Bug 144597

Summary: Crash at com.apple.WebKit.WebContent at com.apple.WebCore: WebCore::createWindow + 185
Product: WebKit
Reporter: Chris Dumez <cdumez>
Component: DOM
Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED
Severity: Normal
CC: ap, barraclough, commit-queue, japhet, kling, koivisto
Priority: P1
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments:
    Patch (Flags: none)

Description Chris Dumez 2015-05-04 14:46:17 PDT
Crash at com.apple.WebKit.WebContent at com.apple.WebCore: WebCore::createWindow + 185:
Thread[0] EXC_BAD_ACCESS (SIGSEGV) (KERN_INVALID_ADDRESS at 0x00000000000002e0)
[  0] 0x000000010c685d79 WebCore`WebCore::createWindow(WebCore::Frame*, WebCore::Frame*, WebCore::FrameLoadRequest const&, WebCore::WindowFeatures const&, bool&) [inlined] WTF::RefPtr<WebCore::Document>::get() const at RefPtr.h:57

     0x000000010c685d62:     leaq -0x1b8(%rbp), %rdi
     0x000000010c685d69:    callq 0xed016e             ; symbol stub for: WTF::AtomicString::addSlowCase(WTF::StringImpl&)
     0x000000010c685d6e:     movq -0x1b8(%rbp), %rsi
     0x000000010c685d75:     movq %rsi, -0x38(%rbp)
 ->  0x000000010c685d79:     movq 0x2e0(%r12), %rbx
     0x000000010c685d81:     movq 0x90(%r15), %rdi
     0x000000010c685d88:     addq $0x40, %rdi
     0x000000010c685d8c:     leaq -0x38(%rbp), %rsi
     0x000000010c685d90:    callq 0x1a1ea0             ; WebCore::FrameTree::find at FrameTree.cpp:268

[  0] 0x000000010c685d79 WebCore`WebCore::createWindow(WebCore::Frame*, WebCore::Frame*, WebCore::FrameLoadRequest const&, WebCore::WindowFeatures const&, bool&) [inlined] WebCore::Frame::document() const at Frame.h:347
       343 	    }
       344 	
       345 	    inline Document* Frame::document() const
       346 	    {
    -> 347 	        return m_doc.get();
       348 	    }
       349 	
       350 	    inline FrameSelection& Frame::selection() const
       351 	    {
    
[  0] 0x000000010c685d79 WebCore`WebCore::createWindow(WebCore::Frame*, WebCore::Frame*, WebCore::FrameLoadRequest const&, WebCore::WindowFeatures const&, bool&) + 185 at FrameLoader.cpp:3445
       3441	
       3442	    created = false;
       3443	
       3444	    if (!request.frameName().isEmpty() && request.frameName() != "_blank") {
    -> 3445	        if (RefPtr<Frame> frame = lookupFrame->loader().findFrameForNavigation(request.frameName(), openerFrame->document())) {
       3446	            if (request.frameName() != "_self") {
       3447	                if (Page* page = frame->page())
       3448	                    page->chrome().focus();
       3449	            }
    
[  1] 0x000000010c850621 WebCore`WebCore::DOMWindow::createWindow(WTF::String const&, WTF::AtomicString const&, WebCore::WindowFeatures const&, WebCore::DOMWindow&, WebCore::Frame*, WebCore::Frame*, std::__1::function<void (WebCore::DOMWindow&)>) + 1457 at DOMWindow.cpp:2100
       2096	
       2097	    // We pass the opener frame for the lookupFrame in case the active frame is different from
       2098	    // the opener frame, and the name references a frame relative to the opener frame.
       2099	    bool created;
    -> 2100	    RefPtr<Frame> newFrame = WebCore::createWindow(activeFrame, openerFrame, frameRequest, windowFeatures, created);
       2101	    if (!newFrame)
       2102	        return 0;
       2103	
       2104	    newFrame->loader().setOpener(openerFrame);
    
[  2] 0x000000010c850d0e WebCore`WebCore::DOMWindow::open(WTF::String const&, WTF::AtomicString const&, WTF::String const&, WebCore::DOMWindow&, WebCore::DOMWindow&) + 702 at DOMWindow.cpp:2178
[  3] 0x000000010c68553a WebCore`WebCore::JSDOMWindow::open(JSC::ExecState*) + 458 at JSDOMWindowCustom.cpp:487
[  4] 0x000000010c685352 WebCore`WebCore::jsDOMWindowPrototypeFunctionOpen(JSC::ExecState*) + 178 at JSDOMWindow.cpp:21707
[  5] 0x00005fbb35801034 0 + 105257661108276
[  6] 0x000000010c0c573d JavaScriptCore`llint_entry + 22743
[  7] 0x000000010c0c573d JavaScriptCore`llint_entry + 22743
[  8] 0x000000010c0bfc40 JavaScriptCore`callToJavaScript + 310
[  9] 0x000000010c044fa2 JavaScriptCore`JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 34 at JITCode.cpp:47
[ 10] 0x000000010bd07fcd JavaScriptCore`JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 461 at Interpreter.cpp:1000
[ 11] 0x000000010bedea5e JavaScriptCore`JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, JSC::JSValue*) [inlined] JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 35 at CallData.cpp:39
[ 11] 0x000000010bedea3b JavaScriptCore`JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, JSC::JSValue*) + 27 at CallData.cpp:44
[ 12] 0x000000010c48c4c7 WebCore`WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) [inlined] JSC::ArgList::ArgList(JSC::MarkedArgumentBuffer const&) + 93 at JSMainThreadExecState.h:56
[ 12] 0x000000010c48c46a WebCore`WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 858 at JSEventListener.cpp:127
[ 13] 0x000000010c48bf83 WebCore`WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul, WTF::CrashOnOverflow>&) + 691 at EventTarget.cpp:246
[ 14] 0x000000010c360646 WebCore`WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 166 at EventTarget.cpp:197
[ 15] 0x000000010c888b7d WebCore`WebCore::MouseOrFocusEventContext::handleLocalEvents(WebCore::Event&) const [inlined] WebCore::EventContext::handleLocalEvents(WebCore::Event&) const + 69 at EventContext.cpp:54
[ 15] 0x000000010c888b38 WebCore`WebCore::MouseOrFocusEventContext::handleLocalEvents(WebCore::Event&) const + 120 at EventContext.cpp:86
[ 16] 0x000000010c8890e4 WebCore`WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WTF::PassRefPtr<WebCore::Event>) [inlined] WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&, WebCore::WindowEventContext&) + 375 at EventDispatcher.cpp:319
[ 16] 0x000000010c888f6d WebCore`WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WTF::PassRefPtr<WebCore::Event>) + 685 at EventDispatcher.cpp:363
[ 17] 0x000000010c36045c WebCore`WebCore::Node::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) + 28 at Node.cpp:2017
[ 18] 0x000000010c87fdca WebCore`WebCore::Element::dispatchMouseEvent(WebCore::PlatformMouseEvent const&, WTF::AtomicString const&, int, WebCore::Element*) + 266 at Element.cpp:238
[ 19] 0x000000010c503636 WebCore`WebCore::EventHandler::dispatchMouseEvent(WTF::AtomicString const&, WebCore::Node*, bool, int, WebCore::PlatformMouseEvent const&, bool) + 118 at EventHandler.cpp:2451
[ 20] 0x000000010c50b5d1 WebCore`WebCore::EventHandler::handleMouseReleaseEvent(WebCore::PlatformMouseEvent const&) + 1073 at EventHandler.cpp:1963
[ 21] 0x000000010b4f5467 WebKit`WebKit::handleMouseEvent(WebKit::WebMouseEvent const&, WebKit::WebPage*, bool) + 102 at WebPage.cpp:1852
[ 22] 0x000000010b4f53c6 WebKit`WebKit::WebPage::mouseEvent(WebKit::WebMouseEvent const&) + 182 at WebPage.cpp:1894
[ 23] 0x000000010b67aa76 WebKit`void IPC::handleMessage<Messages::WebPage::MouseEvent, WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::WebMouseEvent const&)>(IPC::MessageDecoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::WebMouseEvent const&)) [inlined] void IPC::callMemberFunctionImpl<WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::WebMouseEvent const&), std::__1::tuple<WebKit::WebMouseEvent>, 0ul>(WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::WebMouseEvent const&), std::__1::tuple<WebKit::WebMouseEvent>&&, std::index_sequence<0ul>) + 27 at HandleMessage.h:16

Radar: <rdar://problem/20361579>
Comment 1 Chris Dumez 2015-05-04 15:01:52 PDT
Created attachment 252335 [details]
Patch
Comment 2 Andreas Kling 2015-05-04 16:58:05 PDT
Comment on attachment 252335 [details]
Patch

r=me. Nice test :)
Comment 3 Chris Dumez 2015-05-04 16:59:49 PDT
Comment on attachment 252335 [details]
Patch

Clearing flags on attachment: 252335

Committed r183781: <http://trac.webkit.org/changeset/183781>
Comment 4 Chris Dumez 2015-05-04 16:59:54 PDT
All reviewed patches have been landed.  Closing bug.