Changeset 76406 in webkit

Timestamp:

Jan 21, 2011 3:47:01 PM (13 years ago)

Author:

commit-queue@webkit.org

Message:

2011-01-21 Charlie Reis <​creis@chromium.org>

Reviewed by Darin Fisher.

Crash in WebCore::HistoryController::itemsAreClones
​https://bugs.webkit.org/show_bug.cgi?id=52819

Adds sanity checks to help diagnose the crash.

• loader/HistoryController.cpp:

2011-01-21 Charlie Reis <​creis@chromium.org>

Reviewed by Darin Fisher.

Crash in WebCore::HistoryController::itemsAreClones
​https://bugs.webkit.org/show_bug.cgi?id=52819

Adds sanity checks to help diagnose the crash.

• src/WebFrameImpl.cpp:

Location:

trunk/Source

Files:

• WebCore/ChangeLog (modified) (1 diff)
• WebCore/loader/HistoryController.cpp (modified) (1 diff)
• WebKit/chromium/ChangeLog (modified) (1 diff)
• WebKit/chromium/src/WebFrameImpl.cpp (modified) (1 diff)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2011-01-21  Charlie Reis  <creis@chromium.org>
+
+        Reviewed by Darin Fisher.
+
+        Crash in WebCore::HistoryController::itemsAreClones
+        https://bugs.webkit.org/show_bug.cgi?id=52819
+
+        Adds sanity checks to help diagnose the crash.
+
+        * loader/HistoryController.cpp:
+
 2011-01-21  Andreas Kling  <kling@webkit.org>
 

trunk/Source/WebCore/loader/HistoryController.cpp

@@ -659 +659 @@
 bool HistoryController::itemsAreClones(HistoryItem* item1, HistoryItem* item2) const
 {
+    // It appears that one of the items can be null in release builds, leading
+    // to the crashes seen in http://webkit.org/b/52819.  For now, try to
+    // narrow it down with a more specific crash.
+    if (!item1)
+        CRASH();
+    if (!item2)
+        CRASH();
+
     // If the item we're going to is a clone of the item we're at, then we do
     // not need to load it again.  The current frame tree and the frame tree

trunk/Source/WebKit/chromium/ChangeLog

@@ +1 @@
+2011-01-21  Charlie Reis  <creis@chromium.org>
+
+        Reviewed by Darin Fisher.
+
+        Crash in WebCore::HistoryController::itemsAreClones
+        https://bugs.webkit.org/show_bug.cgi?id=52819
+
+        Adds sanity checks to help diagnose the crash.
+
+        * src/WebFrameImpl.cpp:
+
 2011-01-21  Chris Rogers  <crogers@google.com>
 

trunk/Source/WebKit/chromium/src/WebFrameImpl.cpp

@@ -885 +885 @@
     ASSERT(historyItem.get());
 
+    // Sanity check for http://webkit.org/b/52819.  It appears that some child
+    // items of this item might be null.  Try validating just the first set of
+    // children in an attempt to catch it early.
+    const HistoryItemVector& childItems = historyItem->children();
+    int size = childItems.size();
+    for (int i = 0; i < size; ++i) {
+      RefPtr<HistoryItem> childItem = childItems[i].get();
+      if (!childItem.get())
+        CRASH();
+    }
+
     // If there is no currentItem, which happens when we are navigating in
     // session history after a crash, we need to manufacture one otherwise WebKit