Bug 9833 - REGRESSION: Reproducible crash: RenderMenuList.cpp:58: failed assertion `!m_first'
Status: RESOLVED FIXED
Product: WebKit
Component: Forms
Version: 420+
Hardware/OS: Macintosh Mac OS X 10.4
Importance: P1 Critical
Assigned To:
Keywords: Regression
Reported: 2006-07-10 07:42 PST by
Modified: 2006-07-10 08:48 PST (History)


Attachments
Reduction (98 bytes, text/html), 2006-07-10 07:44 PST, mitz@webkit.org, no flags
patch, including change log and Mitz's reduction as a manual test (4.68 KB, patch), 2006-07-10 08:41 PST, Darin Adler, andersca: review+



Description From 2006-07-10 07:42:02 PST
In a debug build of WebKit r15300 (plus Patch v4 from Bug 9179) on Safari 2.0.4 (419.3) on Mac OS X 10.4.7 (8J135/PowerPC), I get a reproducible assertion failure when changing the "Review" popup to "?" on the "Create attachment" web page:

/Users/ddkilzer/Projects/Cocoa/WebKit/WebCore/rendering/RenderMenuList.cpp:58: failed assertion `!m_first'
Abort trap

Steps to reproduce:

1. Start debug build of WebKit+Safari with NativePopUps.
2. Access a "Create attachment" link: http://bugzilla.opendarwin.org/attachment.cgi?bugid=9833&action=enter
3. On the "Flags review" popup, change the value to "?".

Expected results:

Flags review popup changes to "?".

Actual results:

Assertion failure and crash (not even a crash log generated).
------- Comment #1 From 2006-07-10 07:44:46 PST -------
Created an attachment (id=9340)
Reduction
------- Comment #2 From 2006-07-10 07:45:00 PST -------
This does not end up crashing in a release build, so this might not block our submission today. The page works as expected.
------- Comment #3 From 2006-07-10 07:49:55 PST -------
There is a way to crash this under Release.

0) Release build.
1) Go to the attached reduction.
2) Select "Click Me"
3) Then select the blank item.
4) Close the window and it will crash.

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x000000a8

Thread 0 Crashed:
0   com.apple.WebCore            0x01182882 WebCore::RenderContainer::destroyLeftoverChildren() + 22 (RenderContainer.cpp:64)
1   com.apple.WebCore            0x0118926c WebCore::RenderFlow::destroy() + 44 (RenderFlow.cpp:188)
2   com.apple.WebCore            0x01243765 WebCore::Node::detach() + 41 (Node.cpp:721)
3   com.apple.WebCore            0x010f6be1 WebCore::ContainerNode::detach() + 29 (Node.h:92)
4   com.apple.WebCore            0x010f6be1 WebCore::ContainerNode::detach() + 29 (Node.h:92)
5   com.apple.WebCore            0x010f6be1 WebCore::ContainerNode::detach() + 29 (Node.h:92)
6   com.apple.WebCore            0x010ed194 WebCore::Document::detach() + 216 (Document.cpp:987)
7   com.apple.WebCore            0x010d6422 WebCore::FrameMac::setView(WebCore::FrameView*) + 282 (FrameMac.mm:574)
8   com.apple.WebCore            0x010f9b50 -[WebCoreFrameBridge close] + 34 (WebCoreFrameBridge.mm:503)
9   com.apple.WebKit             0x00320eb8 -[WebFrameBridge close] + 49 (WebFrameBridge.m:658)
10  com.apple.WebKit             0x0032e05c -[WebFrame(WebPrivate) _detachFromParent] + 359 (WebFrame.m:580)
11  com.apple.WebKit             0x00357214 -[WebView(WebPrivate) _close] + 135 (WebView.m:603)
------- Comment #4 From 2006-07-10 08:41:15 PST -------
Created an attachment (id=9345)
patch, including change log and Mitz's reduction as a manual test
------- Comment #5 From 2006-07-10 08:45:33 PST -------
(From update of attachment 9345)
r=me
------- Comment #6 From 2006-07-10 08:48:14 PST -------
Committed revision 15303.