48708 2010-10-29 20:06:32 -0700 REGRESSION (r70847): Reproducible crashes in Safari and Mail when editing text 2010-10-29 20:42:33 -0700 1 1 1 Unclassified WebKit New Bugs 528+ (Nightly build) PC OS X 10.6 RESOLVED FIXED http://maps.google.com InRadar, Regression P1 Normal --- 1 mrowe webkit-unassigned mitz morrita oldest_to_newest 302242 0 mrowe 2010-10-29 20:06:32 -0700 Safari crashes reproducibly when editing text fields after r70847. I reported this as <rdar://problem/8612962> with the following steps to reproduce: 1) Load <http://maps.google.com/>. 2) Click "Get Directions". 3) Click in the B field and start typing "Luxor Hotel". Safari crashes during step 3. This crash also occurs in Mail when composing messages. I also hit it when trying to file this bug in Bugzilla (typing in the Summary field) and was forced to switch to Firefox. 302244 1 mrowe 2010-10-29 20:07:42 -0700 That change was from bug 48287. 302245 2 mrowe 2010-10-29 20:08:43 -0700 Relevant snippet from the crash log: Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000010 Thread 0 Crashed: 0 com.apple.WebCore 0x0000000103860df2 WebCore::Range::cloneRange(int&) const + 18 (RefPtr.h:59) 1 com.apple.WebCore 0x0000000103fb6e27 WebCore::TextCheckingHelper::paragraphAlignedRange(int&, WTF::String&) const + 73 (PassRefPtr.h:185) 2 com.apple.WebCore 0x0000000103ba3af3 WebCore::Editor::markAllMisspellingsAndBadGrammarInRanges(unsigned int, WebCore::Range*, WebCore::Range*) + 877 (PassRefPtr.h:185) 3 com.apple.WebCore 0x0000000103ba1e45 WebCore::Editor::correctionPanelTimerFired(WebCore::Timer<WebCore::Editor>*) + 219 (PassRefPtr.h:74) 4 com.apple.WebCore 0x00000001037793be WebCore::ThreadTimers::sharedTimerFiredInternal() + 130 (ThreadTimers.cpp:115) 302246 3 mrowe 2010-10-29 20:10:12 -0700 This crash appears to occur when typing in any text area that has spell checking enabled. That makes tip of tree unlivable. For that reason I'm going to roll out the patch that introduced this crash. 302248 4 mitz 2010-10-29 20:15:28 -0700 *** Bug 48646 has been marked as a duplicate of this bug. *** 302249 5 mrowe 2010-10-29 20:22:08 -0700 Bug 48646 has info about an assertion that is hit in debug builds. 302250 6 mrowe 2010-10-29 20:42:33 -0700 Rolled out in r70970.