Bug 13059 - REGRESSION: Crash in HTMLFormElement when clicking link trying to open in same window.
Summary: REGRESSION: Crash in HTMLFormElement when clicking link trying to open in same window.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: 523.x (Safari 3)
Hardware: Mac (PowerPC) OS X 10.4
Importance: P1 Normal
Assignee: Nobody
URL: http://www.maclife.com/forums
Keywords: InRadar, NeedsReduction, Regression
Duplicates: 13069
Depends on:
Blocks:
 
Reported: 2007-03-13 12:40 PDT by Jon
Modified: 2007-03-15 12:35 PDT
CC: 2 users

See Also:


Attachments

Description Jon 2007-03-13 12:40:48 PDT
As of r20152, ToT crashes when clicking one of the forum links at http://www.maclife.com/forums which would open in the same window or tab. Command-clicking the link to open it in a new tab and copy-pasting the link into a new tab do not crash. This does not occur in the latest nightly (r20136), so I think it may be caused by the changes in r20148.


Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000000

Thread 0 Crashed:
0   <<00000000>> 	0x00000000 0 + 0
1   com.apple.WebCore              	0x010aba08 WebCore::HTMLFormElement::~HTMLFormElement [in-charge deleting]() + 72 (HashTable.h:272)
2   com.apple.WebCore              	0x010d8824 WebCore::ContainerNode::removeAllChildren() + 292 (ContainerNode.cpp:94)
3   com.apple.WebCore              	0x010d1d4c WebCore::Document::removedLastRef() + 540 (HashMap.h:345)
4   com.apple.WebCore              	0x01304c60 WebCore::Event::~Event [in-charge deleting]() + 144 (RefPtr.h:41)
5   com.apple.WebCore              	0x0125a764 KJS::DOMEvent::~DOMEvent [not-in-charge]() + 116 (Shared.h:52)
6   com.apple.JavaScriptCore       	0x004745b0 KJS::Collector::collect() + 464 (collector.cpp:662)
7   com.apple.WebCore              	0x012671ec WebCore::KJSProxy::~KJSProxy [in-charge]() + 108 (JSLock.h:59)
8   com.apple.WebCore              	0x010beb90 WebCore::FramePrivate::~FramePrivate [in-charge]() + 48 (FastMalloc.h:65)
9   com.apple.WebCore              	0x010bf208 WebCore::Frame::~Frame [in-charge deleting]() + 424 (FastMalloc.h:65)
10  com.apple.WebCore              	0x0120014c WebCore::TimerBase::fireTimers(double, WTF::Vector<WebCore::TimerBase*, (unsigned long)0> const&) + 156 (Timer.cpp:322)
11  com.apple.WebCore              	0x012001e0 WebCore::TimerBase::sharedTimerFired() + 112 (Timer.cpp:355)
12  com.apple.CoreFoundation       	0x907f2578 __CFRunLoopDoTimer + 184
13  com.apple.CoreFoundation       	0x907deef8 __CFRunLoopRun + 1680
14  com.apple.CoreFoundation       	0x907de4ac CFRunLoopRunSpecific + 268
15  com.apple.HIToolbox            	0x93298b20 RunCurrentEventLoopInMode + 264
16  com.apple.HIToolbox            	0x932981b4 ReceiveNextEventCommon + 380
17  com.apple.HIToolbox            	0x93298020 BlockUntilNextEventMatchingListInMode + 96
18  com.apple.AppKit               	0x9379eae4 _DPSNextEvent + 384
19  com.apple.AppKit               	0x9379e7a8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
20  com.apple.SafariDev            	0x00006740 0x1000 + 22336
21  com.apple.AppKit               	0x9379acec -[NSApplication run] + 472
22  com.apple.AppKit               	0x9388b87c NSApplicationMain + 452
23  com.apple.SafariDev            	0x0005c77c 0x1000 + 374652
24  com.apple.SafariDev            	0x0005c624 0x1000 + 374308
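The trace above can be triaged mechanically. The following Python is an added example, not part of the bug report or of WebKit: it parses the crashing thread of a Mac OS X crash log, flags a program counter of zero (the CPU fetched an instruction from address 0, which means control was transferred through a null or corrupted function pointer rather than a plain bad data access), picks out the first frame that carries a source location, and lists the destructor chain on the stack so the teardown cascade is visible at a glance. The sample input is the thread 0 trace from this report, cut after the first CoreFoundation frame; the function, class and field names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Thread 0 of the crash log from the report above, cut after the first
# CoreFoundation frame; the remaining frames are run-loop and AppKit plumbing.
CRASH_LOG = """\
Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000000

Thread 0 Crashed:
0   <<00000000>>              0x00000000 0 + 0
1   com.apple.WebCore         0x010aba08 WebCore::HTMLFormElement::~HTMLFormElement [in-charge deleting]() + 72 (HashTable.h:272)
2   com.apple.WebCore         0x010d8824 WebCore::ContainerNode::removeAllChildren() + 292 (ContainerNode.cpp:94)
3   com.apple.WebCore         0x010d1d4c WebCore::Document::removedLastRef() + 540 (HashMap.h:345)
4   com.apple.WebCore         0x01304c60 WebCore::Event::~Event [in-charge deleting]() + 144 (RefPtr.h:41)
5   com.apple.WebCore         0x0125a764 KJS::DOMEvent::~DOMEvent [not-in-charge]() + 116 (Shared.h:52)
6   com.apple.JavaScriptCore  0x004745b0 KJS::Collector::collect() + 464 (collector.cpp:662)
7   com.apple.WebCore         0x012671ec WebCore::KJSProxy::~KJSProxy [in-charge]() + 108 (JSLock.h:59)
8   com.apple.WebCore         0x010beb90 WebCore::FramePrivate::~FramePrivate [in-charge]() + 48 (FastMalloc.h:65)
9   com.apple.WebCore         0x010bf208 WebCore::Frame::~Frame [in-charge deleting]() + 424 (FastMalloc.h:65)
10  com.apple.WebCore         0x0120014c WebCore::TimerBase::fireTimers(double, WTF::Vector<WebCore::TimerBase*, (unsigned long)0> const&) + 156 (Timer.cpp:322)
11  com.apple.WebCore         0x012001e0 WebCore::TimerBase::sharedTimerFired() + 112 (Timer.cpp:355)
12  com.apple.CoreFoundation  0x907f2578 __CFRunLoopDoTimer + 184
"""

EXC_RE = re.compile(r"^Exception:\s+(\S+)", re.M)
CODES_RE = re.compile(r"^Codes:\s+(\S+)\s+\(0x[0-9a-f]+\)\s+at\s+(0x[0-9a-f]+)", re.M | re.I)
# index, module, address, symbol text, optional trailing "(file:line)" from debug info
FRAME_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(0x[0-9a-f]+)\s+(.*?)(?:\s+\(([^()]+:\d+)\))?\s*$", re.I)


@dataclass
class Frame:
    index: int
    module: str
    address: int
    symbol: str              # e.g. "WebCore::Frame::~Frame [in-charge deleting]() + 424"
    location: Optional[str]  # "file.cpp:line" when the frame was symbolized


@dataclass
class Triage:
    exception: str
    code: str
    fault_address: int
    pc: int
    null_pc_call: bool          # pc on the (never mapped) first page: call through a bad function pointer
    first_symbolized: Optional[Frame]
    teardown_chain: List[str]   # destructors on the stack, outermost first
    gc_on_stack: bool           # a JavaScriptCore collection ran inside the chain


def function_name(symbol: str) -> str:
    """Drop the '[in-charge ...]' tag, the argument list and the '+ offset'."""
    return re.split(r"\s*(?:[\[(]|\+\s)", symbol, maxsplit=1)[0]


def parse_crashed_thread(log: str) -> List[Frame]:
    """Return the frames of the 'Thread N Crashed:' block, innermost first."""
    frames: List[Frame] = []
    in_thread = False
    for line in log.splitlines():
        if line.startswith("Thread") and line.rstrip().endswith("Crashed:"):
            in_thread = True
            continue
        if not in_thread:
            continue
        m = FRAME_RE.match(line)
        if not m:
            break  # a blank line or the next thread header ends the block
        frames.append(Frame(int(m.group(1)), m.group(2), int(m.group(3), 16), m.group(4), m.group(5)))
    return frames


def triage(log: str) -> Triage:
    frames = parse_crashed_thread(log)
    exc, codes = EXC_RE.search(log), CODES_RE.search(log)
    pc = frames[0].address if frames else 0
    destructors = [function_name(f.symbol) for f in frames if "::~" in f.symbol]
    return Triage(
        exception=exc.group(1) if exc else "?",
        code=codes.group(1) if codes else "?",
        fault_address=int(codes.group(2), 16) if codes else 0,
        pc=pc,
        null_pc_call=bool(frames) and pc < 0x1000,  # heuristic: page 0 is never executable
        first_symbolized=next((f for f in frames if f.location), None),
        teardown_chain=list(reversed(destructors)),
        gc_on_stack=any("Collector::collect" in f.symbol for f in frames),
    )


def summarize(t: Triage) -> str:
    parts = [f"{t.exception}/{t.code} at {t.fault_address:#010x}, pc={t.pc:#010x}"]
    if t.null_pc_call:
        parts.append("pc is on page 0: control went through a null or corrupted function pointer")
    if t.first_symbolized:
        f = t.first_symbolized
        parts.append(f"caller: {function_name(f.symbol)} at {f.location}")
    if t.teardown_chain:
        parts.append("teardown chain: " + " -> ".join(t.teardown_chain))
    if t.gc_on_stack:
        parts.append("a JS garbage collection ran in the middle of the teardown")
    return "; ".join(parts)


if __name__ == "__main__":
    print(summarize(triage(CRASH_LOG)))
```

Run against the trace above, the summary reports a null program counter called from WebCore::HTMLFormElement::~HTMLFormElement at HashTable.h:272, a destructor chain Frame -> FramePrivate -> KJSProxy -> DOMEvent -> Event -> HTMLFormElement, and a garbage collection pass in between; that matches the reporter's observation that the crash is in the form element's destructor and the "freeing an unaligned pointer" malloc complaint in comment 1, both of which point at an object being torn down while something still refers to it.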
Comment 1 Mark Rowe (bdash) 2007-03-14 00:21:31 PDT
I can reproduce this with ToT.  Malloc logs an error to the console complaining about freeing an unaligned pointer.
Comment 2 Mark Rowe (bdash) 2007-03-14 00:58:54 PDT
<rdar://problem/5062040>
Comment 3 mitz 2007-03-14 10:44:00 PDT
*** Bug 13069 has been marked as a duplicate of this bug. ***
Comment 4 mitz 2007-03-15 12:35:11 PDT
Apparently fixed in <http://trac.webkit.org/projects/webkit/changeset/20214>.