esprehn: rniwa: I'd suggest rolling out r148092, r148026 and r147942 esprehn: unless you think you can fix removeChildren to be safe

Working on it. Hopefully I can find a proper fix by tomorrow morning your time. Otherwise I'll do the rollbacks.

This is the call stack causing the use after free: #0 0x000000010cc8da1e in WebCore::ScrollView::~ScrollView() at /Volumes/HDD/NonPerforce/WebKit/Source/WebCore/platform/ScrollView.cpp:66 #1 0x000000010bc0d10d in WebCore::FrameView::~FrameView() at /Volumes/HDD/NonPerforce/WebKit/Source/WebCore/page/FrameView.cpp:261 #2 0x000000010bc0cbe5 in WebCore::FrameView::~FrameView() at /Volumes/HDD/NonPerforce/WebKit/Source/WebCore/page/FrameView.cpp:236 #3 0x000000010bc0cbb9 in WebCore::FrameView::~FrameView() at /Volumes/HDD/NonPerforce/WebKit/Source/WebCore/page/FrameView.cpp:236 #4 0x000000010b4d84e3 in WTF::RefCounted<WebCore::Widget>::deref() at /Volumes/HDD/NonPerforce/WebKit/WebKitBuild/b114488/Debug/usr/local/include/wtf/RefCounted.h:202 #5 0x000000010b61625b in void WTF::derefIfNotNull<WebCore::FrameView>(WebCore::FrameView*) at /Volumes/HDD/NonPerforce/WebKit/WebKitBuild/b114488/Debug/usr/local/include/wtf/PassRefPtr.h:53 #6 0x000000010bbd8ed8 in WTF::RefPtr<WebCore::FrameView>::operator=(WTF::PassRefPtr<WebCore::FrameView> const&) at /Volumes/HDD/NonPerforce/WebKit/WebKitBuild/b114488/Debug/usr/local/include/wtf/RefPtr.h:134 #7 0x000000010bbd5085 in WebCore::Frame::setView(WTF::PassRefPtr<WebCore::FrameView>) at /Volumes/HDD/NonPerforce/WebKit/Source/WebCore/page/Frame.cpp:268 #8 0x000000010bbedef1 in WebCore::FrameLoader::closeAndRemoveChild(WebCore::Frame*) at /Volumes/HDD/NonPerforce/WebKit/Source/WebCore/loader/FrameLoader.cpp:2318 #9 0x000000010bbede25 in WebCore::FrameLoader::detachFromParent() at /Volumes/HDD/NonPerforce/WebKit/Source/WebCore/loader/FrameLoader.cpp:2398 #10 0x000000010bbee147 in WebCore::FrameLoader::frameDetached() at /Volumes/HDD/NonPerforce/WebKit/Source/WebCore/loader/FrameLoader.cpp:2376 #11 0x000000010bdafdd5 in WebCore::HTMLFrameOwnerElement::disconnectContentFrame() at /Volumes/HDD/NonPerforce/WebKit/Source/WebCore/html/HTMLFrameOwnerElement.cpp:84 #12 0x000000010b6e3497 in WebCore::ChildFrameDisconnector::disconnectCollectedFrameOwners() at /Volumes/HDD/NonPerforce/WebKit/Source/WebCore/dom/ContainerNodeAlgorithms.h:316 #13 0x000000010b6e06b1 in WebCore::ChildFrameDisconnector::disconnect(WebCore::ChildFrameDisconnector::DisconnectPolicy) at /Volumes/HDD/NonPerforce/WebKit/Source/WebCore/dom/ContainerNodeAlgorithms.h:336 #14 0x000000010b6dd75a in WebCore::ContainerNode::removeChildren() at /Volumes/HDD/NonPerforce/WebKit/Source/WebCore/dom/ContainerNode.cpp:596 #15 0x000000010c707476 in WebCore::replaceChildrenWithFragment(WebCore::ContainerNode*, WTF::PassRefPtr<WebCore::DocumentFragment>, int&) at /Volumes/HDD/NonPerforce/WebKit/Source/WebCore/editing/markup.cpp:1110 At first sight, it seems one of the children of the ScrollView is not properly reparented before the ScrollView is destroyed. I'll keep investigating.

Created attachment 197863 [details] Patch

*** Bug 114413 has been marked as a duplicate of this bug. ***

<rdar://problem/13632610>

*** This bug has been marked as a duplicate of bug 114521 ***