Bug 15707

Summary: Crash when manipulating document from within an iframe onload function
Product: WebKit Reporter: Alexey Proskuryakov <ap>
Component: FramesAssignee: Alexey Proskuryakov <ap>
Status: RESOLVED FIXED    
Severity: Normal CC: eric
Priority: P1 Keywords: InRadar
Version: 523.x (Safari 3)   
Hardware: Mac   
OS: OS X 10.4   
Bug Depends on:    
Bug Blocks: 15690    
Attachments:
Description Flags
test case
none
proposed fix darin: review+

Alexey Proskuryakov
Reported 2007-10-26 02:14:11 PDT
Several W3C DOM tests would crash for us if not masked by another bug. Reduction forthcoming.
Attachments
test case (2.92 KB, application/zip)
2007-10-26 02:14 PDT, Alexey Proskuryakov 		no flags
Details
proposed fix (4.82 KB, patch)
2009-02-18 09:53 PST, Alexey Proskuryakov 		darin: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2007-10-26 02:14:42 PDT
Created attachment 16875 [details] test case
Alexey Proskuryakov
Comment 2 2007-10-26 04:27:18 PDT
Here's what is going on: 1) There are two subframes, each calls parent.open() from its onload handler. 2) As the first subframe loads and open()s its parent, the parent is destroyed, and calls willRemove() on the second frame. 3) The second frame stops loading, dispatches onload and thus calls parent.open() again! Naturally, Document::open() causes havoc when entered recursively.
David Kilzer (:ddkilzer)
Comment 3 2007-11-15 09:15:30 PST
<rdar://problem/5602310>
Alexey Proskuryakov
Comment 4 2009-02-18 09:53:59 PST
Created attachment 27751 [details] proposed fix
Alexey Proskuryakov
Comment 5 2009-02-18 10:06:31 PST
*** Bug 18803 has been marked as a duplicate of this bug. ***
Darin Adler
Comment 6 2009-02-22 23:34:50 PST
Comment on attachment 27751 [details] proposed fix r=me Will this have any performance impact? I am not too happy about "protect". I always hate those. Could we scope the "n" variable better? Instead of this: for (n = m_firstChild; n; n = n->nextSibling()) we could do this: for (RefPtr<Node> n = m_firstChild; n; n = n->nextSibling()) Instead of this: while ((n = m_firstChild) != 0) { we could do this: while (RefPtr<Node> n = m_firstChild) { I think this would give slightly smaller/faster code because construction doesn't have to check the old value for 0.
Eric Seidel (no email)
Comment 7 2009-02-22 23:37:19 PST
I could have sworn we filed (and possibly fixed a) dupe of this for Chromium...? At least this bug sounds very familiar to me.
Alexey Proskuryakov
Comment 8 2009-02-23 01:04:36 PST
Committed <http://trac.webkit.org/changeset/41133>. > At least this bug sounds very familiar to me. See comment 5 :-)
Alexey Proskuryakov
Comment 9 2009-02-23 01:11:47 PST
> Committed <http://trac.webkit.org/changeset/41133>. And <http://trac.webkit.org/changeset/41134>.
Note You need to log in before you can comment on or make changes to this bug.