[Webkit-unassigned] [Bug 26230] New: JavascriptURL as frame src crasher.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jun 5 18:52:49 PDT 2009 

https://bugs.webkit.org/show_bug.cgi?id=26230

           Summary: JavascriptURL as frame src crasher.
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: UNCONFIRMED
          Severity: Blocker
          Priority: P1
         Component: Frames
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: michaeln at google.com


This is a blocking bug for chrome.
See http://code.google.com/p/chromium/issues/detail?id=12161

The incorrect javascript handling is a secondary issue. The blocker is the
crasher.

This webkit bug was split out of bug 16855, which is an umbrella for all manner
of issues related to javascript urls. I hijacked that umbrella too much for
this particular issue already, so have opened this new more focused bug. There
are comments (and preliminary patches) specific to chrome's issue in bug 16855
that I have not copied here (so please see them there).

As mentioned in the comments over there, I'm not so sure about the extra call
to stopLoader(false) in FrameLoader::executeIfJavaScriptURL. What seems like is
really missing is a call to cache()->loader()->cancelRequests(docLoader) for
the document being torn down in the act of replacing the document. The call to
stopLoader(false) gets that done and much much more. I'm concerned about what
side effects the much much more may have (although all layout tests do pass).

I took a few other stabs at it.

1) In DocumentLoader::stopLoading() call cancelRequests(). The method comments
sound like this would be appropiate for that method.
// Cancels the data source's pending loads.  Conceptually, a data source only
loads
// one document at a time, but one document may have many related resources. 
// stopLoading will stop all loads initiated by the data source, 
// but not loads initiated by child frames' data sources -- that's the
WebFrame's job.
But... a handful of layout tests fail as a result.

2) In FrameLoader::executeIfJavaScriptURL() replace the call to
stopLoading(false) with the more focused call to cancelRequests(). This alone
resolves the very specific crashing bug that I'm seeing with javascript urls
that construct the document programatically.

I'm concerned there are other scenarios where the Document/DocLoader will get
blown away while requests are still pending. We're seeing a number of stack
traces that indicate that has occurred sometime after the fact. I think its
unlikely that javascript urls in frameset documents are responsible for all of
them. We think differences in protective refcounting between jsc and v8
bindings and or differences in gc strategies may be involved.

Given the uncertainty, and the sevirity (CRASH!!!)... i took another stab at it
that casts a wider net.

3) In DocLoader::~DocLoader(), dont just ASSERT(!m_requestCount), proactively
cancel them... behind a PLATFORM(CHROMIUM) flag. This should not affect other
platforms as they should never have active requests at dtor time (per the
existing assertion).

I'm leaning towards option 3 (for m3) unless we can determine a better fix real
soon now.


-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the webkit-unassigned mailing list