Bug 13365

Summary: ASSERT in WebDocumentLoaderMac::decreaseLoadCount() un-discarding Gmail message
Product: WebKit
Reporter: Brady Eidson <beidson>
Component: Page Loading
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Major
CC: mbritto, sroret
Priority: P1
Keywords: InRadar, Regression
Version: 523.x (Safari 3)
Hardware: Mac (Intel)
OS: OS X 10.4
URL: http://gmail.com
Attachments:
  proposed patch (flags: mjs: review-)

Description Brady Eidson 2007-04-16 11:20:46 PDT
* SUMMARY
I hit an assertion failure when I undo the discard of a message in Gmail. I am not sure what happens in release builds.

* STEPS TO REPRODUCE
1. Log into Gmail
2. Click on a message in your inbox.
3. Begin typing a reply.
4. Click the "Discard" button below the message. (Next to "Send" and "Save Now")
5. A message will appear that reads, "Your message has been discarded. Undo discard." Click "Undo Discard".
6. CRASH!

NOTE: This crash does NOT occur if you undo the discard of a NEW message. You must undo the discard of a REPLY message.

Date/Time:      2007-04-13 12:13:48.220 -0700
OS Version:     10.4.9 (Build 8P2137)
Report Version: 4

Command: Safari
Path:    /Build/symroots/Debug/Safari.app/Contents/MacOS/Safari
Parent:  WindowServer [61]

Version: 3.0 (4522.4)

PID:    4975
Thread: 0

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0xbbadbeef

Thread 0 Crashed:
0   com.apple.WebKit         	0x00490e65 WebDocumentLoaderMac::decreaseLoadCount(unsigned long) + 89 (WebDocumentLoaderMac.mm:93)
1   com.apple.WebKit         	0x00494130 WebFrameLoaderClient::dispatchDidFailLoading(WebCore::DocumentLoader*, unsigned long, WebCore::ResourceError const&) + 210 (WebFrameLoaderClient.mm:365)
2   com.apple.WebCore        	0x0137635b WebCore::FrameLoader::didFailToLoad(WebCore::ResourceLoader*, WebCore::ResourceError const&) + 167 (FrameLoader.cpp:3091)
3   com.apple.WebCore        	0x0138a773 WebCore::ResourceLoader::didCancel(WebCore::ResourceError const&) + 331
4   com.apple.WebCore        	0x0138857a WebCore::MainResourceLoader::didCancel(WebCore::ResourceError const&) + 226 (MainResourceLoader.cpp:92)
5   com.apple.WebCore        	0x0138a2e1 WebCore::ResourceLoader::cancel(WebCore::ResourceError const&) + 111
6   com.apple.WebCore        	0x0138a363 WebCore::ResourceLoader::cancel() + 43
7   com.apple.WebCore        	0x013875db WebCore::DocumentLoader::stopLoading() + 247 (DocumentLoader.cpp:279)
8   com.apple.WebCore        	0x0137d89b WebCore::FrameLoader::stopAllLoaders() + 101 (FrameLoader.cpp:2150)
9   com.apple.WebCore        	0x01382a17 WebCore::FrameLoader::frameDetached() + 17 (FrameLoader.cpp:2882)
10  com.apple.WebCore        	0x01364fa6 WebCore::HTMLFrameElementBase::willRemove() + 56 (HTMLFrameElementBase.cpp:193)
11  com.apple.WebCore        	0x010d2ee9 WebCore::ContainerNode::willRemove() + 37 (ContainerNode.cpp:331)
12  com.apple.WebCore        	0x010d2ee9 WebCore::ContainerNode::willRemove() + 37 (ContainerNode.cpp:331)
13  com.apple.WebCore        	0x010d2ee9 WebCore::ContainerNode::willRemove() + 37 (ContainerNode.cpp:331)
14  com.apple.WebCore        	0x010d2ee9 WebCore::ContainerNode::willRemove() + 37 (ContainerNode.cpp:331)
15  com.apple.WebCore        	0x010d2ee9 WebCore::ContainerNode::willRemove() + 37 (ContainerNode.cpp:331)
16  com.apple.WebCore        	0x010d2ee9 WebCore::ContainerNode::willRemove() + 37 (ContainerNode.cpp:331)
17  com.apple.WebCore        	0x010d2ee9 WebCore::ContainerNode::willRemove() + 37 (ContainerNode.cpp:331)
18  com.apple.WebCore        	0x010d2ee9 WebCore::ContainerNode::willRemove() + 37 (ContainerNode.cpp:331)
19  com.apple.WebCore        	0x010d2ee9 WebCore::ContainerNode::willRemove() + 37 (ContainerNode.cpp:331)
20  com.apple.WebCore        	0x010d2ee9 WebCore::ContainerNode::willRemove() + 37 (ContainerNode.cpp:331)
21  com.apple.WebCore        	0x010d4803 WebCore::willRemoveChild(WebCore::Node*) + 77 (ContainerNode.cpp:348)
22  com.apple.WebCore        	0x010d4837 WebCore::ContainerNode::removeChildren() + 39 (ContainerNode.cpp:446)
23  com.apple.WebCore        	0x01013d43 WebCore::HTMLElement::setInnerHTML(WebCore::String const&, int&) + 101 (HTMLElement.cpp:291)
24  com.apple.WebCore        	0x012431c1 KJS::JSHTMLElement::putValueProperty(KJS::ExecState*, int, KJS::JSValue*, int) + 315 (kjs_html.cpp:1385)
25  com.apple.WebCore        	0x01543992 bool KJS::lookupPut<KJS::JSHTMLElement>(KJS::ExecState*, KJS::Identifier const&, KJS::JSValue*, int, KJS::HashTable const*, KJS::JSHTMLElement*) + 162 (lookup.h:254)
26  com.apple.WebCore        	0x015439d4 void KJS::lookupPut<KJS::JSHTMLElement, WebCore::JSHTMLElement>(KJS::ExecState*, KJS::Identifier const&, KJS::JSValue*, int, KJS::HashTable const*, KJS::JSHTMLElement*) + 52 (lookup.h:268)
27  com.apple.WebCore        	0x012434cc KJS::JSHTMLElement::put(KJS::ExecState*, KJS::Identifier const&, KJS::JSValue*, int) + 468 (kjs_html.cpp:1184)
28  com.apple.WebCore        	0x0156642d void KJS::lookupPut<WebCore::JSHTMLDivElement, KJS::JSHTMLElement>(KJS::ExecState*, KJS::Identifier const&, KJS::JSValue*, int, KJS::HashTable const*, WebCore::JSHTMLDivElement*) + 97 (lookup.h:269)
29  com.apple.WebCore        	0x012a2c7b WebCore::JSHTMLDivElement::put(KJS::ExecState*, KJS::Identifier const&, KJS::JSValue*, int) + 61 (JSHTMLDivElement.cpp:131)
30  com.apple.JavaScriptCore 	0x0068a755 KJS::AssignDotNode::evaluate(KJS::ExecState*) + 1573 (nodes.cpp:1466)
31  com.apple.JavaScriptCore 	0x00683a8c KJS::ExprStatementNode::execute(KJS::ExecState*) + 148 (nodes.cpp:1681)
32  com.apple.JavaScriptCore 	0x00681684 KJS::SourceElementsNode::execute(KJS::ExecState*) + 256 (nodes.cpp:2458)
33  com.apple.JavaScriptCore 	0x0067ffbc KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1657)
34  com.apple.JavaScriptCore 	0x00680b8a KJS::TryNode::execute(KJS::ExecState*) + 154 (nodes.cpp:2303)
35  com.apple.JavaScriptCore 	0x00681684 KJS::SourceElementsNode::execute(KJS::ExecState*) + 256 (nodes.cpp:2458)
36  com.apple.JavaScriptCore 	0x0067ffbc KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1657)
37  com.apple.JavaScriptCore 	0x00673628 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 50 (function.cpp:362)
38  com.apple.JavaScriptCore 	0x006754ff KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 573 (function.cpp:111)
39  com.apple.JavaScriptCore 	0x0068f986 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 210 (object.cpp:97)
40  com.apple.JavaScriptCore 	0x00687056 KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 716 (nodes.cpp:687)
41  com.apple.JavaScriptCore 	0x00683a8c KJS::ExprStatementNode::execute(KJS::ExecState*) + 148 (nodes.cpp:1681)
42  com.apple.JavaScriptCore 	0x006817ba KJS::SourceElementsNode::execute(KJS::ExecState*) + 566 (nodes.cpp:2464)
43  com.apple.JavaScriptCore 	0x0067ffbc KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1657)
44  com.apple.JavaScriptCore 	0x00673628 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 50 (function.cpp:362)
45  com.apple.JavaScriptCore 	0x006754ff KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 573 (function.cpp:111)
46  com.apple.JavaScriptCore 	0x0068f986 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 210 (object.cpp:97)
47  com.apple.JavaScriptCore 	0x00687056 KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 716 (nodes.cpp:687)
48  com.apple.JavaScriptCore 	0x00683a8c KJS::ExprStatementNode::execute(KJS::ExecState*) + 148 (nodes.cpp:1681)
49  com.apple.JavaScriptCore 	0x006817ba KJS::SourceElementsNode::execute(KJS::ExecState*) + 566 (nodes.cpp:2464)
50  com.apple.JavaScriptCore 	0x0067ffbc KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1657)
51  com.apple.JavaScriptCore 	0x00683980 KJS::IfNode::execute(KJS::ExecState*) + 420 (nodes.cpp:1700)
52  com.apple.JavaScriptCore 	0x006817ba KJS::SourceElementsNode::execute(KJS::ExecState*) + 566 (nodes.cpp:2464)
53  com.apple.JavaScriptCore 	0x0067ffbc KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1657)
54  com.apple.JavaScriptCore 	0x00683980 KJS::IfNode::execute(KJS::ExecState*) + 420 (nodes.cpp:1700)
55  com.apple.JavaScriptCore 	0x00681684 KJS::SourceElementsNode::execute(KJS::ExecState*) + 256 (nodes.cpp:2458)
56  com.apple.JavaScriptCore 	0x0067ffbc KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1657)
57  com.apple.JavaScriptCore 	0x00673628 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 50 (function.cpp:362)
58  com.apple.JavaScriptCore 	0x006754ff KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 573 (function.cpp:111)
59  com.apple.JavaScriptCore 	0x0068f986 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 210 (object.cpp:97)
60  com.apple.JavaScriptCore 	0x00687056 KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 716 (nodes.cpp:687)
61  com.apple.JavaScriptCore 	0x00683a8c KJS::ExprStatementNode::execute(KJS::ExecState*) + 148 (nodes.cpp:1681)
62  com.apple.JavaScriptCore 	0x00681684 KJS::SourceElementsNode::execute(KJS::ExecState*) + 256 (nodes.cpp:2458)
63  com.apple.JavaScriptCore 	0x0067ffbc KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1657)
64  com.apple.JavaScriptCore 	0x006839e7 KJS::IfNode::execute(KJS::ExecState*) + 523 (nodes.cpp:1707)
65  com.apple.JavaScriptCore 	0x00681684 KJS::SourceElementsNode::execute(KJS::ExecState*) + 256 (nodes.cpp:2458)
66  com.apple.JavaScriptCore 	0x0067ffbc KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1657)
67  com.apple.JavaScriptCore 	0x00673628 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 50 (function.cpp:362)
68  com.apple.JavaScriptCore 	0x006754ff KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 573 (function.cpp:111)
69  com.apple.JavaScriptCore 	0x0068f986 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 210 (object.cpp:97)
70  com.apple.JavaScriptCore 	0x00687056 KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 716 (nodes.cpp:687)
71  com.apple.JavaScriptCore 	0x00683a8c KJS::ExprStatementNode::execute(KJS::ExecState*) + 148 (nodes.cpp:1681)
72  com.apple.JavaScriptCore 	0x006817ba KJS::SourceElementsNode::execute(KJS::ExecState*) + 566 (nodes.cpp:2464)
73  com.apple.JavaScriptCore 	0x0067ffbc KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1657)
74  com.apple.JavaScriptCore 	0x00683980 KJS::IfNode::execute(KJS::ExecState*) + 420 (nodes.cpp:1700)
75  com.apple.JavaScriptCore 	0x006817ba KJS::SourceElementsNode::execute(KJS::ExecState*) + 566 (nodes.cpp:2464)
76  com.apple.JavaScriptCore 	0x0067ffbc KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1657)
77  com.apple.JavaScriptCore 	0x00683980 KJS::IfNode::execute(KJS::ExecState*) + 420 (nodes.cpp:1700)
78  com.apple.JavaScriptCore 	0x00681684 KJS::SourceElementsNode::execute(KJS::ExecState*) + 256 (nodes.cpp:2458)
79  com.apple.JavaScriptCore 	0x0067ffbc KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1657)
80  com.apple.JavaScriptCore 	0x00673628 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 50 (function.cpp:362)
81  com.apple.JavaScriptCore 	0x006754ff KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 573 (function.cpp:111)
82  com.apple.JavaScriptCore 	0x0068f986 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 210 (object.cpp:97)
83  com.apple.JavaScriptCore 	0x00686d71 KJS::FunctionCallBracketNode::evaluate(KJS::ExecState*) + 1155 (nodes.cpp:741)
84  com.apple.JavaScriptCore 	0x0067fe01 KJS::AssignExprNode::evaluate(KJS::ExecState*) + 41 (nodes.cpp:1537)
85  com.apple.JavaScriptCore 	0x00683e20 KJS::VarDeclNode::evaluate(KJS::ExecState*) + 90 (nodes.cpp:1554)
86  com.apple.JavaScriptCore 	0x00683d3e KJS::VarDeclListNode::evaluate(KJS::ExecState*) + 52 (nodes.cpp:1602)
87  com.apple.JavaScriptCore 	0x00683c16 KJS::VarStatementNode::execute(KJS::ExecState*) + 148 (nodes.cpp:1626)
88  com.apple.JavaScriptCore 	0x00681684 KJS::SourceElementsNode::execute(KJS::ExecState*) + 256 (nodes.cpp:2458)
89  com.apple.JavaScriptCore 	0x0067ffbc KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1657)
90  com.apple.JavaScriptCore 	0x00680b8a KJS::TryNode::execute(KJS::ExecState*) + 154 (nodes.cpp:2303)
91  com.apple.JavaScriptCore 	0x00681684 KJS::SourceElementsNode::execute(KJS::ExecState*) + 256 (nodes.cpp:2458)
92  com.apple.JavaScriptCore 	0x0067ffbc KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1657)
93  com.apple.JavaScriptCore 	0x00682ba4 KJS::ForNode::execute(KJS::ExecState*) + 876 (nodes.cpp:1828)
94  com.apple.JavaScriptCore 	0x006817ba KJS::SourceElementsNode::execute(KJS::ExecState*) + 566 (nodes.cpp:2464)
95  com.apple.JavaScriptCore 	0x0067ffbc KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1657)
96  com.apple.JavaScriptCore 	0x00673628 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 50 (function.cpp:362)
97  com.apple.JavaScriptCore 	0x006754ff KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 573 (function.cpp:111)
98  com.apple.JavaScriptCore 	0x0068f986 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 210 (object.cpp:97)
99  com.apple.JavaScriptCore 	0x00687056 KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 716 (nodes.cpp:687)
100 com.apple.JavaScriptCore 	0x00682743 KJS::ReturnNode::execute(KJS::ExecState*) + 295 (nodes.cpp:2030)
101 com.apple.JavaScriptCore 	0x006817ba KJS::SourceElementsNode::execute(KJS::ExecState*) + 566 (nodes.cpp:2464)
102 com.apple.JavaScriptCore 	0x0067ffbc KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1657)
103 com.apple.JavaScriptCore 	0x00680b8a KJS::TryNode::execute(KJS::ExecState*) + 154 (nodes.cpp:2303)
104 com.apple.JavaScriptCore 	0x00681684 KJS::SourceElementsNode::execute(KJS::ExecState*) + 256 (nodes.cpp:2458)
105 com.apple.JavaScriptCore 	0x0067ffbc KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1657)
106 com.apple.JavaScriptCore 	0x00673628 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 50 (function.cpp:362)
107 com.apple.JavaScriptCore 	0x006754ff KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 573 (function.cpp:111)
108 com.apple.JavaScriptCore 	0x0068f986 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 210 (object.cpp:97)
109 com.apple.JavaScriptCore 	0x00687056 KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 716 (nodes.cpp:687)
110 com.apple.JavaScriptCore 	0x0067fe01 KJS::AssignExprNode::evaluate(KJS::ExecState*) + 41 (nodes.cpp:1537)
111 com.apple.JavaScriptCore 	0x00683e20 KJS::VarDeclNode::evaluate(KJS::ExecState*) + 90 (nodes.cpp:1554)
112 com.apple.JavaScriptCore 	0x00683d3e KJS::VarDeclListNode::evaluate(KJS::ExecState*) + 52 (nodes.cpp:1602)
113 com.apple.JavaScriptCore 	0x00683c16 KJS::VarStatementNode::execute(KJS::ExecState*) + 148 (nodes.cpp:1626)
114 com.apple.JavaScriptCore 	0x006817ba KJS::SourceElementsNode::execute(KJS::ExecState*) + 566 (nodes.cpp:2464)
115 com.apple.JavaScriptCore 	0x0067ffbc KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1657)
116 com.apple.JavaScriptCore 	0x00673628 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 50 (function.cpp:362)
117 com.apple.JavaScriptCore 	0x006754ff KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 573 (function.cpp:111)
118 com.apple.JavaScriptCore 	0x0068f986 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 210 (object.cpp:97)
119 com.apple.WebCore        	0x0123aba6 KJS::JSAbstractEventListener::handleEvent(WebCore::Event*, bool) + 574 (kjs_events.cpp:123)
120 com.apple.WebCore        	0x0120585a WebCore::EventTargetNode::handleLocalEvents(WebCore::Event*, bool) + 352 (EventTargetNode.cpp:166)
121 com.apple.WebCore        	0x01206131 WebCore::EventTargetNode::dispatchGenericEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 1381 (EventTargetNode.cpp:240)
122 com.apple.WebCore        	0x01207ccd WebCore::EventTargetNode::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool, WebCore::EventTarget*) + 329 (EventTargetNode.cpp:308)
123 com.apple.WebCore        	0x01207d49 WebCore::EventTargetNode::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 75 (EventTargetNode.cpp:292)
124 com.apple.WebCore        	0x01206b01 WebCore::EventTargetNode::dispatchMouseEvent(WebCore::AtomicString const&, int, int, int, int, int, int, bool, bool, bool, bool, bool, WebCore::Node*, WTF::PassRefPtr<WebCore::Event>) + 691 (EventTargetNode.cpp:470)
125 com.apple.WebCore        	0x0120720e WebCore::EventTargetNode::dispatchMouseEvent(WebCore::PlatformMouseEvent const&, WebCore::AtomicString const&, int, WebCore::Node*) + 496 (EventTargetNode.cpp:397)
126 com.apple.WebCore        	0x013acdb2 WebCore::EventHandler::dispatchMouseEvent(WebCore::AtomicString const&, WebCore::Node*, bool, int, WebCore::PlatformMouseEvent const&, bool) + 146 (EventHandler.cpp:1153)
127 com.apple.WebCore        	0x013adb4b WebCore::EventHandler::handleMousePressEvent(WebCore::PlatformMouseEvent const&) + 951 (EventHandler.cpp:812)
128 com.apple.WebCore        	0x013a8a2c WebCore::EventHandler::mouseDown(NSEvent*) + 556 (EventHandlerMac.mm:470)
129 com.apple.WebKit         	0x0043c997 -[WebHTMLView mouseDown:] + 413 (WebHTMLView.mm:2975)
130 com.apple.WebCore        	0x013a768b WebCore::EventHandler::passMouseDownEventToWidget(WebCore::Widget*) + 1413 (EventHandlerMac.mm:264)
131 com.apple.WebCore        	0x013a776a WebCore::EventHandler::passWidgetMouseDownEventToWidget(WebCore::RenderWidget*) + 32 (EventHandlerMac.mm:181)
132 com.apple.WebCore        	0x013a85c7 WebCore::EventHandler::passSubframeEventToSubframe(WebCore::MouseEventWithHitTestResults&, WebCore::Frame*) + 621 (EventHandlerMac.mm:390)
133 com.apple.WebCore        	0x013a8f39 WebCore::EventHandler::passMousePressEventToSubframe(WebCore::MouseEventWithHitTestResults&, WebCore::Frame*) + 31 (EventHandlerMac.mm:613)
134 com.apple.WebCore        	0x013ad94a WebCore::EventHandler::handleMousePressEvent(WebCore::PlatformMouseEvent const&) + 438 (EventHandler.cpp:790)
135 com.apple.WebCore        	0x013a8a2c WebCore::EventHandler::mouseDown(NSEvent*) + 556 (EventHandlerMac.mm:470)
136 com.apple.WebKit         	0x0043c997 -[WebHTMLView mouseDown:] + 413 (WebHTMLView.mm:2975)
137 com.apple.WebCore        	0x013a768b WebCore::EventHandler::passMouseDownEventToWidget(WebCore::Widget*) + 1413 (EventHandlerMac.mm:264)
138 com.apple.WebCore        	0x013a776a WebCore::EventHandler::passWidgetMouseDownEventToWidget(WebCore::RenderWidget*) + 32 (EventHandlerMac.mm:181)
139 com.apple.WebCore        	0x013a85c7 WebCore::EventHandler::passSubframeEventToSubframe(WebCore::MouseEventWithHitTestResults&, WebCore::Frame*) + 621 (EventHandlerMac.mm:390)
140 com.apple.WebCore        	0x013a8f39 WebCore::EventHandler::passMousePressEventToSubframe(WebCore::MouseEventWithHitTestResults&, WebCore::Frame*) + 31 (EventHandlerMac.mm:613)
141 com.apple.WebCore        	0x013ad94a WebCore::EventHandler::handleMousePressEvent(WebCore::PlatformMouseEvent const&) + 438 (EventHandler.cpp:790)
142 com.apple.WebCore        	0x013a8a2c WebCore::EventHandler::mouseDown(NSEvent*) + 556 (EventHandlerMac.mm:470)
143 com.apple.WebKit         	0x0043c997 -[WebHTMLView mouseDown:] + 413 (WebHTMLView.mm:2975)
144 com.apple.AppKit         	0x933613af -[NSWindow sendEvent:] + 5279
145 com.apple.Safari         	0x000adfa8 -[Window sendEvent:] + 363 (Window.m:85)
146 com.apple.AppKit         	0x93353350 -[NSApplication sendEvent:] + 5023
147 com.apple.Safari         	0x000221a5 -[BrowserApplication sendEvent:] + 463 (BrowserApplication.m:143)
148 com.apple.AppKit         	0x9327ddfe -[NSApplication run] + 547
149 com.apple.AppKit         	0x93271d2f NSApplicationMain + 573
150 com.apple.Safari         	0x000a8f63 main + 95 (main.m:27)
151 com.apple.Safari         	0x00002772 _start + 216
152 com.apple.Safari         	0x00002699 start + 41

Thread 1:
0   libSystem.B.dylib        	0x900247e7 semaphore_wait_signal_trap + 7
1   com.apple.Foundation     	0x9284626c -[NSConditionLock lockWhenCondition:] + 39
2   com.apple.Syndication    	0x9a789052 -[AsyncDB _run:] + 181
3   com.apple.Foundation     	0x927f02e0 forkThreadForFunction + 123
4   libSystem.B.dylib        	0x90024147 _pthread_body + 84

Thread 2:
0   libSystem.B.dylib        	0x90009bf7 mach_msg_trap + 7
1   com.apple.CoreFoundation 	0x9082e2b3 CFRunLoopRunSpecific + 2014
2   com.apple.CoreFoundation 	0x9082dace CFRunLoopRunInMode + 61
3   com.apple.Foundation     	0x92825a0f +[NSURLConnection(NSURLConnectionInternal) _resourceLoadLoop:] + 259
4   com.apple.Foundation     	0x927f02e0 forkThreadForFunction + 123
5   libSystem.B.dylib        	0x90024147 _pthread_body + 84

Thread 3:
0   libSystem.B.dylib        	0x90009bf7 mach_msg_trap + 7
1   com.apple.CoreFoundation 	0x9082e2b3 CFRunLoopRunSpecific + 2014
2   com.apple.CoreFoundation 	0x9082dace CFRunLoopRunInMode + 61
3   com.apple.Foundation     	0x9284cbc2 +[NSURLCache _diskCacheSyncLoop:] + 206
4   com.apple.Foundation     	0x927f02e0 forkThreadForFunction + 123
5   libSystem.B.dylib        	0x90024147 _pthread_body + 84

Thread 4:
0   libSystem.B.dylib        	0x9001a0ec select + 12
1   libSystem.B.dylib        	0x90024147 _pthread_body + 84

Thread 5:
0   libSystem.B.dylib        	0x900247e7 semaphore_wait_signal_trap + 7
1   com.apple.Foundation     	0x9284626c -[NSConditionLock lockWhenCondition:] + 39
2   com.apple.AppKit         	0x9335b270 -[NSUIHeartBeat _heartBeatThread:] + 377
3   com.apple.Foundation     	0x927f02e0 forkThreadForFunction + 123
4   libSystem.B.dylib        	0x90024147 _pthread_body + 84

Thread 0 crashed with X86 Thread State (32-bit):
  eax: 0xbbadbeef  ebx: 0x00490e18  ecx: 0xa0001e80  edx: 0x00000000
  edi: 0x184489a0  esi: 0x184489a0  ebp: 0xbfffc4d8  esp: 0xbfffc4c0
   ss: 0x0000001f  efl: 0x00010286  eip: 0x00490e65   cs: 0x00000017
   ds: 0x0000001f   es: 0x0000001f   fs: 0x00000000   gs: 0x00000037
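The open question in the report is what this debug-build assertion turns into in a release build. The helper below is an added example (not part of this bug report or of WebKit) that parses a CrashReporter log of the format above, recognises the address WebKit's CRASH() macro deliberately faults on when an ASSERT fails, and files that separately from a genuine bad memory access; the embedded log is a constructed excerpt of the one in this report, trimmed to three frames.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# WebKit's CRASH() macro, reached when an ASSERT fails in a debug build, stores to
# this address on purpose, so a fault here is an assertion abort, not a stray pointer.
WEBKIT_ASSERT_ADDRESS = 0xBBADBEEF

_CODES_RE = re.compile(r"^Codes:\s+\S+\s+\(0x[0-9a-fA-F]+\)\s+at\s+0x([0-9a-fA-F]+)")
_CRASHED_RE = re.compile(r"^Thread\s+(\d+)\s+Crashed:")
_FRAME_RE = re.compile(
    r"^\d+\s+(\S+)\s+0x([0-9a-fA-F]+)\s+(.*?)"  # index, image, pc, symbol
    r"(?:\s+\+\s+(\d+))?"                       # optional "+ offset"
    r"(?:\s+\(([^()]+:\d+)\))?\s*$"             # optional "(file:line)"
)

@dataclass
class Frame:
    image: str
    pc: int
    symbol: str
    offset: Optional[int]
    location: Optional[str]

@dataclass
class CrashSummary:
    exception: Optional[str] = None
    fault_address: Optional[int] = None
    crashed_thread: Optional[int] = None
    frames: List[Frame] = field(default_factory=list)

    def is_webkit_assert(self) -> bool:
        return self.fault_address == WEBKIT_ASSERT_ADDRESS

    def top_frame(self) -> Optional[Frame]:
        return self.frames[0] if self.frames else None

def parse_crash_log(text: str) -> CrashSummary:
    """Pull exception, fault address and the crashed thread's frames from a 10.4-era CrashReporter log."""
    s, in_crashed = CrashSummary(), False
    for line in text.splitlines():
        if line.startswith("Exception:"):
            s.exception = line.split(":", 1)[1].strip()
        elif m := _CODES_RE.match(line):
            s.fault_address = int(m.group(1), 16)
        elif m := _CRASHED_RE.match(line):
            s.crashed_thread, in_crashed = int(m.group(1)), True
        elif in_crashed:
            if not line.strip():
                in_crashed = False  # a blank line ends the thread's backtrace
            elif m := _FRAME_RE.match(line):
                s.frames.append(Frame(m.group(1), int(m.group(2), 16), m.group(3),
                                      int(m.group(4)) if m.group(4) else None, m.group(5)))
    return s

def triage(s: CrashSummary) -> str:
    """Bucket a crash: a WebKit ASSERT fires only in debug builds, so it is filed apart from a real bad access."""
    if s.is_webkit_assert():
        return "assertion-failure"
    if s.exception and s.exception.startswith("EXC_BAD_ACCESS"):
        return "memory-access-fault"
    return "other"

# Constructed sample: an excerpt of the log in this report, cut to the first
# three frames of the crashed thread.
SAMPLE_LOG = """\
Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0xbbadbeef

Thread 0 Crashed:
0   com.apple.WebKit    0x00490e65 WebDocumentLoaderMac::decreaseLoadCount(unsigned long) + 89 (WebDocumentLoaderMac.mm:93)
1   com.apple.WebKit    0x00494130 WebFrameLoaderClient::dispatchDidFailLoading(WebCore::DocumentLoader*, unsigned long, WebCore::ResourceError const&) + 210 (WebFrameLoaderClient.mm:365)
2   com.apple.WebCore   0x0138a773 WebCore::ResourceLoader::didCancel(WebCore::ResourceError const&) + 331
"""
```

A log whose fault address is anything other than 0xbbadbeef under EXC_BAD_ACCESS lands in the memory-access-fault bucket, which is the case that needs a release-build retest and a memory-safety review.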
Comment 1 Brady Eidson 2007-04-16 11:21:25 PDT
<rdar://problem/5133420>

Also, this seems almost certainly related to http://bugs.webkit.org/show_bug.cgi?id=13360
Comment 2 Maxime BRITTO 2007-06-14 08:20:50 PDT
(In reply to comment #1)
> <rdar://problem/5133420>
> 
> also, this seems almost certainly related to
> http://bugs.webkit.org/show_bug.cgi?id=13360
> 
Bug 13360 is fixed now, but this one still occurs.
I think the problem is in the HTMLFrameElementBase::willRemove() call because:
 - if we "undo discard" on Gmail with a new message, contentFrame() returns 0
 - if we "undo discard" on Gmail with a reply message (the one which leads to the crash), contentFrame() returns something, so we get into the "if" condition and then we crash.

I've also tried commenting out everything inside the if and I can no longer reproduce the crash; obviously that is not the solution, but it shows it's related to this function and maybe we need to modify the condition by adding something to handle this particular case.
Comment 3 Maxime BRITTO 2007-06-19 01:44:48 PDT
Created attachment 15116 [details]
proposed patch

If a provisional frame loader never gets committed, this patch drops it if it's still alive when trying to detach the frame.
The bug is no longer reproducible and no test cases are affected by this.
However, I can't produce a layout test because I don't know why this provisional frame loader never gets committed.
Comment 4 Maciej Stachowiak 2007-06-25 19:48:14 PDT
Comment on attachment 15116 [details]
proposed patch

It should be impossible for the provisional document loader and the regular document loader to ever be the same:
> +    if ((m_provisionalDocumentLoader && m_documentLoader) && (m_provisionalDocumentLoader != m_documentLoader)) {
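Review bot: The `m_provisionalDocumentLoader != m_documentLoader` test in this condition is dead code if, as stated above, the two loaders can never be the same object; express it as an invariant instead, e.g. `ASSERT(m_provisionalDocumentLoader != m_documentLoader);` before the `if`, so a violation is caught in debug builds rather than silently skipping the cleanup, and reduce the condition to the two null checks, which also removes the redundant inner parentheses.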

Also, is the bug reproducible now or not? If the bug no longer happens, I'm not sure we should make a change. If it does, then it needs a test case.

r- until these comments are addressed.
Comment 5 Maxime BRITTO 2007-06-26 01:36:06 PDT
When I said the bug was no longer reproducible, I meant with this patch. If I remove the patch, I can reproduce the assertion error, so the bug still exists.
My main problem with this bug is the fact that I don't know why this frame loader never gets committed.
This patch fixes the bug, but I think I can find a more effective solution if I understand why it's happening.
Comment 6 Adele Peterson 2007-08-30 14:05:48 PDT
committed in r24087