[Webkit-unassigned] [Bug 12634] Regression: crash loading web archive

bugzilla-daemon at webkit.org
Fri Feb 9 07:23:25 PST 2007


http://bugs.webkit.org/show_bug.cgi?id=12634





------- Comment #13 from jim.correia at pobox.com  2007-02-09 07:23 PDT -------
Like mjs and ddkilzer, I was finally able to *not* reproduce the problem.

Digging into this further, it appears that it happens on a reload if there is
an unsafe JavaScript attempt to access a different frame. This depends on what
the current ad rotation is at cnn.com.

When this happens, the following is logged to the console (with JavaScript
exception logging turned on):

Unsafe JavaScript attempt to access frame with URL http://www.cnn.com/ from
frame with URL
http://ad.doubleclick.net/adi/N3285.cnn/B1872795.20;dcadv=895178;sz=336x280;click=http://ads.cnn.com/event.ng/Type=click&FlightID=38677&AdID=49897&TargetID=913&Segments=730,2259,2725,2743,2813,3030,3285,3506,3549,3800,4960,5516,5854,6298,6520,6582,6810,7049,7051,7203,7303,7324,7373&Targets=913,8450,1515,3297,3392,8112,10403,10705,10880,10885,10920,10983&Values=30,46,50,61,73,82,91,100,110,150,682,685,686,917,972,1285,1557,1588,1601,1647,1669,1691,1722,2677,2732,2746,4413,4418,4441,5401,47181,47456,47739,49553&RawValues=TLD%2C%253F%2CZIP%2C03101&Redirect=;ord=bftsfid,bcNrpkRmxwtcv?.
Domains must match.

After that happens, we crash.

Running a debug build yields:

ASSERTION FAILED: m_state == FrameStateProvisional
(/Users/correia/tmp/WebKit/WebCore/loader/FrameLoader.cpp:2330
transitionToCommitted)
Segmentation fault

I don't (yet) have a simpler reduction of the problem. Hopefully the additional
information is useful.

