WebKit Bugzilla
Bug 13792 (RESOLVED FIXED): REGRESSION: WebKit doesn't show this javascript screenshot page (and crashes after click on its "hidden link")
https://bugs.webkit.org/show_bug.cgi?id=13792
Reported by Rodrigo Recio, 2007-05-20 21:14:14 PDT
Go to http://transmission.m0k.org and click on "Screenshots" or go directly to the above URL, in Camino it shows a javascript screenshot page that tell you to click to close the window... in WebKit the page is not rendered and when you click on the supposed hidden link WebKit just crashes
Attachments
Reduction for the crash. Will crash the next time you open a document (498 bytes, text/html), 2007-05-24 01:33 PDT, mitz, no flags
Simpler reduction for the crash (655 bytes, text/html), 2007-05-24 14:56 PDT, mitz, no flags
Fix for the crash (5.60 KB, patch), 2007-05-26 01:53 PDT, mitz, no flags
Fix for the crash (9.65 KB, patch), 2007-05-26 09:23 PDT, mitz, no flags
Comment 1 (mitz, 2007-05-20 23:19:07 PDT)
This is a regression from Safari 2.0.4. Backtrace:
#0 0x015e894c in WebCore::DeprecatedString::isEmpty (this=0x9c44c) at DeprecatedString.h:495
#1 0x01102a34 in WebCore::Document::completeURL (this=0x9c400, URL=@0xbfffd9b4) at /WebKit/WebCore/dom/Document.cpp:2619
#2 0x0147b43c in WebCore::HTMLFrameElementBase::isURLAllowed (this=0x7f853b0, URLString=@0x7f85420) at /WebKit/WebCore/html/HTMLFrameElementBase.cpp:63
#3 0x0147c280 in WebCore::HTMLFrameElementBase::openURL (this=0x7f853b0) at /WebKit/WebCore/html/HTMLFrameElementBase.cpp:96
#4 0x0147c998 in WebCore::HTMLFrameElementBase::openURLCallback (n=0x7f853b0) at /WebKit/WebCore/html/HTMLFrameElementBase.cpp:157
#5 0x011184f8 in WebCore::ContainerNode::attach (this=0x2937600) at /WebKit/WebCore/dom/ContainerNode.cpp:605
#6 0x011008d8 in WebCore::Document::attach (this=0x2937600) at /WebKit/WebCore/dom/Document.cpp:1101
#7 0x010f06ec in WebCore::Frame::setDocument (this=0x7cb8760, newDoc=@0xbfffde74) at /WebKit/WebCore/page/Frame.cpp:276
#8 0x01497000 in WebCore::FrameLoader::begin (this=0x29ab800, url=@0x29ab9d8) at /WebKit/WebCore/loader/FrameLoader.cpp:860
#9 0x0149731c in WebCore::FrameLoader::receivedFirstData (this=0x29ab800) at /WebKit/WebCore/loader/FrameLoader.cpp:803
#10 0x01497578 in WebCore::FrameLoader::setEncoding (this=0x29ab800, name=@0xbfffe1c4, userChosen=false) at /WebKit/WebCore/loader/FrameLoader.cpp:1583
#11 0x0111ebf8 in -[WebCoreFrameBridge receivedData:textEncodingName:] (self=0x74a90f0, _cmd=0x90aa9a94, data=0x7979c60, textEncodingName=0x7993ad0) at /WebKit/WebCore/page/mac/WebCoreFrameBridge.mm:1426
#12 0x00343b8c in -[WebHTMLRepresentation receivedData:withDataSource:] (self=0x7719c40, _cmd=0x90aa9ab4, data=0x7979c60, dataSource=0x7c59400) at /WebKit/WebKit/WebView/WebHTMLRepresentation.mm:173
#13 0x0033cbc8 in -[WebDataSource(WebInternal) _receivedData:] (self=0x7c59400, _cmd=0x90a72a2c, data=0x7979c60) at /WebKit/WebKit/WebView/WebDataSource.mm:176
#14 0x003c7164 in WebFrameLoaderClient::committedLoad (this=0x7c0eba0, loader=0x2984e00, data=0x2933200 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\"><html><head><style>body,table,div,ul,li{font-size:10px;margin:0px;padding:0px}body{background-color:transparen"..., length=2604) at /WebKit/WebKit/WebCoreSupport/WebFrameLoaderClient.mm:716
#15 0x01492510 in WebCore::FrameLoader::committedLoad (this=0x29ab800, loader=0x2984e00, data=0x2933200 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\"><html><head><style>body,table,div,ul,li{font-size:10px;margin:0px;padding:0px}body{background-color:transparen"..., length=2604) at /WebKit/WebCore/loader/FrameLoader.cpp:3039
#16 0x014a77fc in WebCore::DocumentLoader::commitLoad (this=0x2984e00, data=0x2933200 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\"><html><head><style>body,table,div,ul,li{font-size:10px;margin:0px;padding:0px}body{background-color:transparen"..., length=2604) at /WebKit/WebCore/loader/DocumentLoader.cpp:347
#17 0x014a7884 in WebCore::DocumentLoader::receivedData (this=0x2984e00, data=0x2933200 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\"><html><head><style>body,table,div,ul,li{font-size:10px;margin:0px;padding:0px}body{background-color:transparen"..., length=2604) at /WebKit/WebCore/loader/DocumentLoader.cpp:359
#18 0x01491004 in WebCore::FrameLoader::receivedData (this=0x29ab800, data=0x2933200 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\"><html><head><style>body,table,div,ul,li{font-size:10px;margin:0px;padding:0px}body{background-color:transparen"..., length=2604) at /WebKit/WebCore/loader/FrameLoader.cpp:2037
#19 0x014a9858 in WebCore::MainResourceLoader::addData (this=0x280c800, data=0x2933200 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\"><html><head><style>body,table,div,ul,li{font-size:10px;margin:0px;padding:0px}body{background-color:transparen"..., length=2604, allAtOnce=false) at /WebKit/WebCore/loader/MainResourceLoader.cpp:136
#20 0x014ac46c in WebCore::ResourceLoader::didReceiveData (this=0x280c800, data=0x2933200 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\"><html><head><style>body,table,div,ul,li{font-size:10px;margin:0px;padding:0px}body{background-color:transparen"..., length=2604, lengthReceived=1109, allAtOnce=false) at /WebKit/WebCore/loader/ResourceLoader.cpp:208
#21 0x014a9aa0 in WebCore::MainResourceLoader::didReceiveData (this=0x280c800, data=0x2933200 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\"><html><head><style>body,table,div,ul,li{font-size:10px;margin:0px;padding:0px}body{background-color:transparen"..., length=2604, lengthReceived=1109, allAtOnce=false) at /WebKit/WebCore/loader/MainResourceLoader.cpp:292
#22 0x014abdcc in WebCore::ResourceLoader::didReceiveData (this=0x280c800, data=0x2933200 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\"><html><head><style>body,table,div,ul,li{font-size:10px;margin:0px;padding:0px}body{background-color:transparen"..., length=2604, lengthReceived=1109) at /WebKit/WebCore/loader/ResourceLoader.cpp:332
#23 0x01480db0 in -[WebCoreResourceHandleAsDelegate connection:didReceiveData:lengthReceived:] (self=0x797f5c0, _cmd=0x90a8c9b8, con=0x7702960, data=0x70d0590, lengthReceived=1109) at /WebKit/WebCore/platform/network/mac/ResourceHandleMac.mm:351
#24 0x92c15624 in -[NSURLConnection(NSURLConnectionInternal) _sendDidReceiveDataCallback] ()
#25 0x92c13ac4 in -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] ()
#26 0x92c13860 in _sendCallbacks ()
#27 0x907df4fc in __CFRunLoopDoSources0 ()
#28 0x907dea2c in __CFRunLoopRun ()
#29 0x907de4ac in CFRunLoopRunSpecific ()
#30 0x9329bb20 in RunCurrentEventLoopInMode ()
#31 0x9329b1b4 in ReceiveNextEventCommon ()
#32 0x9329b020 in BlockUntilNextEventMatchingListInMode ()
#33 0x937a1ae4 in _DPSNextEvent ()
#34 0x937a17a8 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#35 0x00006740 in ?? ()
#36 0x9379dcec in -[NSApplication run] ()
#37 0x9388e87c in NSApplicationMain ()
#38 0x0005c77c in ?? ()
#39 0x0005c624 in ?? ()
Comment 2 (mitz, 2007-05-24 01:33:03 PDT)
Created attachment 14697 [details]: Reduction for the crash. Will crash the next time you open a document
The reduction queues up post-attach callback which is not dispatched. When you open another document and it attaches, the callback is dispatched, but its target has already been deleted, and you crash. The way the reduction manages to queue the callback but avoid dispatch is that the body element changes from being in the document to not being in the document during dispatchChildInsertionEvents() in appendChild(). This means that the appended children get insertedIntoDocument() (so the iframe element queues up the callback), but never attached.
Comment 3 (mitz, 2007-05-24 14:56:08 PDT)
Created attachment 14708 [details]: Simpler reduction for the crash
Made the removal explicit instead of using document.write(). To trigger the crash, it is important to close the reduction before opening the new document.
Comment 4 (mitz, 2007-05-26 01:53:00 PDT)
Created attachment 14731 [details]: Fix for the crash
One strange thing that I noticed while making this patch is that the HTMLFrameElementBase methods call up to HTMLElement rather than HTMLFrameOwnerElement, which is the parent class. I followed this practice in removedFromDocument() but I don't understand it.
Comment 5 (Darin Adler, 2007-05-26 07:30:44 PDT)
(In reply to comment #4)
> One strange thing that I noticed while making this patch is that the
> HTMLFrameElementBase methods call up to HTMLElement rather than
> HTMLFrameOwnerElement, which is the parent class. I followed this practice in
> removedFromDocument() but I don't understand it.
There's probably no reason to follow that practice. It's just a mistake that needs to be fixed. Are there any cases where it's actually skipping over a function in HTMLFrameOwnerElement? If so, we'd need to study those carefully before changing them.
Comment 6 (mitz, 2007-05-26 08:42:35 PDT)
Comment on attachment 14731 [details]: Fix for the crash
Going to make a new patch.
Comment 7 (mitz, 2007-05-26 09:23:40 PDT)
Created attachment 14737 [details]: Fix for the crash
Corrected the parent class in overrides that call up. Did the same in HTMLPluginElement. HTMLFrameOwnerElement does not implement any of the functions being called.
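The lifetime bug from comment 2 and the shape of the fix from comments 4 and 7, modelled as an added C++ example (this is not WebCore code; Node, PendingCall, g_pending and the function names are illustrative): a deferred post-attach callback holds a raw pointer to its target, so the target has to dequeue itself in removedFromDocument(), otherwise the next document's attach drains the queue into freed memory.

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>
struct Node;
using Callback = void (*)(Node*);
// One queued post-attach callback; like the real queue it holds a raw pointer.
struct PendingCall { Node* target; Callback fn; };
static std::vector<PendingCall> g_pending;  // hypothetical global callback queue
static int g_dispatched = 0;
struct Node {
    bool cancelOnRemoval;  // true models the fix: leaving the document dequeues us
    explicit Node(bool fix) : cancelOnRemoval(fix) {}
    // insertedIntoDocument(): queue the callback, as the iframe in comment 2 does.
    void insertedIntoDocument() { g_pending.push_back({this, &Node::onAttach}); }
    // removedFromDocument(): the fixed element drops any callback aimed at itself,
    // so a later drain can never reach a deleted element; the unfixed one does not.
    void removedFromDocument() {
        if (!cancelOnRemoval) return;
        g_pending.erase(std::remove_if(g_pending.begin(), g_pending.end(),
            [this](const PendingCall& c) { return c.target == this; }), g_pending.end());
    }
    ~Node() { removedFromDocument(); }
    static void onAttach(Node*) { ++g_dispatched; }
};

// Drain the queue as the next document's attach would; returns callbacks run.
int dispatchPending() {
    for (const PendingCall& c : g_pending) c.fn(c.target);
    g_pending.clear();
    int n = g_dispatched; g_dispatched = 0;
    return n;
}

// Comment 2's sequence: queued on insertion, never attached, destroyed before the
// drain. Returns how many entries still point at freed memory (0 with the fix).
std::size_t staleAfterDestroy(bool withFix) {
    g_pending.clear();
    Node* frame = new Node(withFix);
    frame->insertedIntoDocument();
    delete frame;                 // draining now would be a use-after-free
    std::size_t stale = g_pending.size();
    g_pending.clear();            // discard the dangling entry instead of running it
    return stale;
}

// A node that stays alive is still dispatched once, so the fix loses nothing.
int dispatchForLiveNode() {
    g_pending.clear(); Node frame(true); frame.insertedIntoDocument();
    return dispatchPending();
}
```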
Comment 8 (Maciej Stachowiak, 2007-05-28 23:39:32 PDT)
Comment on attachment 14737 [details]: Fix for the crash
r=me
Comment 9 (Sam Weinig, 2007-05-29 13:43:13 PDT)
Landed in r21862.
Comment 10 (mitz, 2007-05-29 13:54:03 PDT)
Another bug is needed to track the "WebKit doesn't show this javascript screenshot page" part of the bug.
Comment 11 (Rodrigo Recio, 2008-03-27 04:19:13 PDT)
It isn't functional yet: it doesn't crash, but after clicking on the screenshot you cannot go back to the screenshot page as it does in Firefox.
Comment 12 (Darin Adler, 2008-03-28 09:09:05 PDT)
It would probably have been better to use a separate bug report for the non-crashing half.
Comment 13 (Darin Adler, 2008-03-28 09:09:26 PDT)
Comment on attachment 14737 [details]: Fix for the crash
Cleared the review flag on this patch since it was landed.
Comment 14 (Cameron Zwarich (cpst), 2009-04-18 19:48:03 PDT)
The problem seems to be giving this error message: TypeError: Result of expression 'd.postMessage' [undefined] is not a function. It seems that this might just be a site problem, looking for postMessage on the 'document' rather than 'window'.
Comment 15 (Rodrigo Recio, 2009-04-19 00:04:50 PDT)
It's strange because it works fine on Firefox.
Comment 16 (Cameron Zwarich (cpst), 2009-04-19 00:14:57 PDT)
There could be some unintended browser sniffing going on. I'll try to take a closer look. The actual problem is in a Google Ads JS file, so it is probably a good idea to figure out what is wrong.
Comment 17 (Alexey Proskuryakov, 2011-01-12 00:34:46 PST)
The site has been redesigned, and the "screenshots don't appear" part no longer happens.