Bug 50200

Summary: Crash when iframe transfers from one page to another and has child frames.
Product: WebKit
Reporter: Dmitry Titov <dimich>
Component: WebCore Misc.
Assignee: Dmitry Titov <dimich>
Status: ASSIGNED
Severity: Normal
CC: dbates, jennb, levin
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All
Attachments: Patch. (flags: none)

Description Dmitry Titov 2010-11-29 18:41:24 PST
The crash happens due to lack of FrameLoaderClient updates for children of the Frame that was transferred from one page to another. This leaves the children of the transferred Frame using the clients associated with the old Page, and once that one goes away and some GC'ing happens, the operations requiring FrameLoaderClient can cause a crash.

The code avoids unnecessary updates by accumulating a 'didTransfer' bool. The change http://trac.webkit.org/changeset/71962 introduced code that overrides the boolean rather than accumulates the result.

Patch is coming shortly. I can't figure out a simple test for this, but I'm still working on it. I want to put the fix through before I can do the test since the crash blocks other developers at the moment.
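The accumulate-versus-override distinction in the description is easy to get wrong in any tree walk that uses a "did anything change?" flag to gate follow-up work. The following is an added example, not WebKit's code and not the patch attached to this bug: a hypothetical toy model in which each Page owns a LoaderClient, every Frame keeps a raw pointer to its page's client, and child frames are repointed only when the transfer loop reports that something moved. All names (LoaderClient, Page, Frame, moveFrame, repointChildren, transferFrames, countStale, staleAfterTransfer) are invented for the illustration. With the overriding flag, a frame at the end of the list that was already on the new page hides an earlier frame that did move, so the earlier frame's children keep a pointer into the old page; that is exactly the kind of stale-client state that turns into a use-after-free once the old page is destroyed.

```cpp
#include <cstddef>
#include <vector>

// Hypothetical toy model (added example, not WebKit's code): each Page owns a
// LoaderClient; every Frame holds a raw pointer to the client of the Page it
// lives on. When a frame moves to another page, its whole subtree must be
// repointed, or the subtree keeps a pointer into the old page and dangles
// once that page is destroyed.
struct LoaderClient { int pageId; };
struct Page { LoaderClient client; };

struct Frame {
    const LoaderClient* client = nullptr;
    std::vector<Frame*> children;
};

// Move a single frame to `to`; true only if it was not already there.
static bool moveFrame(Frame& f, Page& to)
{
    if (f.client == &to.client)
        return false;
    f.client = &to.client;
    return true;
}

// Repoint every descendant of `f` (the work the "did anything move?" flag gates).
static void repointChildren(Frame& f, Page& to)
{
    for (Frame* child : f.children) {
        child->client = &to.client;
        repointChildren(*child, to);
    }
}

// Transfer a list of top-level frames to `to`. The child fix-up is skipped
// when nothing moved. `accumulate == false` reproduces the regression class
// described in the bug: each iteration overwrites the flag instead of OR-ing
// into it, so a final frame that did not move hides earlier ones that did.
bool transferFrames(std::vector<Frame*>& frames, Page& to, bool accumulate)
{
    bool didTransfer = false;
    for (Frame* f : frames) {
        bool moved = moveFrame(*f, to);
        didTransfer = accumulate ? (didTransfer || moved) : moved;
    }
    if (didTransfer) {
        for (Frame* f : frames)
            repointChildren(*f, to);
    }
    return didTransfer;
}

// Count frames in the tree whose client does not belong to `page`; any non-zero
// count after a transfer is a latent dangling-pointer bug.
std::size_t countStale(const Frame& f, const Page& page)
{
    std::size_t n = (f.client != &page.client) ? 1 : 0;
    for (const Frame* child : f.children)
        n += countStale(*child, page);
    return n;
}

// Constructed scenario: frame A (with one child) still on the old page,
// frame B already on the new page; then transfer [A, B] to the new page.
std::size_t staleAfterTransfer(bool accumulate)
{
    Page oldPage{{1}}, newPage{{2}};
    Frame a, aChild, b;
    a.client = &oldPage.client;
    aChild.client = &oldPage.client;
    a.children.push_back(&aChild);
    b.client = &newPage.client;

    std::vector<Frame*> frames{&a, &b};
    transferFrames(frames, newPage, accumulate);
    return countStale(a, newPage) + countStale(b, newPage);
}

int main()
{
    // Override semantics leaves A's child pointing at the old page (1 stale
    // frame); accumulate semantics leaves none. Exit status 0 means both hold.
    return (staleAfterTransfer(false) == 1 && staleAfterTransfer(true) == 0) ? 0 : 1;
}
```

The check that matters for a reviewer is the one countStale performs: after any cross-page move, walk the moved subtree and confirm no frame still references the old page's client. In the toy the stale frame is merely counted; in the real engine it is the pointer that gets dereferenced after the old page is gone.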
Comment 1 Dmitry Titov 2010-11-29 18:44:54 PST
Created attachment 75098 [details]
Patch.
Comment 2 David Levin 2010-11-29 18:48:58 PST
OK, but I'm expecting a test soon!
Comment 3 Dmitry Titov 2010-11-29 19:10:16 PST
Landed: http://trac.webkit.org/changeset/72863
Comment 4 Dmitry Titov 2010-11-29 19:10:53 PST
Still working on a test so keeping bug open.
Comment 5 Eric Seidel (no email) 2010-12-14 01:31:07 PST
Comment on attachment 75098 [details]
Patch.

Any updates?  Obsoleting this patch since it was landed.
Comment 6 Eric Seidel (no email) 2010-12-14 15:22:20 PST
Comment on attachment 75098 [details]
Patch.

Cleared David Levin's review+ from obsolete attachment 75098 [details] so that this bug does not appear in http://webkit.org/pending-commit.