7899 2006-03-21 20:18:19 -0800 FrameTree:uniqueChildName doesn't return unique names 2017-01-28 11:00:20 -0800 1 1 1 Unclassified WebKit Frames 420+ Mac OS X 10.4 NEW https://bugs.webkit.org/show_bug.cgi?id=167537 P2 Normal --- 1 justin.garcia webkit-unassigned brettw darin ddkilzer ian oldest_to_newest 37265 0 justin.garcia 2006-03-21 20:18:19 -0800 The number used for unique frame names is the childCount() of the parent frame: char suffix[40]; snprintf(suffix, sizeof(suffix), "/<!--frame%u-->-->", childCount()); This is wrong. See the attached test case. 37266 1 7224 justin.garcia 2006-03-21 20:26:51 -0800 Created attachment 7224 testcase Creates two unnamed iframes, removes the first one and reinserts it. It gets a generated name when it is reinserted, but that name is the same as the frame that is already in the document. This name collision prevents the inserted frame from being constructed. 40245 2 11979 ggaren 2006-12-22 23:12:15 -0800 Created attachment 11979 reduction1 Attaching two unique reductions for triggering this bug. 40220 3 11980 ggaren 2006-12-22 23:12:59 -0800 Created attachment 11980 reduction2 Attaching two unique reductions for how you can trigger this bug. 40221 4 ggaren 2006-12-22 23:17:41 -0800 It would be trivial to fix this bug by replacing childCount() with a never-decrementing count of the number of frames that have been added to the page. In fact, we could gut the whole uniqueChildName function and just use the count for unique-ing. Since a page can have a maximum of 200 frames, the count would be (virtually) guaranteed to be unique. The only problem is this comment: "Create a repeatable name." Why does the name need to be repeatable? What does repeatable mean? Using a global count would give a frame a new name if you removed and then re-added it to the document. So I don't think that would be "repeatable." On the other hand, this bug demonstrates that frames *need* to acquire new names when you remove and then re-add them to the document. 38901 5 darin 2006-12-30 12:50:50 -0800 (In reply to comment #4) > The only problem is this comment: "Create a repeatable name." Why does the name > need to be repeatable? What does repeatable mean? Using a global count would > give a frame a new name if you removed and then re-added it to the document. So > I don't think that would be "repeatable." My understanding was that the name of the frame needs to be the same for the same page the next time the page is loaded. Something about back/forward perhaps? 2894 6 brettw 2007-08-07 11:31:09 -0700 *** Bug 14895 has been marked as a duplicate of this bug. *** 2895 7 brettw 2007-08-07 11:49:55 -0700 This bug is causing some crashes for me, and is showing up in the topcrash list for my embedding application. Should it be P1? The crash is in EventHandler::passWheelEventToWidget (and presumably other input events) when you use the scroll wheel over certain iframes (seems to depend on timing, can can be hard to reproduce) because the widget for the RenderWidget is NULL. The widget is normally set when the load is committed for the frame, which of course requires that the load be started. The load is started from the redirect timer in the FrameLoader. What happens is that frame 1 comes in and sets the redirect timer to start the load. Other stuff happens, frames get deleted, etc. to cause the name to be the same (this is where the timing sutff comes in). Frame 2 then gets created and happens to get the same "unique" child name as Frame 1. In FrameLoader::requestFrame, we now get the *old* frame in |frame|, cancel the old (correct) load, and start loading the new frame's URL in it. Frame 2 is never initialized, leading to a crash. 2824 8 brettw 2007-08-08 09:05:25 -0700 Actually, it looks like this crash doesn't happen in Safari since the Mac Event handling code filters out sending messages to anything with a NULL widget. However, this still causes frames to not be loaded, as in the example. There could be other subtle bugs and crashes caused by the uninitialized frame, as well as, of course, the missing content. 2762 9 ddkilzer 2007-08-09 07:05:01 -0700 (In reply to comment #8) > Actually, it looks like this crash doesn't happen in Safari since the Mac Event > handling code filters out sending messages to anything with a NULL widget. > However, this still causes frames to not be loaded, as in the example. There > could be other subtle bugs and crashes caused by the uninitialized frame, as > well as, of course, the missing content. How is it crashing in your application but not in Safari? Are you using WebKit in your application? A (partial) stack trace of the issue would be helpful. 7224 2006-03-21 20:26:51 -0800 2006-12-22 23:12:15 -0800 testcase iframe-test.html text/html 674 justin.garcia CjxzY3JpcHQ+CmZ1bmN0aW9uIHJ1blRlc3QoKSB7CiAgICB2YXIgZnJhbWVzID0gZG9jdW1lbnQu Z2V0RWxlbWVudHNCeVRhZ05hbWUoImlmcmFtZSIpOwogICAgdmFyIGZyYW1lID0gZnJhbWVzWzBd OwogICAgdmFyIHBhcmVudCA9IGZyYW1lLnBhcmVudE5vZGU7CiAgICAKICAgIHBhcmVudC5yZW1v dmVDaGlsZChmcmFtZSk7CiAgICBwYXJlbnQuYXBwZW5kQ2hpbGQoZnJhbWUpOwogICAgCn0KPC9z Y3JpcHQ+Cgo8Ym9keT4KVGhpcyB0ZXN0IGNyZWF0ZXMgdHdvIHVubmFtZWQgZnJhbWVzLCB0aGVu IHJlbW92ZXMgdGhlIGZpcnN0IG9uZSBhbmQgcmVpbnNlcnRzIGl0LiAgVGhlIG5hbWUgZ2VuZXJh dGVkIGZvciB0aGF0IGZyYW1lIHdoZW4gaXQgaXMgcmVpbnNlcnRlZCBpcyB0aGUgc2FtZSBhcyB0 aGUgZnJhbWUgdGhhdCBpcyBhbHJlYWR5IGluIHRoZSBkb2N1bWVudC4gIEFzIGEgcmVzdWx0IG9m IHRoZSBjb2xsaXNpb24sIHRoZSBpbnNlcnRlZCBmcmFtZSBpc24ndCBjb25zdHJ1Y3RlZC48YnI+ PGJyPjxicj4KPGlmcmFtZSBzcmM9Imh0dHA6Ly93d3cuZ29vZ2xlLmNvbS90YWxrLyI+PC9pZnJh bWU+CjxpZnJhbWUgc3JjPSJodHRwOi8vd3d3Lmdvb2dsZS5jb20vaW50bC9lbi9hYm91dC5odG1s Ij48L2lmcmFtZT4KPHNjcmlwdD5ydW5UZXN0KCk7PC9zY3JpcHQ+CjwvYm9keT4= 11979 2006-12-22 23:12:15 -0800 2006-12-22 23:12:15 -0800 reduction1 scratch.html text/html 338 ggaren PGRpdj5Zb3Ugc2hvdWxkIHNlZSB0d28gImhlbGxvIHdvcmxkcyIgYmVsb3cuPC9kaXY+Cjxocj4K CjxpZnJhbWUgc3JjPSJkYXRhOnRleHQvaHRtbCwgPHA+aGVsbG8gd29ybGQ8L3A+Ij48L2lmcmFt ZT4KPGlmcmFtZSBzcmM9ImRhdGE6dGV4dC9odG1sLCA8cD5oZWxsbyB3b3JsZDwvcD4iPjwvaWZy YW1lPgoKPHNjcmlwdD4KdmFyIGZyYW1lID0gZG9jdW1lbnQuZ2V0RWxlbWVudHNCeVRhZ05hbWUo J2lmcmFtZScpWzBdOwp2YXIgcGFyZW50ID0gZnJhbWUucGFyZW50Tm9kZTsKCnBhcmVudC5yZW1v dmVDaGlsZChmcmFtZSk7CnBhcmVudC5hcHBlbmRDaGlsZChmcmFtZSk7Cjwvc2NyaXB0Pgo= 11980 2006-12-22 23:12:59 -0800 2006-12-22 23:12:59 -0800 reduction2 scratch2.html text/html 442 ggaren PGRpdj5Zb3Ugc2hvdWxkIHNlZSB0d28gImhlbGxvIHdvcmxkcyIgYmVsb3cuPC9kaXY+Cjxocj4K CjxpZnJhbWUgc3JjPSJkYXRhOnRleHQvaHRtbCwgPHA+aGVsbG8gd29ybGQ8L3A+Ij48L2lmcmFt ZT4KPGlmcmFtZSBzcmM9ImRhdGE6dGV4dC9odG1sLCA8cD5oZWxsbyB3b3JsZDwvcD4iPjwvaWZy YW1lPgoKPHNjcmlwdD4KdmFyIGZyYW1lID0gZG9jdW1lbnQuZ2V0RWxlbWVudHNCeVRhZ05hbWUo J2lmcmFtZScpWzBdOwp2YXIgcGFyZW50ID0gZnJhbWUucGFyZW50Tm9kZTsKCnBhcmVudC5yZW1v dmVDaGlsZChmcmFtZSk7Cgp2YXIgbmV3RnJhbWUgPSBkb2N1bWVudC5jcmVhdGVFbGVtZW50KCdp ZnJhbWUnKTsKbmV3RnJhbWUuc3JjPSJkYXRhOnRleHQvaHRtbCwgPHA+aGVsbG8gd29ybGQ8L3A+ IjsKcGFyZW50LmFwcGVuZENoaWxkKG5ld0ZyYW1lKTsKPC9zY3JpcHQ+Cg==