WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
13059
REGRESSION: Crash in HTMLFormElement when clicking link trying to open in same window.
https://bugs.webkit.org/show_bug.cgi?id=13059
Summary
REGRESSION: Crash in HTMLFormElement when clicking link trying to open in sam...
Jon
Reported
2007-03-13 12:40:48 PDT
As of
r20152
, ToT crashes when clicking one of the forum links at
http://www.maclife.com/forums
which would open in the same window or tab. Command-clicking the link to open it in a new tab and copy-pasting the link into a new tab does not crash. This does not occur in the latest nightly (
r20136
) and so I think it may be caused by the changes in
r20148
. Exception: EXC_BAD_ACCESS (0x0001) Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000000 Thread 0 Crashed: 0 <<00000000>> 0x00000000 0 + 0 1 com.apple.WebCore 0x010aba08 WebCore::HTMLFormElement::~HTMLFormElement [in-charge deleting]() + 72 (HashTable.h:272) 2 com.apple.WebCore 0x010d8824 WebCore::ContainerNode::removeAllChildren() + 292 (ContainerNode.cpp:94) 3 com.apple.WebCore 0x010d1d4c WebCore::Document::removedLastRef() + 540 (HashMap.h:345) 4 com.apple.WebCore 0x01304c60 WebCore::Event::~Event [in-charge deleting]() + 144 (RefPtr.h:41) 5 com.apple.WebCore 0x0125a764 KJS::DOMEvent::~DOMEvent [not-in-charge]() + 116 (Shared.h:52) 6 com.apple.JavaScriptCore 0x004745b0 KJS::Collector::collect() + 464 (collector.cpp:662) 7 com.apple.WebCore 0x012671ec WebCore::KJSProxy::~KJSProxy [in-charge]() + 108 (JSLock.h:59) 8 com.apple.WebCore 0x010beb90 WebCore::FramePrivate::~FramePrivate [in-charge]() + 48 (FastMalloc.h:65) 9 com.apple.WebCore 0x010bf208 WebCore::Frame::~Frame [in-charge deleting]() + 424 (FastMalloc.h:65) 10 com.apple.WebCore 0x0120014c WebCore::TimerBase::fireTimers(double, WTF::Vector<WebCore::TimerBase*, (unsigned long)0> const&) + 156 (Timer.cpp:322) 11 com.apple.WebCore 0x012001e0 WebCore::TimerBase::sharedTimerFired() + 112 (Timer.cpp:355) 12 com.apple.CoreFoundation 0x907f2578 __CFRunLoopDoTimer + 184 13 com.apple.CoreFoundation 0x907deef8 __CFRunLoopRun + 1680 14 com.apple.CoreFoundation 0x907de4ac CFRunLoopRunSpecific + 268 15 com.apple.HIToolbox 0x93298b20 RunCurrentEventLoopInMode + 264 16 com.apple.HIToolbox 0x932981b4 ReceiveNextEventCommon + 380 17 com.apple.HIToolbox 0x93298020 BlockUntilNextEventMatchingListInMode + 96 18 com.apple.AppKit 0x9379eae4 _DPSNextEvent + 384 19 com.apple.AppKit 0x9379e7a8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116 20 com.apple.SafariDev 0x00006740 0x1000 + 22336 21 com.apple.AppKit 0x9379acec -[NSApplication run] + 472 22 com.apple.AppKit 0x9388b87c NSApplicationMain + 452 23 com.apple.SafariDev 0x0005c77c 0x1000 + 374652 24 com.apple.SafariDev 0x0005c624 0x1000 + 374308
Attachments
Add attachment
proposed patch, testcase, etc.
Mark Rowe (bdash)
Comment 1
2007-03-14 00:21:31 PDT
I can reproduce this with ToT. Malloc logs an error to the console complaining about freeing an unalligned pointer.
Mark Rowe (bdash)
Comment 2
2007-03-14 00:58:54 PDT
<
rdar://problem/5062040
>
mitz
Comment 3
2007-03-14 10:44:00 PDT
***
Bug 13069
has been marked as a duplicate of this bug. ***
mitz
Comment 4
2007-03-15 12:35:11 PDT
Apparently fixed in <
http://trac.webkit.org/projects/webkit/changeset/20214
>.
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug