RESOLVED FIXED 5518
Consistent crash using liveconnect/javascript @ www.binarybet.com
https://bugs.webkit.org/show_bug.cgi?id=5518
Summary Consistent crash using liveconnect/javascript @ www.binarybet.com
Andrew Wright
Reported 2005-10-27 02:08:58 PDT
Our site uses a heavy mixture of frames, javascript, liveconnect to an applet....you name it. It basically works but is quite flaky - Safari (or the nightly builds) crash just during navigation around the site. The crash reports are all very similar, down in KJS::Bindings::dispatchJNICall. This happens across all versions of Safari - I'm testing with fully patched 10.4.2. I've gotten as far as debugging ToT source in xcode but my obj-c skills are somewhat lacking :-/

Relevant portion of crashdump attached. Happy to build/update/test/provide more info if it will help.

Date/Time:      2005-10-27 09:47:26.366 +0100
OS Version:     10.4.2 (Build 8C46)
Report Version: 3

Command:        Safari
Path:           /Applications/Safari.app/Contents/MacOS/Safari
Parent:         WindowServer [87]

Version:        2.0.1 (412.5)
Build Version:  7
Project Name:   WebBrowser
Source Version: 4120500

PID:            23018
Thread:         0

Exception:      EXC_BAD_ACCESS (0x0001)
Codes:          KERN_INVALID_ADDRESS (0x0001) at 0x162a096c

Thread 0 Crashed:
0   <<00000000>>                  0xfffeff30 objc_msgSend_rtp + 48
1   com.apple.JavaScriptCore      0x95a71f14 KJS::Bindings::dispatchJNICall(void const*, _jobject*, bool, JNIType, _jmethodID*, jvalue*, jvalue&, char const*, KJS::Value&) + 80
2   com.apple.JavaScriptCore      0x95a68840 KJS::Bindings::JavaInstance::invokeMethod(KJS::ExecState*, KJS::Bindings::MethodList const&, KJS::List const&) + 460
3   com.apple.JavaScriptCore      0x95a691ac KJS::RuntimeMethodImp::call(KJS::ExecState*, KJS::Object&, KJS::List const&) + 268
4   com.apple.JavaScriptCore      0x95a34d70 KJS::Object::call(KJS::ExecState*, KJS::Object&, KJS::List const&) + 172
5   com.apple.JavaScriptCore      0x95a33670 KJS::FunctionCallNode::evaluate(KJS::ExecState*) + 932
6   com.apple.JavaScriptCore      0x95a37d7c KJS::ArgumentListNode::evaluateList(KJS::ExecState*) + 80
7   com.apple.JavaScriptCore      0x95a347d0 KJS::ArgumentsNode::evaluateList(KJS::ExecState*) + 44
8   com.apple.JavaScriptCore      0x95a33370 KJS::FunctionCallNode::evaluate(KJS::ExecState*) + 164
9   com.apple.JavaScriptCore      0x95a332b4 KJS::AssignExprNode::evaluate(KJS::ExecState*) + 40
10  com.apple.JavaScriptCore      0x95a331c4 KJS::VarDeclNode::evaluate(KJS::ExecState*) + 124
11  com.apple.JavaScriptCore      0x95a330f4 KJS::VarDeclListNode::evaluate(KJS::ExecState*) + 68
12  com.apple.JavaScriptCore      0x95a32f50 KJS::VarStatementNode::execute(KJS::ExecState*) + 128
13  com.apple.JavaScriptCore      0x95a55ba4 KJS::StatListNode::execute(KJS::ExecState*) + 52
14  com.apple.JavaScriptCore      0x95a55b24 KJS::CaseClauseNode::evalStatements(KJS::ExecState*) + 52
15  com.apple.JavaScriptCore      0x95a55598 KJS::CaseBlockNode::evalBlock(KJS::ExecState*, KJS::Value const&) + 548
16  com.apple.JavaScriptCore      0x95a55274 KJS::SwitchNode::execute(KJS::ExecState*) + 304
17  com.apple.JavaScriptCore      0x95a32dc8 KJS::SourceElementsNode::execute(KJS::ExecState*) + 500
18  com.apple.JavaScriptCore      0x95a32b64 KJS::BlockNode::execute(KJS::ExecState*) + 136
19  com.apple.JavaScriptCore      0x95a3f260 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 44
20  com.apple.JavaScriptCore      0x95a3eb60 KJS::FunctionImp::call(KJS::ExecState*, KJS::Object&, KJS::List const&) + 428
21  com.apple.JavaScriptCore      0x95a69cf4 KJS::Bindings::JSObject::call(_jstring*, _jobjectArray*) const + 496
22  com.apple.JavaScriptCore      0x95a69968 KJS::Bindings::JSObject::invoke(KJS::Bindings::JSObjectCallContext*) + 316
23  com.apple.JavaScriptCore      0x95a6afb4 KJS_JSObject_JSObjectCall + 48
24  com.apple.JavaPluginCocoa     0x059b7688 nsToJavaString + 3740
25  com.apple.JavaPluginCocoa     0x059b6cf8 nsToJavaString + 1292
26  com.apple.Foundation          0x92890760 __NSFireMainThreadPerform + 276
27  com.apple.CoreFoundation      0x9077c108 __CFRunLoopPerformPerform + 104
28  com.apple.CoreFoundation      0x9074bc8c __CFRunLoopDoSources0 + 384
29  com.apple.CoreFoundation      0x9074b1bc __CFRunLoopRun + 452
30  com.apple.CoreFoundation      0x9074ac3c CFRunLoopRunSpecific + 268
31  com.apple.HIToolbox           0x93129ac0 RunCurrentEventLoopInMode + 264
32  com.apple.HIToolbox           0x931d66e0 HIMenuView::SimulateHitSelf(short, unsigned long, short*) + 200
33  com.apple.HIToolbox           0x931d65d0 HIStandardMenuView::SimulateHitSelf(short, unsigned long, short*) + 172
34  com.apple.HIToolbox           0x9314b630 HIView::EventHandler(OpaqueEventHandlerCallRef*, OpaqueEventRef*, void*) + 1932
35  com.apple.HIToolbox           0x931288d4 DispatchEventToHandlers(EventTargetRec*, OpaqueEventRef*, HandlerCallRec*) + 692
36  com.apple.HIToolbox           0x9312802c SendEventToEventTargetInternal(OpaqueEventRef*, OpaqueEventTargetRef*, HandlerCallRec*) + 372
37  com.apple.HIToolbox           0x93127ea8 SendEventToEventTargetWithOptions + 40
38  com.apple.HIToolbox           0x931d64c8 SendControlSimulateHit(HIView*, short, unsigned long, short*) + 172
39  com.apple.HIToolbox           0x932ae8b8 HIView::SimulateClickSelf(short, unsigned long, short*) + 36
40  com.apple.HIToolbox           0x9314b58c HIView::EventHandler(OpaqueEventHandlerCallRef*, OpaqueEventRef*, void*) + 1768
41  com.apple.HIToolbox           0x931288d4 DispatchEventToHandlers(EventTargetRec*, OpaqueEventRef*, HandlerCallRec*) + 692
42  com.apple.HIToolbox           0x9312802c SendEventToEventTargetInternal(OpaqueEventRef*, OpaqueEventTargetRef*, HandlerCallRec*) + 372
43  com.apple.HIToolbox           0x93127ea8 SendEventToEventTargetWithOptions + 40
44  com.apple.HIToolbox           0x931d63b8 HIView::SimulateClick(short, unsigned long, short*) + 192
45  com.apple.HIToolbox           0x931d62dc HIViewSimulateClick + 60
46  com.apple.HIToolbox           0x931d619c FlashFeedback(MenuSelectData*) + 96
47  com.apple.HIToolbox           0x931d6100 SelectItemAndRestoreAllMenuBits(MenuSelectData&) + 436
48  com.apple.HIToolbox           0x931c0dec TrackMenuCommon(MenuSelectData&, unsigned char*) + 828
49  com.apple.HIToolbox           0x931f9428 PopUpMenuSelectCore(MenuData*, Point, double, Point, GDevice**, Rect const*, unsigned short, unsigned long, Rect const*, Rect const*, __CFString const*, OpaqueMenuRef**, unsigned short*) + 312
50  com.apple.HIToolbox           0x931f92a4 _HandlePopUpMenuSelection5 + 364
51  com.apple.AppKit              0x93755ce0 _NSPopUpCarbonMenu2 + 2268
52  com.apple.AppKit              0x937553f4 _NSPopUpCarbonMenu1 + 44
53  com.apple.AppKit              0x937553b0 -[NSCarbonMenuImpl popUpMenu:atLocation:width:forView:withSelectedItem:withFont:] + 224
54  com.apple.AppKit              0x93755050 -[NSPopUpButtonCell trackMouse:inRect:ofView:untilMouseUp:] + 1184
55  com.apple.WebCore             0x95ca5348 -[KWQPopUpButtonCell trackMouse:inRect:ofView:untilMouseUp:] + 148
56  com.apple.AppKit              0x936ec164 -[NSControl mouseDown:] + 536
57  com.apple.WebCore             0x95ca5578 -[KWQPopUpButton mouseDown:] + 72
58  com.apple.WebCore             0x95c495c8 KWQKHTMLPart::passWidgetMouseDownEventToWidget(QWidget*) + 644
59  com.apple.WebCore             0x95c1dfb8 KWQKHTMLPart::passWidgetMouseDownEventToWidget(khtml::MouseEvent*) + 260
60  com.apple.WebCore             0x95c1ddec KWQKHTMLPart::khtmlMousePressEvent(khtml::MousePressEvent*) + 168
61  com.apple.WebCore             0x95dc6c28 KParts::Part::event(QEvent*) + 28
62  com.apple.WebCore             0x95c1d508 KHTMLView::viewportMousePressEvent(QMouseEvent*) + 1008
63  com.apple.WebCore             0x95c1cfd0 KWQKHTMLPart::mouseDown(NSEvent*) + 424
64  com.apple.WebKit              0x9595c444 -[WebHTMLView mouseDown:] + 200
65  com.apple.WebCore             0x95c495c8 KWQKHTMLPart::passWidgetMouseDownEventToWidget(QWidget*) + 644
66  com.apple.WebCore             0x95bfd10c KWQKHTMLPart::passSubframeEventToSubframe(DOM::NodeImpl::MouseEvent&) + 208
67  com.apple.WebCore             0x95c1d394 KHTMLView::viewportMousePressEvent(QMouseEvent*) + 636
68  com.apple.WebCore             0x95c1cfd0 KWQKHTMLPart::mouseDown(NSEvent*) + 424
69  com.apple.WebKit              0x9595c444 -[WebHTMLView mouseDown:] + 200
70  com.apple.WebCore             0x95c495c8 KWQKHTMLPart::passWidgetMouseDownEventToWidget(QWidget*) + 644
71  com.apple.WebCore             0x95bfd10c KWQKHTMLPart::passSubframeEventToSubframe(DOM::NodeImpl::MouseEvent&) + 208
72  com.apple.WebCore             0x95c1d394 KHTMLView::viewportMousePressEvent(QMouseEvent*) + 636
73  com.apple.WebCore             0x95c1cfd0 KWQKHTMLPart::mouseDown(NSEvent*) + 424
74  com.apple.WebKit              0x9595c444 -[WebHTMLView mouseDown:] + 200
75  com.apple.WebCore             0x95c495c8 KWQKHTMLPart::passWidgetMouseDownEventToWidget(QWidget*) + 644
76  com.apple.WebCore             0x95bfd10c KWQKHTMLPart::passSubframeEventToSubframe(DOM::NodeImpl::MouseEvent&) + 208
77  com.apple.WebCore             0x95c1d394 KHTMLView::viewportMousePressEvent(QMouseEvent*) + 636
78  com.apple.WebCore             0x95c1cfd0 KWQKHTMLPart::mouseDown(NSEvent*) + 424
79  com.apple.WebKit              0x9595c444 -[WebHTMLView mouseDown:] + 200
80  com.apple.WebCore             0x95c495c8 KWQKHTMLPart::passWidgetMouseDownEventToWidget(QWidget*) + 644
81  com.apple.WebCore             0x95bfd10c KWQKHTMLPart::passSubframeEventToSubframe(DOM::NodeImpl::MouseEvent&) + 208
82  com.apple.WebCore             0x95c1d394 KHTMLView::viewportMousePressEvent(QMouseEvent*) + 636
83  com.apple.WebCore             0x95c1cfd0 KWQKHTMLPart::mouseDown(NSEvent*) + 424
84  com.apple.WebKit              0x9595c444 -[WebHTMLView mouseDown:] + 200
85  com.apple.AppKit              0x9368d9c8 -[NSWindow sendEvent:] + 4616
86  com.apple.Safari              0x0001d2d8 0x1000 + 115416
87  com.apple.AppKit              0x93636bfc -[NSApplication sendEvent:] + 4172
88  com.apple.Safari              0x0001a2b8 0x1000 + 103096
89  com.apple.AppKit              0x9362e090 -[NSApplication run] + 508
90  com.apple.AppKit              0x9371e8bc NSApplicationMain + 452
91  com.apple.Safari              0x000021e8 0x1000 + 4584
92  com.apple.Safari              0x00056e28 0x1000 + 351784
Attachments
Full dump from latest public Safari (50.93 KB, application/octet-stream)
2005-11-01 02:01 PST, Andrew Wright
no flags
JVM crash at same time of Safari crash (14.29 KB, application/octet-stream)
2005-11-02 02:01 PST, Andrew Wright
no flags
JVM 5 dump (17.69 KB, application/octet-stream)
2005-12-13 02:58 PST, Andrew Wright
no flags
Safari dump to go with Attachment 5060 (46.37 KB, text/plain)
2005-12-13 02:58 PST, Andrew Wright
no flags
Fix (3.90 KB, patch)
2005-12-28 23:34 PST, Geoffrey Garen
mjs: review+
Alexey Proskuryakov
Comment 1 2005-10-30 02:49:29 PST
(In reply to comment #0)
> Relevant portion of crashdump attached. Happy to build/update/test/provide more info if it will help.

Please provide some way to reproduce the problem (even if inconsistently). Attaching (as a file) a complete crash log with all loaded binary images could also be useful, especially since this is JNI-related.
Andrew Wright
Comment 2 2005-11-01 02:01:22 PST
The most reproducible crasher involves selecting choices from 3 drop-down menus. The first two drop downs affect the next one along the row, selecting a row in the last menu calls an applet, which requests updated info from a server. Once this info is received, individual table cells are being updated with the new values (basically a stock price streaming/ticker solution). It is particularly bad if you change a menu selection without waiting for the entire table to load & begin updating - seems like cutting things off during an update causes issues. I can provide a login to our test system if needed but would rather not post it here - am happy to email someone direct though. BTW: are there any preferences for where to test/take crashdumps - latest public Safari, or a nightly build?
Andrew Wright
Comment 3 2005-11-01 02:01:54 PST
Created attachment 4548 [details] Full dump from latest public Safari
Andrew Wright
Comment 4 2005-11-01 10:56:18 PST
Some more info - the crash is consistently on this line:

    if ([view respondsToSelector:@selector(webPlugInCallJava:isStatic:returnType:method:arguments:callingURL:exceptionDescription:)]) {

of dispatchJNICall in jni_objc.mm, and strangely also appears to be when calling lastIndexOf (although that may just be a side-effect of our site). Adding a 'if (!view) return false' line to the above method made no difference.

Some sample output from the debug log, with a bit of extra debug. There are many successful calls, then the crash. There didn't seem to be any correlation between whether a global ref had been used before or not (before having a method called on it), and a crash - happened with both new & previously gc'ed references.

/Users/andrew/Code/WebKit/JavaScriptCore/bindings/jni/jni_instance.cpp:353 -- JObjectWrapper: new global ref 0xce2e224 for 0xce369fc
/Users/andrew/Code/WebKit/JavaScriptCore/bindings/jni/jni_instance.cpp:353 -- JObjectWrapper: new global ref 0xce2e220 for 0xce36d48
/Users/andrew/Code/WebKit/JavaScriptCore/bindings/jni/jni_instance.cpp:127 -- invokeMethod: call lastIndexOf (Ljava/lang/String;)I on 0xce2e224
/Users/andrew/Code/WebKit/JavaScriptCore/bindings/jni/jni_instance.cpp:130 -- invokeMethod: orig str: [18:42:55:496]
/Users/andrew/Code/WebKit/JavaScriptCore/bindings/jni/jni_instance.cpp:143 -- invokeMethod: arg [0] = [:]
/Users/andrew/Code/WebKit/JavaScriptCore/bindings/jni/jni_instance.cpp:273 -- invokeMethod: int result: [8]
...
/Users/andrew/Code/WebKit/JavaScriptCore/bindings/jni/jni_instance.cpp:353 -- JObjectWrapper: new global ref 0xce30e94 for 0xce35cf0
/Users/andrew/Code/WebKit/JavaScriptCore/bindings/jni/jni_instance.cpp:353 -- JObjectWrapper: new global ref 0xce30e90 for 0xce37a78
/Users/andrew/Code/WebKit/JavaScriptCore/bindings/jni/jni_instance.cpp:127 -- invokeMethod: call lastIndexOf (Ljava/lang/String;)I on 0xce30e94
/Users/andrew/Code/WebKit/JavaScriptCore/bindings/jni/jni_instance.cpp:130 -- invokeMethod: orig str: [13:52:02:531]
/Users/andrew/Code/WebKit/JavaScriptCore/bindings/jni/jni_instance.cpp:143 -- invokeMethod: arg [0] = [:]
[Switching to process 2313 local thread 0xf03]
Program received signal: "EXC_BAD_ACCESS".

Suspect this means the problem is elsewhere :-/
Andrew Wright
Comment 5 2005-11-02 02:01:01 PST
Created attachment 4562 [details] JVM crash at same time of Safari crash
Andrew Wright
Comment 6 2005-11-02 02:03:21 PST
Hadn't realised the JVM was crashing - attached sample log. Happens with 1.4.2 and 5.0 plugins. Possibly browser/plugin/jvm interacting badly?
Andrew Wright
Comment 7 2005-11-02 04:47:12 PST
JVM crash logged as radar 4325722
Andrew Wright
Comment 8 2005-12-13 02:57:16 PST
Symptoms become markedly worse using the Java5 VM - either update 3 publicly released, or the current DP from dev connection. Unfortunately our site goes from 'basically working' to 'badly broken' as a result. This is of particular concern as the next update will make Java 5 the default VM for users.

There is also a much easier way to reproduce the crash. Go to www.binarybet.com, and click on one of the 'highlights' for events on that page. This will open a page which uses the applet in question. Prices should load into the applet - I only see the first price load (a single row) then updates will either stop or a crash will occur. If it doesn't crash immediately, navigating the popup menus will trigger one.
Andrew Wright
Comment 9 2005-12-13 02:58:15 PST
Created attachment 5060 [details] JVM 5 dump

Running JVM Update 4 DP1
Andrew Wright
Comment 10 2005-12-13 02:58:49 PST
Created attachment 5061 [details] Safari dump to go with Attachment 5060 [details]
Geoffrey Garen
Comment 11 2005-12-27 12:08:32 PST
Thanks for the great bug report(s). I'm on the case.
Geoffrey Garen
Comment 12 2005-12-28 20:51:39 PST
Andrew,

Once again, thanks for the great bug report.

The basic problem here is that the Java plugin continues to execute code after Safari has told it to stop. Some of this code accesses plugin data structures that Safari/WebKit has destroyed. I'm preparing a patch that should fix this in a future release.

In the meantime, you can try to work around it. I see two options.

(1) Reload the page. Currently, your drop-down menus do a form submission and load the data you want into an iframe. If you could load the whole page instead, (still using the form submission to tell the server what data you wanted on the new page), the new page would ignore the old plugin's errant messages.

(2) Remove Java calls to JavaScript; use JavaScript calls to Java instead. If I'm reading things right, your Java plugin periodically invokes JavaScript methods like 'handleAppletTick' in order to update data. Instead, you could use a JavaScript method like setInterval, along with getElementById, to periodically call into Java and get the new data. (I'm not sure if this is practical on your end or not.)

Hope that helps.
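The pull-based pattern sketched in workaround (2) above, written out as an added example. This is not code from the bug report, from binarybet.com or from WebKit; the applet stub (getLatestPrices), the in-memory document, the cell ids and the "[HH:MM:SS:mmm] id=price;..." tick format are all constructed assumptions for the example. What it shows is the direction of control that the workaround relies on: the page owns the setInterval handle, a teardown flag plus clearInterval stops any further calls into the applet, and nothing in the plugin ever calls back into a document that WebKit may already have destroyed.

```javascript
// Added example (not from the bug or from WebKit): JavaScript polls the
// applet instead of the applet calling JavaScript. Everything here is
// constructed for the example: the applet stub, the fake document, the
// cell ids and the tick format are assumptions, not the real site.

// Stand-in for the <applet>'s LiveConnect surface. In a real page this
// would be document.getElementById('priceApplet') and getLatestPrices()
// a public method on the Java applet class (assumed name).
function makeFakeApplet(ticks) {
  let i = 0;
  return {
    // Returns one constructed tick per call; repeats the last one when
    // the list is exhausted, like a quiet market.
    getLatestPrices() {
      const t = ticks[Math.min(i, ticks.length - 1)];
      i += 1;
      return t;
    }
  };
}

// Minimal in-memory document: id -> { innerHTML }, enough for
// getElementById-style updates without a browser.
function makeFakeDocument(ids) {
  const cells = {};
  ids.forEach((id) => { cells[id] = { innerHTML: '' }; });
  return {
    getElementById: (id) => (Object.prototype.hasOwnProperty.call(cells, id) ? cells[id] : null),
    cells
  };
}

// Parse "[13:52:02:531] GBPUSD=1.7725;EURUSD=1.1812" into
// { time, prices }. Malformed input yields no prices rather than a
// throw, so one bad tick cannot kill the polling loop.
function parseTick(tick) {
  const close = typeof tick === 'string' ? tick.indexOf(']') : -1;
  if (close < 0 || tick.charAt(0) !== '[') return { time: null, prices: {} };
  const prices = {};
  tick.substring(close + 1).trim().split(';').forEach((pair) => {
    const eq = pair.indexOf('=');
    if (eq < 0) return;
    const id = pair.substring(0, eq).trim();
    const price = Number(pair.substring(eq + 1));
    if (id && !Number.isNaN(price)) prices[id] = price;
  });
  return { time: tick.substring(1, close), prices };
}

// One poll: JavaScript calls into the applet, then writes the cells the
// page actually has. Returns the number of cells updated.
function pollOnce(doc, applet) {
  const { prices } = parseTick(applet.getLatestPrices());
  let updated = 0;
  Object.keys(prices).forEach((id) => {
    const cell = doc.getElementById(id);
    if (cell) {                       // ignore ids the page does not render
      cell.innerHTML = String(prices[id]);
      updated += 1;
    }
  });
  return updated;
}

// Lifecycle owner. start() arms the interval; stop() clears it and sets
// a flag so a tick already queued on the run loop becomes a no-op. In a
// real page, call stop() from the unload / pagehide handler. The timers
// parameter lets a test drive ticks by hand; it defaults to the globals.
function makePoller(doc, applet, intervalMs, timers = { setInterval, clearInterval }) {
  let handle = null;
  let stopped = false;
  let polls = 0;
  function tick() {
    if (stopped) return 0;            // teardown guard
    polls += 1;
    return pollOnce(doc, applet);
  }
  return {
    start() { if (handle === null) handle = timers.setInterval(tick, intervalMs); },
    stop() {
      stopped = true;
      if (handle !== null) { timers.clearInterval(handle); handle = null; }
    },
    tick,
    pollCount: () => polls
  };
}
```

The teardown guard is the part that matters for this bug: once stop() has run, a tick that was already scheduled does nothing, which is the JavaScript-side equivalent of the check the plugin was missing when it kept dispatching into a torn-down page.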
Geoffrey Garen
Comment 13 2005-12-28 23:34:19 PST
Created attachment 5348 [details] Fix

Never has a programmer worked so hard to produce so little code. No layout test because the bug is difficult to reproduce.
Maciej Stachowiak
Comment 14 2005-12-29 00:25:07 PST
Comment on attachment 5348 [details] Fix

r=me, I will grudgingly accept the lack of test.
Geoffrey Garen
Comment 16 2005-12-29 02:35:06 PST
Landed.