Bug 50200 - Crash when iframe transfers from one page to another and has child frames.
Summary: Crash when iframe transfers from one page to another and has child frames.
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: 528+ (Nightly build)
Hardware: All
OS: All
Importance: P2 Normal
Assignee: Dmitry Titov
Reported: 2010-11-29 18:41 PST by Dmitry Titov
Modified: 2010-12-14 15:22 PST
CC List: 3 users

Attachment 75098: Patch. (1.13 KB, patch)
2010-11-29 18:44 PST, Dmitry Titov
no flags

Description Dmitry Titov 2010-11-29 18:41:24 PST
The crash happens due to the lack of FrameLoaderClient updates for children of the Frame that was transferred from one page to another. This leaves the children of the transferred Frame using the clients associated with the old Page, and once that one goes away and some GC'ing happens, the operations requiring FrameLoaderClient can cause a crash.

The code avoids unnecessary updates by accumulating a 'didTransfer' bool. The change http://trac.webkit.org/changeset/71962 introduced code that overrides the boolean rather than accumulating the result.

Patch is coming shortly. I can't figure out a simple test for this, but I'm still working on it. I want to put the fix through before I can do the test, since the crash blocks other developers at the moment.
Comment 1 Dmitry Titov 2010-11-29 18:44:54 PST
Created attachment 75098
Comment 2 David Levin 2010-11-29 18:48:58 PST
OK, but I'm expecting a test soon!
Comment 3 Dmitry Titov 2010-11-29 19:10:16 PST
Landed: http://trac.webkit.org/changeset/72863
Comment 4 Dmitry Titov 2010-11-29 19:10:53 PST
Still working on a test so keeping bug open.
Comment 5 Eric Seidel (no email) 2010-12-14 01:31:07 PST
Comment on attachment 75098

Any updates? Obsoleting this patch since it was landed.
Comment 6 Eric Seidel (no email) 2010-12-14 15:22:20 PST
Comment on attachment 75098

Cleared David Levin's review+ from obsolete attachment 75098 so that this bug does not appear in http://webkit.org/pending-commit.