If a menu (such as the bookmarks menu) is opened before a WebViewFrame is created, then wkSetUpFontCache will be a NULL pointer. As the menu rendering calls +[WebStringTruncator centerTruncateString:toWidth:] which then calls +[WebTextRendererFactory sharedFactory], the wkSetUpFontCache pointer won't have a chance to be "connected" and thus will cause a crash.

Thread 0 Crashed:
0   <<00000000>>          0x00000000 0 + 0
1   com.apple.WebCore     0x01b19068 +[WebTextRendererFactory sharedFactory] + 124 (WebTextRendererFactory.mm:236)
2   com.apple.WebCore     0x01b0f404 truncateString(NSString*, float, NSFont*, unsigned (*)(NSString*, unsigned, unsigned, unsigned short*)) + 520 (WebCoreStringTruncator.mm:119)
3   com.apple.WebCore     0x01b0fa34 +[WebCoreStringTruncator centerTruncateString:toWidth:] + 72 (WebCoreStringTruncator.mm:207)
4   com.apple.WebKit      0x00319448 +[WebStringTruncator centerTruncateString:toWidth:] + 92 (WebStringTruncator.m:37)
5   com.apple.Safari      0x00012948 0x1000 + 72008
6   com.apple.Safari      0x00049344 0x1000 + 295748
7   com.apple.Safari      0x00049fd0 0x1000 + 298960
8   com.apple.Safari      0x00049448 0x1000 + 296008
9   com.apple.Safari      0x00049fd0 0x1000 + 298960
10  com.apple.Safari      0x00049f18 0x1000 + 298776
11  com.apple.Safari      0x00049d5c 0x1000 + 298332
12  com.apple.Safari      0x00049c44 0x1000 + 298052
13  com.apple.AppKit      0x93818dac -[NSMenu _populate:] + 120
14  com.apple.AppKit      0x93818990 AppKitMenuEventHandler + 512
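The crash above is an initialization-order bug: a function pointer that is only "connected" when the first frame view is created gets called through a code path (menu rendering) that can run earlier, so the call lands on address 0. The following C model is an added illustration written for this discussion, not code from WebKit, Safari or the bug's actual patch. The names `wk_set_up_font_cache`, `connect_webkit_hooks`, `shared_factory_unguarded` and `shared_factory_guarded` are invented stand-ins for wkSetUpFontCache, the frame-view creation step, and the sharedFactory call before and after the "set up the connection" fix described below; the unguarded version returns false where the real code dereferenced NULL, so the example can be run safely.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the wkSetUpFontCache hook: a function pointer that
   starts out NULL and is only assigned ("connected") later. */
typedef void (*setup_font_cache_fn)(void);
static setup_font_cache_fn wk_set_up_font_cache = NULL;
static int font_cache_setup_count = 0;

/* The real work the hook performs; here it just counts invocations so the
   tests can observe whether the font cache was actually set up. */
static void real_set_up_font_cache(void) { font_cache_setup_count++; }

/* Models the point where the hook gets connected in the original (creation of
   the first WebFrameView). Anything that runs before this sees a NULL hook. */
void connect_webkit_hooks(void) { wk_set_up_font_cache = real_set_up_font_cache; }

/* Buggy ordering: assumes the connection already happened. The NULL check is
   only here so the example does not fault; the original jumped to 0x00000000. */
bool shared_factory_unguarded(void) {
    if (wk_set_up_font_cache == NULL)
        return false;            /* would have crashed with PC = 0 */
    wk_set_up_font_cache();
    return true;
}

/* Fixed ordering: the API that needs the hook makes sure the connection exists
   before using it, so callers such as menu rendering no longer depend on a
   frame view having been created first. */
bool shared_factory_guarded(void) {
    if (wk_set_up_font_cache == NULL)
        connect_webkit_hooks();
    wk_set_up_font_cache();
    return true;
}

/* Helpers so a test can inspect and reset the simulated global state. */
int font_cache_setup_calls(void) { return font_cache_setup_count; }
void reset_hooks(void) { wk_set_up_font_cache = NULL; font_cache_setup_count = 0; }

int main(void) {
    /* Scenario 1: bookmarks menu opened before any frame view exists. */
    reset_hooks();
    printf("unguarded before frame view: %s\n",
           shared_factory_unguarded() ? "ok" : "NULL hook (crash in the original)");
    printf("guarded before frame view:   %s (setup calls = %d)\n",
           shared_factory_guarded() ? "ok" : "failed", font_cache_setup_calls());

    /* Scenario 2: frame view created first, the only order the old code handled. */
    reset_hooks();
    connect_webkit_hooks();
    printf("unguarded after frame view:  %s\n",
           shared_factory_unguarded() ? "ok" : "failed");
    return 0;
}
```

The check in `shared_factory_guarded` is the general shape of the fix the thread describes: the component that consumes a lazily connected pointer owns the responsibility for connecting it, rather than relying on an unrelated event (frame view creation) having happened earlier.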
Hyatt has a fix for this on his machine. We just need to set up the connection in the "WebStringTruncator" APIs.
I'm not sure this bug can be reproduced without some kind of hack installed in Safari. As far as I know, normally there's no way to bring up the Bookmarks menu before the first WebFrameView is created.
In certain circumstances it is possible to reproduce this with accessibility. Although I wonder if that matters since this is both a regression and an "easy fix", especially since Hyatt has the fix already. But I ultimately wonder why the menus are using WebStringTruncator at all.