[Webkit-unassigned] [Bug 31446] New: crash in chromium when loading multipart/x-mixed-replace data

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Nov 12 16:34:24 PST 2009


https://bugs.webkit.org/show_bug.cgi?id=31446

           Summary: crash in chromium when loading
                    multipart/x-mixed-replace data
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Mac OS X 10.5
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Page Loading
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: tony at chromium.org


Here's what's happening:

1) We get some multipart/x-mixed-replace data from the server, parse the header
out of it, then call WebCore::ResourceLoader::didReceiveResponse.
2) This calls through to FrameLoader::setupForReplace(), which nulls out
m_documentLoader.
3) User stops the load and tries to navigate to a different page.
4) When navigating to a different page, we call through to
ResourceLoadNotifier::dispatchWillSendRequest, which then tries to access the
document loader, which is null, so we crash.

This doesn't crash in Safari because CFNetwork seems to ensure that during
multipart data, calls to WebCore::ResourceLoader::didReceiveResponse are
immediately followed by calls to WebCore::ResourceLoader::didReceiveData.  Since
it's not possible to cancel a load between these two calls, we don't end up with
the null document loader.

In Chromium, we could match CFNetwork and postpone the call to
didReceiveResponse until we have some data to send with it.  This works around
the crash, but WebCore seems to buffer on didReceiveData up to 1024 bytes
(maybe in the document loader?  I'm not sure).  This means that you never see
content if each multipart chunk is less than 1024 bytes.  This doesn't impact
Safari because CFNetwork just doesn't handle multipart chunks less than 1024
bytes (it merges chunks until you get at least 1024 bytes), so maybe that's
expected behavior for WebCore.

I'm not sure what the right fix for this is, but I'll upload a patch for
discussion.

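As an added illustration, not code from WebKit, Chromium or the report, the following C++ model reproduces the ordering the report describes: delivering the multipart response drops the document loader, a cancel before any data arrives leaves it null, and the navigation path then has nothing to dereference. `DocumentLoader`, `MultipartLoaderModel` and their members are hypothetical stand-ins; the `deferResponseUntilData` flag models the workaround the reporter proposes (hold the response until data arrives so a cancel cannot land between the two calls).

```cpp
#include <memory>
#include <string>

// Constructed model of the report's lifetime bug; all names are hypothetical stand-ins, not WebKit classes.
struct DocumentLoader { std::string body; };
class MultipartLoaderModel {
public:
    // deferResponseUntilData models the workaround the reporter proposes.
    explicit MultipartLoaderModel(bool deferResponseUntilData)
        : defer_(deferResponseUntilData), documentLoader_(std::make_unique<DocumentLoader>()) {}
    // Steps 1-2: delivering the part's response sets up for replace, which
    // nulls out the document loader until the part's data arrives.
    void didReceiveResponse() {
        if (defer_) { responsePending_ = true; return; }
        setupForReplace();
    }
    // The part's body arrives and a fresh document loader is installed.
    void didReceiveData(const std::string& bytes) {
        if (responsePending_) { setupForReplace(); responsePending_ = false; }
        if (!documentLoader_) documentLoader_ = std::make_unique<DocumentLoader>();
        documentLoader_->body += bytes;
    }
    // Step 3: the user stops the load; a held response is discarded.
    void cancel() { responsePending_ = false; }
    // Step 4: navigation notifies through the document loader; false marks
    // the point where the original code dereferences the null pointer.
    bool dispatchWillSendRequest() const { return documentLoader_ != nullptr; }
private:
    void setupForReplace() { documentLoader_.reset(); }
    bool defer_;
    bool responsePending_ = false;
    std::unique_ptr<DocumentLoader> documentLoader_;
};

// Reported sequence: response, cancel, navigate. False means the crash.
bool navigationSafeAfterCancel(bool deferResponseUntilData) {
    MultipartLoaderModel loader(deferResponseUntilData);
    loader.didReceiveResponse();
    loader.cancel();
    return loader.dispatchWillSendRequest();
}

// CFNetwork ordering: data follows the response before a cancel can land.
bool navigationSafeWhenDataFollows() {
    MultipartLoaderModel loader(false);
    loader.didReceiveResponse();
    loader.didReceiveData("<html>part</html>");
    loader.cancel();
    return loader.dispatchWillSendRequest();
}
```

The model does not reproduce the 1024-byte buffering the reporter mentions, since the report itself is unsure where that happens.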