| Summary: | CRASH doing open() on destroyed window | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Eric Roman <eroman> | ||||||||||
| Component: | Page Loading | Assignee: | Nobody <webkit-unassigned> | ||||||||||
| Status: | RESOLVED FIXED | ||||||||||||
| Severity: | Normal | CC: | jchaffraix | ||||||||||
| Priority: | P1 | Keywords: | InRadar | ||||||||||
| Version: | 528+ (Nightly build) | ||||||||||||
| Hardware: | All | ||||||||||||
| OS: | All | ||||||||||||
| Attachments: |
|
||||||||||||
|
Description
Eric Roman
2008-06-16 10:18:59 PDT
Created attachment 21730 [details]
Reproducible test case for crash -- click the button
Created attachment 21731 [details] Crash dump from running the above test on nightly webkit r34581 This is not a new crash. Using bisect-builds, I was able to reproduce this all the way back to r29753, the beginning of builds available to the tool. Created attachment 22415 [details]
Proposed fix: add null check
Comment on attachment 22415 [details]
Proposed fix: add null check
Why shouldn't you just use "top()" here? It seems "top()" wouldn't crash.
Seems like the end of the function doesn't check against null pages either... so that will need to be fixed and a test case added too.
Created attachment 22432 [details] Updated version: use top() and cover the other crash pointed by Eric > Why shouldn't you just use "top()" here? It seems "top()" wouldn't crash. top() is indeed fine. > Seems like the end of the function doesn't check against null pages either... > so that will need to be fixed and a test case added too. True, I have fixed that too including a layout test. Comment on attachment 22432 [details]
Updated version: use top() and cover the other crash pointed by Eric
Looks fine, but:
if (page) {
184 for (Frame* frame = page
should change to be an early return:
if (!page)
return 0;
Updated with Eric's comment and landed in r35321. |