33828 2010-01-18 23:29:03 -0800 Crash in Page::backForwardList when using History object from a detached window 2010-01-19 14:14:42 -0800 1 1 1 Unclassified WebKit History 528+ (Nightly build) All All RESOLVED FIXED InRadar P1 Normal --- 1 ap webkit-unassigned beidson slewis oldest_to_newest 182150 0 46890 ap 2010-01-18 23:29:03 -0800 Created attachment 46890 test case (will crash) Thread 0 Crashed: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x0000000100e43564 WebCore::Page::backForwardList() + 4 1 com.apple.WebCore 0x0000000100a64cb8 WebCore::HistoryController::replaceState(WTF::PassRefPtr<WebCore::SerializedScriptValue>, WebCore::String const&, WebCore::String const&) + 56 2 com.apple.WebCore 0x0000000100a64978 WebCore::History::stateObjectAdded(WTF::PassRefPtr<WebCore::SerializedScriptValue>, WebCore::String const&, WebCore::String const&, WebCore::History::StateObjectType, int&) + 440 3 com.apple.WebCore 0x0000000100c0f32a WebCore::JSHistory::replaceState(JSC::ExecState*, JSC::ArgList const&) + 650 4 com.apple.WebCore 0x0000000100c0e489 WebCore::jsHistoryPrototypeFunctionReplaceState(JSC::ExecState*, JSC::JSObject*, JSC::JSValue, JSC::ArgList const&) + 137 182285 1 beidson 2010-01-19 09:44:39 -0800 The real question here is... what's the expected behavior? Should you be able to pushState() or replaceState() on a detached frame? Clearly we could just do an early return, but what if someone does the state-API on the detached frame then reattaches it? 182287 2 beidson 2010-01-19 09:48:51 -0800 The question of "does a detached frame even have a back/forward list to manipulate?" already has an answer elsewhere in our code - calling history.length() on a detached frame will return 0 (not even 1!!) I'm pretty sure an early return is the right way to go here. If we later uncover an incompatibility with the spec or the real web, then we can do what's needed to fix that. 182288 3 beidson 2010-01-19 09:49:25 -0800 <rdar://problem/7556252> 182294 4 46922 beidson 2010-01-19 10:06:00 -0800 Created attachment 46922 Patch 182295 5 46922 ap 2010-01-19 10:10:12 -0800 Comment on attachment 46922 Patch "The spec really cover expected behavior"? The test should not just have empty output - a link to the bug and a phrase like "Passed in didn't crash" would suffice. Please add try/catch around each subtest - we want to test pushState even if replaceState raises an exception. r=me if you fix the above nitpicks. 182299 6 beidson 2010-01-19 10:14:49 -0800 Thanks! 182302 7 beidson 2010-01-19 10:19:14 -0800 http://trac.webkit.org/changeset/53472 46890 2010-01-18 23:29:03 -0800 2010-01-18 23:29:03 -0800 test case (will crash) test.html text/html 245 ap PGJvZHkgb25sb2FkID0gInRlc3QoKSI+CjxpZnJhbWUgc3JjPSJhYm91dDpibGFuayI+PC9pZnJh bWU+CjxzY3JpcHQ+CmZ1bmN0aW9uIHRlc3QoKQp7CiAgICB2YXIgaWZyID0gZnJhbWVzWzBdOwog ICAgZG9jdW1lbnQuYm9keS5yZW1vdmVDaGlsZChkb2N1bWVudC5nZXRFbGVtZW50c0J5VGFnTmFt ZSgiaWZyYW1lIilbMF0pCiAgICBpZnIuaGlzdG9yeS5yZXBsYWNlU3RhdGUoImRhdGEiLCAidGl0 bGUiKTsKfQo8L3NjcmlwdD4= 46922 2010-01-19 10:06:00 -0800 2010-01-19 10:10:11 -0800 Patch bug-33828-20100119100559.patch text/plain 3365 beidson SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiA1MzQ3MCkKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMTcgQEAKKzIwMTAtMDEtMTkgIEJyYWR5IEVpZHNvbiAgPGJlaWRzb25AYXBwbGUu Y29tPgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIENy YXNoIGluIFBhZ2U6OmJhY2tGb3J3YXJkTGlzdCB3aGVuIHVzaW5nIEhpc3Rvcnkgb2JqZWN0IGZy b20gYSBkZXRhY2hlZCB3aW5kb3cKKyAgICAgICAgPHJkYXI6Ly9wcm9ibGVtLzc1NTYyNTI+IGFu ZCBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MzM4MjgKKworICAgICAg ICBUZXN0OiBmYXN0L2xvYWRlci9zdGF0ZW9iamVjdHMvc3RhdGUtYXBpLW9uLWRldGFjaGVkLWZy YW1lLWNyYXNoLmh0bWwKKworICAgICAgICAqIHBhZ2UvSGlzdG9yeS5jcHA6CisgICAgICAgIChX ZWJDb3JlOjpIaXN0b3J5OjpzdGF0ZU9iamVjdEFkZGVkKTogRG8gYW4gZWFybHkgcmV0dXJuIHdo ZW4gZGV0YWNoZWQuIFRoZSBzcGVjCisgICAgICAgICAgcmVhbGx5IGNvdmVyIGV4cGVjdGVkIGJl aGF2aW9yIGFuZCB3ZSBhbHJlYWR5IGRvIHNvbWV0aGluZyBzaW1pbGFyIGluIG90aGVyIHBsYWNl cywKKyAgICAgICAgICBzdWNoIGFzIGluIEhpc3Rvcnk6Omxlbmd0aCgpLgorCiAyMDEwLTAxLTE5 ICBZdXJ5IFNlbWlraGF0c2t5ICA8eXVyeXNAY2hyb21pdW0ub3JnPgogCiAgICAgICAgIFJldmll d2VkIGJ5IE5PQk9EWSAoYnVpbGQgZml4KS4KSW5kZXg6IFdlYkNvcmUvcGFnZS9IaXN0b3J5LmNw cAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09Ci0tLSBXZWJDb3JlL3BhZ2UvSGlzdG9yeS5jcHAJKHJldmlzaW9uIDUzNDY5 KQorKysgV2ViQ29yZS9wYWdlL0hpc3RvcnkuY3BwCSh3b3JraW5nIGNvcHkpCkBAIC05OCw5ICs5 OCw4IEBAIEtVUkwgSGlzdG9yeTo6dXJsRm9yU3RhdGUoY29uc3QgU3RyaW5nJiAKIAogdm9pZCBI aXN0b3J5OjpzdGF0ZU9iamVjdEFkZGVkKFBhc3NSZWZQdHI8U2VyaWFsaXplZFNjcmlwdFZhbHVl PiBkYXRhLCBjb25zdCBTdHJpbmcmIHRpdGxlLCBjb25zdCBTdHJpbmcmIHVybFN0cmluZywgU3Rh dGVPYmplY3RUeXBlIHN0YXRlT2JqZWN0VHlwZSwgRXhjZXB0aW9uQ29kZSYgZWMpCiB7Ci0gICAg aWYgKCFtX2ZyYW1lKQorICAgIGlmICghbV9mcmFtZSB8fCAhbV9mcmFtZS0+cGFnZSgpKQogICAg ICAgICByZXR1cm47Ci0gICAgQVNTRVJUKG1fZnJhbWUtPnBhZ2UoKSk7CiAgICAgCiAgICAgS1VS TCBmdWxsVVJMID0gdXJsRm9yU3RhdGUodXJsU3RyaW5nKTsKICAgICBpZiAoIWZ1bGxVUkwuaXNW YWxpZCgpKSB7CkluZGV4OiBMYXlvdXRUZXN0cy9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gTGF5 b3V0VGVzdHMvQ2hhbmdlTG9nCShyZXZpc2lvbiA1MzQ3MCkKKysrIExheW91dFRlc3RzL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDEzIEBACisyMDEwLTAxLTE5ICBCcmFkeSBF aWRzb24gIDxiZWlkc29uQGFwcGxlLmNvbT4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkg KE9PUFMhKS4KKworICAgICAgICBDcmFzaCBpbiBQYWdlOjpiYWNrRm9yd2FyZExpc3Qgd2hlbiB1 c2luZyBIaXN0b3J5IG9iamVjdCBmcm9tIGEgZGV0YWNoZWQgd2luZG93CisgICAgICAgIDxyZGFy Oi8vcHJvYmxlbS83NTU2MjUyPiBhbmQgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcu Y2dpP2lkPTMzODI4CisKKyAgICAgICAgKiBmYXN0L2xvYWRlci9zdGF0ZW9iamVjdHMvc3RhdGUt YXBpLW9uLWRldGFjaGVkLWZyYW1lLWNyYXNoLWV4cGVjdGVkLnR4dDogQWRkZWQuCisgICAgICAg ICogZmFzdC9sb2FkZXIvc3RhdGVvYmplY3RzL3N0YXRlLWFwaS1vbi1kZXRhY2hlZC1mcmFtZS1j cmFzaC5odG1sOiBBZGRlZC4KKwogMjAxMC0wMS0xOSAgWXVyeSBTZW1pa2hhdHNreSAgPHl1cnlz QGNocm9taXVtLm9yZz4KIAogICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKGJ1aWxkIGZpeCku CkluZGV4OiBMYXlvdXRUZXN0cy9mYXN0L2xvYWRlci9zdGF0ZW9iamVjdHMvc3RhdGUtYXBpLW9u LWRldGFjaGVkLWZyYW1lLWNyYXNoLWV4cGVjdGVkLnR4dAo9PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBMYXlvdXRU ZXN0cy9mYXN0L2xvYWRlci9zdGF0ZW9iamVjdHMvc3RhdGUtYXBpLW9uLWRldGFjaGVkLWZyYW1l LWNyYXNoLWV4cGVjdGVkLnR4dAkocmV2aXNpb24gMCkKKysrIExheW91dFRlc3RzL2Zhc3QvbG9h ZGVyL3N0YXRlb2JqZWN0cy9zdGF0ZS1hcGktb24tZGV0YWNoZWQtZnJhbWUtY3Jhc2gtZXhwZWN0 ZWQudHh0CShyZXZpc2lvbiAwKQpAQCAtMCwwICsxIEBACisKSW5kZXg6IExheW91dFRlc3RzL2Zh c3QvbG9hZGVyL3N0YXRlb2JqZWN0cy9zdGF0ZS1hcGktb24tZGV0YWNoZWQtZnJhbWUtY3Jhc2gu aHRtbAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9mYXN0L2xvYWRlci9zdGF0ZW9iamVjdHMv c3RhdGUtYXBpLW9uLWRldGFjaGVkLWZyYW1lLWNyYXNoLmh0bWwJKHJldmlzaW9uIDApCisrKyBM YXlvdXRUZXN0cy9mYXN0L2xvYWRlci9zdGF0ZW9iamVjdHMvc3RhdGUtYXBpLW9uLWRldGFjaGVk LWZyYW1lLWNyYXNoLmh0bWwJKHJldmlzaW9uIDApCkBAIC0wLDAgKzEsMjAgQEAKKzxodG1sPgor PHNjcmlwdD4KKworaWYgKHdpbmRvdy5sYXlvdXRUZXN0Q29udHJvbGxlcikKKyAgICBsYXlvdXRU ZXN0Q29udHJvbGxlci5kdW1wQXNUZXh0KCk7CisKK2Z1bmN0aW9uIHJ1blRlc3QoKQoreworICAg IHZhciBpZnIgPSBmcmFtZXNbMF07CisgICAgZG9jdW1lbnQuYm9keS5yZW1vdmVDaGlsZChkb2N1 bWVudC5nZXRFbGVtZW50c0J5VGFnTmFtZSgiaWZyYW1lIilbMF0pCisgICAgaWZyLmhpc3Rvcnku cmVwbGFjZVN0YXRlKCJmb28iLCAiYmFyIik7CisgICAgaWZyLmhpc3RvcnkucHVzaFN0YXRlKCJm dSIsICJiYXJyZWQiKTsKK30KKworPC9zY3JpcHQ+Cis8Ym9keSBvbmxvYWQ9InJ1blRlc3QoKTsi PgorPGlmcmFtZSBzcmM9ImFib3V0OmJsYW5rIj4KKzwvaWZyYW1lPgorPC9ib2R5PgorPC9odG1s Pgo=