Bug 13124 - REGRESSION: Reproducible crash in Widget::getView
Summary: REGRESSION: Reproducible crash in Widget::getView
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: 523.x (Safari 3)
Hardware: All
OS: OS X 10.4
Importance: P1 Major
Assignee: Nobody
URL:
Keywords: HasReduction, InRadar, Regression
Depends on:
Blocks:
 
Reported: 2007-03-19 17:08 PDT by Tom Brown
Modified: 2007-03-23 21:24 PDT
CC List: 3 users

See Also:


Attachments
Two html files comprising reduction. (840 bytes, application/octet-stream)
2007-03-21 17:41 PDT, Tom Brown
no flags
Fix crash in getView() (375 bytes, patch)
2007-03-23 02:05 PDT, mitz
no flags
Fix crash in getView() (3.87 KB, patch)
2007-03-23 10:21 PDT, mitz
adele: review+

Description Tom Brown 2007-03-19 17:08:55 PDT
Within my webapp, a certain interaction *always* causes a crash. It appears as though javascript code continues to execute in the context of a GC'd window. As of yet, I have not been able to create a reduction or successfully break before the crash in Drosera.

The interaction involves 3 windows (1 outer window, 1 outer iframe, and 1 nested iframe):
1) The nested iframe initiates an AJAX request in the context of the outer window.
2) When the AJAX request completes, the outer window replaces the outer iframe with another iframe.
3) One of the iframe elements attempts to initiate another AJAX request in the context of the outer window.
4) The iframe has been cleaned up, and crashes attempting to call "Window::retrieveActive(exec)->frame()->document()" because there is no associated frame.
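Added illustration of the four steps in the description, written out as two files. This is not the reporter's attachment 13754 and not WebKit code; the file names outer.html and inner.html, the helper names requestFromOuter and replaceOuterIframe, and serving both files from one same-origin web server (XHR is not available from file://) are assumptions. The nested iframe asks the outer window to create and send the XMLHttpRequest, passes it a callback that lives in the nested iframe's script context, and that callback tears down its own frame before starting a second request, which is the point where the reporter's build reaches Window::retrieveActive(exec)->frame()->document() with no frame. Current engines discard a removed frame's browsing context (so window.top may return null from inside it), which is why the top window is captured before the teardown; the block documents the interaction rather than reproducing a crash in a modern browser.

```html
<!-- Added illustration; not attachment 13754 and not WebKit code. File names,
     helper names and the same-origin web server are assumed. -->

<!-- ===== outer.html: the top-level window ===== -->
<!DOCTYPE html>
<html>
<body>
<script>
  // Step 1 support: the nested iframe calls this so that the XMLHttpRequest is
  // created and sent by the *outer* window, while the callback it passes still
  // belongs to the nested iframe's script context.
  function requestFromOuter(callback) {
    var xhr = new XMLHttpRequest();
    xhr.onreadystatechange = function () {
      if (xhr.readyState === 4) callback(xhr);
    };
    // Any same-origin URL works; the query string defeats caching.
    xhr.open('GET', 'inner.html?bust=' + Date.now(), true);
    xhr.send(null);
  }

  // Step 2: replace the outer iframe (and therefore the nested iframe whose
  // callback is currently running) with a fresh one.
  function replaceOuterIframe() {
    var old = document.getElementById('outer-frame');
    var fresh = document.createElement('iframe');
    fresh.id = 'outer-frame';
    fresh.src = 'inner.html';
    old.parentNode.replaceChild(fresh, old);
  }
</script>
<iframe id="outer-frame" src="inner.html"></iframe>
</body>
</html>

<!-- ===== inner.html: used for both the outer iframe and the nested iframe ===== -->
<!DOCTYPE html>
<html>
<body>
<script>
  // Capture the top window now; once this frame has been removed, window.top
  // may return null from inside the detached document.
  var outer = window.top;

  if (window.parent === window.top) {
    // We are the outer iframe: host the nested iframe and do nothing else.
    document.write('<iframe src="inner.html?nested=1"></iframe>');
  } else {
    // We are the nested iframe.
    // Step 1: start an XHR in the outer window's context.
    outer.requestFromOuter(function () {
      // Step 2: the outer window tears down the iframe tree we live in.
      outer.replaceOuterIframe();
      // Step 3: this script keeps running although its frame is gone and tries
      // to start another request from the outer window. In the reporter's
      // build this is where Window::retrieveActive(exec)->frame() is null.
      outer.requestFromOuter(function () {});
    });
  }
</script>
</body>
</html>
```

Usage: place both files in one directory served over HTTP and open outer.html in the build under test. The second request is issued on purpose after the frame is gone; a build that checks for a null frame before dereferencing it simply ignores or throws on that call instead of crashing.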
Comment 1 Tom Brown 2007-03-19 17:09:43 PDT
Backtrace from the crash.

Date/Time:      2007-03-19 18:05:20.095 -0600
OS Version:     10.4.8 (Build 8L2127)
Report Version: 4

Command: Safari
Path:    /Applications/Safari.app/Contents/MacOS/Safari
Parent:  bash [411]

Version:        2.0.4 (419.3)
Build Version:  2
Project Name:   WebBrowser
Source Version: 4190300

PID:    13286
Thread: 0

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x0000000c

Thread 0 Crashed:
0   com.apple.WebCore        	0x010b5049 WebCore::Frame::document() const + 9 (Frame.cpp:297)
1   com.apple.WebCore        	0x0122c3b3 KJS::JSXMLHttpRequestPrototypeFunction::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 789 (JSXMLHttpRequest.cpp:218)
2   com.apple.JavaScriptCore 	0x004fa67e KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 210 (object.cpp:97)
3   com.apple.JavaScriptCore 	0x004f15cc KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 944 (nodes.cpp:781)
4   com.apple.JavaScriptCore 	0x004ee784 KJS::ExprStatementNode::execute(KJS::ExecState*) + 148 (nodes.cpp:1681)
5   com.apple.JavaScriptCore 	0x004ec4b2 KJS::SourceElementsNode::execute(KJS::ExecState*) + 566 (nodes.cpp:2464)
6   com.apple.JavaScriptCore 	0x004eacb4 KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1657)
7   com.apple.JavaScriptCore 	0x004de320 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 50 (function.cpp:362)
8   com.apple.JavaScriptCore 	0x004e01f7 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 573 (function.cpp:111)
9   com.apple.JavaScriptCore 	0x004fa67e KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 210 (object.cpp:97)
10  com.apple.JavaScriptCore 	0x004f15cc KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 944 (nodes.cpp:781)
11  com.apple.JavaScriptCore 	0x004ee784 KJS::ExprStatementNode::execute(KJS::ExecState*) + 148 (nodes.cpp:1681)
12  com.apple.JavaScriptCore 	0x004ec4b2 KJS::SourceElementsNode::execute(KJS::ExecState*) + 566 (nodes.cpp:2464)
13  com.apple.JavaScriptCore 	0x004eacb4 KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1657)
14  com.apple.JavaScriptCore 	0x004de320 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 50 (function.cpp:362)
15  com.apple.JavaScriptCore 	0x004e01f7 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 573 (function.cpp:111)
16  com.apple.JavaScriptCore 	0x004fa67e KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 210 (object.cpp:97)
17  com.apple.JavaScriptCore 	0x004f15cc KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 944 (nodes.cpp:781)
18  com.apple.JavaScriptCore 	0x004ee784 KJS::ExprStatementNode::execute(KJS::ExecState*) + 148 (nodes.cpp:1681)
19  com.apple.JavaScriptCore 	0x004ec37c KJS::SourceElementsNode::execute(KJS::ExecState*) + 256 (nodes.cpp:2458)
20  com.apple.JavaScriptCore 	0x004eacb4 KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1657)
21  com.apple.JavaScriptCore 	0x004ee678 KJS::IfNode::execute(KJS::ExecState*) + 420 (nodes.cpp:1700)
22  com.apple.JavaScriptCore 	0x004ec4b2 KJS::SourceElementsNode::execute(KJS::ExecState*) + 566 (nodes.cpp:2464)
23  com.apple.JavaScriptCore 	0x004eacb4 KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1657)
24  com.apple.JavaScriptCore 	0x004de320 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 50 (function.cpp:362)
25  com.apple.JavaScriptCore 	0x004e01f7 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 573 (function.cpp:111)
26  com.apple.JavaScriptCore 	0x004fa67e KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 210 (object.cpp:97)
27  com.apple.JavaScriptCore 	0x004f15cc KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 944 (nodes.cpp:781)
28  com.apple.JavaScriptCore 	0x004ee784 KJS::ExprStatementNode::execute(KJS::ExecState*) + 148 (nodes.cpp:1681)
29  com.apple.JavaScriptCore 	0x004ec37c KJS::SourceElementsNode::execute(KJS::ExecState*) + 256 (nodes.cpp:2458)
30  com.apple.JavaScriptCore 	0x004eacb4 KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1657)
31  com.apple.JavaScriptCore 	0x004ee6df KJS::IfNode::execute(KJS::ExecState*) + 523 (nodes.cpp:1707)
32  com.apple.JavaScriptCore 	0x004ec4b2 KJS::SourceElementsNode::execute(KJS::ExecState*) + 566 (nodes.cpp:2464)
33  com.apple.JavaScriptCore 	0x004eacb4 KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1657)
34  com.apple.JavaScriptCore 	0x004ee678 KJS::IfNode::execute(KJS::ExecState*) + 420 (nodes.cpp:1700)
35  com.apple.JavaScriptCore 	0x004ec4b2 KJS::SourceElementsNode::execute(KJS::ExecState*) + 566 (nodes.cpp:2464)
36  com.apple.JavaScriptCore 	0x004eacb4 KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1657)
37  com.apple.JavaScriptCore 	0x004ee678 KJS::IfNode::execute(KJS::ExecState*) + 420 (nodes.cpp:1700)
38  com.apple.JavaScriptCore 	0x004ec4b2 KJS::SourceElementsNode::execute(KJS::ExecState*) + 566 (nodes.cpp:2464)
39  com.apple.JavaScriptCore 	0x004eacb4 KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1657)
40  com.apple.JavaScriptCore 	0x004ee678 KJS::IfNode::execute(KJS::ExecState*) + 420 (nodes.cpp:1700)
41  com.apple.JavaScriptCore 	0x004ec4b2 KJS::SourceElementsNode::execute(KJS::ExecState*) + 566 (nodes.cpp:2464)
42  com.apple.JavaScriptCore 	0x004eacb4 KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1657)
43  com.apple.JavaScriptCore 	0x004de320 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 50 (function.cpp:362)
44  com.apple.JavaScriptCore 	0x004e01f7 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 573 (function.cpp:111)
45  com.apple.JavaScriptCore 	0x004fa67e KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 210 (object.cpp:97)
46  com.apple.WebCore        	0x012398c6 KJS::JSAbstractEventListener::handleEvent(WebCore::Event*, bool) + 574 (kjs_events.cpp:123)
47  com.apple.WebCore        	0x011954eb WebCore::XMLHttpRequest::callReadyStateChangeListener() + 281 (xmlhttprequest.cpp:305)
48  com.apple.WebCore        	0x01195795 WebCore::XMLHttpRequest::changeState(WebCore::XMLHttpRequestState) + 43 (xmlhttprequest.cpp:297)
49  com.apple.WebCore        	0x01195b5a WebCore::XMLHttpRequest::didFinishLoading(WebCore::SubresourceLoader*) + 306 (xmlhttprequest.cpp:625)
50  com.apple.WebCore        	0x01389aac WebCore::SubresourceLoader::didFinishLoading() + 168 (SubresourceLoader.cpp:192)
51  com.apple.WebCore        	0x0138805a WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*) + 24
52  com.apple.WebCore        	0x01367343 -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] + 79 (ResourceHandleMac.mm:370)
53  com.apple.Foundation     	0x9265be00 -[NSURLConnection(NSURLConnectionInternal) _sendDidFinishLoadingCallback] + 176
54  com.apple.Foundation     	0x92659ea5 -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 748
55  com.apple.Foundation     	0x92659b41 _sendCallbacks + 201
56  com.apple.CoreFoundation 	0x90829379 CFRunLoopRunSpecific + 1213
57  com.apple.CoreFoundation 	0x90828eb5 CFRunLoopRunInMode + 61
58  com.apple.HIToolbox      	0x92dcdb90 RunCurrentEventLoopInMode + 285
59  com.apple.HIToolbox      	0x92dcd1ce ReceiveNextEventCommon + 184
60  com.apple.HIToolbox      	0x92dcd0ee BlockUntilNextEventMatchingListInMode + 81
61  com.apple.AppKit         	0x9326f465 _DPSNextEvent + 572
62  com.apple.AppKit         	0x9326f056 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 137
63  com.apple.Safari         	0x00006f96 0x1000 + 24470
64  com.apple.AppKit         	0x93268ddb -[NSApplication run] + 512
65  com.apple.AppKit         	0x9325cd2f NSApplicationMain + 573
66  com.apple.Safari         	0x0005f7de 0x1000 + 387038
67  com.apple.Safari         	0x0005f6f9 0x1000 + 386809

Thread 1:
0   libSystem.B.dylib        	0x90009857 mach_msg_trap + 7
1   com.apple.CoreFoundation 	0x9082969a CFRunLoopRunSpecific + 2014
2   com.apple.CoreFoundation 	0x90828eb5 CFRunLoopRunInMode + 61
3   com.apple.Foundation     	0x9262aa9b +[NSURLConnection(NSURLConnectionInternal) _resourceLoadLoop:] + 259
4   com.apple.Foundation     	0x925f536c forkThreadForFunction + 123
5   libSystem.B.dylib        	0x90023d87 _pthread_body + 84

Thread 2:
0   libSystem.B.dylib        	0x90009857 mach_msg_trap + 7
1   com.apple.CoreFoundation 	0x9082969a CFRunLoopRunSpecific + 2014
2   com.apple.CoreFoundation 	0x90828eb5 CFRunLoopRunInMode + 61
3   com.apple.Foundation     	0x92651c4e +[NSURLCache _diskCacheSyncLoop:] + 206
4   com.apple.Foundation     	0x925f536c forkThreadForFunction + 123
5   libSystem.B.dylib        	0x90023d87 _pthread_body + 84

Thread 3:
0   libSystem.B.dylib        	0x90019d3c select + 12
1   libSystem.B.dylib        	0x90023d87 _pthread_body + 84

Thread 4:
0   libSystem.B.dylib        	0x90024427 semaphore_wait_signal_trap + 7
1   com.apple.Foundation     	0x9264b2f8 -[NSConditionLock lockWhenCondition:] + 39
2   com.apple.Syndication    	0x9a6d6052 -[AsyncDB _run:] + 181
3   com.apple.Foundation     	0x925f536c forkThreadForFunction + 123
4   libSystem.B.dylib        	0x90023d87 _pthread_body + 84

Thread 0 crashed with X86 Thread State (32-bit):
  eax: 0x00000000    ebx: 0x0122c0af ecx: 0x00000000 edx: 0x193a7a00
  edi: 0x00000002    esi: 0x004ee6f0 ebp: 0xbfffd8f8 esp: 0xbfffd8d0
   ss: 0x0000001f    efl: 0x00010282 eip: 0x010b5049  cs: 0x00000017
   ds: 0x0000001f     es: 0x0000001f  fs: 0x00000000  gs: 0x00000037

Binary Images Description:
    0x1000 -    0xdefff com.apple.Safari 2.0.4 (419.3)	/Applications/Safari.app/Contents/MacOS/Safari
  0x305000 -   0x3e2fff com.apple.WebKit 522+	/Users/tom/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit
  0x4d1000 -   0x576fff com.apple.JavaScriptCore 522+	/Users/tom/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore
 0x1008000 -  0x15e5fff com.apple.WebCore 522+	/Users/tom/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore
0x8fe00000 - 0x8fe49fff dyld 46.9	/usr/lib/dyld
0x90000000 - 0x9016ffff libSystem.B.dylib 	/usr/lib/libSystem.B.dylib
0x901bf000 - 0x901c1fff libmathCommon.A.dylib 	/usr/lib/system/libmathCommon.A.dylib
0x901c3000 - 0x901fffff com.apple.CoreText 1.1.1 (???)	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreText.framework/Versions/A/CoreText
0x90226000 - 0x902fcfff ATS 	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/ATS
0x9031c000 - 0x90770fff com.apple.CoreGraphics 1.258.38 (???)	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics
0x90807000 - 0x908cffff com.apple.CoreFoundation 6.4.6 (368.27)	/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
0x9090d000 - 0x9090dfff com.apple.CoreServices 10.4 (???)	/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
0x9090f000 - 0x90a02fff libicucore.A.dylib 	/usr/lib/libicucore.A.dylib
0x90a52000 - 0x90ad1fff libobjc.A.dylib 	/usr/lib/libobjc.A.dylib
0x90afa000 - 0x90b5efff libstdc++.6.dylib 	/usr/lib/libstdc++.6.dylib
0x90bcd000 - 0x90bd4fff libgcc_s.1.dylib 	/usr/lib/libgcc_s.1.dylib
0x90bd9000 - 0x90c4cfff com.apple.framework.IOKit 1.4.6 (???)	/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
0x90c61000 - 0x90c73fff libauto.dylib 	/usr/lib/libauto.dylib
0x90c79000 - 0x90f1ffff com.apple.CoreServices.CarbonCore 682.16	/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CarbonCore.framework/Versions/A/CarbonCore
0x90f62000 - 0x90fcafff com.apple.CoreServices.OSServices 4.1	/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/OSServices.framework/Versions/A/OSServices
0x91002000 - 0x91040fff com.apple.CFNetwork 129.19	/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CFNetwork.framework/Versions/A/CFNetwork
0x91053000 - 0x91063fff com.apple.WebServices 1.1.3 (1.1.0)	/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/WebServicesCore.framework/Versions/A/WebServicesCore
0x9106e000 - 0x910ecfff com.apple.SearchKit 1.0.5	/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/SearchKit.framework/Versions/A/SearchKit
0x91121000 - 0x9113ffff com.apple.Metadata 10.4.4 (121.36)	/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Metadata
0x9114b000 - 0x91159fff libz.1.dylib 	/usr/lib/libz.1.dylib
0x9115c000 - 0x912fbfff com.apple.security 4.5.2 (29774)	/System/Library/Frameworks/Security.framework/Versions/A/Security
0x913f9000 - 0x91401fff com.apple.DiskArbitration 2.1.1	/System/Library/Frameworks/DiskArbitration.framework/Versions/A/DiskArbitration
0x91408000 - 0x9142efff com.apple.SystemConfiguration 1.8.6	/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration
0x91440000 - 0x91447fff libbsm.dylib 	/usr/lib/libbsm.dylib
0x9144b000 - 0x914c4fff com.apple.audio.CoreAudio 3.0.4	/System/Library/Frameworks/CoreAudio.framework/Versions/A/CoreAudio
0x91512000 - 0x91512fff com.apple.ApplicationServices 10.4 (???)	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
0x91514000 - 0x9153ffff com.apple.AE 314 (313)	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/AE.framework/Versions/A/AE
0x91552000 - 0x91626fff com.apple.ColorSync 4.4.8	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ColorSync.framework/Versions/A/ColorSync
0x91661000 - 0x916defff com.apple.print.framework.PrintCore 4.6 (177.13)	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/PrintCore.framework/Versions/A/PrintCore
0x9170b000 - 0x917b4fff com.apple.QD 3.10.21 (???)	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/QD.framework/Versions/A/QD
0x917da000 - 0x91825fff com.apple.HIServices 1.5.2 (???)	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/HIServices.framework/Versions/A/HIServices
0x91844000 - 0x9185afff com.apple.LangAnalysis 1.6.3	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/LangAnalysis.framework/Versions/A/LangAnalysis
0x91866000 - 0x91880fff com.apple.FindByContent 1.5	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/FindByContent.framework/Versions/A/FindByContent
0x9188a000 - 0x918c7fff com.apple.LaunchServices 181	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/LaunchServices
0x918db000 - 0x918e7fff com.apple.speech.synthesis.framework 3.5	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/SpeechSynthesis.framework/Versions/A/SpeechSynthesis
0x918ee000 - 0x91929fff com.apple.ImageIO.framework 1.5.0	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/ImageIO
0x9193b000 - 0x919edfff libcrypto.0.9.7.dylib 	/usr/lib/libcrypto.0.9.7.dylib
0x91a33000 - 0x91a49fff libcups.2.dylib 	/usr/lib/libcups.2.dylib
0x91a4e000 - 0x91a6cfff libJPEG.dylib 	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libJPEG.dylib
0x91a71000 - 0x91acffff libJP2.dylib 	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libJP2.dylib
0x91ae1000 - 0x91ae5fff libGIF.dylib 	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libGIF.dylib
0x91ae7000 - 0x91b64fff libRaw.dylib 	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libRaw.dylib
0x91b68000 - 0x91ba5fff libTIFF.dylib 	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libTIFF.dylib
0x91bab000 - 0x91bc5fff libPng.dylib 	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libPng.dylib
0x91bca000 - 0x91bccfff libRadiance.dylib 	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libRadiance.dylib
0x91bce000 - 0x91bcefff com.apple.Accelerate 1.3.1 (Accelerate 1.3.1)	/System/Library/Frameworks/Accelerate.framework/Versions/A/Accelerate
0x91bd0000 - 0x91c5efff com.apple.vImage 2.5	/System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vImage.framework/Versions/A/vImage
0x91c65000 - 0x91c65fff com.apple.Accelerate.vecLib 3.3.1 (vecLib 3.3.1)	/System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/vecLib
0x91c67000 - 0x91cc0fff libvMisc.dylib 	/System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libvMisc.dylib
0x91cc9000 - 0x91cedfff libvDSP.dylib 	/System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libvDSP.dylib
0x91cf5000 - 0x920fefff libBLAS.dylib 	/System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libBLAS.dylib
0x92138000 - 0x924ecfff libLAPACK.dylib 	/System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libLAPACK.dylib
0x92519000 - 0x92597fff com.apple.DesktopServices 1.3.5	/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/DesktopServicesPriv
0x925d8000 - 0x92808fff com.apple.Foundation 6.4.7 (567.28)	/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
0x92914000 - 0x929f2fff libxml2.2.dylib 	/usr/lib/libxml2.2.dylib
0x92a0f000 - 0x92afcfff libiconv.2.dylib 	/usr/lib/libiconv.2.dylib
0x92b0c000 - 0x92b23fff libGL.dylib 	/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGL.dylib
0x92b2e000 - 0x92b86fff libGLU.dylib 	/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGLU.dylib
0x92b9a000 - 0x92b9afff com.apple.Carbon 10.4 (???)	/System/Library/Frameworks/Carbon.framework/Versions/A/Carbon
0x92b9c000 - 0x92bacfff com.apple.ImageCapture 3.0.4	/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/ImageCapture.framework/Versions/A/ImageCapture
0x92bba000 - 0x92bc2fff com.apple.speech.recognition.framework 3.6	/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/SpeechRecognition.framework/Versions/A/SpeechRecognition
0x92bc8000 - 0x92bcdfff com.apple.securityhi 2.0.1 (24742)	/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/SecurityHI.framework/Versions/A/SecurityHI
0x92bd3000 - 0x92c64fff com.apple.ink.framework 101.2.1 (71)	/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Ink.framework/Versions/A/Ink
0x92c78000 - 0x92c7bfff com.apple.help 1.0.3 (32.1)	/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Help.framework/Versions/A/Help
0x92c7e000 - 0x92c9bfff com.apple.openscripting 1.2.5 (???)	/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/OpenScripting.framework/Versions/A/OpenScripting
0x92cab000 - 0x92cb1fff com.apple.print.framework.Print 5.2 (192.4)	/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Print.framework/Versions/A/Print
0x92cb7000 - 0x92d1afff com.apple.htmlrendering 66.1 (1.1.3)	/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HTMLRendering.framework/Versions/A/HTMLRendering
0x92d3e000 - 0x92d7ffff com.apple.NavigationServices 3.4.4 (3.4.3)	/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/NavigationServices.framework/Versions/A/NavigationServices
0x92da6000 - 0x92db3fff com.apple.audio.SoundManager 3.9.1	/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/CarbonSound.framework/Versions/A/CarbonSound
0x92dba000 - 0x92dbffff com.apple.CommonPanels 1.2.3 (73)	/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/CommonPanels.framework/Versions/A/CommonPanels
0x92dc4000 - 0x930b6fff com.apple.HIToolbox 1.4.8 (???)	/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox
0x931bb000 - 0x931c6fff com.apple.opengl 1.4.12	/System/Library/Frameworks/OpenGL.framework/Versions/A/OpenGL
0x931cb000 - 0x931e6fff com.apple.DirectoryService.Framework 3.2	/System/Library/Frameworks/DirectoryService.framework/Versions/A/DirectoryService
0x93256000 - 0x93256fff com.apple.Cocoa 6.4 (???)	/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
0x93258000 - 0x9390efff com.apple.AppKit 6.4.8 (824.42)	/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
0x93c8f000 - 0x93d09fff com.apple.CoreData 90	/System/Library/Frameworks/CoreData.framework/Versions/A/CoreData
0x93d42000 - 0x93e03fff com.apple.audio.toolbox.AudioToolbox 1.4.3	/System/Library/Frameworks/AudioToolbox.framework/Versions/A/AudioToolbox
0x93e43000 - 0x93e43fff com.apple.audio.units.AudioUnit 1.4.2	/System/Library/Frameworks/AudioUnit.framework/Versions/A/AudioUnit
0x93e45000 - 0x94017fff com.apple.QuartzCore 1.4.9	/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore
0x94068000 - 0x940a9fff libsqlite3.0.dylib 	/usr/lib/libsqlite3.0.dylib
0x940b1000 - 0x940ebfff libGLImage.dylib 	/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGLImage.dylib
0x94179000 - 0x941b7fff com.apple.vmutils 4.0.2 (93.1)	/System/Library/PrivateFrameworks/vmutils.framework/Versions/A/vmutils
0x941fb000 - 0x9420bfff com.apple.securityfoundation 2.2.1 (28150)	/System/Library/Frameworks/SecurityFoundation.framework/Versions/A/SecurityFoundation
0x94218000 - 0x94255fff com.apple.securityinterface 2.2.1 (27695)	/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
0x94271000 - 0x94280fff libCGATS.A.dylib 	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libCGATS.A.dylib
0x94287000 - 0x94292fff libCSync.A.dylib 	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libCSync.A.dylib
0x942de000 - 0x942f8fff libRIP.A.dylib 	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libRIP.A.dylib
0x94720000 - 0x94869fff com.apple.AddressBook.framework 4.0.4 (485.1)	/System/Library/Frameworks/AddressBook.framework/Versions/A/AddressBook
0x948f5000 - 0x94904fff com.apple.DSObjCWrappers.Framework 1.1	/System/Library/PrivateFrameworks/DSObjCWrappers.framework/Versions/A/DSObjCWrappers
0x9490b000 - 0x94934fff com.apple.LDAPFramework 1.4.2 (69.1.1)	/System/Library/Frameworks/LDAP.framework/Versions/A/LDAP
0x9493a000 - 0x94949fff libsasl2.2.dylib 	/usr/lib/libsasl2.2.dylib
0x9494d000 - 0x94972fff libssl.0.9.7.dylib 	/usr/lib/libssl.0.9.7.dylib
0x9497e000 - 0x9499bfff libresolv.9.dylib 	/usr/lib/libresolv.9.dylib
0x9574a000 - 0x9576dfff libxslt.1.dylib 	/usr/lib/libxslt.1.dylib
0x9708b000 - 0x97090fff com.apple.agl 2.5.9 (AGL-2.5.9)	/System/Library/Frameworks/AGL.framework/Versions/A/AGL
0x9a6d3000 - 0x9a70afff com.apple.Syndication 1.0.6 (54)	/System/Library/PrivateFrameworks/Syndication.framework/Versions/A/Syndication
0x9a726000 - 0x9a738fff com.apple.SyndicationUI 1.0.6 (54)	/System/Library/PrivateFrameworks/SyndicationUI.framework/Versions/A/SyndicationUI

Model: Macmini1,1, BootROM MM11.0055.B08, 2 processors, Intel Core Duo, 1.66 GHz, 1 GB
Graphics: Intel GMA 950, GMA 950, Built-In, spdisplays_integrated_vram
Memory Module: BANK 0/DIMM0, 512 MB, DDR2 SDRAM, 667 MHz
Memory Module: BANK 1/DIMM1, 512 MB, DDR2 SDRAM, 667 MHz
AirPort: spairport_wireless_card_type_airport_extreme (0x168C, 0x86), 0.1.31.1
Bluetooth: Version 1.7.9f12, 2 service, 1 devices, 1 incoming serial ports
Network Service: Built-in Ethernet, Ethernet, en0
Serial ATA Device: FUJITSU MHV2080BHPL, 74.53 GB
Parallel ATA Device: MATSHITADVD-R   UJ-846
USB Device: Microsoft Wheel Mouse Optical®, Microsoft, Up to 1.5 Mb/sec, 500 mA
USB Device: DELL USB Keyboard, DELL, Up to 1.5 Mb/sec, 500 mA
USB Device: Bluetooth HCI, Up to 12 Mb/sec, 500 mA
USB Device: IR Receiver, Apple Computer, Inc., Up to 12 Mb/sec, 500 mA
Comment 2 Maciej Stachowiak 2007-03-20 03:18:24 PDT
Since we don't have usable steps to reproduce this yet, lowering to P3.
Comment 3 Tom Brown 2007-03-21 17:41:11 PDT
Created attachment 13754
Two html files comprising reduction.

Unzip this reduction to a webserver or HD, and point your browser to "outer.html".  While the stack trace is different from the stack trace reported earlier, I believe both issues stem from the same cause.
Comment 4 Tom Brown 2007-03-21 17:41:47 PDT
Updated to P1 as a reduction was found.
Comment 5 Alexey Proskuryakov 2007-03-21 22:39:58 PDT
Confirming, since the attached test does cause a crash for me, but I'm not sure whether it's really XHR-related.

Thread 0 Crashed:
0   com.apple.WebCore        	0x01280638 WebCore::Widget::getView() const + 28 (WidgetMac.mm:218)
1   com.apple.WebCore        	0x01295c18 WebCore::ScrollView::windowToContents(WebCore::IntPoint const&) const + 276 (ScrollViewMac.mm:394)
2   com.apple.WebCore        	0x014cf3a4 WebCore::EventHandler::prepareMouseEvent(WebCore::HitTestRequest const&, WebCore::PlatformMouseEvent const&) + 252 (EventHandler.cpp:1067)
3   com.apple.WebCore        	0x014cfaa8 WebCore::EventHandler::hoverTimerFired(WebCore::Timer<WebCore::EventHandler>*) + 124 (EventHandler.cpp:1246)
4   com.apple.WebCore        	0x017d99f8 WebCore::Timer<WebCore::EventHandler>::fired() + 152 (Timer.h:96)
5   com.apple.WebCore        	0x0127b7cc WebCore::TimerBase::fireTimers(double, WTF::Vector<WebCore::TimerBase*, (unsigned long)0> const&) + 236 (Timer.cpp:322)
6   com.apple.WebCore        	0x0127b898 WebCore::TimerBase::sharedTimerFired() + 132 (Timer.cpp:355)
7   com.apple.WebCore        	0x0127ac44 WebCore::timerFired(__CFRunLoopTimer*, void*) + 60 (SharedTimerMac.cpp:47)
8   com.apple.CoreFoundation 	0x907f2578 __CFRunLoopDoTimer + 184
9   com.apple.CoreFoundation 	0x907deef8 __CFRunLoopRun + 1680
10  com.apple.CoreFoundation 	0x907de4ac CFRunLoopRunSpecific + 268
11  com.apple.HIToolbox      	0x93298b20 RunCurrentEventLoopInMode + 264
12  com.apple.HIToolbox      	0x932981b4 ReceiveNextEventCommon + 380
13  com.apple.HIToolbox      	0x93298020 BlockUntilNextEventMatchingListInMode + 96
14  com.apple.AppKit         	0x9379eae4 _DPSNextEvent + 384
15  com.apple.AppKit         	0x9379e7a8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
16  com.apple.Safari         	0x00006740 0x1000 + 22336
17  com.apple.AppKit         	0x9379acec -[NSApplication run] + 472
18  com.apple.AppKit         	0x9388b87c NSApplicationMain + 452
19  com.apple.Safari         	0x0005c77c 0x1000 + 374652
20  com.apple.Safari         	0x0005c624 0x1000 + 374308

Please note that WebKit does not yet store a persistent pointer to the window when creating an XMLHttpRequest object, as required by draft spec - this may be related to the original issue.
Comment 6 mitz 2007-03-23 02:05:07 PDT
Created attachment 13777
Fix crash in getView()

This fixes the crash in getView() and seems like a good idea in general but I doubt that it will fix the original crash reported in this bug.
Comment 7 mitz 2007-03-23 09:09:14 PDT
Comment on attachment 13777
Fix crash in getView()

Tom confirmed that this patch did not fix the original crash. We agreed to make this bug about the getView() crash and he'll file another bug on the original problem. Having this one fixed should help him make progress on reducing the other one.
Comment 8 mitz 2007-03-23 10:21:38 PDT
Created attachment 13780
Fix crash in getView()

Added layout test and change log. Going to ask for a review after I run the tests.
Comment 9 Adele Peterson 2007-03-23 21:24:11 PDT
<rdar://problem/5086211> REGRESSION: Reproducible crash in Widget::getView

Committed revision 20458.