45833 2010-09-15 13:56:45 -0700 Crash in WebCore::FrameLoader::shouldInterruptLoadForXFrameOptions 2010-09-16 10:17:28 -0700 1 1 1 Unclassified WebKit WebCore Misc. 528+ (Nightly build) All All RESOLVED FIXED http://blog.cnyes.com/My/itamian/article316071 P2 Normal --- 1 tonyg tonyg abarth commit-queue eric webkit.review.bot oldest_to_newest 279691 0 tonyg 2010-09-15 13:56:45 -0700 Reliably reproduces on http://blog.cnyes.com/My/itamian/article316071, but much more common with facebook.com + certain extensions. I'm distilling a repro now. 0x017b00e8 [Google Chrome Framework - FrameLoader.cpp:3072] WebCore::FrameLoader::shouldInterruptLoadForXFrameOptions 0x01565a5d [Google Chrome Framework - Document.cpp:2528] WebCore::Document::processHttpEquiv 0x016c17a3 [Google Chrome Framework - HTMLMetaElement.cpp:76] WebCore::HTMLMetaElement::process 0x0154b2d7 [Google Chrome Framework - ContainerNode.cpp:632] WebCore::ContainerNode::parserAddChild 0x016ff038 [Google Chrome Framework - HTMLConstructionSite.cpp:98] WebCore::HTMLConstructionSite::attach<WebCore::Element> 0x016feba8 [Google Chrome Framework - HTMLConstructionSite.cpp:233] WebCore::HTMLConstructionSite::insertSelfClosingHTMLElement 0x0171bfa1 [Google Chrome Framework - HTMLTreeBuilder.cpp:2735] WebCore::HTMLTreeBuilder::processStartTagForInHead 0x0171de9e [Google Chrome Framework - HTMLTreeBuilder.cpp:747] WebCore::HTMLTreeBuilder::processStartTagForInBody 0x0171f7cd [Google Chrome Framework - HTMLTreeBuilder.cpp:1337] WebCore::HTMLTreeBuilder::processStartTag 0x0172159c [Google Chrome Framework - HTMLTreeBuilder.cpp:485] WebCore::HTMLTreeBuilder::processToken 0x0172164f [Google Chrome Framework - HTMLTreeBuilder.cpp:466] WebCore::HTMLTreeBuilder::constructTreeFromToken 0x016ff423 [Google Chrome Framework - HTMLDocumentParser.cpp:234] WebCore::HTMLDocumentParser::pumpTokenizer 0x017009be [Google Chrome Framework - HTMLDocumentParser.cpp:183] WebCore::HTMLDocumentParser::insert 0x0170043e [Google Chrome Framework - HTMLDocumentParser.cpp:518] WebCore::HTMLDocumentParser::parseDocumentFragment 0x01691762 [Google Chrome Framework - HTMLElement.cpp:353] WebCore::createFragmentFromSource 0x016920f1 [Google Chrome Framework - HTMLElement.cpp:375] WebCore::HTMLElement::setInnerHTML 0x01bd6c84 [Google Chrome Framework - V8HTMLElement.cpp:168] WebCore::HTMLElementInternal::innerHTMLAttrSetter 0x00e3416e [Google Chrome Framework - objects.cc:1580] v8::internal::JSObject::SetPropertyWithCallback 0x00e487f4 [Google Chrome Framework - objects.cc:1865] v8::internal::JSObject::SetProperty 0x00e48d27 [Google Chrome Framework - objects.cc:1538] v8::internal::JSObject::SetProperty 0x00e01465 [Google Chrome Framework - ic.cc:1305] v8::internal::StoreIC::Store 0x00e01926 [Google Chrome Framework - ic.cc:1610] v8::internal::StoreIC_Miss 279755 1 67724 tonyg 2010-09-15 15:07:28 -0700 Created attachment 67724 Testcase 279759 2 67727 tonyg 2010-09-15 15:17:49 -0700 Created attachment 67727 Patch 279763 3 67727 abarth 2010-09-15 15:22:47 -0700 Comment on attachment 67727 Patch Precisely. 280130 4 67727 commit-queue 2010-09-16 09:12:34 -0700 Comment on attachment 67727 Patch Clearing flags on attachment: 67727 Committed r67627: <http://trac.webkit.org/changeset/67627> 280131 5 commit-queue 2010-09-16 09:12:40 -0700 All reviewed patches have been landed. Closing bug. 280180 6 webkit.review.bot 2010-09-16 10:17:28 -0700 http://trac.webkit.org/changeset/67627 might have broken Chromium Win Release The following changes are on the blame list: http://trac.webkit.org/changeset/67626 http://trac.webkit.org/changeset/67627 http://trac.webkit.org/changeset/67628 http://trac.webkit.org/changeset/67629 http://trac.webkit.org/changeset/67630 http://trac.webkit.org/changeset/67631 67724 2010-09-15 15:07:28 -0700 2010-09-15 15:07:28 -0700 Testcase x-frame-options-detached-document-crash.html text/html 258 tonyg PGlmcmFtZSBpZD1mb28+PC9pZnJhbWU+CjxzY3JpcHQ+CiAgdmFyIGZvb0ZyYW1lID0gZG9jdW1l bnQuZ2V0RWxlbWVudEJ5SWQoJ2ZvbycpOwogIHZhciBmb29Eb2MgPSBmb29GcmFtZS5jb250ZW50 V2luZG93LmRvY3VtZW50OwogIGZvb0ZyYW1lLnBhcmVudE5vZGUucmVtb3ZlQ2hpbGQoZm9vRnJh bWUpOwoKICBmb29Eb2Mud3JpdGUoJzxtZXRhIGh0dHAtZXF1aXY9IlgtRnJhbWUtT3B0aW9ucyIg Y29udGVudD0iZGVueSIvPicpOwo8L3NjcmlwdD4K 67727 2010-09-15 15:17:49 -0700 2010-09-16 09:12:34 -0700 Patch bug-45833-20100915151747.patch text/plain 4533 tonyg ZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL0NoYW5nZUxvZyBiL0xheW91dFRlc3RzL0NoYW5nZUxv ZwppbmRleCBjOTczZjNiYmNlZGVlMjQ2MGM2ZjI1MWRkYmVhNWMwMTdhZDI5NTQ3Li40Y2Y3YjFk NjBmOGQyODQzMDQ0MmJlN2Q2MWNkY2JmYjE5ODdiZDVlIDEwMDY0NAotLS0gYS9MYXlvdXRUZXN0 cy9DaGFuZ2VMb2cKKysrIGIvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTMgQEAK KzIwMTAtMDktMTUgIFRvbnkgR2VudGlsY29yZSAgPHRvbnlnQGNocm9taXVtLm9yZz4KKworICAg ICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBDcmFzaCBpbiBXZWJD b3JlOjpGcmFtZUxvYWRlcjo6c2hvdWxkSW50ZXJydXB0TG9hZEZvclhGcmFtZU9wdGlvbnMKKyAg ICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTQ1ODMzCisKKyAg ICAgICAgKiBmYXN0L3BhcnNlci94LWZyYW1lLW9wdGlvbnMtZGV0YWNoZWQtZG9jdW1lbnQtY3Jh c2gtZXhwZWN0ZWQudHh0OiBBZGRlZC4KKyAgICAgICAgKiBmYXN0L3BhcnNlci94LWZyYW1lLW9w dGlvbnMtZGV0YWNoZWQtZG9jdW1lbnQtY3Jhc2guaHRtbDogQWRkZWQuIENyYXNoZXMgYmVmb3Jl IHRoaXMgcGF0Y2guCisKIDIwMTAtMDktMTUgIENocmlzIEZsZWl6YWNoICA8Y2ZsZWl6YWNoQGFw cGxlLmNvbT4KIAogICAgICAgICBBWDogd2hlbiB0ZXh0IGlzIGF1dG8tdHJ1bmNhdGVkLCBhY2Nl c3NpYmlsaXR5IGJvdW5kcyBhcmUgd3JvbmcKZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL2Zhc3Qv cGFyc2VyL3gtZnJhbWUtb3B0aW9ucy1kZXRhY2hlZC1kb2N1bWVudC1jcmFzaC1leHBlY3RlZC50 eHQgYi9MYXlvdXRUZXN0cy9mYXN0L3BhcnNlci94LWZyYW1lLW9wdGlvbnMtZGV0YWNoZWQtZG9j dW1lbnQtY3Jhc2gtZXhwZWN0ZWQudHh0Cm5ldyBmaWxlIG1vZGUgMTAwNzU1CmluZGV4IDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAuLmNiY2Y1OGY5YjIzMGMxYmRlNzkx NDgzNGFmZjJlYTczZmIzMjA1ZWIKLS0tIC9kZXYvbnVsbAorKysgYi9MYXlvdXRUZXN0cy9mYXN0 L3BhcnNlci94LWZyYW1lLW9wdGlvbnMtZGV0YWNoZWQtZG9jdW1lbnQtY3Jhc2gtZXhwZWN0ZWQu dHh0CkBAIC0wLDAgKzEgQEAKK1RoaXMgY2hlY2tzIHRoYXQgd3JpdGluZyBhbiBYLUZyYW1lLU9w dGlvbnMgbWV0YSB0YWcgdG8gYSBkZXRhY2hlZCBkb2N1bWVudCBkb2VzIG5vdCBjcmFzaC4KZGlm ZiAtLWdpdCBhL0xheW91dFRlc3RzL2Zhc3QvcGFyc2VyL3gtZnJhbWUtb3B0aW9ucy1kZXRhY2hl ZC1kb2N1bWVudC1jcmFzaC5odG1sIGIvTGF5b3V0VGVzdHMvZmFzdC9wYXJzZXIveC1mcmFtZS1v cHRpb25zLWRldGFjaGVkLWRvY3VtZW50LWNyYXNoLmh0bWwKbmV3IGZpbGUgbW9kZSAxMDA2NDQK aW5kZXggMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMC4uNDg0OWFlYjlk ZmVhZGViNmJmZTI1ZjE0NWQ4ZmViZGI2ZGI1NjlhOQotLS0gL2Rldi9udWxsCisrKyBiL0xheW91 dFRlc3RzL2Zhc3QvcGFyc2VyL3gtZnJhbWUtb3B0aW9ucy1kZXRhY2hlZC1kb2N1bWVudC1jcmFz aC5odG1sCkBAIC0wLDAgKzEsMTMgQEAKK1RoaXMgY2hlY2tzIHRoYXQgd3JpdGluZyBhbiBYLUZy YW1lLU9wdGlvbnMgbWV0YSB0YWcgdG8gYSBkZXRhY2hlZCBkb2N1bWVudCBkb2VzIG5vdCBjcmFz aC4KKzxzY3JpcHQ+CitpZiAod2luZG93LmxheW91dFRlc3RDb250cm9sbGVyKQorICAgIGxheW91 dFRlc3RDb250cm9sbGVyLmR1bXBBc1RleHQoKTsKKzwvc2NyaXB0PgorPGlmcmFtZSBpZD1mb28+ PC9pZnJhbWU+Cis8c2NyaXB0PgorICB2YXIgZm9vRnJhbWUgPSBkb2N1bWVudC5nZXRFbGVtZW50 QnlJZCgnZm9vJyk7CisgIHZhciBmb29Eb2MgPSBmb29GcmFtZS5jb250ZW50V2luZG93LmRvY3Vt ZW50OworICBmb29GcmFtZS5wYXJlbnROb2RlLnJlbW92ZUNoaWxkKGZvb0ZyYW1lKTsKKworICBm b29Eb2Mud3JpdGUoJzxtZXRhIGh0dHAtZXF1aXY9IlgtRnJhbWUtT3B0aW9ucyIgY29udGVudD0i ZGVueSIvPicpOworPC9zY3JpcHQ+CmRpZmYgLS1naXQgYS9XZWJDb3JlL0NoYW5nZUxvZyBiL1dl YkNvcmUvQ2hhbmdlTG9nCmluZGV4IGU2OTIwZTA3Zjc4MjZmNmFiYTYzZDVhOTE5ZWQ5ZDJkMjc2 YTQwODEuLmVkMjBlZTVlNmZlM2UxYzYwODIwODM0NDdhZWQxMTVkYzE0MGVlM2QgMTAwNjQ0Ci0t LSBhL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1dlYkNvcmUvQ2hhbmdlTG9nCkBAIC0xLDMgKzEs MTUgQEAKKzIwMTAtMDktMTUgIFRvbnkgR2VudGlsY29yZSAgPHRvbnlnQGNocm9taXVtLm9yZz4K KworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBDcmFzaCBp biBXZWJDb3JlOjpGcmFtZUxvYWRlcjo6c2hvdWxkSW50ZXJydXB0TG9hZEZvclhGcmFtZU9wdGlv bnMKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTQ1ODMz CisKKyAgICAgICAgVGVzdDogZmFzdC9wYXJzZXIveC1mcmFtZS1vcHRpb25zLWRldGFjaGVkLWRv Y3VtZW50LWNyYXNoLmh0bWwKKworICAgICAgICAqIGRvbS9Eb2N1bWVudC5jcHA6CisgICAgICAg IChXZWJDb3JlOjpEb2N1bWVudDo6cHJvY2Vzc0h0dHBFcXVpdik6IE90aGVyIGJyYW5jaGVzIGlu IHRoaXMgbWV0aG9kIGFscmVhZHkgdGVzdCBmb3IgYSBudWxsIGZyYW1lLiBTbyBpdCBzZWVtcyB0 byBtYWtlIHNlbnNlIHRvIHRlc3QgdGhhdCBoZXJlIGFzIHdlbGwuCisKIDIwMTAtMDktMTUgIENo cmlzIEZsZWl6YWNoICA8Y2ZsZWl6YWNoQGFwcGxlLmNvbT4KIAogICAgICAgICBSZXZpZXdlZCBi eSBTaW1vbiBGcmFzZXIuCmRpZmYgLS1naXQgYS9XZWJDb3JlL2RvbS9Eb2N1bWVudC5jcHAgYi9X ZWJDb3JlL2RvbS9Eb2N1bWVudC5jcHAKaW5kZXggMTJjMThhMGM2MDY4MTk3NTYzMTc0ODExMTQ2 NTZiMTFjMGRlZjkyOS4uZDY5MzY2ZmVhMWQ1NDg3MDdlOTY3YmZiZGE5ZTc1YWJiYTY1N2M4NiAx MDA2NDQKLS0tIGEvV2ViQ29yZS9kb20vRG9jdW1lbnQuY3BwCisrKyBiL1dlYkNvcmUvZG9tL0Rv Y3VtZW50LmNwcApAQCAtMjUxMywxMyArMjUxMywxNSBAQCB2b2lkIERvY3VtZW50Ojpwcm9jZXNz SHR0cEVxdWl2KGNvbnN0IFN0cmluZyYgZXF1aXYsIGNvbnN0IFN0cmluZyYgY29udGVudCkKICAg ICBlbHNlIGlmIChlcXVhbElnbm9yaW5nQ2FzZShlcXVpdiwgIngtZG5zLXByZWZldGNoLWNvbnRy b2wiKSkKICAgICAgICAgcGFyc2VETlNQcmVmZXRjaENvbnRyb2xIZWFkZXIoY29udGVudCk7CiAg ICAgZWxzZSBpZiAoZXF1YWxJZ25vcmluZ0Nhc2UoZXF1aXYsICJ4LWZyYW1lLW9wdGlvbnMiKSkg ewotICAgICAgICBGcmFtZUxvYWRlciogZnJhbWVMb2FkZXIgPSBmcmFtZS0+bG9hZGVyKCk7Ci0g ICAgICAgIGlmIChmcmFtZUxvYWRlci0+c2hvdWxkSW50ZXJydXB0TG9hZEZvclhGcmFtZU9wdGlv bnMoY29udGVudCwgdXJsKCkpKSB7Ci0gICAgICAgICAgICBmcmFtZUxvYWRlci0+c3RvcEFsbExv YWRlcnMoKTsKLSAgICAgICAgICAgIGZyYW1lLT5yZWRpcmVjdFNjaGVkdWxlcigpLT5zY2hlZHVs ZUxvY2F0aW9uQ2hhbmdlKGJsYW5rVVJMKCksIFN0cmluZygpKTsKLQotICAgICAgICAgICAgREVG SU5FX1NUQVRJQ19MT0NBTChTdHJpbmcsIGNvbnNvbGVNZXNzYWdlLCAoIlJlZnVzZWQgdG8gZGlz cGxheSBkb2N1bWVudCBiZWNhdXNlIGRpc3BsYXkgZm9yYmlkZGVuIGJ5IFgtRnJhbWUtT3B0aW9u cy5cbiIpKTsKLSAgICAgICAgICAgIGZyYW1lLT5kb21XaW5kb3coKS0+Y29uc29sZSgpLT5hZGRN ZXNzYWdlKEpTTWVzc2FnZVNvdXJjZSwgTG9nTWVzc2FnZVR5cGUsIEVycm9yTWVzc2FnZUxldmVs LCBjb25zb2xlTWVzc2FnZSwgMSwgU3RyaW5nKCkpOworICAgICAgICBpZiAoZnJhbWUpIHsKKyAg ICAgICAgICAgIEZyYW1lTG9hZGVyKiBmcmFtZUxvYWRlciA9IGZyYW1lLT5sb2FkZXIoKTsKKyAg ICAgICAgICAgIGlmIChmcmFtZUxvYWRlci0+c2hvdWxkSW50ZXJydXB0TG9hZEZvclhGcmFtZU9w dGlvbnMoY29udGVudCwgdXJsKCkpKSB7CisgICAgICAgICAgICAgICAgZnJhbWVMb2FkZXItPnN0 b3BBbGxMb2FkZXJzKCk7CisgICAgICAgICAgICAgICAgZnJhbWUtPnJlZGlyZWN0U2NoZWR1bGVy KCktPnNjaGVkdWxlTG9jYXRpb25DaGFuZ2UoYmxhbmtVUkwoKSwgU3RyaW5nKCkpOworCisgICAg ICAgICAgICAgICAgREVGSU5FX1NUQVRJQ19MT0NBTChTdHJpbmcsIGNvbnNvbGVNZXNzYWdlLCAo IlJlZnVzZWQgdG8gZGlzcGxheSBkb2N1bWVudCBiZWNhdXNlIGRpc3BsYXkgZm9yYmlkZGVuIGJ5 IFgtRnJhbWUtT3B0aW9ucy5cbiIpKTsKKyAgICAgICAgICAgICAgICBmcmFtZS0+ZG9tV2luZG93 KCktPmNvbnNvbGUoKS0+YWRkTWVzc2FnZShKU01lc3NhZ2VTb3VyY2UsIExvZ01lc3NhZ2VUeXBl LCBFcnJvck1lc3NhZ2VMZXZlbCwgY29uc29sZU1lc3NhZ2UsIDEsIFN0cmluZygpKTsKKyAgICAg ICAgICAgIH0KICAgICAgICAgfQogICAgIH0KIH0K