UNCONFIRMED 29339
Reproducible crash from webView:unableToImplementPolicyWithError:frame:
https://bugs.webkit.org/show_bug.cgi?id=29339
Jeff Johnson
Reported 2009-09-17 11:26:07 PDT
Overview:
The WebFrame class reference suggests that you can call -[WebFrame loadAlternateHTMLString:baseURL:forUnreachableURL:] in the WebPolicyDelegate method webView:unableToImplementPolicyWithError:frame:. However, doing so can cause a crash during a page load.

Steps to Reproduce:
1. On a web server running Apache, create an .htaccess file with the following line, replacing /path/to/ with an actual path:
   RedirectMatch ^/path/to/redirect-crash.html httypo://bugs.webkit.org/
2. Download, unzip, build, and run the attached sample Xcode project WebPolicyCrash.
3. In the text field, enter http://my.apache.web.server/path/to/redirect-crash.html and press return.

Actual Results:
Crash

Expected Results:
No crash (duh).

Build Date & Platform:
git commit c3f23b6f9e374dec5ddd54a645c05cf06f4ceb03 corresponding to svn revision 48472

Additional Builds and Platforms:
Mac OS X 10.5.8 Build 9L30

Additional Information:
I've also attached a crash log and a gdb backtrace. The crash occurs after calling -[WebFrame loadAlternateHTMLString:baseURL:forUnreachableURL:] in the WebPolicyDelegate method webView:unableToImplementPolicyWithError:frame:. This should definitely not occur, because the documentation at http://developer.apple.com/mac/library/documentation/Cocoa/Reference/WebKit/Classes/WebFrame_Class/Reference/Reference.html#//apple_ref/occ/instm/WebFrame/loadAlternateHTMLString:baseURL:forUnreachableURL: specifically mentions that this method can be called in webView:unableToImplementPolicyWithError:frame:.

The crash also occurs if you call -[WebFrame stopLoading] instead of -[WebFrame loadAlternateHTMLString:baseURL:forUnreachableURL:].
Attachments
Sample Xcode project (48.54 KB, application/octet-stream)
2009-09-17 11:27 PDT, Jeff Johnson
Crash log (23.13 KB, text/plain)
2009-09-17 11:28 PDT, Jeff Johnson
gdb backtrace (5.63 KB, text/plain)
2009-09-17 11:28 PDT, Jeff Johnson
Jeff Johnson
Comment 1 2009-09-17 11:27:02 PDT
Created attachment 39710: Sample Xcode project
Jeff Johnson
Comment 2 2009-09-17 11:28:03 PDT
Created attachment 39713: Crash log
Jeff Johnson
Comment 3 2009-09-17 11:28:39 PDT
Created attachment 39714: gdb backtrace
Mark Rowe (bdash)
Comment 4 2009-09-17 11:33:06 PDT
Jeff Johnson
Comment 5 2009-09-17 13:23:34 PDT
I should note that I discovered this bug in the 'wild' with the page
http://www.cnn.com/2009/POLITICS/09/15/borger.gop.obama.bluff/index.html?eref=rss_us

It's not 100% reproducible with that page, though, probably depends on what the server is doing at the time. It seems that one of the ads in the page was giving a bad redirect:

$ curl -i 'http://view.atdmt.com/MGM/iview/146090593/direct/01/dwjeltz,bfldtnReyioAi?click=http://ads.cnn.com/event.ng/Type%3dclick%26FlightID%3d198575%26AdID%3d279116%26TargetID%3d6933%26Segments%3d968,2247,2274,2607,2743,3285,4008,4898,9496,9784,9853,10371,13105,13106,13107,13108,13109,13110,13112,14036,15605,16113,16338,17251,18517,18823,18857,18888,18902,18982,20139,21801,22902,23029,23724,25536,25539,25545,25546,25547,25548,25549,25551,26167,26447,26581,28572,28789%26Values%3d1588%26Redirect%3d'
HTTP/1.1 302 Object moved
Cache-Control: no-store
Content-Length: 0
Expires: 0
Location: c:\atlas\html\t\MGMGMMGMMMGM/728x90_sig_e_ver4_090809_js.tpl
P3P: CP="NOI DSP COR CUR ADM DEV TAIo PSAo PSDo OUR BUS UNI PUR COM NAV INT DEM STA PRE OTC"
Set-Cookie: AA002=001253166663-11722323; expires=Saturday, 17-Sep-2011 00:00:00 GMT; path=/; domain=.atdmt.com
Set-Cookie: MUID=EC73B371F1AB4326991462BEF9ABAF1E; expires=Monday, 05-Apr-2010 00:00:00 GMT; path=/; domain=.atdmt.com
Connection: close
Date: Thu, 17 Sep 2009 05:51:02 GMT
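
An added example, not part of the original report or of WebKit: a Python check that reads a raw HTTP response head and classifies the redirect target, covering the two bad targets seen on this page (the httypo:// RedirectMatch target and the c:\atlas\... Location header). The supported-scheme set, the function names and the abbreviated sample responses are assumptions constructed for illustration.

```python
import re

# Schemes the hypothetical client can load (assumption for this example).
SUPPORTED_SCHEMES = {"http", "https"}
# RFC 3986 section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")
# One letter followed by ":\" or ":/" is almost always a leaked Windows path.
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:[\\/]")

def parse_response_head(raw):
    """Return (status_code, headers) parsed from a raw HTTP response head."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return status, headers

def classify_redirect(raw):
    """Classify the Location target of one response as a short verdict string."""
    status, headers = parse_response_head(raw)
    if status not in (301, 302, 303, 307, 308):
        return "not-a-redirect"
    location = headers.get("location")
    if not location:
        return "missing-location"
    if DRIVE_PATH_RE.match(location):
        return "windows-path"
    match = SCHEME_RE.match(location)
    if match is None:
        return "relative"  # no scheme: resolved against the request URL
    scheme = match.group(1).lower()
    return "ok" if scheme in SUPPORTED_SCHEMES else "unsupported-scheme:" + scheme

# Constructed samples, abbreviated from the response quoted in comment 5 and
# from the RedirectMatch target in the report.
SAMPLE_AD = (
    "HTTP/1.1 302 Object moved\r\n"
    "Cache-Control: no-store\r\n"
    "Location: c:\\atlas\\html\\t\\MGMGMMGMMMGM/728x90_sig_e_ver4_090809_js.tpl\r\n"
    "Connection: close\r\n"
)
SAMPLE_TYPO = "HTTP/1.1 302 Found\r\nLocation: httypo://bugs.webkit.org/\r\n"
SAMPLE_GOOD = "HTTP/1.1 302 Found\r\nLocation: https://bugs.webkit.org/\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_AD, SAMPLE_TYPO, SAMPLE_GOOD):
        print(classify_redirect(sample))
```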