50200 – Crash when iframe transfers from one page to another and has child frames.

Bug 50200 - Crash when iframe transfers from one page to another and has child frames.

Summary: Crash when iframe transfers from one page to another and has child frames.

Status:	ASSIGNED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebCore Misc. (show other bugs)
Version:	528+ (Nightly build)
Hardware:	All All

Importance:	P2 Normal
Assignee:	Dmitry Titov

URL:
Keywords:

Depends on:
Blocks:

Reported:	2010-11-29 18:41 PST by Dmitry Titov
Modified:	2010-12-14 15:22 PST (History)
CC List:	3 users (show)

See Also:

Attachments
Patch. (1.13 KB, patch) 2010-11-29 18:44 PST, Dmitry Titov	no flags	Details \| Formatted Diff \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Dmitry Titov 2010-11-29 18:41:24 PST

The crash happens due to lack of FrameLoaderClient updates for children of the Frame that was transferred from one page to another. This leaves the children of transferred Frame using the clients associated with the old Page, and once that one goes away and some GC'ing happens, the operations requiring FrameLoaderClient can cause crash.

The code avoids unnecessary updates by accumulating 'didTransfer' bool. The change http://trac.webkit.org/changeset/71962 introduced code that overrides the boolean rather then accumulates the result.

Patch is coming shortly. I can't figure out simple test for this, but I'm still working on it. Want to put the fix through before I can do the test since the crash blocks other developers at the moment.

Comment 1 Dmitry Titov 2010-11-29 18:44:54 PST

Created attachment 75098 [details]
Patch.

Comment 2 David Levin 2010-11-29 18:48:58 PST

OK, but I'm expecting a test soon!

Comment 3 Dmitry Titov 2010-11-29 19:10:16 PST

Landed: http://trac.webkit.org/changeset/72863

Comment 4 Dmitry Titov 2010-11-29 19:10:53 PST

Still working on a test so keeping bug open.

Comment 5 Eric Seidel (no email) 2010-12-14 01:31:07 PST

Comment on attachment 75098 [details]
Patch.

Any updates?  Obsoleting this patch since it was landed.

Comment 6 Eric Seidel (no email) 2010-12-14 15:22:20 PST

Comment on attachment 75098 [details]
Patch.

Cleared David Levin's review+ from obsolete attachment 75098 [details] so that this bug does not appear in http://webkit.org/pending-commit.