WebKit Bugzilla
Bug 13547 - REGRESSION: Crash in _NPN_ReleaseObject when closing Safari on nba.com
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=13547
Matt Lilek
Reported
2007-04-29 22:07:09 PDT
1. Load nba.com
2. Click the "Tonight" tab on the left-hand side
3. Quit Safari -> *boom*

This only seems to crash if you quit Safari; closing the tab/window doesn't seem to trigger this.

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0x09f8945c

Thread 0 Crashed:
0 com.apple.JavaScriptCore 0x00537518 _NPN_ReleaseObject + 96 (npruntime.cpp:190)
1 com.apple.JavaScriptCore 0x00535498 KJS::Bindings::CInstance::~CInstance [in-charge deleting]() + 68 (c_instance.cpp:52)
2 com.apple.JavaScriptCore 0x005bfe38 KJS::Bindings::Instance::deref() + 116 (runtime.h:153)
3 com.apple.JavaScriptCore 0x005c01a0 WTF::RefPtr<KJS::Bindings::Instance>::~RefPtr [in-charge]() + 56 (RefPtr.h:41)
4 com.apple.JavaScriptCore 0x005c0220 KJS::RuntimeObjectImp::~RuntimeObjectImp [in-charge]() + 68 (runtime_object.h:34)
5 com.apple.JavaScriptCore 0x00574350 KJS::Collector::collect() + 1292 (collector.cpp:814)
6 com.apple.WebCore 0x012f9d34 WebCore::KJSProxy::~KJSProxy [in-charge]() + 208 (kjs_proxy.cpp:56)
7 com.apple.WebCore 0x010f4b64 WebCore::FramePrivate::~FramePrivate [in-charge]() + 56 (Frame.cpp:1893)
8 com.apple.WebCore 0x010f505c WebCore::Frame::~Frame [in-charge deleting]() + 916 (Frame.cpp:251)
9 com.apple.WebCore 0x015c531c WebCore::Shared<WebCore::Frame>::deref() + 228 (Shared.h:52)
10 com.apple.WebCore 0x0163a768 WTF::RefPtr<WebCore::Frame>::operator=(WebCore::Frame*) + 108 (RefPtr.h:107)
11 com.apple.WebCore 0x010fc8e0 WebCore::FrameView::clearPart() + 44 (FrameView.cpp:156)
12 com.apple.WebCore 0x014ce6dc WebCore::CachedPage::clear() + 548 (CachedPage.cpp:150)
13 com.apple.WebCore 0x014cf3c4 WebCore::CachedPage::close() + 184 (CachedPageMac.mm:45)
14 com.apple.WebCore 0x014cc768 WebCore::HistoryItem::performPendingReleaseOfCachedPages() + 280 (HistoryItem.cpp:467)
15 com.apple.WebKit 0x0030a134 -[WebWindowWatcher windowWillClose:] + 36 (WebHistoryItem.mm:514)
16 com.apple.Foundation 0x92be0ae4 _nsnote_callback + 180
17 com.apple.CoreFoundation 0x90806078 __CFXNotificationPost + 368
18 com.apple.CoreFoundation 0x907fe114 _CFXNotificationPostNotification + 684
19 com.apple.Foundation 0x92bcaeec -[NSNotificationCenter postNotificationName:object:userInfo:] + 92
20 com.apple.AppKit 0x9384047c -[NSWindow _close] + 100
21 com.apple.AppKit 0x938403e0 -[NSWindow close] + 36
22 com.apple.Foundation 0x92be85f4 -[NSArray makeObjectsPerformSelector:withObject:] + 264
23 com.apple.AppKit 0x938433fc -[NSApplication _deallocHardCore:] + 220
24 com.apple.AppKit 0x93841fb4 -[NSApplication terminate:] + 520
25 com.apple.AppKit 0x9383fc4c -[NSApplication sendAction:to:from:] + 108
26 com.apple.Safari 0x0002956c 0x1000 + 165228
27 com.apple.AppKit 0x9389a4b8 -[NSMenu performActionForItemAtIndex:] + 392
28 com.apple.AppKit 0x9389a23c -[NSCarbonMenuImpl performActionWithHighlightingForItemAtIndex:] + 104
29 com.apple.AppKit 0x93899ce4 -[NSMenu performKeyEquivalent:] + 272
30 com.apple.AppKit 0x93899930 -[NSApplication _handleKeyEquivalent:] + 328
31 com.apple.AppKit 0x937a3408 -[NSApplication sendEvent:] + 2944
32 com.apple.Safari 0x00021238 0x1000 + 131640
33 com.apple.AppKit 0x9379ad10 -[NSApplication run] + 508
34 com.apple.AppKit 0x9388b87c NSApplicationMain + 452
35 com.apple.Safari 0x0005c77c 0x1000 + 374652
36 com.apple.Safari 0x0005c624 0x1000 + 374308
Matt Lilek
Comment 1
2007-04-30 16:04:19 PDT
Right now this reproduces just by loading nba.com and quitting, no tab changing necessary (the Tonight tab is already chosen). If you do change a tab then close, you get a huge leak:

LEAK: 2537 Node
LEAK: 3 RenderObject
LEAK: 1 Frame
LEAK: 14055 KJS::Node
Matt Lilek
Comment 2
2007-04-30 16:07:40 PDT
Oh, and there's no assertions failing with this. Maciej said on IRC he's seeing an assertion failure at frame 0 of my stack trace above running the layout tests so I figure I'd mention that.
Darin Adler
Comment 3
2007-05-04 22:19:13 PDT
<rdar://problem/5183692>
David Kilzer (:ddkilzer)
Comment 4
2007-05-07 15:07:33 PDT
Here is another way to reproduce this (with a slightly different stack trace). I'm using a local debug build of WebKit r21288 with Safari 2.0.4 (419.3) on Mac OS X 10.4.9 (8P135):

STEPS TO REPRODUCE
1. Open Safari/WebKit.
2. Go to: http://www.ssh.com/
3. Go to: http://www.google.com/ [this site apparently doesn't matter]
4. Hit browser back button to return to www.ssh.com.
5. Quit Safari.

Console output:
Segmentation fault

Stack trace:
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0x17c5d614

Thread 0 Crashed:
0 com.apple.JavaScriptCore 0x0054871c _NPN_ReleaseObject + 96 (npruntime.cpp:190)
1 com.apple.JavaScriptCore 0x00546548 KJS::Bindings::CInstance::~CInstance [in-charge deleting]() + 68 (c_instance.cpp:52)
2 com.apple.JavaScriptCore 0x005d2b34 KJS::Bindings::Instance::deref() + 116 (runtime.h:153)
3 com.apple.JavaScriptCore 0x005d2f34 WTF::RefPtr<KJS::Bindings::Instance>::~RefPtr [not-in-charge]() + 56 (RefPtr.h:41)
4 com.apple.JavaScriptCore 0x005d2f68 WTF::RefPtr<KJS::Bindings::Instance>::~RefPtr [in-charge]() + 32 (RefPtr.h:41)
5 com.apple.JavaScriptCore 0x005d2fc0 KJS::RuntimeObjectImp::~RuntimeObjectImp [not-in-charge]() + 68 (runtime_object.h:34)
6 com.apple.JavaScriptCore 0x005d3014 KJS::RuntimeObjectImp::~RuntimeObjectImp [in-charge]() + 32 (runtime_object.h:34)
7 com.apple.JavaScriptCore 0x005859c0 KJS::Collector::collect() + 820 (collector.cpp:790)
8 com.apple.WebCore 0x014a851c WebCore::CachedPage::clear() + 824 (CachedPage.cpp:164)
9 com.apple.WebCore 0x014a8cc4 WebCore::CachedPage::close() + 184 (CachedPageMac.mm:45)
10 com.apple.WebCore 0x014a6e34 WebCore::HistoryItem::performPendingReleaseOfCachedPages() + 280 (HistoryItem.cpp:452)
11 com.apple.WebKit 0x00309c2c -[WebWindowWatcher windowWillClose:] + 36 (WebHistoryItem.mm:514)
12 com.apple.Foundation 0x92be0ae4 _nsnote_callback + 180
13 com.apple.CoreFoundation 0x90806078 __CFXNotificationPost + 368
14 com.apple.CoreFoundation 0x907fe114 _CFXNotificationPostNotification + 684
15 com.apple.Foundation 0x92bcaeec -[NSNotificationCenter postNotificationName:object:userInfo:] + 92
16 com.apple.AppKit 0x9384047c -[NSWindow _close] + 100
17 com.apple.AppKit 0x938403e0 -[NSWindow close] + 36
18 com.apple.Foundation 0x92be85f4 -[NSArray makeObjectsPerformSelector:withObject:] + 264
19 com.apple.AppKit 0x938433fc -[NSApplication _deallocHardCore:] + 220
20 com.apple.AppKit 0x93841fb4 -[NSApplication terminate:] + 520
21 com.apple.AppKit 0x9383fc4c -[NSApplication sendAction:to:from:] + 108
22 com.apple.Safari 0x0002956c 0x1000 + 165228
23 com.apple.AppKit 0x9389a4b8 -[NSMenu performActionForItemAtIndex:] + 392
24 com.apple.AppKit 0x9389a23c -[NSCarbonMenuImpl performActionWithHighlightingForItemAtIndex:] + 104
25 com.apple.AppKit 0x93899ce4 -[NSMenu performKeyEquivalent:] + 272
26 com.apple.AppKit 0x93899930 -[NSApplication _handleKeyEquivalent:] + 328
27 com.apple.AppKit 0x937a3408 -[NSApplication sendEvent:] + 2944
28 com.apple.Safari 0x00021238 0x1000 + 131640
29 com.apple.AppKit 0x9379ad10 -[NSApplication run] + 508
30 com.apple.AppKit 0x9388b87c NSApplicationMain + 452
31 com.apple.Safari 0x0005c77c 0x1000 + 374652
32 com.apple.Safari 0x0005c624 0x1000 + 374308
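The two traces in this bug share their top frames and differ only in gcc's [in-charge]/[not-in-charge] destructor variants and in the caller below the collector, which is exactly the comparison a triager makes when marking one report a duplicate of another. As an added example (not code from this bug or from WebKit), the parser below reads CrashReporter frame lines of that shape and builds a normalized crash signature; the sample input is constructed from the abridged top frames of both reports above.

```python
import re
from collections import namedtuple

# One CrashReporter frame: "<idx> <module> <addr> <symbol> + <offset> [(<file:line>)]". The symbol
# may contain spaces ("-[NSWindow close]"); a module without symbols shows its load address instead.
FRAME_RE = re.compile(r"^\s*(?P<idx>\d+)\s+(?P<module>\S+)\s+(?P<addr>0x[0-9a-fA-F]+)\s+"
                      r"(?P<symbol>.*?)\s+\+\s+(?P<offset>\d+)(?:\s+\((?P<loc>[^)]+)\))?\s*$")
# gcc-era suffixes [in-charge], [not-in-charge], [in-charge deleting] are ABI variants of the
# same constructor/destructor and must not split one crash into several buckets.
VARIANT_TAG_RE = re.compile(r"\s*\[[^\]]*in-charge[^\]]*\]")
Frame = namedtuple("Frame", "index module address symbol offset location")

def parse_frames(text):
    """Return the frames found in a crash report; non-frame lines are ignored."""
    return [Frame(int(m["idx"]), m["module"], int(m["addr"], 16), m["symbol"],
                  int(m["offset"]), m["loc"])
            for m in map(FRAME_RE.match, text.splitlines()) if m]

def crash_signature(frames, depth=5):
    """Top `depth` symbolicated, variant-normalized frame names, adjacent duplicates collapsed."""
    sig = []
    for f in frames:
        if f.symbol.startswith("0x"):
            continue  # unsymbolicated frame ("0x1000 + 165228"): unstable across builds
        name = VARIANT_TAG_RE.sub("", f.symbol)
        if sig and sig[-1] == name:
            continue  # ~RefPtr [not-in-charge] then ~RefPtr [in-charge] is one logical frame
        sig.append(name)
        if len(sig) == depth:
            break
    return tuple(sig)

# Constructed sample input: abridged top frames of the two traces posted in this bug.
REPORT_A = """0 com.apple.JavaScriptCore 0x00537518 _NPN_ReleaseObject + 96 (npruntime.cpp:190)
1 com.apple.JavaScriptCore 0x00535498 KJS::Bindings::CInstance::~CInstance [in-charge deleting]() + 68 (c_instance.cpp:52)
2 com.apple.JavaScriptCore 0x005bfe38 KJS::Bindings::Instance::deref() + 116 (runtime.h:153)
3 com.apple.JavaScriptCore 0x005c01a0 WTF::RefPtr<KJS::Bindings::Instance>::~RefPtr [in-charge]() + 56 (RefPtr.h:41)
4 com.apple.JavaScriptCore 0x005c0220 KJS::RuntimeObjectImp::~RuntimeObjectImp [in-charge]() + 68 (runtime_object.h:34)
5 com.apple.JavaScriptCore 0x00574350 KJS::Collector::collect() + 1292 (collector.cpp:814)
6 com.apple.WebCore 0x012f9d34 WebCore::KJSProxy::~KJSProxy [in-charge]() + 208 (kjs_proxy.cpp:56)
"""
REPORT_B = """0 com.apple.JavaScriptCore 0x0054871c _NPN_ReleaseObject + 96 (npruntime.cpp:190)
1 com.apple.JavaScriptCore 0x00546548 KJS::Bindings::CInstance::~CInstance [in-charge deleting]() + 68 (c_instance.cpp:52)
2 com.apple.JavaScriptCore 0x005d2b34 KJS::Bindings::Instance::deref() + 116 (runtime.h:153)
3 com.apple.JavaScriptCore 0x005d2f34 WTF::RefPtr<KJS::Bindings::Instance>::~RefPtr [not-in-charge]() + 56 (RefPtr.h:41)
4 com.apple.JavaScriptCore 0x005d2f68 WTF::RefPtr<KJS::Bindings::Instance>::~RefPtr [in-charge]() + 32 (RefPtr.h:41)
5 com.apple.JavaScriptCore 0x005d2fc0 KJS::RuntimeObjectImp::~RuntimeObjectImp [not-in-charge]() + 68 (runtime_object.h:34)
6 com.apple.JavaScriptCore 0x005d3014 KJS::RuntimeObjectImp::~RuntimeObjectImp [in-charge]() + 32 (runtime_object.h:34)
7 com.apple.JavaScriptCore 0x005859c0 KJS::Collector::collect() + 820 (collector.cpp:790)
8 com.apple.WebCore 0x014a851c WebCore::CachedPage::clear() + 824 (CachedPage.cpp:164)
"""
```

With depth 6 both reports yield the same signature (ending in KJS::Collector::collect()); at depth 7 they diverge into KJSProxy::~KJSProxy versus CachedPage::clear, which is the depth at which a dedup rule would start treating them as different crashes.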
Matt Lilek
Comment 5
2007-06-02 10:43:52 PDT
*** Bug 13977 has been marked as a duplicate of this bug. ***
Anders Carlsson
Comment 6
2007-06-14 14:55:17 PDT
Committed revision 23538.