Bug 24992 - crash at http://browserspy.dk/browser.php
Summary: crash at http://browserspy.dk/browser.php
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Page Loading
Version: 528+ (Nightly build)
Hardware: PC Linux
Importance: P2 Major
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-04-01 12:13 PDT by Robert Hogan
Modified: 2009-05-08 00:58 PDT
CC List: 2 users

See Also:


Attachments
patch ensures document object is non-null (712 bytes, patch)
2009-04-01 12:14 PDT, Robert Hogan
no flags
and another one (1.21 KB, patch)
2009-04-01 12:53 PDT, Robert Hogan
no flags
alternative patch (701 bytes, patch)
2009-04-20 12:31 PDT, Robert Hogan
no flags
better patch (509 bytes, patch)
2009-04-20 13:05 PDT, Robert Hogan
no flags
patch for FrameLoader::didOpenURL (1.52 KB, patch)
2009-05-07 13:01 PDT, Robert Hogan
ap: review+

Description Robert Hogan 2009-04-01 12:13:15 PDT
WebKit SVN crashes when loading the above URL. Patch fixes it.
Comment 1 Robert Hogan 2009-04-01 12:14:59 PDT
Created attachment 29171 [details]
patch ensures document object is non-null
Comment 2 Robert Hogan 2009-04-01 12:53:49 PDT
Created attachment 29175 [details]
and another one
Comment 3 Alexey Proskuryakov 2009-04-02 01:13:44 PDT
This doesn't look like the right approach to me - frames always have documents in them, except for a very short time during construction. So, the real question to answer is: why is there no document in this frame?

Opening this page doesn't cause a crash on Mac - what port are you seeing it with?
Comment 4 Robert Hogan 2009-04-07 13:04:40 PDT
It crashes when running Arora against WebKit SVN on Linux. I haven't tried WebKit SVN against any other browser.
Comment 5 Robert Hogan 2009-04-12 15:54:06 PDT
(gdb) bt
#0  0xb64fede8 in WebCore::Node::hasChangedChild (this=0x0) at ../../../WebCore/dom/Node.h:270
#1  0xb67f2b6e in WebCore::FrameView::needsLayout (this=0x8c964c0) at ../../../WebCore/page/FrameView.cpp:966
#2  0xb67f4c3e in WebCore::FrameView::layoutIfNeededRecursive (this=0x8c964c0) at ../../../WebCore/page/FrameView.cpp:1390
#3  0xb67f4cc1 in WebCore::FrameView::layoutIfNeededRecursive (this=0x8428a50) at ../../../WebCore/page/FrameView.cpp:1397
#4  0xb6a4dd15 in QWebFramePrivate::renderPrivate (this=0x83f9268, painter=0xbffe8708, clip=@0xbffe8bb8, contents=false) at ../../../WebKit/qt/Api/qwebframe.cpp:216
#5  0xb6a4e054 in QWebFrame::render (this=0x83f9300, painter=0xbffe8708, clip=@0xbffe8bb8) at ../../../WebKit/qt/Api/qwebframe.cpp:864
#6  0xb6a5c90a in QWebView::paintEvent (this=0x83f92b8, ev=0xbffe8b9c) at ../../../WebKit/qt/Api/qwebview.cpp:684
#7  0xb4b1461a in QWidget::event (this=0x83f92b8, event=0xbffe8b9c) at /var/tmp/qt-x11-src-4.5.0/src/gui/kernel/qwidget.cpp:7654
#8  0xb6a5cc2c in QWebView::event (this=0x83f92b8, e=0xbffe8b9c) at ../../../WebKit/qt/Api/qwebview.cpp:589
#9  0xb4ab8a7f in QApplicationPrivate::notify_helper (this=0x81425e8, receiver=0x83f92b8, e=0xbffe8b9c) at /var/tmp/qt-x11-src-4.5.0/src/gui/kernel/qapplication.cpp:4084
#10 0xb4abc7be in QApplication::notify (this=0xbffef17c, receiver=0x83f92b8, e=0xbffe8b9c) at /var/tmp/qt-x11-src-4.5.0/src/gui/kernel/qapplication.cpp:4049
#11 0xb455681b in QCoreApplication::notifyInternal (this=0xbffef17c, receiver=0x83f92b8, event=0xbffe8b9c) at /var/tmp/qt-x11-src-4.5.0/src/corelib/kernel/qcoreapplication.cpp:602
#12 0xb4b0bd82 in QWidgetPrivate::drawWidget (this=0x8412510, pdev=0x82ad16c, rgn=@0xbffe8de8, offset=@0xbffe8dd0, flags=68, sharedPainter=0x0, backingStore=0x82aceb0) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:216
#13 0xb4cdffd8 in QWidgetBackingStore::sync (this=0x82aceb0) at /var/tmp/qt-x11-src-4.5.0/src/gui/painting/qbackingstore.cpp:1258
#14 0xb4b042b5 in QWidgetPrivate::syncBackingStore (this=0x81a4598) at /var/tmp/qt-x11-src-4.5.0/src/gui/kernel/qwidget.cpp:1603
#15 0xb4b1440d in QWidget::event (this=0x81a4470, event=0xbffe93c4) at /var/tmp/qt-x11-src-4.5.0/src/gui/kernel/qwidget.cpp:7794
#16 0xb4f2b43f in QMainWindow::event (this=0x81a4470, event=0xbffe93c4) at /var/tmp/qt-x11-src-4.5.0/src/gui/widgets/qmainwindow.cpp:1396
#17 0xb4ab8a7f in QApplicationPrivate::notify_helper (this=0x81425e8, receiver=0x81a4470, e=0xbffe93c4) at /var/tmp/qt-x11-src-4.5.0/src/gui/kernel/qapplication.cpp:4084
#18 0xb4abc7be in QApplication::notify (this=0xbffef17c, receiver=0x81a4470, e=0xbffe93c4) at /var/tmp/qt-x11-src-4.5.0/src/gui/kernel/qapplication.cpp:4049
#19 0xb455681b in QCoreApplication::notifyInternal (this=0xbffef17c, receiver=0x81a4470, event=0xbffe93c4) at /var/tmp/qt-x11-src-4.5.0/src/corelib/kernel/qcoreapplication.cpp:602
#20 0xb4ce0fd8 in QWidgetBackingStore::markDirty (this=0x82aceb0, rect=@0xbffe945c, widget=0x819f6b8, updateImmediately=true, invalidateBuffer=false) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:213
#21 0xb4b05dd9 in QWidget::repaint (this=0x819f6b8, rect=@0xbffe945c) at /var/tmp/qt-x11-src-4.5.0/src/gui/kernel/qwidget.cpp:9413
#22 0xb4f7e5db in QStatusBar::hideOrShow (this=0x819f6b8) at /var/tmp/qt-x11-src-4.5.0/src/gui/widgets/qstatusbar.cpp:695
#23 0xb4f7e746 in QStatusBar::showMessage (this=0x819f6b8, message=@0xbffe980c, timeout=0) at /var/tmp/qt-x11-src-4.5.0/src/gui/widgets/qstatusbar.cpp:614
#24 0xb518c839 in QStatusBar::qt_metacall (this=0x819f6b8, _c=QMetaObject::InvokeMetaMethod, _id=2, _a=0xbffe9590) at /var/tmp/qt-x11-src-4.5.0/src/gui/.moc/release-shared/moc_qstatusbar.cpp:83
#25 0xb456c63b in QMetaObject::activate (sender=0x81a1898, from_signal_index=<value optimized out>, to_signal_index=42, argv=0xbffe9590) at /var/tmp/qt-x11-src-4.5.0/src/corelib/kernel/qobject.cpp:3060
#26 0xb456cd12 in QMetaObject::activate (sender=0x81a1898, m=0x8103a60, local_signal_index=3, argv=0xbffe9590) at /var/tmp/qt-x11-src-4.5.0/src/corelib/kernel/qobject.cpp:3134
#27 0x080f3155 in TabWidget::showStatusBarMessage (this=0x81a1898, _t1=@0xbffe980c) at .moc/moc_tabwidget.cpp:227
#28 0x080f3342 in TabWidget::qt_metacall (this=0x81a1898, _c=QMetaObject::InvokeMetaMethod, _id=3, _a=0xbffe968c) at .moc/moc_tabwidget.cpp:152
#29 0xb456c63b in QMetaObject::activate (sender=0x83f92b8, from_signal_index=<value optimized out>, to_signal_index=31, argv=0xbffe968c) at /var/tmp/qt-x11-src-4.5.0/src/corelib/kernel/qobject.cpp:3060
#30 0xb456cd12 in QMetaObject::activate (sender=0x83f92b8, m=0x8140f70, local_signal_index=4, argv=0xbffe968c) at /var/tmp/qt-x11-src-4.5.0/src/corelib/kernel/qobject.cpp:3134
#31 0xb6f4390c in QWebView::statusBarMessage (this=0x83f92b8, _t1=@0xbffe980c) at moc_qwebview.cpp:186
#32 0xb6f43b35 in QWebView::qt_metacall (this=0x83f92b8, _c=QMetaObject::InvokeMetaMethod, _id=4, _a=0xbffe97cc) at moc_qwebview.cpp:103
#33 0x080f3bcf in WebView::qt_metacall (this=0x83f92b8, _c=QMetaObject::InvokeMetaMethod, _id=31, _a=0xbffe97cc) at .moc/moc_webview.cpp:152
#34 0xb456c63b in QMetaObject::activate (sender=0x84126c8, from_signal_index=<value optimized out>, to_signal_index=8, argv=0xbffe97cc) at /var/tmp/qt-x11-src-4.5.0/src/corelib/kernel/qobject.cpp:3060
#35 0xb456cd12 in QMetaObject::activate (sender=0x84126c8, m=0x8140cb8, local_signal_index=4, argv=0xbffe97cc) at /var/tmp/qt-x11-src-4.5.0/src/corelib/kernel/qobject.cpp:3134
#36 0xb6a51472 in QWebPage::statusBarMessage (this=0x84126c8, _t1=@0xbffe980c) at ./moc_qwebpage.cpp:361
#37 0xb6a3a2bf in WebCore::ChromeClientQt::setStatusbarText (this=0x84128d8, msg=@0xbffe984c) at ../../../WebKit/qt/WebCoreSupport/ChromeClientQt.cpp:286
#38 0xb67beade in WebCore::Chrome::setStatusbarText (this=0x84129e8, frame=0x8c72cf8, status=@0x8c72fd0) at ../../../WebCore/page/Chrome.cpp:295
#39 0xb67e7fe9 in WebCore::Frame::setJSStatusBarText (this=0x8c72cf8, text=@0xbffe98cc) at ../../../WebCore/page/Frame.cpp:765
#40 0xb674c01c in WebCore::FrameLoader::didOpenURL (this=0x8c72d24, url=@0xbffe99b0) at ../../../WebCore/loader/FrameLoader.cpp:722
#41 0xb674c8ed in WebCore::FrameLoader::commitProvisionalLoad (this=0x8c72d24, prpCachedPage=@0xbffe9a4c) at ../../../WebCore/loader/FrameLoader.cpp:2803
#42 0xb6725179 in WebCore::DocumentLoader::commitIfReady (this=0x8c73658) at ../../../WebCore/loader/DocumentLoader.cpp:339
#43 0xb67270f5 in WebCore::DocumentLoader::finishedLoading (this=0x8c73658) at ../../../WebCore/loader/DocumentLoader.cpp:346
#44 0xb67467a1 in WebCore::FrameLoader::init (this=0x8c72d24) at ../../../WebCore/loader/FrameLoader.cpp:321
#45 0xb67ea52e in WebCore::Frame::init (this=0x8c72cf8) at ../../../WebCore/page/Frame.cpp:212
#46 0xb6a4e263 in QWebFramePrivate::init (this=0x8c92160, qframe=0x89e46a0, webcorePage=0x8412958, frameData=0xbffe9db4) at ../../../WebKit/qt/Api/qwebframe.cpp:189
#47 0xb6a4e326 in QWebFrame (this=0x89e46a0, parent=0x83f9300, frameData=0xbffe9db4) at ../../../WebKit/qt/Api/qwebframe.cpp:294
#48 0xb6a42631 in WebCore::FrameLoaderClientQt::createFrame (this=0x8412310, url=@0xbffe9f3c, name=@0x8c9447c, ownerElement=0x8c94438, referrer=@0xbffe9e78, allowsScrolling=false, marginWidth=0, marginHeight=0) at ../../../WebKit/qt/WebCoreSupport/FrameLoaderClientQt.cpp:976
#49 0xb674ce20 in WebCore::FrameLoader::loadSubframe (this=0x8417bfc, ownerElement=0x8c94438, url=@0xbffe9f3c, name=@0x8c9447c, referrer=@0x8417cdc) at ../../../WebCore/loader/FrameLoader.cpp:479
#50 0xb674d4c2 in WebCore::FrameLoader::requestFrame (this=0x8417bfc, ownerElement=0x8c94438, urlString=@0x8c94478, frameName=@0x8c9447c) at ../../../WebCore/loader/FrameLoader.cpp:450
#51 0xb666bf0b in WebCore::HTMLFrameElementBase::openURL (this=0x8c94438) at ../../../WebCore/html/HTMLFrameElementBase.cpp:104
#52 0xb666c534 in WebCore::HTMLFrameElementBase::setNameAndOpenURL (this=0x8c94438) at ../../../WebCore/html/HTMLFrameElementBase.cpp:160
#53 0xb666c559 in WebCore::HTMLFrameElementBase::setNameAndOpenURLCallback (n=0x8c94438) at ../../../WebCore/html/HTMLFrameElementBase.cpp:165
#54 0xb64e3f57 in WebCore::ContainerNode::dispatchPostAttachCallbacks () at ../../../WebCore/dom/ContainerNode.cpp:572
#55 0xb64e4084 in WebCore::ContainerNode::resumePostAttachCallbacks (this=0x8c94438) at ../../../WebCore/dom/ContainerNode.cpp:545
#56 0xb64e4202 in WebCore::ContainerNode::attach (this=0x8c94438) at ../../../WebCore/dom/ContainerNode.cpp:585
#57 0xb6531d50 in WebCore::Element::attach (this=0x8c94438) at ../../../WebCore/dom/Element.cpp:710
#58 0xb666bbb7 in WebCore::HTMLFrameElementBase::attach (this=0x8c94438) at ../../../WebCore/html/HTMLFrameElementBase.cpp:192
#59 0xb6671b69 in WebCore::HTMLIFrameElement::attach (this=0x8c94438) at ../../../WebCore/html/HTMLIFrameElement.cpp:117
#60 0xb6693a70 in WebCore::HTMLParser::insertNode (this=0x8506ac8, n=0x8c94438, flat=false) at ../../../WebCore/html/HTMLParser.cpp:363
#61 0xb66963a6 in WebCore::HTMLParser::parseToken (this=0x8506ac8, t=0x85f9e28) at ../../../WebCore/html/HTMLParser.cpp:267
#62 0xb66af86f in WebCore::HTMLTokenizer::processToken (this=0x85f9e10) at ../../../WebCore/html/HTMLTokenizer.cpp:1886
#63 0xb66b60d6 in WebCore::HTMLTokenizer::parseTag (this=0x85f9e10, src=@0x85fa764, state={m_bits = 4194304}) at ../../../WebCore/html/HTMLTokenizer.cpp:1471
#64 0xb66b6f37 in WebCore::HTMLTokenizer::write (this=0x85f9e10, str=@0xbffea4ec, appendData=false) at ../../../WebCore/html/HTMLTokenizer.cpp:1717
#65 0xb64f4cc1 in WebCore::Document::write (this=0x85a9da0, text=@0xbffea4ec, ownerDocument=0x85a9da0) at ../../../WebCore/dom/Document.cpp:1701
#66 0xb639f4c2 in documentWrite (exec=0xb1bf1360, args=@0xbffea65c, document=0x85a9da0, addNewline=WebCore::DoNotAddNewline) at ../../../WebCore/bindings/js/JSHTMLDocumentCustom.cpp:154
#67 0xb639f5af in WebCore::JSHTMLDocument::write (this=0xb1bd12e0, exec=0xb1bf1360, args=@0xbffea65c) at ../../../WebCore/bindings/js/JSHTMLDocumentCustom.cpp:159
#68 0xb6d7e6ec in WebCore::jsHTMLDocumentPrototypeFunctionWrite (exec=0xb1bf1360, thisValue={m_ptr = 0xb1bd12e0}, args=@0xbffea65c) at tmp/JSHTMLDocument.cpp:359
#69 0xb62bcf93 in JSC::Interpreter::privateExecute (this=0x855a3d0, flag=JSC::Interpreter::Normal, registerFile=0x855a3d8, callFrame=0xb1bf1280, exception=0xbffec0ec) at ../../../JavaScriptCore/interpreter/Interpreter.cpp:2960
#70 0xb62c020e in JSC::Interpreter::execute (this=0x855a3d0, programNode=0x89e4590, callFrame=0x855aafc, scopeChain=0x8640640, thisObj=0xb1bd0000, exception=0xbffec0ec) at ../../../JavaScriptCore/interpreter/Interpreter.cpp:625
#71 0xb62f65d9 in JSC::evaluate (exec=0x855aafc, scopeChain=@0x855aab8, source=@0xbffec4b8, thisValue={m_ptr = 0xb1bd0000}) at ../../../JavaScriptCore/runtime/Completion.cpp:67
#72 0xb63d5319 in WebCore::ScriptController::evaluate (this=0x8417e70, sourceCode=@0xbffec4b8) at ../../../WebCore/bindings/js/ScriptController.cpp:104
#73 0xb6744393 in WebCore::FrameLoader::executeScript (this=0x8417bfc, sourceCode=@0xbffec4b8) at ../../../WebCore/loader/FrameLoader.cpp:796
#74 0xb66b2bd3 in WebCore::HTMLTokenizer::scriptExecution (this=0x85f9e10, sourceCode=@0xbffec4b8, state={m_bits = 4194304}) at ../../../WebCore/html/HTMLTokenizer.cpp:554
#75 0xb66b39f4 in WebCore::HTMLTokenizer::scriptHandler (this=0x85f9e10, state={m_bits = 4194304}) at ../../../WebCore/html/HTMLTokenizer.cpp:496
#76 0xb66b41ac in WebCore::HTMLTokenizer::parseSpecial (this=0x85f9e10, src=@0x85fa764, state={m_bits = 4194432}) at ../../../WebCore/html/HTMLTokenizer.cpp:347
#77 0xb66b6373 in WebCore::HTMLTokenizer::parseTag (this=0x85f9e10, src=@0x85fa764, state={m_bits = 4194432}) at ../../../WebCore/html/HTMLTokenizer.cpp:1486
#78 0xb66b6f37 in WebCore::HTMLTokenizer::write (this=0x85f9e10, str=@0xbffec83c, appendData=false) at ../../../WebCore/html/HTMLTokenizer.cpp:1717
#79 0xb64f4cc1 in WebCore::Document::write (this=0x85a9da0, text=@0xbffec83c, ownerDocument=0x85a9da0) at ../../../WebCore/dom/Document.cpp:1701
#80 0xb639f4c2 in documentWrite (exec=0xb1bf0a98, args=@0xbffec9ac, document=0x85a9da0, addNewline=WebCore::DoNotAddNewline) at ../../../WebCore/bindings/js/JSHTMLDocumentCustom.cpp:154
#81 0xb639f5af in WebCore::JSHTMLDocument::write (this=0xb1bd12e0, exec=0xb1bf0a98, args=@0xbffec9ac) at ../../../WebCore/bindings/js/JSHTMLDocumentCustom.cpp:159
#82 0xb6d7e6ec in WebCore::jsHTMLDocumentPrototypeFunctionWrite (exec=0xb1bf0a98, thisValue={m_ptr = 0xb1bd12e0}, args=@0xbffec9ac) at tmp/JSHTMLDocument.cpp:359
#83 0xb62bcf93 in JSC::Interpreter::privateExecute (this=0x855a3d0, flag=JSC::Interpreter::Normal, registerFile=0x855a3d8, callFrame=0xb1bf09b0, exception=0xbffee43c) at ../../../JavaScriptCore/interpreter/Interpreter.cpp:2960
#84 0xb62c020e in JSC::Interpreter::execute (this=0x855a3d0, programNode=0x8975298, callFrame=0x855aafc, scopeChain=0x8640640, thisObj=0xb1bd0000, exception=0xbffee43c) at ../../../JavaScriptCore/interpreter/Interpreter.cpp:625
#85 0xb62f65d9 in JSC::evaluate (exec=0x855aafc, scopeChain=@0x855aab8, source=@0xbffee760, thisValue={m_ptr = 0xb1bd0000}) at ../../../JavaScriptCore/runtime/Completion.cpp:67
#86 0xb63d5319 in WebCore::ScriptController::evaluate (this=0x8417e70, sourceCode=@0xbffee760) at ../../../WebCore/bindings/js/ScriptController.cpp:104
#87 0xb6744393 in WebCore::FrameLoader::executeScript (this=0x8417bfc, sourceCode=@0xbffee760) at ../../../WebCore/loader/FrameLoader.cpp:796
#88 0xb66b2bd3 in WebCore::HTMLTokenizer::scriptExecution (this=0x85f9e10, sourceCode=@0xbffee760, state={m_bits = 4194304}) at ../../../WebCore/html/HTMLTokenizer.cpp:554
#89 0xb66b30af in WebCore::HTMLTokenizer::notifyFinished (this=0x85f9e10) at ../../../WebCore/html/HTMLTokenizer.cpp:1974
#90 0xb66af446 in WebCore::HTMLTokenizer::executeScriptsWaitingForStylesheets (this=0x85f9e10) at ../../../WebCore/html/HTMLTokenizer.cpp:1931
#91 0xb64f3dcb in WebCore::Document::removePendingSheet (this=0x85a9da0) at ../../../WebCore/dom/Document.cpp:2189
#92 0xb668146e in WebCore::HTMLLinkElement::sheetLoaded (this=0x8a8bb00) at ../../../WebCore/html/HTMLLinkElement.cpp:282
#93 0xb64c2c34 in WebCore::CSSStyleSheet::checkLoaded (this=0x89e6508) at ../../../WebCore/css/CSSStyleSheet.cpp:189
#94 0xb6681725 in WebCore::HTMLLinkElement::setCSSStyleSheet (this=0x8a8bb00, url=@0x8a7b1dc, charset=@0xbffee8b8, sheet=0x8a7b1b0) at ../../../WebCore/html/HTMLLinkElement.cpp:267
#95 0xb670d205 in WebCore::CachedCSSStyleSheet::checkNotify (this=0x8a7b1b0) at ../../../WebCore/loader/CachedCSSStyleSheet.cpp:116
#96 0xb670d45c in WebCore::CachedCSSStyleSheet::data (this=0x8a7b1b0, data=@0xbffee978, allDataReceived=true) at ../../../WebCore/loader/CachedCSSStyleSheet.cpp:104
#97 0xb6761535 in WebCore::Loader::Host::didFinishLoading (this=0x87df928, loader=0x8a8d650) at ../../../WebCore/loader/loader.cpp:304
#98 0xb677495d in WebCore::SubresourceLoader::didFinishLoading (this=0x8a8d650) at ../../../WebCore/loader/SubresourceLoader.cpp:183
#99 0xb6771a3c in WebCore::ResourceLoader::didFinishLoading (this=0x8a8d650) at ../../../WebCore/loader/ResourceLoader.cpp:416
#100 0xb6a1bd0e in WebCore::QNetworkReplyHandler::finish (this=0x8a8bd68) at ../../../WebCore/platform/network/qt/QNetworkReplyHandler.cpp:224
#101 0xb6a1bda4 in WebCore::QNetworkReplyHandler::qt_metacall (this=0x8a8bd68, _c=QMetaObject::InvokeMetaMethod, _id=0, _a=0x87e8128) at ./moc_QNetworkReplyHandler.cpp:69
#102 0xb456637b in QMetaCallEvent::placeMetaCall (this=0x8910c40, object=0x8a8bd68) at /var/tmp/qt-x11-src-4.5.0/src/corelib/kernel/qobject.cpp:489
#103 0xb4567ec8 in QObject::event (this=0x8a8bd68, e=0x8910c40) at /var/tmp/qt-x11-src-4.5.0/src/corelib/kernel/qobject.cpp:1109
#104 0xb4ab8a7f in QApplicationPrivate::notify_helper (this=0x81425e8, receiver=0x8a8bd68, e=0x8910c40) at /var/tmp/qt-x11-src-4.5.0/src/gui/kernel/qapplication.cpp:4084
#105 0xb4abc6b9 in QApplication::notify (this=0xbffef17c, receiver=0x8a8bd68, e=0x8910c40) at /var/tmp/qt-x11-src-4.5.0/src/gui/kernel/qapplication.cpp:3631
#106 0xb455681b in QCoreApplication::notifyInternal (this=0xbffef17c, receiver=0x8a8bd68, event=0x8910c40) at /var/tmp/qt-x11-src-4.5.0/src/corelib/kernel/qcoreapplication.cpp:602
#107 0xb455798e in QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0x81426b8) at /var/tmp/qt-x11-src-4.5.0/src/corelib/kernel/qcoreapplication.h:213
#108 0xb4557c3d in QCoreApplication::sendPostedEvents (receiver=0x0, event_type=0) at /var/tmp/qt-x11-src-4.5.0/src/corelib/kernel/qcoreapplication.cpp:1132
#109 0xb4582c8f in postEventSourceDispatch (s=0x814af10) at /var/tmp/qt-x11-src-4.5.0/src/corelib/kernel/qcoreapplication.h:218
#110 0xb4378cf6 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#111 0xb437c0b3 in ?? () from /usr/lib/libglib-2.0.so.0
#112 0xb437c66e in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#113 0xb458303e in QEventDispatcherGlib::processEvents (this=0x81483b8, flags=@0xbffef078) at /var/tmp/qt-x11-src-4.5.0/src/corelib/kernel/qeventdispatcher_glib.cpp:323
#114 0xb4b52bd5 in QGuiEventDispatcherGlib::processEvents (this=0x81483b8, flags=@0xbffef0a8) at /var/tmp/qt-x11-src-4.5.0/src/gui/kernel/qguieventdispatcher_glib.cpp:202
#115 0xb45559ed in QEventLoop::processEvents (this=0xbffef120, flags=@0xbffef0e8) at /var/tmp/qt-x11-src-4.5.0/src/corelib/kernel/qeventloop.cpp:149
#116 0xb4555d5d in QEventLoop::exec (this=0xbffef120, flags=@0xbffef128) at /var/tmp/qt-x11-src-4.5.0/src/corelib/kernel/qeventloop.cpp:200
#117 0xb4557cfc in QCoreApplication::exec () at /var/tmp/qt-x11-src-4.5.0/src/corelib/kernel/qcoreapplication.cpp:880
#118 0xb4ab8217 in QApplication::exec () at /var/tmp/qt-x11-src-4.5.0/src/gui/kernel/qapplication.cpp:3553
#119 0x080eebef in main (argc=Cannot access memory at address 0x0
) at main.cpp:67
Comment 6 Robert Hogan 2009-04-20 12:28:00 PDT
in FrameLoader.cpp:

    // this somewhat odd set of steps is needed to give the frame an initial empty document
    m_isDisplayingInitialEmptyDocument = false;
    m_creatingInitialEmptyDocument = true;
    setPolicyDocumentLoader(m_client->createDocumentLoader(ResourceRequest(KURL("")), SubstituteData()).get());
    setProvisionalDocumentLoader(m_policyDocumentLoader.get());
    setState(FrameStateProvisional);
    m_provisionalDocumentLoader->setResponse(ResourceResponse(KURL(), "text/html", 0, String(), String()));
    m_provisionalDocumentLoader->finishedLoading();


The crash originates from the last line. At this point there's still no document() available. However, numerous calls later Qt ends up trying to reference the document() while adjusting the frame's layout. I think the reason you don't see it on Mac is because qtchromeclient.cpp emits a signal to update the status bar text, which eventually results in the crash point expecting to have a document() to hand. I imagine only Qt does this, though it is acting on a prompt from WebCore itself: WebCore::Chrome::setStatusbarText().

The only sane alternative that I can think of to the patch I previously posted is:

Index: WebCore/page/Chrome.cpp
===================================================================
--- WebCore/page/Chrome.cpp     (revision 42258)
+++ WebCore/page/Chrome.cpp     (working copy)
@@ -292,7 +292,10 @@
 void Chrome::setStatusbarText(Frame* frame, const String& status)
 {
     ASSERT(frame);
-    m_client->setStatusbarText(frame->displayStringModifiedByEncoding(status));
+    /* We may not have a document at this point because sometimes the process of creating an
+       empty one brings us here before the document has been created. */
+    if (frame->document())
+        m_client->setStatusbarText(frame->displayStringModifiedByEncoding(status));
 }

 bool Chrome::shouldInterruptJavaScript()
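Review bot: the `if (frame->document())` guard added in this hunk hides the inconsistency instead of fixing it. As comment 3 points out, a frame is without a document only for a short window during construction, so reaching Chrome::setStatusbarText with a null document means the caller handed control to the client while the frame was in an inconsistent state; this check silently drops the status text for that window and does nothing for any other client call made in the same state. The crash in the backtrace is in FrameView::needsLayout, reached through the client's repaint, so this guard only avoids it as a side effect. Prefer making sure the document exists before the client is called (or skipping the call during initial empty-document setup in FrameLoader::init) and keeping an ASSERT on the document here so a regression is caught on every port. Minor: the surrounding code uses `//` line comments (see the FrameLoader.cpp excerpt above) rather than a `/* ... */` block, and the comment should name the path that creates the empty document rather than saying "sometimes".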
Comment 7 Robert Hogan 2009-04-20 12:31:00 PDT
Created attachment 29620 [details]
alternative patch
Comment 8 Robert Hogan 2009-04-20 13:05:50 PDT
Created attachment 29622 [details]
better patch

OK, I think this is the place to patch it. The problem is probably specific to Qt so Qt should check for a document() if it plans to start rendering pages.
Comment 9 Kenneth Rohde Christiansen 2009-05-06 12:00:29 PDT
OK, I had a look at the backtrace posted on IRC, and apparently what happens is that a repaint is triggered by Qt (in Arora; everything works fine in the QtLauncher) as it acts on the statusBarMessage signal and sets the Arora status bar.

Painting calls needsLayout(), which assumes that a document() exists, but as it doesn't, we experience a crash.

Now the question is, why doesn't a document exist - or - should we guard for repaints when no document exists?
Comment 10 Robert Hogan 2009-05-06 14:30:36 PDT
Removing:

    connect(webView, SIGNAL(statusBarMessage(const QString&)),
            this, SIGNAL(showStatusBarMessage(const QString&)));

in line 296 of tabwidget.cpp in Arora prevents the crash from happening.

Long story short: the repaint of the status bar in Qt cascades all the way up to the QMainWindow and then all the way down through the QWebView. Given that the status bar is getting repainted because a doc is getting initialized in WebCore::FrameLoader::init, once the rendering iterates through the FrameViews in RenderView::updateWidgetPositions it eventually hits the frame that is still being constructed and still has an uninitialized/null doc in it, and so crashes in WebCore::FrameView::layout.

None of my patches (except the first one) can actually prevent this crash, so as kenne suggests, the trick will be to catch it in Qt and prevent the rendering from taking place. 'better patch' won't necessarily do this because the frame with the null doc is not at the top level of the QWebView.
Comment 11 Alexey Proskuryakov 2009-05-07 01:20:07 PDT
So, the problem is that a client call (setStatusbarText) is made when there is still no document in the frame. It happens so that Qt asks for repaint, but another client could ask for something else.

Instead of adding document null checks to all code paths a client could potentially trigger, I think that it would be better to ensure that the frame has a document before any client calls.

An obvious way to achieve this is to move "begin(KURL(), false);" one or two lines upwards in FrameLoader::init(). I don't know this code well enough to predict if that will cause any undesired consequences, but it seems worth experimenting with. If it works, please also add an ASSERT(m_doc) in Frame::setJSStatusBarText(), with a comment briefly explaining that we want the frame to be in a consistent state before handing off control to the client.
Comment 12 Alexey Proskuryakov 2009-05-07 01:26:17 PDT
And if changing FrameLoader::init() proves impractically difficult, you could add an m_doc null check before setStatusbarText() - that's worse than improving the guarantee of every frame having a document, but better than calling the client while the frame is in an inconsistent state.
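The hazard described in comments 9 through 12 is a general one: an engine calls out to an embedder while one of its own invariants (here, "a frame always has a document") is temporarily broken, and the embedder re-enters the engine on a path that relies on that invariant. The C++ model below is an added example written for this page; it is not code from WebKit, Qt, Arora or any of the attached patches. The names Frame, Client, ReentrantClient and PassiveClient, the guarded flag, and the fault counter are the example's own: the counter stands in for the null dereference in FrameView::needsLayout so the model can run to completion, and the ReentrantClient stands in for an embedder that repaints synchronously on the status-bar signal, while PassiveClient stands in for one that does not. The guarded variant mirrors the shape of the fix under discussion: the caller (didOpenURL) skips the client call while the document is still null, and setJSStatusBarText asserts that a document exists.

```cpp
// Added example, not WebKit/Qt/Arora code: a minimal model of calling an
// embedder client while a frame is still being constructed. The "faults"
// counter stands in for the null dereference that crashes the real engine.
#include <cassert>
#include <string>

struct Document {
    bool hasChangedChild = false;
};

struct Frame;

// Embedder-side interface, standing in for WebCore::ChromeClient.
struct Client {
    virtual ~Client() = default;
    virtual void setStatusbarText(Frame& frame, const std::string& text) = 0;
};

struct Frame {
    Document* m_doc = nullptr;   // null until begin() runs, as in FrameLoader::init()
    Client* m_client;
    int faults = 0;              // times layout touched a null document
    bool guarded;                // whether client calls are gated on m_doc

    Frame(Client* client, bool guardClientCalls)
        : m_client(client), guarded(guardClientCalls) {}

    // Stand-in for FrameView::needsLayout(); the real code reads
    // document()->hasChangedChild() with no null check.
    bool needsLayout() {
        if (!m_doc) {
            ++faults;            // real engine: null pointer dereference here
            return false;
        }
        return m_doc->hasChangedChild;
    }

    void layoutIfNeeded() {
        if (needsLayout()) { /* layout would run here */ }
    }

    // Stand-in for Frame::setJSStatusBarText(). With the fix, callers must not
    // reach this with a null document, and the assertion catches a regression.
    void setJSStatusBarText(const std::string& text) {
        if (guarded)
            assert(m_doc);
        m_client->setStatusbarText(*this, text);
    }

    // Stand-in for FrameLoader::didOpenURL(). The guarded variant does not hand
    // control to the client during initial empty-document setup.
    void didOpenURL() {
        if (!guarded || m_doc)
            setJSStatusBarText("");
    }

    // Stand-in for FrameLoader::init(): the client is notified before begin()
    // installs the initial empty document.
    void init(Document* initialDoc) {
        didOpenURL();            // runs with m_doc == nullptr
        m_doc = initialDoc;      // begin() equivalent
    }
};

// Embedder that repaints synchronously on the status-bar signal, re-entering
// the engine and laying out the frame (the behaviour attributed to Arora).
struct ReentrantClient : Client {
    int updates = 0;
    void setStatusbarText(Frame& frame, const std::string&) override {
        ++updates;
        frame.layoutIfNeeded();
    }
};

// Embedder that only records the text (the behaviour attributed to QtLauncher).
struct PassiveClient : Client {
    int updates = 0;
    void setStatusbarText(Frame&, const std::string&) override { ++updates; }
};

struct Outcome {
    int faults;   // null-document accesses during layout
    int updates;  // status-bar updates delivered to the client
};

// Construct a frame, then trigger one more status update once the document exists.
template <typename ClientT>
Outcome run(bool guarded) {
    ClientT client;
    Document doc;
    Frame frame(&client, guarded);
    frame.init(&doc);
    frame.didOpenURL();
    return { frame.faults, client.updates };
}

Outcome unguardedReentrant() { return run<ReentrantClient>(false); }
Outcome guardedReentrant()   { return run<ReentrantClient>(true); }
Outcome unguardedPassive()   { return run<PassiveClient>(false); }
Outcome guardedPassive()     { return run<PassiveClient>(true); }
```

Only the combination of an unguarded engine and a re-entrant client produces a fault, which matches the observation that QtLauncher is fine while Arora crashes; the guard in the engine removes the fault regardless of what the client does, and the only cost is that the status-bar update made during initial empty-document setup is not delivered.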
Comment 13 Robert Hogan 2009-05-07 13:00:15 PDT
Moving begin() around results in either a crash or the following warnings:

ERROR: called Frame::paint with nil renderer
(../../../WebCore/page/FrameView.cpp:1328 virtual void WebCore::FrameView::paintContents(WebCore::GraphicsContext*, const WebCore::IntRect&))
ERROR: called Frame::paint with nil renderer
(../../../WebCore/page/FrameView.cpp:1328 virtual void WebCore::FrameView::paintContents(WebCore::GraphicsContext*, const WebCore::IntRect&))

So I've had to go with your last suggestion, which is to prevent calls to setJSStatusBarText if a frame's document is still in the middle of initialization.
Comment 14 Robert Hogan 2009-05-07 13:01:56 PDT
Created attachment 30111 [details]
patch for FrameLoader::didOpenURL
Comment 15 Alexey Proskuryakov 2009-05-07 23:23:10 PDT
Comment on attachment 30111 [details]
patch for FrameLoader::didOpenURL

> +        Not sure how I would create a test case for this patch, sorry!
> +
> +        * loader/FrameLoader.cpp:
> +        (WebCore::FrameLoader::didOpenURL):

There should be a bug URL and title in the ChangeLog, so that one could easily find the associated discussion. Also, it's best to describe changes for each function - that's why the list of functions is generated.

As mentioned in a previous comment, we should have an ASSERT in Frame::setJSStatusBarText(), so that accidental undoing of this fix (or other similar issues) would be caught regardless of platform used. In fact, it would be useful to add such assertions before other client calls.

r=me - I'll address my nitpicks while landing.
Comment 16 Alexey Proskuryakov 2009-05-08 00:58:54 PDT
Committed <http://trac.webkit.org/changeset/43393>.