[Webkit-unassigned] [Bug 54219] Crash in WebCore::FrameLoader::continueLoadAfterNavigationPolicy

Fri Feb 11 14:12:38 PST 2011

https://bugs.webkit.org/show_bug.cgi?id=54219

Charles Reis <creis at chromium.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |eroman at chromium.org

--- Comment #3 from Charles Reis <creis at chromium.org>  2011-02-11 14:12:38 PST ---
Eric Roman found a way to repro (posted on the corresponding Chrome bug, http://crbug.com/72458):
1. Visit http://shop.ebay.com/quickshipwarehouse/m.html?_nkw=&_armrs=1&_from=&_ipg=&_trksid=p3686
2. Click any product link and let it load fully.
3. Click the blue "Place Bid" button.
4. Click Back, then click Back again after the page has started to render but before it finishes.

It turns out the product page (from step 2) does a DOMWindow::setLocation to a hash, which makes us call FrameLoader::loadInSameDocument.  I recently updated that to clear the history's provisional item as part of http://trac.webkit.org/changeset/77705, since we don't want to leave it dangling in a normal same-document navigation.  That leads to the crash.

However, it's surprising that this can happen *within* a call to loadDifferentDocumentItem (via stopAllLoaders), as you can see deep within the stack trace below.  In other words, as part of doing a back navigation, we stop the current loaders, which somehow lets the DOMWindow dispatch an event, where it then manages to set the location (even though we already have a navigation in progress).  We then proceed with the back navigation logic that's already on the call stack, ending up with the crash.

This nested navigation seems broken to me, but I'll admit that I don't understand enough of this flow to know whether this is the intended behavior.  Even if we weren't clearing the provisional item in recursiveUpdateForSameDocumentNavigation, we'll end up confused due to the nested navigation.

Any thoughts on the right way to fix this?

00 chrome_1210000!WebCore::HistoryController::recursiveUpdateForSameDocumentNavigation
01 chrome_1210000!WebCore::FrameLoader::loadInSameDocument+0x157
02 chrome_1210000!WebCore::FrameLoader::callContinueFragmentScrollAfterNavigationPolicy+0x37
03 chrome_1210000!WebCore::PolicyCallback::call+0x2b
04 chrome_1210000!WebCore::PolicyChecker::continueAfterNavigationPolicy+0xe7
05 chrome_1210000!WebKit::FrameLoaderClientImpl::dispatchDecidePolicyForNavigationAction+0x217
06 chrome_1210000!WebCore::PolicyChecker::checkNavigationPolicy+0x192
07 chrome_1210000!WebCore::FrameLoader::loadURL+0x2a9
08 chrome_1210000!WebCore::FrameLoader::loadFrameRequest+0x153
09 chrome_1210000!WebCore::FrameLoader::urlSelected+0x114
0a chrome_1210000!WebCore::FrameLoader::changeLocation+0x75
0b chrome_1210000!WebCore::NavigationScheduler::scheduleLocationChange+0xad
0c chrome_1210000!WebCore::DOMWindow::setLocation+0xe7
0d chrome_1210000!WebCore::V8Location::replaceCallback+0x65
0e chrome_1210000!v8::internal::HandleApiCallHelper<0>+0x16a
0f chrome_1210000!v8::internal::Builtin_HandleApiCall+0xf
WARNING: Frame IP not in any known module. Following frames may be wrong.
10 0x1e1b028e
11 0x6c23af7
12 chrome_1210000!v8::internal::Invoke+0xf9
13 chrome_1210000!v8::internal::Execution::Call+0x25
14 chrome_1210000!v8::Function::Call+0xea
15 chrome_1210000!WebCore::V8Proxy::callFunction+0x13d
16 chrome_1210000!WebCore::V8EventListener::callListenerFunction+0x55
17 chrome_1210000!WebCore::V8AbstractEventListener::invokeEventHandler+0xdf
18 chrome_1210000!WebCore::V8AbstractEventListener::handleEvent+0x4f
19 chrome_1210000!WebCore::EventTarget::fireEventListeners+0xb6
1a chrome_1210000!WebCore::EventTarget::fireEventListeners+0x47
1b chrome_1210000!WebCore::DOMWindow::dispatchEvent+0x99
1c chrome_1210000!WebCore::DOMWindow::dispatchTimedEvent+0x31
1d chrome_1210000!WebCore::DOMWindow::dispatchLoadEvent+0x85
1e chrome_1210000!WebCore::Document::implicitClose+0xf4
1f chrome_1210000!WebCore::FrameLoader::checkCallImplicitClose+0x4d
20 chrome_1210000!WebCore::FrameLoader::checkCompleted+0x82
21 chrome_1210000!WebCore::FrameLoader::completed+0x59
22 chrome_1210000!WebCore::FrameLoader::checkCompleted+0x96
23 chrome_1210000!WebCore::FrameLoader::mainReceivedCompleteError+0x29
24 chrome_1210000!WebCore::DocumentLoader::mainReceivedError+0x41
25 chrome_1210000!WebCore::FrameLoader::receivedMainResourceError+0xd1
26 chrome_1210000!WebCore::MainResourceLoader::didCancel+0x50
27 chrome_1210000!WebCore::ResourceLoader::cancel+0x4a
28 chrome_1210000!WebCore::ResourceLoader::cancel+0x25
29 chrome_1210000!WebCore::DocumentLoader::stopLoading+0x7b
2a chrome_1210000!WebCore::FrameLoader::stopAllLoaders+0x68
2b chrome_1210000!WebCore::FrameLoader::stopLoadingSubframes+0x1d
2c chrome_1210000!WebCore::FrameLoader::stopAllLoaders+0x56
2d chrome_1210000!WebCore::FrameLoader::stopLoadingSubframes+0x1d
2e chrome_1210000!WebCore::FrameLoader::stopAllLoaders+0x56
2f chrome_1210000!WebCore::FrameLoader::continueLoadAfterNavigationPolicy+0xc8
30 chrome_1210000!WebCore::FrameLoader::callContinueLoadAfterNavigationPolicy+0x1e
31 chrome_1210000!WebCore::PolicyCallback::call+0x2b
32 chrome_1210000!WebCore::PolicyChecker::continueAfterNavigationPolicy+0xe7
33 chrome_1210000!WebKit::FrameLoaderClientImpl::dispatchDecidePolicyForNavigationAction+0x217
34 chrome_1210000!WebCore::PolicyChecker::checkNavigationPolicy+0x192
35 chrome_1210000!WebCore::FrameLoader::loadWithDocumentLoader+0x209
36 chrome_1210000!WebCore::FrameLoader::loadWithNavigationAction+0x135
37 chrome_1210000!WebCore::FrameLoader::loadDifferentDocumentItem+0x2bc
38 chrome_1210000!WebCore::HistoryController::recursiveGoToItem+0x100
39 chrome_1210000!WebCore::HistoryController::goToItem+0x82
3a chrome_1210000!WebKit::WebFrameImpl::loadHistoryItem+0x88
3b chrome_1210000!RenderView::OnNavigate+0x1a2

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.