50200 2010-11-29 18:41:24 -0800 Crash when iframe transfers from one page to another and has child frames. 2010-12-14 15:22:20 -0800 1 1 1 Unclassified WebKit WebCore Misc. 528+ (Nightly build) All All ASSIGNED P2 Normal --- 1 dimich dimich dbates jennb levin oldest_to_newest 314804 0 dimich 2010-11-29 18:41:24 -0800 The crash happens due to lack of FrameLoaderClient updates for children of the Frame that was transferred from one page to another. This leaves the children of transferred Frame using the clients associated with the old Page, and once that one goes away and some GC'ing happens, the operations requiring FrameLoaderClient can cause crash. The code avoids unnecessary updates by accumulating 'didTransfer' bool. The change http://trac.webkit.org/changeset/71962 introduced code that overrides the boolean rather then accumulates the result. Patch is coming shortly. I can't figure out simple test for this, but I'm still working on it. Want to put the fix through before I can do the test since the crash blocks other developers at the moment. 314805 1 75098 dimich 2010-11-29 18:44:54 -0800 Created attachment 75098 Patch. 314807 2 levin 2010-11-29 18:48:58 -0800 OK, but I'm expecting a test soon! 314817 3 dimich 2010-11-29 19:10:16 -0800 Landed: http://trac.webkit.org/changeset/72863 314818 4 dimich 2010-11-29 19:10:53 -0800 Still working on a test so keeping bug open. 321783 5 75098 eric 2010-12-14 01:31:07 -0800 Comment on attachment 75098 Patch. Any updates? Obsoleting this patch since it was landed. 322283 6 75098 eric 2010-12-14 15:22:20 -0800 Comment on attachment 75098 Patch. Cleared David Levin's review+ from obsolete attachment 75098 so that this bug does not appear in http://webkit.org/pending-commit. 75098 2010-11-29 18:44:54 -0800 2010-12-14 15:22:20 -0800 Patch. patch.txt text/plain 1159 dimich ZGlmZiAtLWdpdCBhL1dlYkNvcmUvQ2hhbmdlTG9nIGIvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXgg ZTdmMjA1My4uZjU1OTcyMSAxMDA2NDQKLS0tIGEvV2ViQ29yZS9DaGFuZ2VMb2cKKysrIGIvV2Vi Q29yZS9DaGFuZ2VMb2cKQEAgLTEsMyArMSwxNCBAQAorMjAxMC0xMS0yOSAgRG1pdHJ5IFRpdG92 ICA8ZGltaWNoQGNocm9taXVtLm9yZz4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9P UFMhKS4KKworICAgICAgICBDcmFzaCB3aGVuIGlmcmFtZSB0cmFuc2ZlcnMgZnJvbSBvbmUgcGFn ZSB0byBhbm90aGVyIGFuZCBoYXMgY2hpbGQgZnJhbWVzLgorICAgICAgICBodHRwczovL2J1Z3Mu d2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9NTAyMDAKKworICAgICAgICAqIHBhZ2UvRnJhbWUu Y3BwOgorICAgICAgICAoV2ViQ29yZTo6RnJhbWU6OnRyYW5zZmVyQ2hpbGRGcmFtZVRvTmV3RG9j dW1lbnQpOgorICAgICAgICBhdm9pZCBvdmVycmlkaW5nICdkaWRUcmFuc2Zlcicgd2hpY2ggaGFz IHRoZSByZXN1bHQgb2YgcHJldmlvdXMgY2hlY2suCisKIDIwMTAtMTEtMjkgIEJyZW50IEZ1bGdo YW0gIDxiZnVsZ2hhbUB3ZWJraXQub3JnPgogCiAgICAgICAgIFVucmV2aWV3ZWQgYnVpbGQgZml4 LgpkaWZmIC0tZ2l0IGEvV2ViQ29yZS9wYWdlL0ZyYW1lLmNwcCBiL1dlYkNvcmUvcGFnZS9GcmFt ZS5jcHAKaW5kZXggNTAzMGM3Mi4uODU1MjNjNiAxMDA2NDQKLS0tIGEvV2ViQ29yZS9wYWdlL0Zy YW1lLmNwcAorKysgYi9XZWJDb3JlL3BhZ2UvRnJhbWUuY3BwCkBAIC03MzQsNyArNzM0LDcgQEAg dm9pZCBGcmFtZTo6dHJhbnNmZXJDaGlsZEZyYW1lVG9OZXdEb2N1bWVudCgpCiAgICAgfQogCiAg ICAgLy8gVXBkYXRlIHRoZSBmcmFtZSB0cmVlLgotICAgIGRpZFRyYW5zZmVyID0gbmV3UGFyZW50 LT50cmVlKCktPnRyYW5zZmVyQ2hpbGQodGhpcyk7CisgICAgZGlkVHJhbnNmZXIgPSBuZXdQYXJl bnQtPnRyZWUoKS0+dHJhbnNmZXJDaGlsZCh0aGlzKSB8fCBkaWRUcmFuc2ZlcjsKIAogICAgIC8v IEF2b2lkIHVubmVjZXNzYXJ5IGNhbGxzIHRvIGNsaWVudCBhbmQgZnJhbWUgc3VidHJlZSBpZiB0 aGUgZnJhbWUgZW5kZWQKICAgICAvLyB1cCBvbiB0aGUgc2FtZSBwYWdlIGFuZCB1bmRlciB0aGUg c2FtZSBwYXJlbnQgZnJhbWUuCg==