Bug 14201 - REGRESSION (r21367): WebKit Nightly on Safari 3.0beta crashes on startup with "Empty Page" as "New windows open with" setting
Status: RESOLVED DUPLICATE of bug 13880
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: 523.x (Safari 3)
Hardware: Mac OS X 10.4
Importance: P1 Major
Assignee: Nobody
URL:
Keywords: InRadar, Regression
Duplicates: 14278
Depends on:
Blocks:
 
Reported: 2007-06-17 13:00 PDT by Daniel Höpfl
Modified: 2007-06-22 09:46 PDT
CC List: 5 users

See Also:


Attachments
Crash log (23.51 KB, text/plain)
2007-06-17 23:48 PDT, Daniel Höpfl

Description Daniel Höpfl 2007-06-17 13:00:57 PDT
Since I updated to the Safari 3 beta all nightly builds of WebKit crash on startup.

- Safari 3 beta itself does not crash.
- Having "New windows open with" set to anything other than an empty page works (note: "Home Page" + empty URL also crashes).
- Starting WebKit with a URL does not crash.

Stack trace is:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0xfffeff20 in objc_msgSend_rtp ()
(gdb) bt
#0  0xfffeff20 in objc_msgSend_rtp ()
#1  0x0035cc50 in -[WebView(WebViewInternal) _addObject:forIdentifier:] ()
#2  0x0037d250 in WebFrameLoaderClient::assignIdentifierToInitialRequest ()
#3  0x0147a810 in WebCore::ResourceLoader::willSendRequest ()
#4  0x0147cd90 in WebCore::SubresourceLoader::willSendRequest ()
#5  0x0147c0d0 in WebCore::ResourceLoader::load ()
#6  0x0147d3e4 in WebCore::SubresourceLoader::load ()
#7  0x0147db54 in WebCore::SubresourceLoader::create ()
#8  0x011138f4 in WebCore::Loader::servePendingRequests ()
#9  0x0110f83c in WebCore::CachedCSSStyleSheet::CachedCSSStyleSheet ()
#10 0x0110e738 in WebCore::Cache::requestResource ()
#11 0x01112f48 in WebCore::DocLoader::requestResource ()
#12 0x010d9eb8 in WebCore::Frame::setUserStyleSheetLocation ()
#13 0x010da250 in WebCore::Frame::reparseConfiguration ()
#14 0x0110af08 in -[WebCoreFrameBridge reapplyStylesForDeviceType:] ()
#15 0x00332474 in -[WebHTMLView reapplyStyles] ()
#16 0x003324dc in -[WebHTMLView layoutToMinimumPageWidth:maximumPageWidth:adjustingViewSize:] ()
#17 0x00328250 in -[WebDynamicScrollBarsView updateScrollers] ()
#18 0x00328504 in -[WebDynamicScrollBarsView reflectScrolledClipView:] ()
#19 0x93a94c0c in -[NSClipView _reflectDocumentViewFrameChange] ()
#20 0x937d0074 in -[NSView _postFrameChangeNotification] ()
#21 0x937cdf24 in -[NSView setFrameSize:] ()
#22 0x937e27e8 in -[NSControl setFrameSize:] ()
#23 0x01253530 in WebCore::ScrollView::resizeContents ()
#24 0x010e6164 in WebCore::FrameView::layout ()
#25 0x01241644 in WebCore::TimerBase::fireTimers ()
#26 0x012416e0 in WebCore::TimerBase::sharedTimerFired ()
#27 0x907f2578 in __CFRunLoopDoTimer ()
#28 0x907deef8 in __CFRunLoopRun ()
#29 0x907de4ac in CFRunLoopRunSpecific ()
#30 0x9329bb20 in RunCurrentEventLoopInMode ()
#31 0x9329b1b4 in ReceiveNextEventCommon ()
#32 0x9329b020 in BlockUntilNextEventMatchingListInMode ()
#33 0x937a1ae4 in _DPSNextEvent ()
#34 0x937a17a8 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#35 0x00006770 in receive_samples ()
#36 0x9379dcec in -[NSApplication run] ()
#37 0x9388e87c in NSApplicationMain ()
#38 0x0000244c in ?? ()
#39 0x0004f1b0 in ?? ()
Comment 1 Mark Rowe (bdash) 2007-06-17 13:08:45 PDT
Can you please attach the full crash log?
Comment 2 Daniel Höpfl 2007-06-17 23:48:55 PDT
Created attachment 15096
Crash log

I have no Safari extensions installed and APE was disabled for this logfile.

One more important piece of info I just found: The crash depends on the user stylesheet!

Even a minimal user stylesheet (like "p { color:red; }") triggers the crash for the empty page.
Comment 3 Mark Rowe (bdash) 2007-06-18 01:39:32 PDT
Thanks for the update Daniel!  I asked someone on #webkit to test your theory and they confirmed that a nightly build crashes on startup with the "Empty page" preference set and an empty user stylesheet.  Removing the user stylesheet or changing the preference prevented the crash.
Comment 4 David Kilzer (:ddkilzer) 2007-06-18 05:53:01 PDT
(In reply to comment #2)
> One more important piece of info I just found: The crash depends on the user stylesheet!

This sounds similar to Bug 13880 that Brady and Anders fixed just before WWDC.  Hmm...the stack trace looks different, though.

Comment 5 Mark Rowe (bdash) 2007-06-18 10:55:56 PDT
<rdar://problem/5276257>
Comment 6 mitz 2007-06-21 23:56:23 PDT
Regressed in <http://trac.webkit.org/projects/webkit/changeset/21367>.

I think the root cause is a Safari bug, though: Safari's implementation of -webView:identifierForInitialRequest:fromDataSource: returns the freed object when it's called from WebFrameLoaderClient::assignIdentifierToInitialRequest() for the user stylesheet. The regression is probably due to the fact that the delegate method is called sooner than it used to be, which exposed the Safari bug.
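The ownership mistake mitz describes in comment 6, reduced to a small C model. This is an added illustration and not code from Safari or WebKit: the objects, retain counts and autorelease pool below are a stand-in for the Objective-C runtime, and `delegate_buggy`, `delegate_fixed` and `loader_add_object` are hypothetical names for the two sides of -webView:identifierForInitialRequest:fromDataSource: and -[WebView _addObject:forIdentifier:]. In the model, freeing an object clears its class pointer, so a message sent to the stale receiver reads address 0, which is one way to end up with a fault at 0x00000000 inside objc_msgSend as in the trace above.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for Objective-C objects: a class pointer ("isa") and a
 * retain count. Objects live in a static pool so that the dangling
 * pointer in the buggy path is observable rather than undefined
 * behaviour. This is a model for illustration, not the real runtime. */
typedef struct obj {
    const char *isa;      /* NULL once the object has been freed */
    int refcount;
    char name[32];
} obj_t;

#define POOL_SIZE 8
static obj_t heap[POOL_SIZE];

/* Autorelease pool: objects released when the current event finishes. */
static obj_t *autoreleased[POOL_SIZE];
static size_t autoreleased_count;

static obj_t *obj_new(const char *name) {
    for (size_t i = 0; i < POOL_SIZE; i++) {
        if (heap[i].isa == NULL) {
            heap[i].isa = "NSObject";
            heap[i].refcount = 1;
            strncpy(heap[i].name, name, sizeof heap[i].name - 1);
            heap[i].name[sizeof heap[i].name - 1] = '\0';
            return &heap[i];
        }
    }
    return NULL;
}

static obj_t *obj_retain(obj_t *o) { o->refcount++; return o; }

/* Dropping the last reference "frees" the object: the class pointer is
 * cleared, mimicking what a later message send would trip over. */
static void obj_release(obj_t *o) {
    if (--o->refcount == 0) o->isa = NULL;
}

static obj_t *obj_autorelease(obj_t *o) {
    autoreleased[autoreleased_count++] = o;
    return o;
}

static void autorelease_pool_drain(void) {
    for (size_t i = 0; i < autoreleased_count; i++) obj_release(autoreleased[i]);
    autoreleased_count = 0;
}

/* objc_msgSend stand-in: a live receiver has a non-NULL isa. */
static int obj_is_alive(const obj_t *o) { return o != NULL && o->isa != NULL; }

/* Loader side, modelled on -[WebView _addObject:forIdentifier:]: the
 * identifier goes into a table that retains it, as NSMutableDictionary
 * would. Returns -1 where the real code would crash in objc_msgSend. */
static obj_t *identifiers[4];
static int loader_add_object(obj_t *ident, int slot) {
    if (!obj_is_alive(ident)) return -1;
    identifiers[slot] = obj_retain(ident);
    return 0;
}

/* Hypothetical buggy delegate: releases its only reference before
 * handing the identifier back, so the loader receives a dead object. */
static obj_t *delegate_buggy(void) {
    obj_t *ident = obj_new("user-stylesheet");
    obj_release(ident);
    return ident;
}

/* Hypothetical corrected delegate: returns an autoreleased object, which
 * stays alive until the pool drains, by which time the loader's own
 * retain keeps it around. */
static obj_t *delegate_fixed(void) {
    return obj_autorelease(obj_new("user-stylesheet"));
}

/* One assignIdentifierToInitialRequest round trip followed by the end of
 * the event (pool drain). Returns 0 if the stored identifier is still
 * usable afterwards, -1 if the delegate returned a dead object, -2 if it
 * died later. */
static int run_scenario(int fixed) {
    memset(heap, 0, sizeof heap);
    memset(identifiers, 0, sizeof identifiers);
    autoreleased_count = 0;

    obj_t *ident = fixed ? delegate_fixed() : delegate_buggy();
    int rc = loader_add_object(ident, 0);
    autorelease_pool_drain();
    if (rc != 0) return rc;
    return obj_is_alive(identifiers[0]) ? 0 : -2;
}

int main(void) {
    printf("buggy delegate: %d\n", run_scenario(0));
    printf("fixed delegate: %d\n", run_scenario(1));
    return 0;
}
```

The point of the model is the timing that comment 6 calls out: as long as the delegate is invoked late enough that something else still holds the identifier, the buggy path is never noticed; calling it earlier (here, for the user stylesheet on an empty page) is what surfaces the freed receiver.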
Comment 7 Andrew Wellington 2007-06-22 04:50:38 PDT
*** Bug 14278 has been marked as a duplicate of this bug. ***
Comment 8 John Sullivan 2007-06-22 09:46:50 PDT
This is bug 13880, which has been fixed in TOT but not in the beta branch.

*** This bug has been marked as a duplicate of 13880 ***