Bug 13792 - REGRESSION: WebKit doesn't show this javascript screenshot page (and crashes after click on its "hidden link")
Status: RESOLVED FIXED
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 528+ (Nightly build)
Hardware: Macintosh Mac OS X 10.5
Importance: P1 Major
Assigned To: Nobody
URL: http://transmission.m0k.org/screensho...
Keywords: NeedsRadar, NeedsReduction, Regression
Depends on:
Blocks:
Reported: 2007-05-20 21:14 PDT by Rodrigo Recio
Modified: 2011-01-12 00:34 PST (History)

See Also:


Attachments
Reduction for the crash. Will crash the next time you open a document (498 bytes, text/html)
2007-05-24 01:33 PDT, mitz@webkit.org
Simpler reduction for the crash (655 bytes, text/html)
2007-05-24 14:56 PDT, mitz@webkit.org
Fix for the crash (5.60 KB, patch)
2007-05-26 01:53 PDT, mitz@webkit.org
Fix for the crash (9.65 KB, patch)
2007-05-26 09:23 PDT, mitz@webkit.org

Description Rodrigo Recio 2007-05-20 21:14:14 PDT
Go to http://transmission.m0k.org and click on "Screenshots", or go directly to the above URL. In Camino it shows a javascript screenshot page that tells you to click to close the window; in WebKit the page is not rendered, and when you click on the supposed hidden link WebKit just crashes.
Comment 1 mitz@webkit.org 2007-05-20 23:19:07 PDT
This is a regression from Safari 2.0.4.

Backtrace:
#0  0x015e894c in WebCore::DeprecatedString::isEmpty (this=0x9c44c) at DeprecatedString.h:495
#1  0x01102a34 in WebCore::Document::completeURL (this=0x9c400, URL=@0xbfffd9b4) at /WebKit/WebCore/dom/Document.cpp:2619
#2  0x0147b43c in WebCore::HTMLFrameElementBase::isURLAllowed (this=0x7f853b0, URLString=@0x7f85420) at /WebKit/WebCore/html/HTMLFrameElementBase.cpp:63
#3  0x0147c280 in WebCore::HTMLFrameElementBase::openURL (this=0x7f853b0) at /WebKit/WebCore/html/HTMLFrameElementBase.cpp:96
#4  0x0147c998 in WebCore::HTMLFrameElementBase::openURLCallback (n=0x7f853b0) at /WebKit/WebCore/html/HTMLFrameElementBase.cpp:157
#5  0x011184f8 in WebCore::ContainerNode::attach (this=0x2937600) at /WebKit/WebCore/dom/ContainerNode.cpp:605
#6  0x011008d8 in WebCore::Document::attach (this=0x2937600) at /WebKit/WebCore/dom/Document.cpp:1101
#7  0x010f06ec in WebCore::Frame::setDocument (this=0x7cb8760, newDoc=@0xbfffde74) at /WebKit/WebCore/page/Frame.cpp:276
#8  0x01497000 in WebCore::FrameLoader::begin (this=0x29ab800, url=@0x29ab9d8) at /WebKit/WebCore/loader/FrameLoader.cpp:860
#9  0x0149731c in WebCore::FrameLoader::receivedFirstData (this=0x29ab800) at /WebKit/WebCore/loader/FrameLoader.cpp:803
#10 0x01497578 in WebCore::FrameLoader::setEncoding (this=0x29ab800, name=@0xbfffe1c4, userChosen=false) at /WebKit/WebCore/loader/FrameLoader.cpp:1583
#11 0x0111ebf8 in -[WebCoreFrameBridge receivedData:textEncodingName:] (self=0x74a90f0, _cmd=0x90aa9a94, data=0x7979c60, textEncodingName=0x7993ad0) at /WebKit/WebCore/page/mac/WebCoreFrameBridge.mm:1426
#12 0x00343b8c in -[WebHTMLRepresentation receivedData:withDataSource:] (self=0x7719c40, _cmd=0x90aa9ab4, data=0x7979c60, dataSource=0x7c59400) at /WebKit/WebKit/WebView/WebHTMLRepresentation.mm:173
#13 0x0033cbc8 in -[WebDataSource(WebInternal) _receivedData:] (self=0x7c59400, _cmd=0x90a72a2c, data=0x7979c60) at /WebKit/WebKit/WebView/WebDataSource.mm:176
#14 0x003c7164 in WebFrameLoaderClient::committedLoad (this=0x7c0eba0, loader=0x2984e00, data=0x2933200 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\"><html><head><style>body,table,div,ul,li{font-size:10px;margin:0px;padding:0px}body{background-color:transparen"..., length=2604) at /WebKit/WebKit/WebCoreSupport/WebFrameLoaderClient.mm:716
#15 0x01492510 in WebCore::FrameLoader::committedLoad (this=0x29ab800, loader=0x2984e00, data=0x2933200 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\"><html><head><style>body,table,div,ul,li{font-size:10px;margin:0px;padding:0px}body{background-color:transparen"..., length=2604) at /WebKit/WebCore/loader/FrameLoader.cpp:3039
#16 0x014a77fc in WebCore::DocumentLoader::commitLoad (this=0x2984e00, data=0x2933200 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\"><html><head><style>body,table,div,ul,li{font-size:10px;margin:0px;padding:0px}body{background-color:transparen"..., length=2604) at /WebKit/WebCore/loader/DocumentLoader.cpp:347
#17 0x014a7884 in WebCore::DocumentLoader::receivedData (this=0x2984e00, data=0x2933200 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\"><html><head><style>body,table,div,ul,li{font-size:10px;margin:0px;padding:0px}body{background-color:transparen"..., length=2604) at /WebKit/WebCore/loader/DocumentLoader.cpp:359
#18 0x01491004 in WebCore::FrameLoader::receivedData (this=0x29ab800, data=0x2933200 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\"><html><head><style>body,table,div,ul,li{font-size:10px;margin:0px;padding:0px}body{background-color:transparen"..., length=2604) at /WebKit/WebCore/loader/FrameLoader.cpp:2037
#19 0x014a9858 in WebCore::MainResourceLoader::addData (this=0x280c800, data=0x2933200 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\"><html><head><style>body,table,div,ul,li{font-size:10px;margin:0px;padding:0px}body{background-color:transparen"..., length=2604, allAtOnce=false) at /WebKit/WebCore/loader/MainResourceLoader.cpp:136
#20 0x014ac46c in WebCore::ResourceLoader::didReceiveData (this=0x280c800, data=0x2933200 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\"><html><head><style>body,table,div,ul,li{font-size:10px;margin:0px;padding:0px}body{background-color:transparen"..., length=2604, lengthReceived=1109, allAtOnce=false) at /WebKit/WebCore/loader/ResourceLoader.cpp:208
#21 0x014a9aa0 in WebCore::MainResourceLoader::didReceiveData (this=0x280c800, data=0x2933200 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\"><html><head><style>body,table,div,ul,li{font-size:10px;margin:0px;padding:0px}body{background-color:transparen"..., length=2604, lengthReceived=1109, allAtOnce=false) at /WebKit/WebCore/loader/MainResourceLoader.cpp:292
#22 0x014abdcc in WebCore::ResourceLoader::didReceiveData (this=0x280c800, data=0x2933200 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\"><html><head><style>body,table,div,ul,li{font-size:10px;margin:0px;padding:0px}body{background-color:transparen"..., length=2604, lengthReceived=1109) at /WebKit/WebCore/loader/ResourceLoader.cpp:332
#23 0x01480db0 in -[WebCoreResourceHandleAsDelegate connection:didReceiveData:lengthReceived:] (self=0x797f5c0, _cmd=0x90a8c9b8, con=0x7702960, data=0x70d0590, lengthReceived=1109) at /WebKit/WebCore/platform/network/mac/ResourceHandleMac.mm:351
#24 0x92c15624 in -[NSURLConnection(NSURLConnectionInternal) _sendDidReceiveDataCallback] ()
#25 0x92c13ac4 in -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] ()
#26 0x92c13860 in _sendCallbacks ()
#27 0x907df4fc in __CFRunLoopDoSources0 ()
#28 0x907dea2c in __CFRunLoopRun ()
#29 0x907de4ac in CFRunLoopRunSpecific ()
#30 0x9329bb20 in RunCurrentEventLoopInMode ()
#31 0x9329b1b4 in ReceiveNextEventCommon ()
#32 0x9329b020 in BlockUntilNextEventMatchingListInMode ()
#33 0x937a1ae4 in _DPSNextEvent ()
#34 0x937a17a8 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#35 0x00006740 in ?? ()
#36 0x9379dcec in -[NSApplication run] ()
#37 0x9388e87c in NSApplicationMain ()
#38 0x0005c77c in ?? ()
#39 0x0005c624 in ?? ()

Comment 2 mitz@webkit.org 2007-05-24 01:33:03 PDT
Created attachment 14697 [details]
Reduction for the crash. Will crash the next time you open a document

The reduction queues up a post-attach callback which is not dispatched. When you open another document and it attaches, the callback is dispatched, but its target has already been deleted, and you crash.

The way the reduction manages to queue the callback but avoid dispatch is that the body element changes from being in the document to not being in the document during dispatchChildInsertionEvents() in appendChild(). This means that the appended children get insertedIntoDocument() (so the iframe element queues up the callback), but never attached.
Comment 3 mitz@webkit.org 2007-05-24 14:56:08 PDT
Created attachment 14708 [details]
Simpler reduction for the crash

Made the removal explicit instead of using document.write(). To trigger the crash, it is important to close the reduction before opening the new document.
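As an added illustration of the lifecycle described in comments 2 and 3 (a model written for this page, not WebKit code), the following C++ sketches a post-attach callback queue that holds raw pointers, the reduction's ordering of "inserted into the document, removed again, destroyed, then the next document attaches", and the effect of dequeuing the callback on removal. Every name here (PendingCallback, FrameElement, runScenario and so on) is invented for the model; the live-element registry exists only so that the stale queue entry is counted instead of dereferenced, where the real code crashed in Document::completeURL.

```cpp
#include <algorithm>
#include <memory>
#include <set>
#include <vector>

// Added model of the bug's lifecycle; not WebKit code. All names are assumptions.

struct FrameElement;

// A queued post-attach callback holds a raw pointer to its target, as in the bug.
struct PendingCallback {
    FrameElement* target;
    void (*fn)(FrameElement*);
};

// Bookkeeping so the model can detect a stale pointer without dereferencing it.
static std::set<const FrameElement*> g_liveElements;

// The queue outlives any one document: comment 2 notes the crash happens when
// the *next* document attaches and drains what the previous one left behind.
static std::vector<PendingCallback> g_postAttachQueue;

static int g_urlsOpened = 0;

static void openURLCallback(FrameElement* e);

struct FrameElement {
    bool cancelOnRemoval;   // true models the fix: dequeue in removedFromDocument()

    explicit FrameElement(bool fix) : cancelOnRemoval(fix) { g_liveElements.insert(this); }
    ~FrameElement() { g_liveElements.erase(this); }

    // insertedIntoDocument(): defer openURL until the subtree is attached.
    void insertedIntoDocument() { g_postAttachQueue.push_back({this, openURLCallback}); }

    // removedFromDocument(): with the fix, drop the callback whose target is about to die.
    void removedFromDocument() {
        if (!cancelOnRemoval)
            return;
        g_postAttachQueue.erase(
            std::remove_if(g_postAttachQueue.begin(), g_postAttachQueue.end(),
                           [this](const PendingCallback& c) { return c.target == this; }),
            g_postAttachQueue.end());
    }
};

static void openURLCallback(FrameElement*) { ++g_urlsOpened; }

int urlsOpened() { return g_urlsOpened; }

// Document::attach(): dispatch everything queued so far. Returns how many
// callbacks pointed at an element that had already been destroyed; in the
// real code each of those would have been a use-after-free.
int attachDocument() {
    int dangling = 0;
    std::vector<PendingCallback> queue;
    queue.swap(g_postAttachQueue);
    for (const PendingCallback& c : queue) {
        if (!g_liveElements.count(c.target)) { ++dangling; continue; }
        c.fn(c.target);
    }
    return dangling;
}

// The intended path: insert, then attach while the element is still alive.
int runNormalAttach() {
    g_postAttachQueue.clear();
    g_urlsOpened = 0;
    auto iframe = std::make_unique<FrameElement>(false);
    iframe->insertedIntoDocument();
    return attachDocument();          // 0 dangling, and urlsOpened() == 1
}

// The reduction's ordering: the iframe is inserted (callback queued), the
// subtree leaves the document before any attach, the element is destroyed,
// and only then does a new document attach and drain the queue.
int runScenario(bool applyFix) {
    g_postAttachQueue.clear();
    g_urlsOpened = 0;
    {
        auto iframe = std::make_unique<FrameElement>(applyFix);
        iframe->insertedIntoDocument();
        iframe->removedFromDocument();
    }                                 // iframe destroyed here, callback still queued without the fix
    return attachDocument();          // 1 dangling entry without the fix, 0 with it
}

int main() {
    return (runNormalAttach() == 0 && runScenario(false) == 1 && runScenario(true) == 0) ? 0 : 1;
}
```

The point the model makes is that the defect is not in openURL itself but in the ownership gap between insertedIntoDocument() and attach(): anything that defers work against a raw pointer needs the matching removal path to cancel it, which is what the later patch does.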
Comment 4 mitz@webkit.org 2007-05-26 01:53:00 PDT
Created attachment 14731 [details]
Fix for the crash

One strange thing that I noticed while making this patch is that the HTMLFrameElementBase methods call up to HTMLElement rather than HTMLFrameOwnerElement, which is the parent class. I followed this practice in removedFromDocument() but I don't understand it.
Comment 5 Darin Adler 2007-05-26 07:30:44 PDT
(In reply to comment #4)
> One strange thing that I noticed while making this patch is that the
> HTMLFrameElementBase methods call up to HTMLElement rather than
> HTMLFrameOwnerElement, which is the parent class. I followed this practice in
> removedFromDocument() but I don't understand it.

There's probably no reason to follow that practice. It's just a mistake that needs to be fixed. Are there any cases where it's actually skipping over a function in HTMLFrameOwnerElement? If so, we'd need to study those carefully before changing them.
Comment 6 mitz@webkit.org 2007-05-26 08:42:35 PDT
Comment on attachment 14731 [details]
Fix for the crash

Going to make a new patch.
Comment 7 mitz@webkit.org 2007-05-26 09:23:40 PDT
Created attachment 14737 [details]
Fix for the crash

Corrected the parent class in overrides that call up. Did the same in HTMLPluginElement. HTMLFrameOwnerElement does not implement any of the functions being called.
Comment 8 Maciej Stachowiak 2007-05-28 23:39:32 PDT
Comment on attachment 14737 [details]
Fix for the crash

r=me
Comment 9 Sam Weinig 2007-05-29 13:43:13 PDT
Landed in r21862.
Comment 10 mitz@webkit.org 2007-05-29 13:54:03 PDT
Another bug is needed to track the "WebKit doesn't show this javascript screenshot page" part of the bug.
Comment 11 Rodrigo Recio 2008-03-27 04:19:13 PDT
It isn't functional yet; it doesn't crash, but after clicking on the screenshot you cannot go back to the screenshot page as it works in Firefox.
Comment 12 Darin Adler 2008-03-28 09:09:05 PDT
It would probably have been better to use a separate bug report for the non-crashing half.
Comment 13 Darin Adler 2008-03-28 09:09:26 PDT
Comment on attachment 14737 [details]
Fix for the crash

Cleared the review flag on this patch since it was landed.
Comment 14 Cameron Zwarich (cpst) 2009-04-18 19:48:03 PDT
The problem seems to be giving this error message:

TypeError: Result of expression 'd.postMessage' [undefined] is not a function.

It seems that this might just be a site problem, looking for postMessage on the 'document' rather than 'window'.
Comment 15 Rodrigo Recio 2009-04-19 00:04:50 PDT
It's strange because it works fine on Firefox.
Comment 16 Cameron Zwarich (cpst) 2009-04-19 00:14:57 PDT
There could be some unintended browser sniffing going on. I'll try to take a closer look. The actual problem is in a Google Ads JS file, so it is probably a good idea to figure out what is wrong.
Comment 17 Alexey Proskuryakov 2011-01-12 00:34:46 PST
The site has been redesigned, and the "screenshots don't appear" part no longer happens.