Bug 13059
Field | Value | Field | Value
---|---|---|---
Summary | REGRESSION: Crash in HTMLFormElement when clicking link trying to open in same window. | |
Product | WebKit | Reporter | Jon <jon>
Component | WebCore Misc. | Assignee | Nobody <webkit-unassigned>
Status | RESOLVED FIXED | |
Severity | Normal | CC | mrowe, spam
Priority | P1 | Keywords | InRadar, NeedsReduction, Regression
Version | 523.x (Safari 3) | |
Hardware | Mac (PowerPC) | |
OS | OS X 10.4 | |
URL | http://www.maclife.com/forums | |
Jon
As of r20152, ToT crashes when clicking one of the forum links at http://www.maclife.com/forums which would open in the same window or tab. Command-clicking the link to open it in a new tab and copy-pasting the link into a new tab do not crash. This does not occur in the latest nightly (r20136), and so I think it may be caused by the changes in r20148.
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000000
Thread 0 Crashed:
0 <<00000000>> 0x00000000 0 + 0
1 com.apple.WebCore 0x010aba08 WebCore::HTMLFormElement::~HTMLFormElement [in-charge deleting]() + 72 (HashTable.h:272)
2 com.apple.WebCore 0x010d8824 WebCore::ContainerNode::removeAllChildren() + 292 (ContainerNode.cpp:94)
3 com.apple.WebCore 0x010d1d4c WebCore::Document::removedLastRef() + 540 (HashMap.h:345)
4 com.apple.WebCore 0x01304c60 WebCore::Event::~Event [in-charge deleting]() + 144 (RefPtr.h:41)
5 com.apple.WebCore 0x0125a764 KJS::DOMEvent::~DOMEvent [not-in-charge]() + 116 (Shared.h:52)
6 com.apple.JavaScriptCore 0x004745b0 KJS::Collector::collect() + 464 (collector.cpp:662)
7 com.apple.WebCore 0x012671ec WebCore::KJSProxy::~KJSProxy [in-charge]() + 108 (JSLock.h:59)
8 com.apple.WebCore 0x010beb90 WebCore::FramePrivate::~FramePrivate [in-charge]() + 48 (FastMalloc.h:65)
9 com.apple.WebCore 0x010bf208 WebCore::Frame::~Frame [in-charge deleting]() + 424 (FastMalloc.h:65)
10 com.apple.WebCore 0x0120014c WebCore::TimerBase::fireTimers(double, WTF::Vector<WebCore::TimerBase*, (unsigned long)0> const&) + 156 (Timer.cpp:322)
11 com.apple.WebCore 0x012001e0 WebCore::TimerBase::sharedTimerFired() + 112 (Timer.cpp:355)
12 com.apple.CoreFoundation 0x907f2578 __CFRunLoopDoTimer + 184
13 com.apple.CoreFoundation 0x907deef8 __CFRunLoopRun + 1680
14 com.apple.CoreFoundation 0x907de4ac CFRunLoopRunSpecific + 268
15 com.apple.HIToolbox 0x93298b20 RunCurrentEventLoopInMode + 264
16 com.apple.HIToolbox 0x932981b4 ReceiveNextEventCommon + 380
17 com.apple.HIToolbox 0x93298020 BlockUntilNextEventMatchingListInMode + 96
18 com.apple.AppKit 0x9379eae4 _DPSNextEvent + 384
19 com.apple.AppKit 0x9379e7a8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
20 com.apple.SafariDev 0x00006740 0x1000 + 22336
21 com.apple.AppKit 0x9379acec -[NSApplication run] + 472
22 com.apple.AppKit 0x9388b87c NSApplicationMain + 452
23 com.apple.SafariDev 0x0005c77c 0x1000 + 374652
24 com.apple.SafariDev 0x0005c624 0x1000 + 374308
Mark Rowe (bdash)
I can reproduce this with ToT. Malloc logs an error to the console complaining about freeing an unaligned pointer.
Mark Rowe (bdash)
<rdar://problem/5062040>
mitz
*** Bug 13069 has been marked as a duplicate of this bug. ***
mitz
Apparently fixed in <http://trac.webkit.org/projects/webkit/changeset/20214>.