RESOLVED FIXED 144597
Crash at com.apple.WebKit.WebContent at com.apple.WebCore: WebCore::createWindow + 185
https://bugs.webkit.org/show_bug.cgi?id=144597
Chris Dumez
Reported 2015-05-04 14:46:17 PDT
Crash at com.apple.WebKit.WebContent at com.apple.WebCore: WebCore::createWindow + 185:

Thread[0] EXC_BAD_ACCESS (SIGSEGV) (KERN_INVALID_ADDRESS at 0x00000000000002e0)

[ 0] 0x000000010c685d79 WebCore`WebCore::createWindow(WebCore::Frame*, WebCore::Frame*, WebCore::FrameLoadRequest const&, WebCore::WindowFeatures const&, bool&) [inlined] WTF::RefPtr<WebCore::Document>::get() const at RefPtr.h:57
        0x000000010c685d62: leaq   -0x1b8(%rbp), %rdi
        0x000000010c685d69: callq  0xed016e                  ; symbol stub for: WTF::AtomicString::addSlowCase(WTF::StringImpl&)
        0x000000010c685d6e: movq   -0x1b8(%rbp), %rsi
        0x000000010c685d75: movq   %rsi, -0x38(%rbp)
    ->  0x000000010c685d79: movq   0x2e0(%r12), %rbx
        0x000000010c685d81: movq   0x90(%r15), %rdi
        0x000000010c685d88: addq   $0x40, %rdi
        0x000000010c685d8c: leaq   -0x38(%rbp), %rsi
        0x000000010c685d90: callq  0x1a1ea0                  ; WebCore::FrameTree::find at FrameTree.cpp:268

[ 0] 0x000000010c685d79 WebCore`WebCore::createWindow(WebCore::Frame*, WebCore::Frame*, WebCore::FrameLoadRequest const&, WebCore::WindowFeatures const&, bool&) [inlined] WebCore::Frame::document() const at Frame.h:347
        343  }
        344
        345  inline Document* Frame::document() const
        346  {
    ->  347      return m_doc.get();
        348  }
        349
        350  inline FrameSelection& Frame::selection() const
        351  {

[ 0] 0x000000010c685d79 WebCore`WebCore::createWindow(WebCore::Frame*, WebCore::Frame*, WebCore::FrameLoadRequest const&, WebCore::WindowFeatures const&, bool&) + 185 at FrameLoader.cpp:3445
        3441
        3442     created = false;
        3443
        3444     if (!request.frameName().isEmpty() && request.frameName() != "_blank") {
    ->  3445         if (RefPtr<Frame> frame = lookupFrame->loader().findFrameForNavigation(request.frameName(), openerFrame->document())) {
        3446             if (request.frameName() != "_self") {
        3447                 if (Page* page = frame->page())
        3448                     page->chrome().focus();
        3449             }

[ 1] 0x000000010c850621 WebCore`WebCore::DOMWindow::createWindow(WTF::String const&, WTF::AtomicString const&, WebCore::WindowFeatures const&, WebCore::DOMWindow&, WebCore::Frame*, WebCore::Frame*, std::__1::function<void (WebCore::DOMWindow&)>) + 1457 at DOMWindow.cpp:2100
        2096
        2097     // We pass the opener frame for the lookupFrame in case the active frame is different from
        2098     // the opener frame, and the name references a frame relative to the opener frame.
        2099     bool created;
    ->  2100     RefPtr<Frame> newFrame = WebCore::createWindow(activeFrame, openerFrame, frameRequest, windowFeatures, created);
        2101     if (!newFrame)
        2102         return 0;
        2103
        2104     newFrame->loader().setOpener(openerFrame);

[ 2] 0x000000010c850d0e WebCore`WebCore::DOMWindow::open(WTF::String const&, WTF::AtomicString const&, WTF::String const&, WebCore::DOMWindow&, WebCore::DOMWindow&) + 702 at DOMWindow.cpp:2178
[ 3] 0x000000010c68553a WebCore`WebCore::JSDOMWindow::open(JSC::ExecState*) + 458 at JSDOMWindowCustom.cpp:487
[ 4] 0x000000010c685352 WebCore`WebCore::jsDOMWindowPrototypeFunctionOpen(JSC::ExecState*) + 178 at JSDOMWindow.cpp:21707
[ 5] 0x00005fbb35801034 0 + 105257661108276
[ 6] 0x000000010c0c573d JavaScriptCore`llint_entry + 22743
[ 7] 0x000000010c0c573d JavaScriptCore`llint_entry + 22743
[ 8] 0x000000010c0bfc40 JavaScriptCore`callToJavaScript + 310
[ 9] 0x000000010c044fa2 JavaScriptCore`JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 34 at JITCode.cpp:47
[ 10] 0x000000010bd07fcd JavaScriptCore`JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 461 at Interpreter.cpp:1000
[ 11] 0x000000010bedea5e JavaScriptCore`JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, JSC::JSValue*) [inlined] JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 35 at CallData.cpp:39
[ 11] 0x000000010bedea3b JavaScriptCore`JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, JSC::JSValue*) + 27 at CallData.cpp:44
[ 12] 0x000000010c48c4c7 WebCore`WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) [inlined] JSC::ArgList::ArgList(JSC::MarkedArgumentBuffer const&) + 93 at JSMainThreadExecState.h:56
[ 12] 0x000000010c48c46a WebCore`WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 858 at JSEventListener.cpp:127
[ 13] 0x000000010c48bf83 WebCore`WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul, WTF::CrashOnOverflow>&) + 691 at EventTarget.cpp:246
[ 14] 0x000000010c360646 WebCore`WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 166 at EventTarget.cpp:197
[ 15] 0x000000010c888b7d WebCore`WebCore::MouseOrFocusEventContext::handleLocalEvents(WebCore::Event&) const [inlined] WebCore::EventContext::handleLocalEvents(WebCore::Event&) const + 69 at EventContext.cpp:54
[ 15] 0x000000010c888b38 WebCore`WebCore::MouseOrFocusEventContext::handleLocalEvents(WebCore::Event&) const + 120 at EventContext.cpp:86
[ 16] 0x000000010c8890e4 WebCore`WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WTF::PassRefPtr<WebCore::Event>) [inlined] WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&, WebCore::WindowEventContext&) + 375 at EventDispatcher.cpp:319
[ 16] 0x000000010c888f6d WebCore`WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WTF::PassRefPtr<WebCore::Event>) + 685 at EventDispatcher.cpp:363
[ 17] 0x000000010c36045c WebCore`WebCore::Node::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) + 28 at Node.cpp:2017
[ 18] 0x000000010c87fdca WebCore`WebCore::Element::dispatchMouseEvent(WebCore::PlatformMouseEvent const&, WTF::AtomicString const&, int, WebCore::Element*) + 266 at Element.cpp:238
[ 19] 0x000000010c503636 WebCore`WebCore::EventHandler::dispatchMouseEvent(WTF::AtomicString const&, WebCore::Node*, bool, int, WebCore::PlatformMouseEvent const&, bool) + 118 at EventHandler.cpp:2451
[ 20] 0x000000010c50b5d1 WebCore`WebCore::EventHandler::handleMouseReleaseEvent(WebCore::PlatformMouseEvent const&) + 1073 at EventHandler.cpp:1963
[ 21] 0x000000010b4f5467 WebKit`WebKit::handleMouseEvent(WebKit::WebMouseEvent const&, WebKit::WebPage*, bool) + 102 at WebPage.cpp:1852
[ 22] 0x000000010b4f53c6 WebKit`WebKit::WebPage::mouseEvent(WebKit::WebMouseEvent const&) + 182 at WebPage.cpp:1894
[ 23] 0x000000010b67aa76 WebKit`void IPC::handleMessage<Messages::WebPage::MouseEvent, WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::WebMouseEvent const&)>(IPC::MessageDecoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::WebMouseEvent const&)) [inlined] void IPC::callMemberFunctionImpl<WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::WebMouseEvent const&), std::__1::tuple<WebKit::WebMouseEvent>, 0ul>(WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::WebMouseEvent const&), std::__1::tuple<WebKit::WebMouseEvent>&&, std::index_sequence<0ul>) + 27 at HandleMessage.h:16

Radar: <rdar://problem/20361579>
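The trace above faults while inlining Frame::document() at FrameLoader.cpp:3445, loading offset 0x2e0 from a null base register, which matches openerFrame being null when openerFrame->document() is evaluated. The following is an added illustration of that hazard and of the guarded shape of the same check; it is constructed mock code, not WebKit's sources or the patch that landed, and Frame, Document, findFrameForNavigation and resolveForTest are stand-ins defined here.

```cpp
#include <memory>
#include <string>
#include <vector>

struct Document { std::string url; };

// Constructed stand-in for WebCore::Frame: `doc` plays the role of RefPtr<Document> m_doc,
// the field whose load (offset 0x2e0 in the report) faulted on a null Frame pointer.
struct Frame {
    std::string name;
    std::shared_ptr<Document> doc;
    std::vector<Frame*> children;
    Document* document() const { return doc.get(); }
};

// Hypothetical stand-in for FrameLoader::findFrameForNavigation(name, activeDocument):
// "_self" resolves to lookupFrame, any other name is searched among its children.
// (The real lookup also handles _parent/_top and access checks; omitted here.)
Frame* findFrameForNavigation(Frame& lookupFrame, const std::string& name, Document*) {
    if (name == "_self")
        return &lookupFrame;
    for (Frame* child : lookupFrame.children)
        if (child->name == name)
            return child;
    return nullptr;
}

// Shape of the crashing line (FrameLoader.cpp:3445): openerFrame is dereferenced
// unconditionally, so a null opener faults before any lookup happens.
Frame* createWindowUnsafe(Frame& lookupFrame, Frame* openerFrame, const std::string& frameName) {
    if (!frameName.empty() && frameName != "_blank")
        return findFrameForNavigation(lookupFrame, frameName, openerFrame->document());
    return nullptr;  // caller creates a fresh window
}

// Guarded shape: tolerate a null opener and pass a document only when one exists.
Frame* createWindowChecked(Frame& lookupFrame, Frame* openerFrame, const std::string& frameName) {
    if (frameName.empty() || frameName == "_blank")
        return nullptr;
    Document* openerDocument = openerFrame ? openerFrame->document() : nullptr;
    return findFrameForNavigation(lookupFrame, frameName, openerDocument);
}

// Drives the guarded path over a constructed two-frame tree; withOpener=false models the null
// opener the trace hit. Returns the resolved frame's name, or "" when a new window would be made.
std::string resolveForTest(bool withOpener, const std::string& frameName) {
    Frame child{"popup", nullptr, {}};
    Frame root{"root", std::make_shared<Document>(Document{"https://example.test/"}), {&child}};
    Frame* target = createWindowChecked(root, withOpener ? &root : nullptr, frameName);
    return target ? target->name : "";
}
```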
Attachments
Patch (13.79 KB, patch)
2015-05-04 15:01 PDT, Chris Dumez
no flags
Chris Dumez
Comment 1 2015-05-04 15:01:52 PDT
Andreas Kling
Comment 2 2015-05-04 16:58:05 PDT
Comment on attachment 252335 [details]
Patch

r=me. Nice test :)
Chris Dumez
Comment 3 2015-05-04 16:59:49 PDT
Comment on attachment 252335 [details]
Patch

Clearing flags on attachment: 252335

Committed r183781: <http://trac.webkit.org/changeset/183781>
Chris Dumez
Comment 4 2015-05-04 16:59:54 PDT
All reviewed patches have been landed. Closing bug.