Bug 16866

Summary:	fast/frames/frame-name-reset.html crashes Windows XP
Product:	WebKit	Reporter:	mitz
Component:	New Bugs	Assignee:	Nobody <webkit-unassigned>
Status:	RESOLVED INVALID
Severity:	Normal	CC:	alice.barraclough, aroben
Priority:	P2	Keywords:	InRadar, LayoutTestFailure
Version:	528+ (Nightly build)
Hardware:	PC
OS:	Windows XP
URL:	http://build.webkit.org/builders/trunk-win-release/builds/6984

mitz

Reported 2008-01-13 16:50:01 PST

fast/frames/frame-name-reset.html crashes on my Windows XP machine and on a build bot running Windows XP (see URL). When run in the debugger, the test outputs the ALERT message, then hangs for a while under CFNetwork code, then appears to crash due to memory corruption.

Attachments
Add attachment proposed patch, testcase, etc.

mitz

Comment 1 2008-01-13 16:57:14 PST

<http://build.webkit.org/builders/trunk-win-release/builds/6954> (@r29409) is the earliest run with this crash, because earlier runs crashed in an earlier test.

mitz

Comment 2 2008-01-13 19:39:21 PST

My untested theory of the day is that calling CFURLConnectionResume on a connection during one of that connection's callbacks results in the connection being over-released due to a bug in CFURLConnection. (In the test case, alert() is called under the data: URL's CFURLConnection's callback, and the chrome uses a PageGroupLoadDeferrer around the alert, which calls CFURLConnectionHalt and CFURLConnectionResume on the data: URL connection).

mitz

Comment 3 2008-01-13 19:41:24 PST

<rdar://problem/5686091>

mitz

Comment 4 2008-01-13 21:10:05 PST

(In reply to comment #2) > (In the test case, alert() > is called under the data: URL's CFURLConnection's callback I was wrong. It is called under the test's URL's (file:///cygwin/...) callback, so it is not immediately clear how the data: URL is involved. The file: URL connection is also halted and resumed, but that is expected to happen in any test that calls alert() before it is finished loading.

mitz

Comment 5 2008-01-13 21:49:12 PST

To test my theory, I added a CFRetain(d->m_connection.get()) in the !defers case of ResourceHandle::setDefersLoading(). After doing that, I could not reproduce the crash. I am not sure that the problem is over-releasing, though. It might be simply that there are still messages posted for the CFURLConnection on the queue when it is deallocated.

Adam Roben (:aroben)

Comment 6 2008-01-14 05:53:22 PST

This reminds me of a crash that Alice was working on -- maybe she can shed some more light?

mitz

Comment 7 2008-01-14 10:45:30 PST

The problem is most probably in a non-WebKit component.

Note You need to log in before you can comment on or make changes to this bug.