Bug 9833 - REGRESSION: Reproducible crash: RenderMenuList.cpp:58: failed assertion `!m_first'
Summary: REGRESSION: Reproducible crash: RenderMenuList.cpp:58: failed assertion `!m_f...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Forms (show other bugs)
Version: 420+
Hardware: Mac OS X 10.4
: P1 Critical
Assignee: Darin Adler
URL:
Keywords: Regression
Depends on:
Blocks:
 
Reported: 2006-07-10 07:42 PDT by David Kilzer (:ddkilzer)
Modified: 2006-07-10 08:48 PDT (History)
2 users (show)

See Also:

Attachments
Reduction (98 bytes, text/html)
2006-07-10 07:44 PDT, mitz 		no flags Details
patch, including change log and Mitz's reduction as a manual test (4.68 KB, patch)
2006-07-10 08:41 PDT, Darin Adler 		andersca: review+
Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description David Kilzer (:ddkilzer) 2006-07-10 07:42:02 PDT 
In a debug build of WebKit r15300 (plus Patch v4 from Bug 9179) on Safari 2.0.4 (419.3) on Mac OS X 10.4.7 (8J135/PowerPC), I get a reproducible assertion failure when changing the "Review" popup to "?" on the "Create attachment" web page:

/Users/ddkilzer/Projects/Cocoa/WebKit/WebCore/rendering/RenderMenuList.cpp:58: failed assertion `!m_first'
Abort trap

Steps to reproduce:

1. Start debug build of WebKit+Safari with NativePopUps.
2. Access a "Create attachment" link: http://bugzilla.opendarwin.org/attachment.cgi?bugid=9833&action=enter
3. On the "Flags review" popup, change the value to "?".

Expected results:

Flags review popup changes to "?".

Actual results:

Assertion failure an crash (not even a crash log generated).
Comment 1 mitz 2006-07-10 07:44:46 PDT 
Created attachment 9340 [details]
Reduction
Comment 2 Timothy Hatcher 2006-07-10 07:45:00 PDT 
This does not end up crashing in a release build, so this might not block our submission today. The page works as expected.
Comment 3 Timothy Hatcher 2006-07-10 07:49:55 PDT 
There is a way to crash this under Release.

0) Release build.
1) Go to the attached reduction.
2) Select "Click Me"
3) Then select the blank item.
4) Close the window and it will crash.

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x000000a8

Thread 0 Crashed:
0   com.apple.WebCore        	0x01182882 WebCore::RenderContainer::destroyLeftoverChildren() + 22 (RenderContainer.cpp:64)
1   com.apple.WebCore        	0x0118926c WebCore::RenderFlow::destroy() + 44 (RenderFlow.cpp:188)
2   com.apple.WebCore        	0x01243765 WebCore::Node::detach() + 41 (Node.cpp:721)
3   com.apple.WebCore        	0x010f6be1 WebCore::ContainerNode::detach() + 29 (Node.h:92)
4   com.apple.WebCore        	0x010f6be1 WebCore::ContainerNode::detach() + 29 (Node.h:92)
5   com.apple.WebCore        	0x010f6be1 WebCore::ContainerNode::detach() + 29 (Node.h:92)
6   com.apple.WebCore        	0x010ed194 WebCore::Document::detach() + 216 (Document.cpp:987)
7   com.apple.WebCore        	0x010d6422 WebCore::FrameMac::setView(WebCore::FrameView*) + 282 (FrameMac.mm:574)
8   com.apple.WebCore        	0x010f9b50 -[WebCoreFrameBridge close] + 34 (WebCoreFrameBridge.mm:503)
9   com.apple.WebKit         	0x00320eb8 -[WebFrameBridge close] + 49 (WebFrameBridge.m:658)
10  com.apple.WebKit         	0x0032e05c -[WebFrame(WebPrivate) _detachFromParent] + 359 (WebFrame.m:580)
11  com.apple.WebKit         	0x00357214 -[WebView(WebPrivate) _close] + 135 (WebView.m:603)
Comment 4 Darin Adler 2006-07-10 08:41:15 PDT 
Created attachment 9345 [details]
patch, including change log and Mitz's reduction as a manual test
Comment 5 Anders Carlsson 2006-07-10 08:45:33 PDT 
Comment on attachment 9345 [details]
patch, including change log and Mitz's reduction as a manual test

r=me
Comment 6 Darin Adler 2006-07-10 08:48:14 PDT 
Committed revision 15303.