Bug 50200

Summary: Crash when iframe transfers from one page to another and has child frames.
Product: WebKit Reporter: Dmitry Titov <dimich>
Component: WebCore Misc.Assignee: Dmitry Titov <dimich>
Status: ASSIGNED    
Severity: Normal CC: dbates, jennb, levin
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Attachments:
Description Flags
Patch. none

Dmitry Titov
Reported 2010-11-29 18:41:24 PST
The crash happens due to lack of FrameLoaderClient updates for children of the Frame that was transferred from one page to another. This leaves the children of transferred Frame using the clients associated with the old Page, and once that one goes away and some GC'ing happens, the operations requiring FrameLoaderClient can cause crash. The code avoids unnecessary updates by accumulating 'didTransfer' bool. The change http://trac.webkit.org/changeset/71962 introduced code that overrides the boolean rather then accumulates the result. Patch is coming shortly. I can't figure out simple test for this, but I'm still working on it. Want to put the fix through before I can do the test since the crash blocks other developers at the moment.
Attachments
Patch. (1.13 KB, patch)
2010-11-29 18:44 PST, Dmitry Titov 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Dmitry Titov
Comment 1 2010-11-29 18:44:54 PST
Created attachment 75098 [details] Patch.
David Levin
Comment 2 2010-11-29 18:48:58 PST
OK, but I'm expecting a test soon!
Dmitry Titov
Comment 3 2010-11-29 19:10:16 PST
Landed: http://trac.webkit.org/changeset/72863
Dmitry Titov
Comment 4 2010-11-29 19:10:53 PST
Still working on a test so keeping bug open.
Eric Seidel (no email)
Comment 5 2010-12-14 01:31:07 PST
Comment on attachment 75098 [details] Patch. Any updates? Obsoleting this patch since it was landed.
Eric Seidel (no email)
Comment 6 2010-12-14 15:22:20 PST
Comment on attachment 75098 [details] Patch. Cleared David Levin's review+ from obsolete attachment 75098 [details] so that this bug does not appear in http://webkit.org/pending-commit.
Note You need to log in before you can comment on or make changes to this bug.