Bug 18828 - Reproducible crash with PAC file
Summary: Reproducible crash with PAC file
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: Mac OS X 10.5
Importance: P1 Major
Assignee: Alexey Proskuryakov
URL: http://ip30.eti.uva.nl/zma3d/sittidae...
Keywords:
Depends on:
Blocks:
Reported: 2008-05-01 07:32 PDT by Gavin Sherlock
Modified: 2008-05-12 00:39 PDT (History)

Attachments
Crash log (33.15 KB, text/plain)
2008-05-01 07:32 PDT, Gavin Sherlock
fix by disabling incomplete multithreading support (2.33 KB, patch)
2008-05-12 00:30 PDT, Alexey Proskuryakov
mjs: review+

Description Gavin Sherlock 2008-05-01 07:32:02 PDT
Steps to reproduce:

1.  Go to http://ip30.eti.uva.nl/zma3d/sittidae.html
2.  Click on Medium Size for the top bird.

Kaboom.  Crash.  Tested in r32698.  It does not crash on Safari 3.1.1.  Crash log coming.

Note: this is the same bug URL as bug 3524; I don't think they are actually related though.
Comment 1 Gavin Sherlock 2008-05-01 07:32:24 PDT
Created attachment 20912
Crash log
Comment 2 Matt Lilek 2008-05-01 09:11:15 PDT
I can't reproduce this, but if anyone can it will have to be moved to radar as the crash is in closed source libraries unrelated to WebKit.
Comment 3 Gavin Sherlock 2008-05-01 09:15:36 PDT
Hmm, it's reproducible on my machine at home (2 out of 2 times I tried), but not on my machine at work.  Both are running 10.5.2, and both are Mac Pros (one new, one older).  The only difference that occurs to me is that the one on which it crashed has the Java 1.6 release installed, but I don't think that's relevant.
Comment 4 Gavin Sherlock 2008-05-01 21:04:48 PDT
I worked out the problem.  Looking more closely at the crash log:

Thread 5 Crashed:
0   com.apple.JavaScriptCore      	0x003a7c19 JSObjectIsFunction + 9
1   com.apple.CFNetwork           	0x96f719f3 JSObjectIsFunction + 190
2   com.apple.CFNetwork           	0x96f5ac36 _callPACFunction + 131
3   com.apple.CFNetwork           	0x96f5c4a7 _JSFindProxyForURLAsync + 197
4   com.apple.CFNetwork           	0x96f1e870 _CFNetworkProxyListForURLAsync + 771
5   com.apple.CFNetwork           	0x96f1e50e constructProxyList + 326

I noticed reference to a proxy.  The problem only manifests when you're behind a proxy server.  I use a PAC file so that when I access online scientific journals, I get routed through Stanford, and thus have Stanford access to those journals.  I just removed the reference to the PAC file in the system preferences, and the crash no longer occurs.  If it's relevant, the PAC file (referenced by URL) is:

http://library.stanford.edu/apcproxy/suproxy.pac

I presume this means the bug is in CFNetwork, not WebKit, and that I should file a radar, and this should be marked as INVALID?

I've noticed at least two other bugs in Leopard with regard to PAC files (Adobe updater takes up all available RAM behind a proxy, and dmnotifyd also takes up all available memory after waking from sleep (see http://discussions.apple.com/thread.jspa?threadID=1287849&tstart=0)), so these may all be related.
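To make the triage done in this comment repeatable, here is an added Python example (not from the bug, WebKit or CFNetwork) that parses an Apple crash log in the layout quoted above, picks the thread marked "Crashed" rather than thread 0, and flags whether its stack runs through CFNetwork's PAC evaluation. The sample log is constructed from the frames quoted in this comment, with made-up filler frames for thread 0.

```python
import re

# Constructed sample in Apple crash-log layout; thread 5 reuses the frames
# quoted in comment 4, thread 0 is filler.
SAMPLE_CRASH_LOG = """\
Thread 0:
0   libSystem.B.dylib             \t0x9056d1a6 mach_msg_trap + 10
1   com.apple.CoreFoundation      \t0x9072dcf8 CFRunLoopRunSpecific + 1000

Thread 5 Crashed:
0   com.apple.JavaScriptCore      \t0x003a7c19 JSObjectIsFunction + 9
1   com.apple.CFNetwork           \t0x96f719f3 JSObjectIsFunction + 190
2   com.apple.CFNetwork           \t0x96f5ac36 _callPACFunction + 131
3   com.apple.CFNetwork           \t0x96f5c4a7 _JSFindProxyForURLAsync + 197
4   com.apple.CFNetwork           \t0x96f1e870 _CFNetworkProxyListForURLAsync + 771
5   com.apple.CFNetwork           \t0x96f1e50e constructProxyList + 326
"""

THREAD_RE = re.compile(r"^Thread (\d+)( Crashed)?:$")
FRAME_RE = re.compile(r"^(\d+)\s+(\S+)\s+0x[0-9a-fA-F]+\s+(.+?) \+ \d+$")
PAC_SYMBOL_RE = re.compile(r"PAC|Proxy")

def parse_threads(text):
    """Map thread number -> {"crashed": bool, "frames": [(binary, symbol)]}."""
    threads, current = {}, None
    for line in text.splitlines():
        m = THREAD_RE.match(line.rstrip())
        if m:
            current = int(m.group(1))
            threads[current] = {"crashed": bool(m.group(2)), "frames": []}
            continue
        m = FRAME_RE.match(line.rstrip())
        if m and current is not None:
            threads[current]["frames"].append((m.group(2), m.group(3)))
    return threads

def triage(text):
    """Pick out the thread marked Crashed (rather than thread 0) and say
    whether its stack runs through CFNetwork's proxy auto-config (PAC) path."""
    for num, info in parse_threads(text).items():
        if not info["crashed"]:
            continue
        frames = info["frames"]
        return {
            "thread": num,
            "top_binary": frames[0][0] if frames else None,
            "pac_path": any(PAC_SYMBOL_RE.search(sym) for _, sym in frames),
            "binaries": sorted({binary for binary, _ in frames}),
        }
    return None
```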
Comment 5 Matt Lilek 2008-05-02 06:30:39 PDT
Oh wow, I guess I didn't have enough caffeine in me yesterday to look at which thread crashed.

(In reply to comment #4)
> 
> I presume this means the bug is in CFNetwork, not Webkit, and that I should
> file a radar, and this should be marked as INVALID?
> 
> I've noticed at least two other bugs in Leopard with regard to PAC files (Adobe
> updater takes up all available RAM behind a proxy, and dmnotifyd also takes up
> all available memory after waking from sleep (see
> http://discussions.apple.com/thread.jspa?threadID=1287849&tstart=0)), so these
> may all be related.
> 

Looks like it's actually in JSCore; there have been a number of PAC file-related crashes lately.
Comment 6 Alexey Proskuryakov 2008-05-03 01:00:15 PDT
Can you still reproduce this problem with r32828?
Comment 7 Gavin Sherlock 2008-05-03 05:46:05 PDT
Still reproduces with r32828, with identical backtrace.
Comment 8 Alexey Proskuryakov 2008-05-05 01:21:54 PDT
Confirmed with r32862.
Comment 9 Alexey Proskuryakov 2008-05-12 00:30:48 PDT
Created attachment 21076
fix by disabling incomplete multithreading support
Comment 10 Maciej Stachowiak 2008-05-12 00:37:40 PDT
Comment on attachment 21076
fix by disabling incomplete multithreading support

r=me
Comment 11 Alexey Proskuryakov 2008-05-12 00:39:30 PDT
Committed revision 33039.