Bug 14705 - REGRESSION (r24484-r24509): Windows Safari crashes when loading a page containing an iframe
Alias: None
Product: WebKit
Classification: Unclassified
Component: Page Loading
Version: 523.x (Safari 3)
Hardware: PC Windows XP
Importance: P1 Critical
Assignee: Darin Adler
URL: data:text/html,<iframe></iframe>
Keywords: InRadar, PlatformOnly, Regression
Duplicates: 14720
Depends on:
Reported: 2007-07-21 14:02 PDT by mitz
Modified: 2007-08-29 17:05 PDT (History)

See Also:

Crash log (115.72 KB, text/plain)
2007-07-22 16:22 PDT, Charles Gaudette
User Dump (29.34 KB, text/plain)
2007-07-22 19:24 PDT, Charles Gaudette

Description mitz 2007-07-21 14:02:22 PDT
Opening the URL crashes in Safari.exe code under WebFrame::dispatchDidCommitLoad().
Comment 1 David Kilzer (:ddkilzer) 2007-07-21 16:40:07 PDT
Comment 2 Charles Gaudette 2007-07-22 16:22:03 PDT
Created attachment 15633 [details]
Crash log

Comment 3 Adam Roben (:aroben) 2007-07-22 17:56:24 PDT
Comment on attachment 15633 [details]
Crash log

Thanks for the log, Charles. It would be even more helpful to see the accompanying drwtsn32.dmp file. Could you upload that as well, please?
Comment 4 Charles Gaudette 2007-07-22 19:24:49 PDT
Created attachment 15638 [details]
User Dump

This is the User Dump (usr.dmp) file for my previously posted Crash Log.

Here you go Adam, I'll remember to send this along in future such reports.
Comment 5 mitz 2007-07-23 13:28:08 PDT
Probably caused by <http://trac.webkit.org/projects/webkit/changeset/24490>.
Comment 6 Amit Gupta 2007-07-24 23:57:45 PDT
This is the call stack:

 	[Frames below may be incorrect and/or missing, no symbols loaded for Safari.exe]	
>	WebKit_debug.dll!WebFrame::dispatchDidCommitLoad()  Line 1541 + 0x2c bytes	C++
 	WebKit_debug.dll!WebCore::FrameLoader::dispatchDidCommitLoad()  Line 4467 + 0x1a bytes	C++
 	WebKit_debug.dll!WebCore::FrameLoader::receivedFirstData()  Line 823	C++
 	WebKit_debug.dll!WebCore::FrameLoader::setEncoding(const WebCore::String & name={...}, bool userChosen=false)  Line 1622	C++
 	WebKit_debug.dll!WebFrame::receivedData(const char * data=0x00000000, int length=0, const WebCore::String & textEncoding={...})  Line 1896	C++
 	WebKit_debug.dll!WebFrame::committedLoad(WebCore::DocumentLoader * loader=0x04ab3ab0, const char * data=0x00000000, int length=0)  Line 1935	C++
 	WebKit_debug.dll!WebFrame::finishedLoading(WebCore::DocumentLoader * loader=0x04ab3ab0)  Line 1644 + 0x1a bytes	C++
 	WebKit_debug.dll!WebCore::FrameLoader::finishedLoadingDocument(WebCore::DocumentLoader * loader=0x04ab3ab0)  Line 2696 + 0x1c bytes	C++
 	WebKit_debug.dll!WebCore::DocumentLoader::finishedLoading()  Line 319	C++
 	WebKit_debug.dll!WebCore::FrameLoader::init()  Line 267	C++
 	WebKit_debug.dll!WebCore::Frame::init()  Line 213	C++
 	WebKit_debug.dll!WebFrame::createFrame(const WebCore::KURL & URL={...}, const WebCore::String & name={...}, WebCore::HTMLFrameOwnerElement * ownerElement=0x02767eb8, const WebCore::String & referrer={...})  Line 1270	C++
 	WebKit_debug.dll!WebFrame::createFrame(const WebCore::KURL & url={...}, const WebCore::String & name={...}, WebCore::HTMLFrameOwnerElement * ownerElement=0x02767eb8, const WebCore::String & referrer={...}, bool __formal=true, bool __formal=true, bool __formal=true)  Line 2209 + 0x23 bytes	C++
 	WebKit_debug.dll!WebCore::FrameLoader::loadSubframe(WebCore::HTMLFrameOwnerElement * ownerElement=0x02767eb8, const WebCore::KURL & url={...}, const WebCore::String & name={...}, const WebCore::String & referrer={...})  Line 455 + 0x6e bytes	C++
 	WebKit_debug.dll!WebCore::FrameLoader::requestFrame(WebCore::HTMLFrameOwnerElement * ownerElement=0x02767eb8, const WebCore::String & urlString={...}, const WebCore::AtomicString & frameName={...})  Line 425 + 0x25 bytes	C++
 	WebKit_debug.dll!WebCore::HTMLFrameElementBase::openURL()  Line 110	C++
 	WebKit_debug.dll!WebCore::HTMLFrameElementBase::setNameAndOpenURL()  Line 168	C++
 	WebKit_debug.dll!WebCore::HTMLFrameElementBase::setNameAndOpenURLCallback(WebCore::Node * n=0x02767eb8)  Line 173	C++
 	WebKit_debug.dll!WebCore::ContainerNode::attach()  Line 605 + 0x9 bytes	C++
 	WebKit_debug.dll!WebCore::Element::attach()  Line 665	C++
 	WebKit_debug.dll!WebCore::HTMLFrameElementBase::attach()  Line 201	C++
 	WebKit_debug.dll!WebCore::HTMLIFrameElement::attach()  Line 123	C++
 	WebKit_debug.dll!WebCore::HTMLParser::insertNode(WebCore::Node * n=0x02767eb8, bool flat=false)  Line 325 + 0x12 bytes	C++
 	WebKit_debug.dll!WebCore::HTMLParser::parseToken(WebCore::Token * t=0x02761cec)  Line 250 + 0x18 bytes	C++
 	WebKit_debug.dll!WebCore::HTMLTokenizer::processToken()  Line 1648 + 0x1c bytes	C++
 	WebKit_debug.dll!WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString & src={...}, WebCore::HTMLTokenizer::State state={...})  Line 1213 + 0xf bytes	C++
 	WebKit_debug.dll!WebCore::HTMLTokenizer::write(const WebCore::SegmentedString & str={...}, bool appendData=true)  Line 1444 + 0x1d bytes	C++
 	WebKit_debug.dll!WebCore::HTMLTokenizer::timerFired(WebCore::Timer<WebCore::HTMLTokenizer> * __formal=0x02761db0)  Line 1524 + 0x1d bytes	C++
 	WebKit_debug.dll!WebCore::Timer<WebCore::HTMLTokenizer>::fired()  Line 96 + 0x3d bytes	C++
 	WebKit_debug.dll!WebCore::TimerBase::fireTimers(double fireTime=1185343979.4424171, const WTF::Vector<WebCore::TimerBase *,0> & firingTimers={...})  Line 336 + 0xf bytes	C++
 	WebKit_debug.dll!WebCore::TimerBase::sharedTimerFired()  Line 353 + 0x12 bytes	C++
 	WebKit_debug.dll!WebCore::TimerWindowWndProc(HWND__ * hWnd=0x002606ba, unsigned int message=49840, unsigned int wParam=0, long lParam=0)  Line 49 + 0x8 bytes	C++
Comment 7 Darin Adler 2007-07-26 17:51:50 PDT
I've got a handle on what's going on here. And a fix in progress.
Comment 8 Matt Lilek 2007-07-29 17:25:09 PDT
Adele landed a temp fix for this in r24749.
Comment 9 Adam Roben (:aroben) 2007-08-20 22:03:43 PDT
*** Bug 14720 has been marked as a duplicate of this bug. ***
Comment 10 Matt Lilek 2007-08-29 16:59:58 PDT
Adele's "temp" fix has been in the tree for a month and we haven't noticed any horrible side effects. Does this still need to be P1, or am I missing some horrible side effects?
Comment 11 Darin Adler 2007-08-29 17:05:54 PDT
We could close this and just open a new bug about the internal badness. There's no symptom, but it's crazy that we need that platform-specific code.