[Webkit-unassigned] [Bug 38928] Repro crash at http://www.sears.com

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue May 11 12:48:35 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=38928
--- Comment #2 from Brady Eidson <beidson at apple.com>  2010-05-11 12:48:35 PST ---
Sears.com scripts have bizarre Safari-specific code paths that do this.

The anchor element they create within their onbeforeunload handler, and then dispatch a click to, actually activates the policy delegate to consult about the navigation.

When the policy delegate says "use", we call onbeforeunload again, which does the same thing with the anchor, consulting the policy delegate, etc.

All the way until we blow out the stack and JavaScript aborts.

Here's a cut of a single iteration of the stack blowing out:

#0    0x1026c550e in WebCore::FrameLoader::continueLoadAfterNavigationPolicy at FrameLoader.cpp:3425
#1    0x1026c561c in WebCore::FrameLoader::callContinueLoadAfterNavigationPolicy at FrameLoader.cpp:3366
#2    0x102b6e063 in WebCore::PolicyCallback::call at PolicyCallback.cpp:101
#3    0x102b6ebb3 in WebCore::PolicyChecker::continueAfterNavigationPolicy at PolicyChecker.cpp:160
#4    0x101e3b999 in WebFrameLoaderClient::receivedPolicyDecison at WebFrameLoaderClient.mm:1271
#5    0x101e3ba2e in -[WebFramePolicyListener receivedPolicyDecision:] at WebFrameLoaderClient.mm:1864
#6    0x101e38066 in -[WebFramePolicyListener use] at WebFrameLoaderClient.mm:1879
#7    Browser policy delegate
#8    Browser policy delegate
#9    Browser policy delegate
#10    0x7fff88026d8c in __invoking___
#11    0x7fff88026c5d in -[NSInvocation invoke]
#12    0x7fff88042a71 in -[NSInvocation invokeWithTarget:]
#13    0x101ed9f3e in -[_WebSafeForwarder forwardInvocation:] at WebView.mm:2467
#14    0x7fff88023dac in ___forwarding___
#15    0x7fff8801fe88 in __forwarding_prep_0___
#16    0x101e3cc30 in WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction at WebFrameLoaderClient.mm:750
#17    0x102b6f130 in WebCore::PolicyChecker::checkNavigationPolicy at PolicyChecker.cpp:88
#18    0x1026c5a34 in WebCore::FrameLoader::loadWithDocumentLoader at FrameLoader.cpp:1992
#19    0x1026c680a in WebCore::FrameLoader::loadWithNavigationAction at FrameLoader.cpp:1916
#20    0x1026c7c9e in WebCore::FrameLoader::loadURL at FrameLoader.cpp:1859
#21    0x1026c819d in WebCore::FrameLoader::loadFrameRequest at FrameLoader.cpp:1795
#22    0x1026c8545 in WebCore::FrameLoader::urlSelected at FrameLoader.cpp:361
#23    0x10273842d in WebCore::HTMLAnchorElement::defaultEventHandler at HTMLAnchorElement.cpp:199
#24    0x102b193a9 in WebCore::Node::dispatchGenericEvent at Node.cpp:2683
#25    0x102b19607 in WebCore::Node::dispatchEvent at Node.cpp:2567
#26    0x102678278 in WebCore::EventTarget::dispatchEvent at EventTarget.cpp:268
#27    0x102974c23 in WebCore::jsNodePrototypeFunctionDispatchEvent at JSNode.cpp:664
#28    0x33828e4001b4 in ??
#29    0x1017acca4 in JSC::JITCode::execute at JITCode.h:77
#30    0x1017974f0 in JSC::Interpreter::execute at Interpreter.cpp:758
#31    0x1017f2298 in JSC::JSFunction::call at JSFunction.cpp:139
#32    0x10173f45b in JSC::call at CallData.cpp:39
#33    0x1028e8392 in WebCore::JSEventListener::handleEvent at JSEventListener.cpp:116
#34    0x10267818a in WebCore::EventTarget::fireEventListeners at EventTarget.cpp:329
#35    0x102678877 in WebCore::EventTarget::fireEventListeners at EventTarget.cpp:290
#36    0x102630f44 in WebCore::DOMWindow::dispatchEvent at DOMWindow.cpp:1444
#37    0x1026ad413 in WebCore::Frame::shouldClose at Frame.cpp:1684
#38    0x1026c52ff in WebCore::FrameLoader::continueLoadAfterNavigationPolicy at FrameLoader.cpp:3383

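The loop the comment describes, re-created as an added example that is not code from the bug report, from sears.com or from WebKit: a minimal Node.js model of the loader with method names borrowed from the stack trace (loadURL, checkNavigationPolicy, continueLoadAfterNavigationPolicy, shouldClose), a policy delegate that always answers "use", and an onbeforeunload handler that creates an anchor and clicks it. The unguarded model recurses until the JavaScript engine throws RangeError, which is the "blow out the stack" outcome. The `guard` option, which refuses a navigation started while a page-dismissal event is being dispatched, is one way to break such a loop and is an assumption of this example, not a fix this page describes.

```javascript
'use strict';

// Added model of the re-entrant navigation path, not WebKit code.
// Assumed names: FrameLoader, runScenario, installSearsStyleHandler.
class FrameLoader {
  constructor(policyDelegate, opts = {}) {
    this.policyDelegate = policyDelegate;   // returns 'use' or 'ignore'
    this.beforeUnloadHandlers = [];
    this.guard = Boolean(opts.guard);       // assumed mitigation, off by default
    this.dismissalEventInProgress = false;  // true while onbeforeunload runs
    this.depth = 0;                         // current nesting of shouldClose
    this.maxDepth = 0;                      // deepest nesting observed
    this.loadedURL = null;
  }

  addEventListener(type, fn) {
    if (type === 'beforeunload') this.beforeUnloadHandlers.push(fn);
  }

  // HTMLAnchorElement default handler -> urlSelected -> loadURL
  loadURL(url) {
    if (this.guard && this.dismissalEventInProgress) return false; // refused
    return this.checkNavigationPolicy(url);
  }

  // PolicyChecker::checkNavigationPolicy: ask the embedder's delegate
  checkNavigationPolicy(url) {
    if (this.policyDelegate(url) !== 'use') return false;
    return this.continueLoadAfterNavigationPolicy(url);
  }

  // FrameLoader::continueLoadAfterNavigationPolicy: fire onbeforeunload first
  continueLoadAfterNavigationPolicy(url) {
    if (!this.shouldClose()) return false;
    this.loadedURL = url;
    return true;
  }

  // Frame::shouldClose: dispatch beforeunload to the page's handlers
  shouldClose() {
    this.depth += 1;
    this.maxDepth = Math.max(this.maxDepth, this.depth);
    const previous = this.dismissalEventInProgress;
    this.dismissalEventInProgress = true;
    try {
      for (const handler of this.beforeUnloadHandlers) handler();
      return true; // no handler cancelled the unload
    } finally {
      this.dismissalEventInProgress = previous;
      this.depth -= 1;
    }
  }
}

// The pattern from the comment: onbeforeunload creates an anchor and clicks it,
// which re-enters the loader through the policy delegate.
function installSearsStyleHandler(frame) {
  frame.addEventListener('beforeunload', () => {
    const anchor = {                      // stand-in for a created <a> element
      href: 'http://example.invalid/beacon',
      click() { frame.loadURL(this.href); },
    };
    anchor.click();
  });
}

// Runs one navigation with a delegate that always says "use".
// Returns whether the stack blew out, whether the load completed, and how
// deeply shouldClose nested before that happened.
function runScenario(guard) {
  const frame = new FrameLoader(() => 'use', { guard });
  installSearsStyleHandler(frame);
  try {
    const loaded = frame.loadURL('http://example.invalid/next');
    return { overflowed: false, loaded, maxDepth: frame.maxDepth };
  } catch (err) {
    if (err instanceof RangeError) {      // "Maximum call stack size exceeded"
      return { overflowed: true, loaded: false, maxDepth: frame.maxDepth };
    }
    throw err;
  }
}

module.exports = { FrameLoader, installSearsStyleHandler, runScenario };
```

Without the guard the nesting depth grows until the engine aborts; with it the nested loadURL call is refused, shouldClose nests exactly once, and the original navigation proceeds.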