[Webkit-unassigned] [Bug 54219] Crash in WebCore::FrameLoader::continueLoadAfterNavigationPolicy
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Mon Feb 14 15:32:44 PST 2011
https://bugs.webkit.org/show_bug.cgi?id=54219
--- Comment #7 from Charles Reis <creis at chromium.org> 2011-02-14 15:32:44 PST ---
(In reply to comment #6)
> Normally all page-initiated location changes are asynchronous, so we don't end up in this state of having more than one navigation in progress. One possible fix is to remove this special-casing of fragment changes here, and let them be handled like other navigations (which involves enqueuing a task on the NavigationScheduler queue, by the time that fires the previous navigation will be complete).
I can confirm that change would avoid the crash, but I'm not sure it'll catch all the ways we might get there. For example, about:blank does a similar shortcut.
Nate and I were considering returning early from FrameLoader::loadURL if m_inStopAllLoaders is true. There's already a check like that in FrameLoader::load, and it would be a good sanity check.
The biggest problem I'm facing right now is not being able to boil this down to a reduced test case. The Ebay URL in comment 3 works reliably, but only on Windows. I've written a test that puts an onload handler on a slow iframe, navigating to #foo once onload fires. I can't seem to get it to fire, though. Instead, FrameLoader::m_isComplete is true when we get to FrameLoader::checkCompleted (unlike in the Ebay example), so we never call FrameLoader::checkCallImplicitClose. (See frame 1f in comment 3.)
I should have a patch as soon as I get the test working.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list