.
2. Create a new tab.
3. Right-click on new tab, select Reload All Tabs.
David Kilzer (:ddkilzer)
Comment 6 2006-07-16 07:41:20 PDT
Created attachment 9489 [details] Crash log from locally-built WebKit r15466
David Kilzer (:ddkilzer)
Comment 7 2006-07-16 07:45:11 PDT
This is a regression from production Safari 2.0.4 (419.3) on Mac OS X 10.4.7 (8J135/PowerPC). Marking bug as such.
David Kilzer (:ddkilzer)
Comment 8 2006-07-16 08:05:22 PDT
Created attachment 9491 [details] DMG of test files

Mount the DMG, then click on 'test2.html' to start testing.
David Kilzer (:ddkilzer)
Comment 9 2006-07-16 08:07:19 PDT
Created attachment 9492 [details] ZIP of test files

I just realized that a DMG wouldn't be very cross-platform friendly.
Alexey Proskuryakov
Comment 10 2006-07-16 11:55:52 PDT
I don't think this is really caused by event capturing: changing the first line of capture() to a simple "parent.frames.fen2.document;" doesn't change the behavior. So while the crash is a regression, the root problem seems to be closely related to bug 9006.
Alice Liu
Comment 11 2006-08-14 15:37:24 PDT
mitz
Comment 12 2006-12-18 12:40:47 PST
I can no longer reproduce the crash.
Patrick Geiller
Comment 13 2006-12-18 15:53:48 PST
I just downloaded the nightly and can't reproduce the crash either.
Beth Dakin
Comment 14 2006-12-20 15:28:31 PST
Looks like something fixed this bug!