Bug 11863
Summary: | REGRESSION: Reproducible crash in GMail after composing new message, clicking in body, then closing window | ||
---|---|---|---|
Product: | WebKit | Reporter: | David Kilzer (:ddkilzer) <ddkilzer> |
Component: | Page Loading | Assignee: | Nobody <webkit-unassigned> |
Status: | RESOLVED DUPLICATE | ||
Severity: | Normal | Keywords: | GoogleBug, Regression |
Priority: | P1 | ||
Version: | 420+ | ||
Hardware: | Mac | ||
OS: | OS X 10.4 | ||
URL: | http://mail.google.com/mail/ | ||
David Kilzer (:ddkilzer)
Summary:
Logging into GMail, composing a new message, clicking in the body textarea, then immediately closing the window causes a crash a few seconds after the window closes.
Steps to reproduce (taken from Bug 11859 Comment #2):
1. Start WebKit nightly r18244 or r18260.
2. Log into GMail.
3. Click "Compose Mail" link.
4. Click once in the message body textarea.
5. Close the window immediately after clicking.
6. Wait about 5 seconds.
7. WebKit crashes.
Expected results:
WebKit should not crash.
Actual results:
WebKit crashes.
Regression:
Regression from earlier WebKit builds that worked with GMail's wysiwyg editor.
Notes:
The "top" of the stack trace appears to vary (e.g. where the crash occurs), but it always occurs. Here's a stack trace from a locally-built debug build of WebKit r18269 with Safari 2.0.4 (419.3) on Mac OS X 10.4.8 (8L127).
Date/Time: 2006-12-17 18:07:12.628 -0600
OS Version: 10.4.8 (Build 8L127)
Report Version: 4
Command: Safari
Path: /Applications/Safari.app/Contents/MacOS/Safari
Parent: bash [16966]
Version: 2.0.4 (419.3)
Build Version: 1
Project Name: WebBrowser
Source Version: 4190300
PID: 27003
Thread: 0
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0x0fad7723
Thread 0 Crashed:
0 com.apple.WebCore 0x0149b690 WebCore::Editor::isContinuousSpellCheckingEnabled() + 88 (Editor.cpp:1131)
1 com.apple.WebCore 0x0112e0d4 WebCore::FrameMac::respondToChangedSelection(WebCore::Selection const&, bool) + 108 (FrameMac.mm:839)
2 com.apple.WebCore 0x01296aac WebCore::SelectionController::setSelection(WebCore::Selection const&, bool, bool, bool) + 1612 (SelectionController.cpp:139)
3 com.apple.WebCore 0x01297270 WebCore::SelectionController::clear() + 56 (SelectionController.cpp:667)
4 com.apple.WebCore 0x014b9520 WebCore::FrameLoader::clear(bool) + 360 (FrameLoader.cpp:736)
5 com.apple.WebCore 0x014bc410 WebCore::FrameLoader::cancelAndClear() + 76 (FrameLoader.cpp:705)
6 com.apple.WebCore 0x0112f760 WebCore::FrameMac::~FrameMac [in-charge deleting]() + 184 (FrameMac.mm:151)
7 com.apple.WebCore 0x015c7914 WebCore::Shared<WebCore::Frame>::deref() + 228 (Shared.h:52)
8 com.apple.WebCore 0x0164b394 WTF::RefPtr<WebCore::Frame>::operator=(WebCore::Frame*) + 108 (RefPtr.h:107)
9 com.apple.WebCore 0x014e88e0 WebCore::EventHandler::clear() + 112 (EventHandler.cpp:117)
10 com.apple.WebCore 0x014b953c WebCore::FrameLoader::clear(bool) + 388 (FrameLoader.cpp:737)
11 com.apple.WebCore 0x014bc410 WebCore::FrameLoader::cancelAndClear() + 76 (FrameLoader.cpp:705)
12 com.apple.WebCore 0x0112f760 WebCore::FrameMac::~FrameMac [in-charge deleting]() + 184 (FrameMac.mm:151)
13 com.apple.WebCore 0x015c7914 WebCore::Shared<WebCore::Frame>::deref() + 228 (Shared.h:52)
14 com.apple.WebCore 0x01128120 WebCore::Frame::lifeSupportTimerFired(WebCore::Timer<WebCore::Frame>*) + 76 (Frame.cpp:904)
15 com.apple.WebCore 0x0164dd3c WebCore::Timer<WebCore::Frame>::fired() + 152 (Timer.h:96)
16 com.apple.WebCore 0x012aa820 WebCore::TimerBase::fireTimers(double, WTF::Vector<WebCore::TimerBase*, (unsigned long)0> const&) + 236 (Timer.cpp:322)
17 com.apple.WebCore 0x012aa8ec WebCore::TimerBase::sharedTimerFired() + 132 (Timer.cpp:355)
18 com.apple.WebCore 0x012a9c98 WebCore::timerFired(__CFRunLoopTimer*, void*) + 60 (SharedTimerMac.cpp:47)
19 com.apple.CoreFoundation 0x907f0550 __CFRunLoopDoTimer + 184
20 com.apple.CoreFoundation 0x907dcec8 __CFRunLoopRun + 1680
21 com.apple.CoreFoundation 0x907dc47c CFRunLoopRunSpecific + 268
22 com.apple.HIToolbox 0x93208740 RunCurrentEventLoopInMode + 264
23 com.apple.HIToolbox 0x93207d4c ReceiveNextEventCommon + 244
24 com.apple.HIToolbox 0x93207c40 BlockUntilNextEventMatchingListInMode + 96
25 com.apple.AppKit 0x9370bae4 _DPSNextEvent + 384
26 com.apple.AppKit 0x9370b7a8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
27 com.apple.Safari 0x00006740 0x1000 + 22336
28 com.apple.AppKit 0x93707cec -[NSApplication run] + 472
29 com.apple.AppKit 0x937f887c NSApplicationMain + 452
30 com.apple.Safari 0x0005c77c 0x1000 + 374652
31 com.apple.Safari 0x0005c624 0x1000 + 374308
Matt Lilek
I'm pretty sure this is a dupe of bug 11729. The new message "textarea" is actually a contenteditable iframe, which would explain why it crashes, and the backtrace is nearly identical (the one attached to 11729 is from a nightly, which is why it's shorter).
David Kilzer (:ddkilzer)
Thanks, Matt!
*** This bug has been marked as a duplicate of 11729 ***