[Webkit-unassigned] [Bug 26230] JavascriptURL as frame src crasher.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jun 8 13:22:06 PDT 2009


https://bugs.webkit.org/show_bug.cgi?id=26230
------- Comment #7 from michaeln at google.com  2009-06-08 13:22 PDT -------
(In reply to comment #6)
>  From reading the bug it seems it only occurs in Chromium?

I can't speak to other platforms (although per David's comments it seems there
have been patches creeping in to cancel these pending requests at other
call sites).

I also don't know all of the circumstances in which Chrome may trip on this.
The one I know of for certain is the javascript: URL that constructs a document
which has some resource loads initiated on its behalf. After that doc is torn
down (in the act of replacing it with the simple string), Chrome crashes. I
think the number of crashes we're seeing indicates there are other circumstances
as well.

I didn't know a one line crashing bug fix needed a new test case (as no new
functionality is being added). "If no layout test can be (or needs to be)
constructed for the fix, you must explain why a new test isn't necessary to the
reviewer." Is it not readily apparent that pending requests at DocLoader dtor
time are a recipe for crashes?

Will add one. I haven't added a layout test yet (ever), so it may take me some
hunting around to figure out what to plug in where.

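To make the lifetime problem the comment describes concrete, here is a small
model of it. This is an added illustration written for this page, not WebKit's
DocLoader or any of its actual code; the types, method names and sample URLs
(Request, DocLoader, "image.png", "script.js") are hypothetical. The request
holds a non-owning back-pointer to the loader that issued it, as a real
loader/request pair typically does, so if the loader is destroyed with requests
still pending, a later completion callback would dereference freed memory. The
destructor below does the equivalent of the one-line fix: it cancels every
pending request before the loader goes away. The simulated scenario is the one
from the comment: a document that kicks off resource loads is torn down while
the loads are still in flight, and the "network layer" then tries to complete
them.

```cpp
// Added example, not WebKit code: a minimal model of the pending-request /
// loader-destructor hazard discussed in the bug. All names are hypothetical.
#include <algorithm>
#include <memory>
#include <string>
#include <vector>

struct DocLoader;

// A resource load that reports back to the loader that issued it.
struct Request {
    std::string url;
    DocLoader* loader;        // non-owning; nulled when the loader cancels us
    bool cancelled = false;
    bool completed = false;

    Request(std::string u, DocLoader* l) : url(std::move(u)), loader(l) {}

    void cancel() {
        cancelled = true;
        loader = nullptr;     // the loader may be gone after this point
    }

    // Called by the "network layer" when the resource arrives. Returns true
    // if the loader was notified, false if the request had been cancelled.
    bool complete();
};

struct DocLoader {
    std::vector<std::shared_ptr<Request>> pending;
    int finished = 0;

    std::shared_ptr<Request> load(const std::string& url) {
        auto r = std::make_shared<Request>(url, this);
        pending.push_back(r);
        return r;
    }

    void didFinish(Request& r) {
        ++finished;
        pending.erase(std::remove_if(pending.begin(), pending.end(),
                                     [&](const std::shared_ptr<Request>& p) {
                                         return p.get() == &r;
                                     }),
                      pending.end());
    }

    // The fix: nothing still in flight may call back into a destroyed loader.
    ~DocLoader() {
        for (auto& r : pending) r->cancel();
        pending.clear();
    }
};

bool Request::complete() {
    if (!loader) return false;    // cancelled: the owner no longer exists
    completed = true;
    loader->didFinish(*this);
    return true;
}

struct TeardownResult {
    int issued;               // loads started by the document
    int cancelledAtDtor;      // loads the loader cancelled on destruction
    int completedAfterDtor;   // loads that still reached a loader afterwards
};

// Scenario from the bug: a document (here, one a javascript: URL would build)
// starts two loads and is torn down before either finishes. The network layer
// keeps its own references and completes them after the loader is gone.
TeardownResult simulateTeardownWithPendingLoads() {
    std::vector<std::shared_ptr<Request>> inFlight;   // held by the network layer
    {
        DocLoader loader;
        inFlight.push_back(loader.load("image.png"));   // constructed sample URLs
        inFlight.push_back(loader.load("script.js"));
    }   // document replaced: loader destroyed while both loads are pending

    int cancelled = 0, completed = 0;
    for (auto& r : inFlight) {
        if (r->cancelled) ++cancelled;
        if (r->complete()) ++completed;   // safe no-op thanks to the cancel
    }
    return {static_cast<int>(inFlight.size()), cancelled, completed};
}

// Control case: the loader outlives its requests, so completions are delivered.
int completeWhileLoaderAlive() {
    DocLoader loader;
    auto a = loader.load("image.png");
    auto b = loader.load("script.js");
    a->complete();
    b->complete();
    return loader.finished;
}
```

Without the loop in the destructor, the second scenario would call
didFinish() on a freed DocLoader; with it, every pending request is a no-op
after teardown, which is the invariant the one-line fix restores.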