RESOLVED FIXED Bug 17057
REGRESSION: Frequent random crashes in WebCore::JSNodeList::indexGetter
https://bugs.webkit.org/show_bug.cgi?id=17057
Steven Hollingsworth
Reported 2008-01-28 20:56:36 PST
WebKit crashes on quit.
Attachments
WebKit Crash (42.67 KB, text/plain)
2008-01-28 20:57 PST, Steven Hollingsworth
Problem Report for Webkit (58.10 KB, text/plain)
2008-02-06 20:51 PST, Steven Hollingsworth
Problem Report for Webkit (39.38 KB, text/plain)
2008-02-07 14:47 PST, Steven Hollingsworth
Problem Report for WebKit (50.16 KB, text/plain)
2008-02-16 20:04 PST, Steven Hollingsworth
Problem Report for Webkit (47.29 KB, text/plain)
2008-02-17 23:23 PST, Steven Hollingsworth
Problem Report for WebKit (43.13 KB, text/plain)
2008-02-18 12:34 PST, Steven Hollingsworth
Problem Report for WebKit (56.79 KB, text/plain)
2008-02-18 12:59 PST, Steven Hollingsworth
Steven Hollingsworth
Comment 1 2008-01-28 20:57:29 PST
Created attachment 18755: WebKit Crash
Log from WebKit Crash.
Steven Hollingsworth
Comment 2 2008-01-28 20:58:03 PST
WebKit crashed on quit (Cmd + Q).
Alexey Proskuryakov
Comment 3 2008-01-29 00:50:04 PST
Do you remember what Web pages were open at the time? The crash is seemingly caused by something that a page's JavaScript performed.
Steven Hollingsworth
Comment 4 2008-01-29 06:02:15 PST
I cannot remember exactly but it was probably iGoogle, Gmail, Google Calendar, Google Docs, or Google Reader.
Steven Hollingsworth
Comment 5 2008-02-06 20:51:39 PST
Created attachment 18977: Problem Report for Webkit
Just had this issue appear again while scrolling through Google Reader.
Steven Hollingsworth
Comment 6 2008-02-07 14:47:24 PST
Created attachment 18991: Problem Report for Webkit
Just had this issue occur again on Google Reader.
Alexey Proskuryakov
Comment 7 2008-02-08 05:37:12 PST
Thanks! The stack traces are different, and they do not really match the "crash on quit" description, but such frequent crashing is worrisome.
Cameron Zwarich (cpst)
Comment 8 2008-02-08 21:02:32 PST
I agree, this is probably not a crash on quit. Google Reader is known for doing some funky things with JS, so it is likely a problem with the ActivationImp tear-off. I will try to find a reliable method of reproduction so that I can figure out exactly what is going wrong.
Cameron Zwarich (cpst)
Comment 9 2008-02-09 13:50:31 PST
I played around with Google Reader for a bit, trying to reproduce the crash, but I couldn't.
Steven Hollingsworth
Comment 10 2008-02-16 17:21:10 PST
*** Bug 17389 has been marked as a duplicate of this bug. ***
Steven Hollingsworth
Comment 11 2008-02-16 17:21:36 PST
Bug continues to occur.
Cameron Zwarich (cpst)
Comment 12 2008-02-16 17:24:49 PST
The third stack trace is probably the same issue as bug 17329, which is now fixed, whereas the first two are likely the same distinct bug.
Steven Hollingsworth
Comment 13 2008-02-16 18:02:18 PST
Comment on attachment 18991: Problem Report for Webkit
Same as bug 17329, which has been fixed.
Cameron Zwarich (cpst)
Comment 14 2008-02-16 19:12:06 PST
All of the stack traces look the same (I didn't check all the way back) so it is probably the same JS causing the crash each time. It's also sort of strange that the crash is on dereferencing a null pointer rather than something offset from zero. Where would that be happening in JSNodeList::indexGetter()?
Steven Hollingsworth
Comment 15 2008-02-16 20:04:30 PST
Created attachment 19165: Problem Report for WebKit
Just had this issue again while loading AmpCoder.com in one tab and an already loaded GoDaddy.com in the other.
Alexey Proskuryakov
Comment 16 2008-02-17 00:23:17 PST
(In reply to comment #14)
> It's also sort of strange that the crash is on dereferencing a null pointer
> rather than something offset from zero.

AFAICT, the crash may be happening in a virtual node->nodeType() call in toJS(ExecState*, PassRefPtr<Node> n) in JSNodeCustom.cpp.
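Comments 14 and 16 together explain why the fault address is zero rather than a small offset: a virtual call through a null Node* first loads the object's vtable pointer, which sits at offset 0 of the object on the usual C++ ABIs, so the first memory access is to address 0 itself. The C++ below is an added illustration of that mechanism and of the guard that prevents it; it is not WebKit's code and not the fix that later landed in r31144. The Node, NodeList, toJS and indexGetter stand-ins are hypothetical, and the -1 return value stands in for a JS null.

```cpp
// Added illustration (not WebKit code): a virtual call on a null Node faults at
// address 0, and the wrapper layer should null-check before any virtual dispatch.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

// Hypothetical stand-ins for WebCore's Node hierarchy.
struct Node {
    virtual ~Node() = default;
    virtual int nodeType() const = 0;   // dispatched through the vtable
};

struct Element : Node {
    int nodeType() const override { return 1; }   // DOM ELEMENT_NODE
};

struct Text : Node {
    int nodeType() const override { return 3; }   // DOM TEXT_NODE
};

// Hypothetical NodeList: item() returns null for an out-of-range index, as the
// DOM's NodeList.item() does. A JS index getter can therefore receive null.
struct NodeList {
    std::vector<std::shared_ptr<Node>> nodes;
    Node* item(std::size_t index) const {
        return index < nodes.size() ? nodes[index].get() : nullptr;
    }
};

// On the common ABIs a polymorphic object's vtable pointer is its first word,
// so a virtual call through `node` reads from the object's own address first.
// For a null pointer that read is at address 0, matching the fault in the traces.
std::uintptr_t vtableLoadAddress(const Node* node) {
    return reinterpret_cast<std::uintptr_t>(node);
}

// "Before" form: no null check, so a null Node* reaches the virtual call.
// Never call this with null; it is undefined behaviour and crashes in practice.
int toJSUnchecked(Node* node) {
    return node->nodeType();
}

// Hardened form: reject null before any member access or virtual dispatch.
int toJSChecked(Node* node) {
    if (!node)
        return -1;   // stands in for jsNull()
    return node->nodeType();
}

// Analogue of an index getter: resolve the index, then wrap whatever comes back,
// including null, without assuming the list is still as long as it was.
int indexGetter(const NodeList& list, std::size_t index) {
    return toJSChecked(list.item(index));
}

// Constructed sample list: one element node followed by one text node.
NodeList makeSampleList() {
    NodeList list;
    list.nodes.push_back(std::make_shared<Element>());
    list.nodes.push_back(std::make_shared<Text>());
    return list;
}

int main() {
    NodeList list = makeSampleList();
    std::printf("list[0] -> %d, list[1] -> %d, list[2] -> %d\n",
                indexGetter(list, 0), indexGetter(list, 1), indexGetter(list, 2));
    std::printf("virtual call on null reads vtable from 0x%llx\n",
                static_cast<unsigned long long>(vtableLoadAddress(nullptr)));
    return 0;
}
```

The point of the checked form is that the wrapper layer, not the caller, owns the null case: any path that can hand toJS a null Node (an index past the end, a list that shrank between length and item) then yields a JS null instead of a read at address 0.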
Steven Hollingsworth
Comment 17 2008-02-17 23:23:45 PST
Created attachment 19183: Problem Report for Webkit
Just had another crash while browsing through Gmail.
Alexey Proskuryakov
Comment 18 2008-02-18 03:10:19 PST
*** Bug 17399 has been marked as a duplicate of this bug. ***
Alexey Proskuryakov
Comment 19 2008-02-18 03:13:01 PST
Marking confirmed since this keeps happening, and we have a duplicate - although I never saw this myself.
Alexey Proskuryakov
Comment 20 2008-02-18 03:13:53 PST
Steven Hollingsworth
Comment 21 2008-02-18 12:34:04 PST
Created attachment 19194: Problem Report for WebKit
Just had this issue occur while loading iGoogle in a single window.
Steven Hollingsworth
Comment 22 2008-02-18 12:59:50 PST
Created attachment 19195: Problem Report for WebKit
Just had this issue after composing a message in Gmail and clicking "Send".
David Kilzer (:ddkilzer)
Comment 23 2008-02-23 19:02:56 PST
The call stack in the crashing thread is awfully deep (180+ frames). Could this be related to removing the KJS_MEM_LIMIT in r30492?

http://trac.webkit.org/projects/webkit/changeset/30492

Steven, if you use a WebKit nightly build before r30492, do you still see crashes?
David Kilzer (:ddkilzer)
Comment 24 2008-02-23 19:04:02 PST
I think it's fair to say that this is a regression as well.
David Kilzer (:ddkilzer)
Comment 25 2008-02-23 19:08:11 PST
(In reply to comment #23)
> The call stack in the crashing thread is awfully deep (180+ frames). Could
> this be related to removing the KJS_MEM_LIMIT in r30492?
>
> http://trac.webkit.org/projects/webkit/changeset/30492

Hmm...that didn't make much sense. KJS_MAX_STACK was raised from 100 to 500 in r25161, but that was a while ago. Please ignore Comment #23. :)
Ismail Donmez
Comment 26 2008-02-29 14:01:11 PST
I frequently see this at GMail using latest SVN.
Steven Hollingsworth
Comment 27 2008-03-02 07:41:02 PST
I just had this issue while working on a Spreadsheet in Google Docs.
Maciej Stachowiak
Comment 28 2008-03-13 22:22:03 PDT
We're actively investigating this bug. If anyone can reproduce it running under gdb, please find a WebKit developer (especially weinig, bdash, darin or maciej) on IRC.
Sam Weinig
Comment 29 2008-03-18 18:43:18 PDT
Fix landed in r31144.