[Webkit-unassigned] [Bug 52819] Crash in WebCore::HistoryController::itemsAreClones
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Fri Jan 21 11:57:42 PST 2011
https://bugs.webkit.org/show_bug.cgi?id=52819
--- Comment #4 from Charles Reis <creis at chromium.org> 2011-01-21 11:57:41 PST ---
Here's what we know so far.
The crash happens when recursiveSetProvisionalItem passes null for either "item" or "fromItem" (but not both) to itemsAreClones. (If both were null, itemsAreClones would just return false before crashing.)
The crash only happens on recursive calls of depth 2 or more, meaning there has to be at least one subframe involved. For example, we'll see this stack trace if we go back or forward to a page with frames (or on a subframe navigation).
If "item" is null, that means the original destination item had a null value in its HistoryItemVector of children. Maybe that's possible?
If "fromItem" is null, that means fromItem->childItemWithTarget(frameName) returned null in the previous call. That seems unlikely, because we know from the previous call to itemsAreClones that the frame trees of the current and destination item match.
Either way, I'm surprised we're not seeing crashes from debug builds due to recursiveSetProvisionalItem's ASSERTs. I haven't figured out how to reproduce the crash yet, but I could put in some defensive code to help us find it.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list