Open around 5 tabs on www.newegg.com. Before they all finish loading, start closing them using Cmd-W. Crash! Reproduced in nightly r13302 and r14505 (with different backtraces).
Created attachment 8455 [details]
Crash log

Here is a crash log from nightly WebKit r14505.
Confirmed using r14648. I can reproduce it almost every time by:
1. Open a window and let www.newegg.com load (newly loaded WebKit).
2. Close the window, using cmd+w or the red pill.
This doesn't happen in Safari release. I guess the component could be WebCore JavaScript, as that's how the crash trace starts.
I tried a few times and could not reproduce it. But the backtrace makes it look like a problem where a timer fires after the DOMWindow is gone. Looks like the code is calling defaultView on a document and getting a 0 back. So I think the fix is to add a nil check to the toJS function that takes a DOMWindow in kjs_window.cpp.
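The diagnosis above (a timer callback runs after the window is closed, Document::defaultView() returns 0, and the DOMWindow wrapper code dereferences it) modelled as an added example; this is a simplified stand-in for the WebCore types named in the thread, not WebKit's own code, and the names JSValue, DOMWindow, Document, ScheduledAction and fireTimerAfterWindowClosed are hypothetical here:

```cpp
#include <cassert>

// Hypothetical stand-in for KJS::JSValue: either JS null or a wrapper
// that points at a DOMWindow.
struct JSValue {
    enum Kind { Null, WindowWrapper } kind;
    const void* wrapped;   // the DOMWindow a wrapper refers to, else nullptr
};

static JSValue jsNull() { return JSValue{JSValue::Null, nullptr}; }

struct DOMWindow {};

// Simplified Document: once the window has been torn down (Cmd-W),
// defaultView() hands back 0, which is what the backtrace showed.
struct Document {
    DOMWindow* window = nullptr;
    DOMWindow* defaultView() const { return window; }
};

// The fix the comment proposes: the toJS overload taking a DOMWindow
// checks for 0 and returns JS null instead of wrapping a dead pointer.
static JSValue toJS(DOMWindow* window) {
    if (!window)
        return jsNull();
    return JSValue{JSValue::WindowWrapper, window};
}

// Models KJS::ScheduledAction::execute: a setTimeout callback that
// touches document.defaultView when it eventually fires.
struct ScheduledAction {
    Document* document;
    JSValue execute() const { return toJS(document->defaultView()); }
};

// Schedules an action, closes the window before the timer fires, then
// fires it. With the null check the callback gets JS null rather than
// a null-pointer dereference; returns the kind of value it produced.
static JSValue::Kind fireTimerAfterWindowClosed() {
    DOMWindow window;
    Document doc{&window};
    ScheduledAction action{&doc};
    assert(action.execute().kind == JSValue::WindowWrapper); // window alive
    doc.window = nullptr;           // window closed, timer still pending
    return action.execute().kind;   // timer fires: Null, no crash
}
```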
Created attachment 8705 [details]
patch
Comment on attachment 8705 [details]
patch

r=me
Committed revision 14733.
I can still reproduce the crash (using the original instructions), although at a later stage:

0 <<00000000>> 0xfffeff18 objc_msgSend_rtp + 24
1 com.apple.WebKit 0x00333328 -[WebFrameBridge webView] + 144 (WebFrameBridge.m:111)
2 com.apple.WebKit 0x00335888 -[WebFrameBridge addMessageToConsole:] + 68 (WebFrameBridge.m:445)
3 com.apple.WebCore 0x018660b8 WebCore::FrameMac::addMessageToConsole(WebCore::String const&, unsigned, WebCore::String const&) + 264 (FrameMac.mm:1335)
4 com.apple.WebCore 0x01a7edf8 WebCore::KJSProxy::evaluate(WebCore::String const&, int, WebCore::String const&, WebCore::Node*) + 1228 (kjs_proxy.cpp:77)
5 com.apple.WebCore 0x0185e3c0 WebCore::Frame::executeScript(WebCore::Node*, DeprecatedString const&, bool) + 244 (Frame.cpp:399)
6 com.apple.WebCore 0x01a84abc KJS::ScheduledAction::execute(KJS::Window*) + 968 (kjs_window.cpp:1810)
7 com.apple.WebCore 0x01a8a8f8 KJS::Window::timerFired(KJS::DOMWindowTimer*) + 76 (kjs_window.cpp:1907)
8 com.apple.WebCore 0x01a8a9d0 KJS::DOMWindowTimer::fired() + 44 (kjs_window.cpp:2474)
9 com.apple.WebCore 0x01a05cb8 WebCore::TimerBase::fireTimers(double, WTF::Vector<WebCore::TimerBase*, (unsigned long)0> const&) + 260 (Timer.cpp:321)
10 com.apple.WebCore 0x01a05d6c WebCore::TimerBase::sharedTimerFired() + 132 (Timer.cpp:354)
11 com.apple.WebCore 0x01a05118 WebCore::timerFired(__CFRunLoopTimer*, void*) + 60 (SharedTimerMac.cpp:47)
12 com.apple.CoreFoundation 0x907ef550 __CFRunLoopDoTimer + 184
Comment on attachment 8705 [details]
patch

Clearing the flag so this doesn't show up in the list to be committed.
I can also reproduce it (using my instructions). My crash log starts like this (the toJS function doesn't appear, as it did in the reporter's crash log):

0 com.apple.WebCore 0x0129b120 WebCore::DOMWindow::frame() + 0
1 com.apple.WebCore 0x0126596c WebCore::JSDocument::getValueProperty(KJS::ExecState*, int) const + 380
2 com.apple.WebCore 0x0126596c WebCore::JSDocument::getValueProperty(KJS::ExecState*, int) const + 380
3 com.apple.JavaScriptCore 0x00137c90 KJS::JSObject::get(KJS::ExecState*, KJS::Identifier const&) const + 176
4 com.apple.JavaScriptCore 0x0012a44c KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 60
5 com.apple.JavaScriptCore 0x00128518 KJS::VarDeclNode::evaluate(KJS::ExecState*) + 88
6 com.apple.JavaScriptCore 0x0012845c KJS::VarDeclListNode::evaluate(KJS::ExecState*) + 76
7 com.apple.JavaScriptCore 0x0012ec68 KJS::VarStatementNode::execute(KJS::ExecState*) + 104
8 com.apple.JavaScriptCore 0x001324ac KJS::SourceElementsNode::execute(KJS::ExecState*) + 252
9 com.apple.JavaScriptCore 0x0012edf8 KJS::BlockNode::execute(KJS::ExecState*) + 152
10 com.apple.JavaScriptCore 0x0011a758 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 56
11 com.apple.JavaScriptCore 0x0011a000 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 432
12 com.apple.JavaScriptCore 0x00138a34 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 116
13 com.apple.JavaScriptCore 0x0012a678 KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 616
14 com.apple.JavaScriptCore 0x0012eec8 KJS::ExprStatementNode::execute(KJS::ExecState*) + 104
15 com.apple.JavaScriptCore 0x001324ac KJS::SourceElementsNode::execute(KJS::ExecState*) + 252
16 com.apple.JavaScriptCore 0x0012edf8 KJS::BlockNode::execute(KJS::ExecState*) + 152
17 com.apple.JavaScriptCore 0x0011e80c KJS::InterpreterImp::evaluate(KJS::UChar const*, int, KJS::JSValue*, KJS::UString const&, int) + 908
18 com.apple.JavaScriptCore 0x00121bd4 KJS::Interpreter::evaluate(KJS::UString const&, int, KJS::UChar const*, int, KJS::JSValue*) + 68
19 com.apple.WebCore 0x0128c958 WebCore::KJSProxy::evaluate(WebCore::String const&, int, WebCore::String const&, WebCore::Node*) + 280
20 com.apple.WebCore 0x010d47e8 WebCore::Frame::executeScript(WebCore::Node*, DeprecatedString const&, bool) + 184
<rdar://problem/4578100>
Created attachment 9052 [details]
Patch
Comment on attachment 9052 [details]
Patch

r=me
Fixed in r15048.