Bug 13792 - REGRESSION: WebKit doesn't show this javascript screenshot page (and crashes after click on its "hidden link")
Status: RESOLVED FIXED
Product: WebKit
Component: New Bugs
Version: 528+ (Nightly build)
Hardware/OS: Macintosh Mac OS X 10.5
Priority/Severity: P1 Major
Assigned To:
URL: http://transmission.m0k.org/screensho...
Keywords: NeedsRadar, NeedsReduction, Regression
Reported: 2007-05-20 21:14 PST by
Modified: 2011-01-12 00:34 PST (History)


Attachments
Reduction for the crash. Will crash the next time you open a document (498 bytes, text/html), 2007-05-24 01:33 PST, mitz@webkit.org
Simpler reduction for the crash (655 bytes, text/html), 2007-05-24 14:56 PST, mitz@webkit.org
Fix for the crash (5.60 KB, patch), 2007-05-26 01:53 PST, mitz@webkit.org
Fix for the crash (9.65 KB, patch), 2007-05-26 09:23 PST, mitz@webkit.org


Description From 2007-05-20 21:14:14 PST
Go to http://transmission.m0k.org and click on "Screenshots", or go directly to the above URL. In Camino it shows a javascript screenshot page that tells you to click to close the window... in WebKit the page is not rendered, and when you click on the supposed hidden link WebKit just crashes.
------- Comment #1 From 2007-05-20 23:19:07 PST -------
This is a regression from Safari 2.0.4.

Backtrace:
#0  0x015e894c in WebCore::DeprecatedString::isEmpty (this=0x9c44c) at DeprecatedString.h:495
#1  0x01102a34 in WebCore::Document::completeURL (this=0x9c400, URL=@0xbfffd9b4) at /WebKit/WebCore/dom/Document.cpp:2619
#2  0x0147b43c in WebCore::HTMLFrameElementBase::isURLAllowed (this=0x7f853b0, URLString=@0x7f85420) at /WebKit/WebCore/html/HTMLFrameElementBase.cpp:63
#3  0x0147c280 in WebCore::HTMLFrameElementBase::openURL (this=0x7f853b0) at /WebKit/WebCore/html/HTMLFrameElementBase.cpp:96
#4  0x0147c998 in WebCore::HTMLFrameElementBase::openURLCallback (n=0x7f853b0) at /WebKit/WebCore/html/HTMLFrameElementBase.cpp:157
#5  0x011184f8 in WebCore::ContainerNode::attach (this=0x2937600) at /WebKit/WebCore/dom/ContainerNode.cpp:605
#6  0x011008d8 in WebCore::Document::attach (this=0x2937600) at /WebKit/WebCore/dom/Document.cpp:1101
#7  0x010f06ec in WebCore::Frame::setDocument (this=0x7cb8760, newDoc=@0xbfffde74) at /WebKit/WebCore/page/Frame.cpp:276
#8  0x01497000 in WebCore::FrameLoader::begin (this=0x29ab800, url=@0x29ab9d8) at /WebKit/WebCore/loader/FrameLoader.cpp:860
#9  0x0149731c in WebCore::FrameLoader::receivedFirstData (this=0x29ab800) at /WebKit/WebCore/loader/FrameLoader.cpp:803
#10 0x01497578 in WebCore::FrameLoader::setEncoding (this=0x29ab800, name=@0xbfffe1c4, userChosen=false) at /WebKit/WebCore/loader/FrameLoader.cpp:1583
#11 0x0111ebf8 in -[WebCoreFrameBridge receivedData:textEncodingName:] (self=0x74a90f0, _cmd=0x90aa9a94, data=0x7979c60, textEncodingName=0x7993ad0) at /WebKit/WebCore/page/mac/WebCoreFrameBridge.mm:1426
#12 0x00343b8c in -[WebHTMLRepresentation receivedData:withDataSource:] (self=0x7719c40, _cmd=0x90aa9ab4, data=0x7979c60, dataSource=0x7c59400) at /WebKit/WebKit/WebView/WebHTMLRepresentation.mm:173
#13 0x0033cbc8 in -[WebDataSource(WebInternal) _receivedData:] (self=0x7c59400, _cmd=0x90a72a2c, data=0x7979c60) at /WebKit/WebKit/WebView/WebDataSource.mm:176
#14 0x003c7164 in WebFrameLoaderClient::committedLoad (this=0x7c0eba0, loader=0x2984e00, data=0x2933200 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\"><html><head><style>body,table,div,ul,li{font-size:10px;margin:0px;padding:0px}body{background-color:transparen"..., length=2604) at /WebKit/WebKit/WebCoreSupport/WebFrameLoaderClient.mm:716
#15 0x01492510 in WebCore::FrameLoader::committedLoad (this=0x29ab800, loader=0x2984e00, data=0x2933200 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\"><html><head><style>body,table,div,ul,li{font-size:10px;margin:0px;padding:0px}body{background-color:transparen"..., length=2604) at /WebKit/WebCore/loader/FrameLoader.cpp:3039
#16 0x014a77fc in WebCore::DocumentLoader::commitLoad (this=0x2984e00, data=0x2933200 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\"><html><head><style>body,table,div,ul,li{font-size:10px;margin:0px;padding:0px}body{background-color:transparen"..., length=2604) at /WebKit/WebCore/loader/DocumentLoader.cpp:347
#17 0x014a7884 in WebCore::DocumentLoader::receivedData (this=0x2984e00, data=0x2933200 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\"><html><head><style>body,table,div,ul,li{font-size:10px;margin:0px;padding:0px}body{background-color:transparen"..., length=2604) at /WebKit/WebCore/loader/DocumentLoader.cpp:359
#18 0x01491004 in WebCore::FrameLoader::receivedData (this=0x29ab800, data=0x2933200 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\"><html><head><style>body,table,div,ul,li{font-size:10px;margin:0px;padding:0px}body{background-color:transparen"..., length=2604) at /WebKit/WebCore/loader/FrameLoader.cpp:2037
#19 0x014a9858 in WebCore::MainResourceLoader::addData (this=0x280c800, data=0x2933200 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\"><html><head><style>body,table,div,ul,li{font-size:10px;margin:0px;padding:0px}body{background-color:transparen"..., length=2604, allAtOnce=false) at /WebKit/WebCore/loader/MainResourceLoader.cpp:136
#20 0x014ac46c in WebCore::ResourceLoader::didReceiveData (this=0x280c800, data=0x2933200 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\"><html><head><style>body,table,div,ul,li{font-size:10px;margin:0px;padding:0px}body{background-color:transparen"..., length=2604, lengthReceived=1109, allAtOnce=false) at /WebKit/WebCore/loader/ResourceLoader.cpp:208
#21 0x014a9aa0 in WebCore::MainResourceLoader::didReceiveData (this=0x280c800, data=0x2933200 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\"><html><head><style>body,table,div,ul,li{font-size:10px;margin:0px;padding:0px}body{background-color:transparen"..., length=2604, lengthReceived=1109, allAtOnce=false) at /WebKit/WebCore/loader/MainResourceLoader.cpp:292
#22 0x014abdcc in WebCore::ResourceLoader::didReceiveData (this=0x280c800, data=0x2933200 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\"><html><head><style>body,table,div,ul,li{font-size:10px;margin:0px;padding:0px}body{background-color:transparen"..., length=2604, lengthReceived=1109) at /WebKit/WebCore/loader/ResourceLoader.cpp:332
#23 0x01480db0 in -[WebCoreResourceHandleAsDelegate connection:didReceiveData:lengthReceived:] (self=0x797f5c0, _cmd=0x90a8c9b8, con=0x7702960, data=0x70d0590, lengthReceived=1109) at /WebKit/WebCore/platform/network/mac/ResourceHandleMac.mm:351
#24 0x92c15624 in -[NSURLConnection(NSURLConnectionInternal) _sendDidReceiveDataCallback] ()
#25 0x92c13ac4 in -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] ()
#26 0x92c13860 in _sendCallbacks ()
#27 0x907df4fc in __CFRunLoopDoSources0 ()
#28 0x907dea2c in __CFRunLoopRun ()
#29 0x907de4ac in CFRunLoopRunSpecific ()
#30 0x9329bb20 in RunCurrentEventLoopInMode ()
#31 0x9329b1b4 in ReceiveNextEventCommon ()
#32 0x9329b020 in BlockUntilNextEventMatchingListInMode ()
#33 0x937a1ae4 in _DPSNextEvent ()
#34 0x937a17a8 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#35 0x00006740 in ?? ()
#36 0x9379dcec in -[NSApplication run] ()
#37 0x9388e87c in NSApplicationMain ()
#38 0x0005c77c in ?? ()
#39 0x0005c624 in ?? ()
------- Comment #2 From 2007-05-24 01:33:03 PST -------
Created an attachment (id=14697)
Reduction for the crash. Will crash the next time you open a document

The reduction queues up post-attach callback which is not dispatched. When you open another document and it attaches, the callback is dispatched, but its target has already been deleted, and you crash.

The way the reduction manages to queue the callback but avoid dispatch is that the body element changes from being in the document to not being in the document during dispatchChildInsertionEvents() in appendChild(). This means that the appended children get insertedIntoDocument() (so the iframe element queues up the callback), but never attached.
------- Comment #3 From 2007-05-24 14:56:08 PST -------
Created an attachment (id=14708)
Simpler reduction for the crash

Made the removal explicit instead of using document.write(). To trigger the crash, it is important to close the reduction before opening the new document.
------- Comment #4 From 2007-05-26 01:53:00 PST -------
Created an attachment (id=14731)
Fix for the crash

One strange thing that I noticed while making this patch is that the HTMLFrameElementBase methods call up to HTMLElement rather than HTMLFrameOwnerElement, which is the parent class. I followed this practice in removedFromDocument() but I don't understand it.
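The failure described in comment #2 is a stale post-attach callback: the iframe queues "load my URL after attach" when it is inserted, is pulled out of the document before attach ever runs, is destroyed when the document closes, and the queued entry is then dispatched against freed memory by the next document's attach. The following toy model is an added example, not WebKit code. It replays that sequence and contrasts it with the class of fix the patch takes; the assumption that the new removedFromDocument() override cancels the element's queued callback is inferred from comment #4, not stated on the page, and the names `PendingCallback`, `dispatchPostAttachCallbacks` and `simulateReduction` are invented for the model. A liveness registry stands in for the crash so the example stays well-defined.

```cpp
#include <algorithm>
#include <cstdio>
#include <set>
#include <vector>

struct Node;

// A pending "run this once the tree has been attached" request, keyed by the
// element that asked for it (HTMLFrameElementBase defers openURL this way).
struct PendingCallback {
    Node* target;
};

// Registry of live nodes so the model can recognise a stale target instead of
// dereferencing freed memory, which is what the real crash did.
static std::set<const Node*> g_liveNodes;
static std::vector<PendingCallback> g_postAttachQueue;

struct Node {
    // false: 2007 behaviour (nothing cancels the callback);
    // true: assumed fixed behaviour (removal drops the queued callback).
    bool cancelsOnRemoval;

    explicit Node(bool cancels) : cancelsOnRemoval(cancels) { g_liveNodes.insert(this); }
    ~Node() { g_liveNodes.erase(this); }

    // Mirrors insertedIntoDocument(): defer the URL load until after attach.
    void insertedIntoDocument() { g_postAttachQueue.push_back(PendingCallback{this}); }

    // Mirrors the removedFromDocument() override the patch adds (its body is an
    // assumption here): forget any callback that still points at this element.
    void removedFromDocument() {
        if (!cancelsOnRemoval)
            return;
        g_postAttachQueue.erase(
            std::remove_if(g_postAttachQueue.begin(), g_postAttachQueue.end(),
                           [this](const PendingCallback& cb) { return cb.target == this; }),
            g_postAttachQueue.end());
    }
};

// Runs at the end of a document attach. Returns how many callbacks pointed at a
// node that no longer exists; in the real engine each of those is a use-after-free.
int dispatchPostAttachCallbacks() {
    int dangling = 0;
    for (const PendingCallback& cb : g_postAttachQueue) {
        if (g_liveNodes.count(cb.target) == 0)
            ++dangling;
        // else: safe to call cb.target->openURL() here
    }
    g_postAttachQueue.clear();
    return dangling;
}

// Replays the reduction from comment #2: the iframe is inserted (callback
// queued) and then pulled out of the document before attach ever runs, so the
// callback is never dispatched; closing the document destroys the element; the
// next document's attach finally dispatches the stale entry.
int simulateReduction(bool fixedRemoval) {
    g_postAttachQueue.clear();
    {
        Node iframe(fixedRemoval);
        iframe.insertedIntoDocument();
        iframe.removedFromDocument();
    } // document closed: iframe destroyed, queue entry may outlive it
    return dispatchPostAttachCallbacks(); // attach of the next document
}

int main() {
    std::printf("dangling callbacks without cancellation: %d\n", simulateReduction(false));
    std::printf("dangling callbacks with cancellation:    %d\n", simulateReduction(true));
    return 0;
}
```

The general lesson the model isolates is that any deferred work keyed by a raw pointer to a DOM node must be cancelled on every path by which the node can leave the tree, not only on the path that normally consumes it; the reduction's trick of removing the body inside a mutation event is just one way to hit the uncovered path.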
------- Comment #5 From 2007-05-26 07:30:44 PST -------
(In reply to comment #4)
> One strange thing that I noticed while making this patch is that the
> HTMLFrameElementBase methods call up to HTMLElement rather than
> HTMLFrameOwnerElement, which is the parent class. I followed this practice in
> removedFromDocument() but I don't understand it.

There's probably no reason to follow that practice. It's just a mistake that needs to be fixed. Are there any cases where it's actually skipping over a function in HTMLFrameOwnerElement? If so, we'd need to study those carefully before changing them.
------- Comment #6 From 2007-05-26 08:42:35 PST -------
(From update of attachment 14731)
Going to make a new patch.
------- Comment #7 From 2007-05-26 09:23:40 PST -------
Created an attachment (id=14737)
Fix for the crash

Corrected the parent class in overrides that call up. Did the same in HTMLPluginElement. HTMLFrameOwnerElement does not implement any of the functions being called.
------- Comment #8 From 2007-05-28 23:39:32 PST -------
(From update of attachment 14737)
r=me
------- Comment #9 From 2007-05-29 13:43:13 PST -------
Landed in r21862.
------- Comment #10 From 2007-05-29 13:54:03 PST -------
Another bug is needed to track the "WebKit doesn't show this javascript screenshot page" part of the bug.
------- Comment #11 From 2008-03-27 04:19:13 PST -------
It isn't functional yet: it doesn't crash, but after clicking on the screenshot you cannot go back to the screenshot page, as it works in Firefox.
------- Comment #12 From 2008-03-28 09:09:05 PST -------
It would probably have been better to use a separate bug report for the non-crashing half.
------- Comment #13 From 2008-03-28 09:09:26 PST -------
(From update of attachment 14737)
Cleared the review flag on this patch since it was landed.
------- Comment #14 From 2009-04-18 19:48:03 PST -------
The problem seems to be giving this error message:

TypeError: Result of expression 'd.postMessage' [undefined] is not a function.

It seems that this might just be a site problem, looking for postMessage on the 'document' rather than 'window'.
------- Comment #15 From 2009-04-19 00:04:50 PST -------
It's strange because it works fine on Firefox.
------- Comment #16 From 2009-04-19 00:14:57 PST -------
There could be some unintended browser sniffing going on. I'll try to take a closer look. The actual problem is in a Google Ads JS file, so it is probably a good idea to figure out what is wrong.
------- Comment #17 From 2011-01-12 00:34:46 PST -------
The site has been redesigned, and the "screenshots don't appear" part no longer happens.