Bug 11863

Summary: REGRESSION: Reproducible crash in GMail after composing new message, clicking in body, then closing window
Product: WebKit
Reporter: David Kilzer (:ddkilzer) <ddkilzer>
Component: Page Loading
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE
Severity: Normal
Keywords: GoogleBug, Regression
Priority: P1
Version: 420+
Hardware: Mac
OS: OS X 10.4
URL: http://mail.google.com/mail/

David Kilzer (:ddkilzer)
Reported 2006-12-17 16:27:54 PST
Summary: Logging into GMail, composing a new message, clicking in the body textarea, then immediately closing the window causes a crash a few seconds after the window closes.

Steps to reproduce (taken from Bug 11859 Comment #2):
1. Start WebKit nightly r18244 or r18260.
2. Log into GMail.
3. Click "Compose Mail" link.
4. Click once in the message body textarea.
5. Close the window immediately after clicking.
6. Wait about 5 seconds.
7. WebKit crashes.

Expected results: WebKit should not crash.

Actual results: WebKit crashes.

Regression: Regression from earlier WebKit builds that worked with GMail's wysiwyg editor.

Notes: The "top" of the stack trace appears to vary (e.g. where the crash occurs), but it always occurs. Here's a stack trace from a locally-built debug build of WebKit r18269 with Safari 2.0.4 (419.3) on Mac OS X 10.4.8 (8L127).

Date/Time: 2006-12-17 18:07:12.628 -0600
OS Version: 10.4.8 (Build 8L127)
Report Version: 4

Command: Safari
Path: /Applications/Safari.app/Contents/MacOS/Safari
Parent: bash [16966]

Version: 2.0.4 (419.3)
Build Version: 1
Project Name: WebBrowser
Source Version: 4190300

PID: 27003
Thread: 0

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0x0fad7723

Thread 0 Crashed:
0 com.apple.WebCore 0x0149b690 WebCore::Editor::isContinuousSpellCheckingEnabled() + 88 (Editor.cpp:1131)
1 com.apple.WebCore 0x0112e0d4 WebCore::FrameMac::respondToChangedSelection(WebCore::Selection const&, bool) + 108 (FrameMac.mm:839)
2 com.apple.WebCore 0x01296aac WebCore::SelectionController::setSelection(WebCore::Selection const&, bool, bool, bool) + 1612 (SelectionController.cpp:139)
3 com.apple.WebCore 0x01297270 WebCore::SelectionController::clear() + 56 (SelectionController.cpp:667)
4 com.apple.WebCore 0x014b9520 WebCore::FrameLoader::clear(bool) + 360 (FrameLoader.cpp:736)
5 com.apple.WebCore 0x014bc410 WebCore::FrameLoader::cancelAndClear() + 76 (FrameLoader.cpp:705)
6 com.apple.WebCore 0x0112f760 WebCore::FrameMac::~FrameMac [in-charge deleting]() + 184 (FrameMac.mm:151)
7 com.apple.WebCore 0x015c7914 WebCore::Shared<WebCore::Frame>::deref() + 228 (Shared.h:52)
8 com.apple.WebCore 0x0164b394 WTF::RefPtr<WebCore::Frame>::operator=(WebCore::Frame*) + 108 (RefPtr.h:107)
9 com.apple.WebCore 0x014e88e0 WebCore::EventHandler::clear() + 112 (EventHandler.cpp:117)
10 com.apple.WebCore 0x014b953c WebCore::FrameLoader::clear(bool) + 388 (FrameLoader.cpp:737)
11 com.apple.WebCore 0x014bc410 WebCore::FrameLoader::cancelAndClear() + 76 (FrameLoader.cpp:705)
12 com.apple.WebCore 0x0112f760 WebCore::FrameMac::~FrameMac [in-charge deleting]() + 184 (FrameMac.mm:151)
13 com.apple.WebCore 0x015c7914 WebCore::Shared<WebCore::Frame>::deref() + 228 (Shared.h:52)
14 com.apple.WebCore 0x01128120 WebCore::Frame::lifeSupportTimerFired(WebCore::Timer<WebCore::Frame>*) + 76 (Frame.cpp:904)
15 com.apple.WebCore 0x0164dd3c WebCore::Timer<WebCore::Frame>::fired() + 152 (Timer.h:96)
16 com.apple.WebCore 0x012aa820 WebCore::TimerBase::fireTimers(double, WTF::Vector<WebCore::TimerBase*, (unsigned long)0> const&) + 236 (Timer.cpp:322)
17 com.apple.WebCore 0x012aa8ec WebCore::TimerBase::sharedTimerFired() + 132 (Timer.cpp:355)
18 com.apple.WebCore 0x012a9c98 WebCore::timerFired(__CFRunLoopTimer*, void*) + 60 (SharedTimerMac.cpp:47)
19 com.apple.CoreFoundation 0x907f0550 __CFRunLoopDoTimer + 184
20 com.apple.CoreFoundation 0x907dcec8 __CFRunLoopRun + 1680
21 com.apple.CoreFoundation 0x907dc47c CFRunLoopRunSpecific + 268
22 com.apple.HIToolbox 0x93208740 RunCurrentEventLoopInMode + 264
23 com.apple.HIToolbox 0x93207d4c ReceiveNextEventCommon + 244
24 com.apple.HIToolbox 0x93207c40 BlockUntilNextEventMatchingListInMode + 96
25 com.apple.AppKit 0x9370bae4 _DPSNextEvent + 384
26 com.apple.AppKit 0x9370b7a8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
27 com.apple.Safari 0x00006740 0x1000 + 22336
28 com.apple.AppKit 0x93707cec -[NSApplication run] + 472
29 com.apple.AppKit 0x937f887c NSApplicationMain + 452
30 com.apple.Safari 0x0005c77c 0x1000 + 374652
31 com.apple.Safari 0x0005c624 0x1000 + 374308
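The call chain in the trace (~FrameMac, then cancelAndClear, FrameLoader::clear, SelectionController::clear, respondToChangedSelection, and finally Editor::isContinuousSpellCheckingEnabled, with a second ~FrameMac nested inside the first one) has the shape of a teardown-reentrancy bug: destructor work triggers a callback that reads state the same teardown has already released. The C++ below is an added toy model written for this page; it is not WebKit code and makes no claim about the actual root cause of this report (which is resolved as a duplicate). The names Frame, Editor, teardownFrames, sawReleasedEditorAccess and the hardened flag are all constructed. It places the unsafe ordering beside a guarded one and records, instead of dereferencing, the access that would be a use-after-free in real code, so a unit test can tell the two apart.

```cpp
#include <cstdio>
#include <initializer_list>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Constructed model of the teardown hazard (NOT WebKit code): a destructor
// runs "clear" work that notifies a selection observer, and the observer
// reaches into an Editor the same teardown has already released. A child
// Frame (the contenteditable iframe) is torn down recursively from the
// parent's clear(), mirroring the nested ~FrameMac in the trace.

struct Editor {
    bool continuousSpellChecking = true;
};

struct Frame {
    std::string name;
    std::vector<std::string>* log;       // shared event log owned by the caller
    std::unique_ptr<Editor> editor;
    std::unique_ptr<Frame> subframe;     // owned child frame
    bool hardened;                       // constructed switch: guard teardown or not
    bool inTeardown = false;

    Frame(std::string n, std::vector<std::string>* l, bool h)
        : name(std::move(n)), log(l), editor(std::make_unique<Editor>()), hardened(h) {}

    ~Frame() {
        inTeardown = true;
        if (!hardened)
            editor.reset();              // wrong order: Editor gone before clear() runs
        clear();                         // plays the role of FrameLoader::cancelAndClear()
        // hardened path: the Editor is destroyed only after this body, by member
        // destruction, once every callback issued during clear() has finished
    }

    void clear() {
        clearSelection();
        subframe.reset();                // nested ~Frame for the child, as in the trace
    }

    void clearSelection() {
        // A selection change normally notifies the frame; during teardown that
        // notification is the call that reaches half-destroyed state, so the
        // hardened variant suppresses it.
        if (hardened && inTeardown) {
            log->push_back(name + ": selection change ignored during teardown");
            return;
        }
        respondToChangedSelection();
    }

    void respondToChangedSelection() {
        // In a real crash this is a read through a dangling pointer; the model
        // records the condition instead of dereferencing anything.
        if (!editor) {
            log->push_back(name + ": editor accessed after release");
            return;
        }
        log->push_back(name + ": spellcheck=" +
                       std::string(editor->continuousSpellChecking ? "on" : "off"));
    }
};

// Build a parent frame with one editable child and destroy it, as closing the
// window does; returns the sequence of teardown events in order.
std::vector<std::string> teardownFrames(bool hardened) {
    std::vector<std::string> log;
    {
        auto root = std::make_unique<Frame>("root", &log, hardened);
        root->subframe = std::make_unique<Frame>("editable-iframe", &log, hardened);
    }                                    // ~Frame(root) -> clear() -> ~Frame(child)
    return log;
}

// True if any frame touched its Editor after that Editor had been released.
bool sawReleasedEditorAccess(const std::vector<std::string>& log) {
    for (const auto& line : log)
        if (line.find("after release") != std::string::npos)
            return true;
    return false;
}

int main() {
    for (bool hardened : {false, true})
        for (const auto& line : teardownFrames(hardened))
            std::printf("%s%s\n", hardened ? "[hardened] " : "[unsafe]   ", line.c_str());
    return 0;
}
```

The same check is what a regression test in the engine's own suite would assert: tearing down a frame tree that contains an editable subframe must not notify selection observers once teardown has begun, and any member that callbacks can reach must outlive the last callback.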
Matt Lilek
Comment 1 2006-12-17 17:42:46 PST
I'm pretty sure this is a dupe of bug 11729. The new message "textarea" is actually a contenteditable iframe, which would explain why it crashes, and the backtrace is nearly identical (the one attached to 11729 is from a nightly, which is why it's shorter).
David Kilzer (:ddkilzer)
Comment 2 2006-12-17 18:04:48 PST
Thanks, Matt! *** This bug has been marked as a duplicate of 11729 ***