RESOLVED FIXED 45833
Crash in WebCore::FrameLoader::shouldInterruptLoadForXFrameOptions
https://bugs.webkit.org/show_bug.cgi?id=45833
Tony Gentilcore
Reported 2010-09-15 13:56:45 PDT
Reliably reproduces on http://blog.cnyes.com/My/itamian/article316071, but much more common with facebook.com + certain extensions. I'm distilling a repro now.

0x017b00e8 [Google Chrome Framework - FrameLoader.cpp:3072] WebCore::FrameLoader::shouldInterruptLoadForXFrameOptions
0x01565a5d [Google Chrome Framework - Document.cpp:2528] WebCore::Document::processHttpEquiv
0x016c17a3 [Google Chrome Framework - HTMLMetaElement.cpp:76] WebCore::HTMLMetaElement::process
0x0154b2d7 [Google Chrome Framework - ContainerNode.cpp:632] WebCore::ContainerNode::parserAddChild
0x016ff038 [Google Chrome Framework - HTMLConstructionSite.cpp:98] WebCore::HTMLConstructionSite::attach<WebCore::Element>
0x016feba8 [Google Chrome Framework - HTMLConstructionSite.cpp:233] WebCore::HTMLConstructionSite::insertSelfClosingHTMLElement
0x0171bfa1 [Google Chrome Framework - HTMLTreeBuilder.cpp:2735] WebCore::HTMLTreeBuilder::processStartTagForInHead
0x0171de9e [Google Chrome Framework - HTMLTreeBuilder.cpp:747] WebCore::HTMLTreeBuilder::processStartTagForInBody
0x0171f7cd [Google Chrome Framework - HTMLTreeBuilder.cpp:1337] WebCore::HTMLTreeBuilder::processStartTag
0x0172159c [Google Chrome Framework - HTMLTreeBuilder.cpp:485] WebCore::HTMLTreeBuilder::processToken
0x0172164f [Google Chrome Framework - HTMLTreeBuilder.cpp:466] WebCore::HTMLTreeBuilder::constructTreeFromToken
0x016ff423 [Google Chrome Framework - HTMLDocumentParser.cpp:234] WebCore::HTMLDocumentParser::pumpTokenizer
0x017009be [Google Chrome Framework - HTMLDocumentParser.cpp:183] WebCore::HTMLDocumentParser::insert
0x0170043e [Google Chrome Framework - HTMLDocumentParser.cpp:518] WebCore::HTMLDocumentParser::parseDocumentFragment
0x01691762 [Google Chrome Framework - HTMLElement.cpp:353] WebCore::createFragmentFromSource
0x016920f1 [Google Chrome Framework - HTMLElement.cpp:375] WebCore::HTMLElement::setInnerHTML
0x01bd6c84 [Google Chrome Framework - V8HTMLElement.cpp:168] WebCore::HTMLElementInternal::innerHTMLAttrSetter
0x00e3416e [Google Chrome Framework - objects.cc:1580] v8::internal::JSObject::SetPropertyWithCallback
0x00e487f4 [Google Chrome Framework - objects.cc:1865] v8::internal::JSObject::SetProperty
0x00e48d27 [Google Chrome Framework - objects.cc:1538] v8::internal::JSObject::SetProperty
0x00e01465 [Google Chrome Framework - ic.cc:1305] v8::internal::StoreIC::Store
0x00e01926 [Google Chrome Framework - ic.cc:1610] v8::internal::StoreIC_Miss
Attachments
Testcase (258 bytes, text/html)
2010-09-15 15:07 PDT, Tony Gentilcore
no flags
Patch (4.43 KB, patch)
2010-09-15 15:17 PDT, Tony Gentilcore
no flags
Tony Gentilcore
Comment 1 2010-09-15 15:07:28 PDT
Created attachment 67724 [details] Testcase
Tony Gentilcore
Comment 2 2010-09-15 15:17:49 PDT
Adam Barth
Comment 3 2010-09-15 15:22:47 PDT
Comment on attachment 67727 [details] Patch Precisely.
WebKit Commit Bot
Comment 4 2010-09-16 09:12:34 PDT
Comment on attachment 67727 [details] Patch Clearing flags on attachment: 67727 Committed r67627: <http://trac.webkit.org/changeset/67627>
WebKit Commit Bot
Comment 5 2010-09-16 09:12:40 PDT
All reviewed patches have been landed. Closing bug.