Created attachment 64634 [details] Simple test case to repro the bug Navigating back/forward during a modal dialog causes a crash when the modal dialog is dismissed. Of course, it shouldn't normally be possible to travel back/forward while a modal dialog is showing. But enforcing this is up to to the WebKit application itself. This crash can be seen in Safari, for example: 1 - Visit any page (such as this bugzilla) 2 - Visit the attached example 3 - Note the back button is enabled, but you can't click it. 4 - Getting around that by using a trackpad, Magic Trackpad, or Magic Mouse, navigate back using a two fingered swipe. 5 - Note the page navigates in the background behind the modal dialog 6 - Dismiss the modal dialog 7 - Crash > 1 com.apple.WebCore 0x7fff83601284 WebCore::Document::ownerElement() const + 0x4 2 com.apple.WebCore 0x7fff8364d482 WebCore::DOMWindow::dispatchLoadEvent() + 0xc2 3 com.apple.WebCore 0x7fff835e624f WebCore::Document::implicitClose() + 0x13f 4 com.apple.WebCore 0x7fff835e5ee6 WebCore::FrameLoader::checkCompleted() + 0xa6 5 com.apple.WebCore 0x7fff835e6737 WebCore::FrameLoader::completed() + 0x97 6 com.apple.WebCore 0x7fff835e5efe WebCore::FrameLoader::checkCompleted() + 0xbe 7 com.apple.WebCore 0x7fff83706fbf WebCore::Loader::Host::didFinishLoading(WebCore::SubresourceLoader*) + 0xdf 8 com.apple.WebCore 0x7fff83706e41 WebCore::SubresourceLoader::didFinishLoading() + 0x31 9 com.apple.Foundation 0x7fff851bfb6c _NSURLConnectionDidFinishLoading + 0x71 10 com.apple.CFNetwork 0x7fff85a7306e URLConnectionClient::_clientDidFinishLoading(URLConnectionClient::ClientConnectionEventQueue*) + 0xae 11 com.apple.CFNetwork 0x7fff85ad83e2 URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 0xfe 12 com.apple.CFNetwork 0x7fff85a5f79f URLConnectionClient::processEvents() + 0x79 13 com.apple.CFNetwork 0x7fff85a5f57c MultiplexerSource::perform() + 0xa0 14 com.apple.CoreFoundation 0x7fff87ec7e91 __CFRunLoopDoSources0 + 0x551 15 com.apple.CoreFoundation 0x7fff87ec6089 __CFRunLoopRun + 0x369 16 com.apple.CoreFoundation 0x7fff87ec584f CFRunLoopRunSpecific + 0x23f 17 com.apple.HIToolbox 0x7fff85f3691a RunCurrentEventLoopInMode + 0x14d 18 com.apple.HIToolbox 0x7fff85f3671f ReceiveNextEventCommon + 0x136 19 com.apple.HIToolbox 0x7fff85f365d8 BlockUntilNextEventMatchingListInMode + 0x3b 20 com.apple.AppKit 0x7fff8803429e _DPSNextEvent + 0x2c4 21 com.apple.AppKit 0x7fff88033bed -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 0x9b 22 com.apple.Safari 0x100015940 -[BrowserApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 0x0 (/SourceCache/WebBrowser/WebBrowser-7533.17.8/mac/BrowserApplication.mm:411) 23 com.apple.AppKit 0x7fff87ff98d3 -[NSApplication run] + 0x18b 24 com.apple.AppKit 0x7fff87ff25f8 NSApplicationMain + 0x16c 25 com.apple.Safari 0x10000980c start + 0x0 Sadly, due to the variance of the ways an app might implement a modal dialog, it's not possible for WebKit/WebCore to directly know that the app is spinning an inner runloop. But if a PageGroupLoadDeferrer is in place and the Page's loads are deferred, this is a good enough hint that we shouldn't be navigating. A patch based on this notion is coming soon.