Bug 9833

Summary: REGRESSION: Reproducible crash: RenderMenuList.cpp:58: failed assertion `!m_first'
Product: WebKit Reporter: David Kilzer (:ddkilzer) <ddkilzer>
Component: FormsAssignee: Darin Adler <darin>
Status: RESOLVED FIXED    
Severity: Critical CC: adele, darin
Priority: P1 Keywords: Regression
Version: 420+   
Hardware: Mac   
OS: OS X 10.4   
Attachments:
Description Flags
Reduction
none
patch, including change log and Mitz's reduction as a manual test andersca: review+

David Kilzer (:ddkilzer)
Reported 2006-07-10 07:42:02 PDT
In a debug build of WebKit r15300 (plus Patch v4 from Bug 9179) on Safari 2.0.4 (419.3) on Mac OS X 10.4.7 (8J135/PowerPC), I get a reproducible assertion failure when changing the "Review" popup to "?" on the "Create attachment" web page: /Users/ddkilzer/Projects/Cocoa/WebKit/WebCore/rendering/RenderMenuList.cpp:58: failed assertion `!m_first' Abort trap Steps to reproduce: 1. Start debug build of WebKit+Safari with NativePopUps. 2. Access a "Create attachment" link: http://bugzilla.opendarwin.org/attachment.cgi?bugid=9833&action=enter 3. On the "Flags review" popup, change the value to "?". Expected results: Flags review popup changes to "?". Actual results: Assertion failure an crash (not even a crash log generated).
Attachments
Reduction (98 bytes, text/html)
2006-07-10 07:44 PDT, mitz 		no flags
Details
patch, including change log and Mitz's reduction as a manual test (4.68 KB, patch)
2006-07-10 08:41 PDT, Darin Adler 		andersca: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
mitz
Comment 1 2006-07-10 07:44:46 PDT
Created attachment 9340 [details] Reduction
Timothy Hatcher
Comment 2 2006-07-10 07:45:00 PDT
This does not end up crashing in a release build, so this might not block our submission today. The page works as expected.
Timothy Hatcher
Comment 3 2006-07-10 07:49:55 PDT
There is a way to crash this under Release. 0) Release build. 1) Go to the attached reduction. 2) Select "Click Me" 3) Then select the blank item. 4) Close the window and it will crash. Exception: EXC_BAD_ACCESS (0x0001) Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x000000a8 Thread 0 Crashed: 0 com.apple.WebCore 0x01182882 WebCore::RenderContainer::destroyLeftoverChildren() + 22 (RenderContainer.cpp:64) 1 com.apple.WebCore 0x0118926c WebCore::RenderFlow::destroy() + 44 (RenderFlow.cpp:188) 2 com.apple.WebCore 0x01243765 WebCore::Node::detach() + 41 (Node.cpp:721) 3 com.apple.WebCore 0x010f6be1 WebCore::ContainerNode::detach() + 29 (Node.h:92) 4 com.apple.WebCore 0x010f6be1 WebCore::ContainerNode::detach() + 29 (Node.h:92) 5 com.apple.WebCore 0x010f6be1 WebCore::ContainerNode::detach() + 29 (Node.h:92) 6 com.apple.WebCore 0x010ed194 WebCore::Document::detach() + 216 (Document.cpp:987) 7 com.apple.WebCore 0x010d6422 WebCore::FrameMac::setView(WebCore::FrameView*) + 282 (FrameMac.mm:574) 8 com.apple.WebCore 0x010f9b50 -[WebCoreFrameBridge close] + 34 (WebCoreFrameBridge.mm:503) 9 com.apple.WebKit 0x00320eb8 -[WebFrameBridge close] + 49 (WebFrameBridge.m:658) 10 com.apple.WebKit 0x0032e05c -[WebFrame(WebPrivate) _detachFromParent] + 359 (WebFrame.m:580) 11 com.apple.WebKit 0x00357214 -[WebView(WebPrivate) _close] + 135 (WebView.m:603)
Darin Adler
Comment 4 2006-07-10 08:41:15 PDT
Created attachment 9345 [details] patch, including change log and Mitz's reduction as a manual test
Anders Carlsson
Comment 5 2006-07-10 08:45:33 PDT
Comment on attachment 9345 [details] patch, including change log and Mitz's reduction as a manual test r=me
Darin Adler
Comment 6 2006-07-10 08:48:14 PDT
Committed revision 15303.
Note You need to log in before you can comment on or make changes to this bug.