Bug 23806

Summary: Night builds crash when visiting http://www.spawn.com/toys/media.aspx
Product: WebKit Reporter: David Levin <levin>
Component: Page LoadingAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: dglazkov, levin
Priority: P1 Keywords: Regression
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
URL: http://www.spawn.com/toys/media.aspx
Attachments:
Description Flags
crash stack traces
none
Crash reduction.
none
fix embed with empty src attribute crash, v1
hyatt: review+
Another stack trace. none

David Levin
Reported 2009-02-06 16:03:26 PST
This is related to the loader and started occurring due to some change in the range 40539:40668.
Attachments
crash stack traces (32.37 KB, text/plain)
2009-02-07 22:38 PST, David Levin 		no flags
Details
Crash reduction. (92 bytes, text/html)
2009-02-08 10:20 PST, Dimitri Glazkov (Google) 		no flags
Details
fix embed with empty src attribute crash, v1 (3.28 KB, patch)
2009-02-09 11:39 PST, Dimitri Glazkov (Google) 		hyatt: review+
DetailsFormatted DiffDiff
Another stack trace. (37.17 KB, text/plain)
2009-02-09 11:58 PST, Dimitri Glazkov (Google) 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2009-02-07 04:13:40 PST
Is this a duplicate of bug 23736? Are stack traces the same?
David Levin
Comment 2 2009-02-07 22:38:41 PST
Created attachment 27459 [details] crash stack traces It looks like different stack traces to me.
David Levin
Comment 3 2009-02-07 22:45:01 PST
fwiw, rahulk@chromium.org emailed me on Friday that he thinks he knows where the fix needs to be.
Dimitri Glazkov (Google)
Comment 4 2009-02-08 08:39:52 PST
The issue occurs because there's a malformed embed tag on the page: it has an empty src attribute and a non-empty type attrubite. I'll look into this on Monday.
Dimitri Glazkov (Google)
Comment 5 2009-02-08 10:20:29 PST
Created attachment 27467 [details] Crash reduction. Here's the reduction. I have a simple fix, but really would dig deeper to figure out where the regression occurred -- and possibly have a more accurate fix.
Dimitri Glazkov (Google)
Comment 6 2009-02-09 11:39:20 PST
Created attachment 27489 [details] fix embed with empty src attribute crash, v1 LayoutTests/ChangeLog | 11 +++++++++++ .../loader/empty-embed-src-attribute-expected.txt | 7 +++++++ .../fast/loader/empty-embed-src-attribute.html | 14 ++++++++++++++ WebCore/ChangeLog | 14 ++++++++++++++ WebCore/loader/FrameLoader.cpp | 2 +- 5 files changed, 47 insertions(+), 1 deletions(-)
Dave Hyatt
Comment 7 2009-02-09 11:56:07 PST
Comment on attachment 27489 [details] fix embed with empty src attribute crash, v1 I don't think this is right, since an empty URL is not in the HTTP/S family and so should not add in HTTP fields. Why is the early return causing a crash? What does the stack look like?
Dimitri Glazkov (Google)
Comment 8 2009-02-09 11:58:22 PST
Created attachment 27490 [details] Another stack trace. Here is another stack trace, from the reduction.
Dave Hyatt
Comment 9 2009-02-09 12:32:06 PST
It seems to me that requestObject just shouldn't even be called on an empty URL, but I'm not a networking expert. Somehow having the mainDocumentURL set on the ResourceRequest caused the eventual ResourceRequest to have a non-null URL, but that doesn't seem right to me. I think patching RenderPartObject and then adding an assert !url.isEmpty() to requestObject may be the way to go here.
Dave Hyatt
Comment 10 2009-02-09 12:32:25 PST
(Or even just making requestObject bail if the URL is empty.)
Dave Hyatt
Comment 11 2009-02-09 12:36:29 PST
It looks like loads are deliberately allowed for empty URLs if the MIME type is set. Maybe we're wanting to load about:blank for HTML MIME types?
Dave Hyatt
Comment 12 2009-02-09 12:54:46 PST
Comment on attachment 27489 [details] fix embed with empty src attribute crash, v1 Just going to + this for now, since I can't see any better way to fix it. I think URL just gets coincidentally set to non-null from updateResourceRequest. That's private in platform though so FrameLoader can't be made a friend. We basically need some random operation to be done on the resource request like setting the main document URL to force an update to happen. This all seems really fragile and wrong, but oh well. r=me
Dimitri Glazkov (Google)
Comment 13 2009-02-09 13:11:08 PST
Landed as http://trac.webkit.org/changeset/40792.
Note You need to log in before you can comment on or make changes to this bug.