[Webkit-unassigned] [Bug 52819] Crash in WebCore::HistoryController::itemsAreClones
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Fri Jan 28 13:08:15 PST 2011
https://bugs.webkit.org/show_bug.cgi?id=52819
--- Comment #10 from Charles Reis <creis at chromium.org> 2011-01-28 13:08:15 PST ---
I found a plausible way this bug could be happening, but I haven't found exact repro steps yet.
>From the crash dumps, it turns out that item2 (i.e., fromItem) is actually null, not item1. In comment #4, I noted this was unlikely because the previous call to itemsAreClones told us the frame tree match, but it turns out that logic is buggy.
HistoryItem::hasSameFrames(otherItem) checks that the target name of every child in the current HistoryItem shows up in one of the children of otherItem. It does not check the reverse, meaning that the current HistoryItem could have two children with target "foo" and otherItem could have one child with "foo" and another with "bar".
If we get into that state, we'll see this crash when we go back in frame "foo". In that case, we'll try to call recursiveSetProvisionalItem on frame "bar", end up with NULL for fromItem, and crash in itemsAreClones.
Now we just need to figure out how the target of the current HistoryItem's children could get corrupted.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list