20241 2008-07-31 04:37:14 -0700 [retitleme] Safari crashes at JSValueUnprotect() when fontpicker view close 2008-10-27 01:48:57 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) PC Windows XP RESOLVED INVALID InRadar P3 Normal --- 1 808caaa4.8ce9.9cd6c799e9f6 webkit-unassigned ap aroben oldest_to_newest 87479 0 808caaa4.8ce9.9cd6c799e9f6 2008-07-31 04:37:14 -0700 Access violation - code c0000005 (!!! second chance !!!) eax=3ea01c77 ebx=7f53ee38 ecx=0012ef68 edx=0051c0f0 esi=0012ef68 edi=7f194a00 eip=1003078c esp=0012fa70 ebp=0012fa8c iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202 WebKit!WTF__ThreadSpecific<WTF__OwnPtr<KJS__Heap__ThreadRegistrar> >__operator W TF__OwnPtr<KJS__Heap__ThreadRegistrar> *+c: 1003078c ff30 push dword ptr [eax] ds:0023:3ea01c77=???????? 0:000> k ChildEBP RetAddr 0012fa8c 10022b88 WebKit!WTF__ThreadSpecific<WTF__OwnPtr<KJS__Heap__ThreadRegist rar> >__operator WTF__OwnPtr<KJS__Heap__ThreadRegistrar> *+0xc 0012fac0 1039cd67 WebKit!KJS__Heap__registerThread+0x18 0012fad4 004770f0 WebKit!JSValueUnprotect+0x13 0012fb0c 005085da Safari+0x770f0 00000000 00000000 Safari+0x1085da // Hmmm... uninitialized m_currentThreadRegistrar? 87487 1 aroben 2008-07-31 06:50:59 -0700 Can you please tell us the steps to reproduce? 87488 2 808caaa4.8ce9.9cd6c799e9f6 2008-07-31 07:52:56 -0700 ntsdlog above is with: host: v3.1.2 (525.21) webkit: WebKit-r35417 OS: XPSP3 home, ja-JP reproduction summary: - open Preference. - go to Appearance panel, and press Select. FontPicker view appears. - close it. - drwatson invoked. 87489 3 aroben 2008-07-31 07:54:15 -0700 Thanks! 87581 4 ap 2008-08-01 10:46:54 -0700 I could reproduce this with a nightly, but not with a local debug build. 94741 5 mihnea 2008-10-09 08:48:10 -0700 Hello, I was able to reproduce it using a local debug build and following the steps already mentioned. I currently have revision 37446 on WinXP. Here is the stack trace, taken from Visual Studio debugger: 1.WebKit.dll!JSC::Heap::registerThread() Line 485 + 0x5 bytes C++ 2.WebKit.dll!JSValueUnprotect(const OpaqueJSContext * ctx=0x051e0170, const OpaqueJSValue * value=0x055f2700) Line 266 C++ 3.Safari.exe!FontPicker::~FontPicker() + 0x40 bytes 4.Safari.exe!FontPicker::`vector deleting destructor'() + 0x8 bytes 5.Safari.exe!WindowDeleter::deleteAllWindows() + 0x67 bytes 6.Safari.exe!WindowDeleter::ProcessWindowMessage() + 0x2a bytes 7.Safari.exe!ATL::CWindowImplBaseT<ATL::CWindow,ATL::CWinTraits<2147483648,524416> >::WindowProc() + 0x68 bytes 8.user32.dll!_InternalCallWinProc@20() + 0x28 bytes 9.user32.dll!_UserCallWinProcCheckWow@32() + 0xb7 bytes 10.user32.dll!_DispatchMessageWorker@8() + 0xdc bytes 11.user32.dll!_DispatchMessageW@4() + 0xf bytes 12.Safari.exe!RSSPrefsDlg::`vector deleting destructor'() + 0x20f bytes 13.Safari.exe!run() + 0x9d bytes 14.Safari.exe!_wWinMain@16() + 0x34b bytes 15.Safari.exe!_free() + 0x1a1 bytes 16.kernel32.dll!_BaseProcessStart@4() + 0x23 bytes The problem in function *void Heap::registerThread()* from file javascriptcore/kjs/collector.cpp appears while calling: if (pthread_getspecific(m_currentThreadRegistrar)) The problem is access violation while accessing a memory address. m_currentThreadRegistrar is not defined and cannot be seen in debugger. 95278 6 ap 2008-10-14 03:26:52 -0700 <rdar://problem/6290576> 96608 7 ap 2008-10-24 15:19:41 -0700 A provisional fix for this was landed in <http://trac.webkit.org/changeset/37868> - please try a newer nightly! 96726 8 ap 2008-10-27 01:14:15 -0700 Reportedly, the original bug with crash on close is still present, re-opening. 96727 9 ap 2008-10-27 01:48:57 -0700 OK, after some more investigation the crash on close turns out to be a Safari bug, now made visible by JSValueUnprotect() actually using the context value passed to it. Closing as INVALID, as a non-WebKit issue. Thank you very much for filing it, and providing additional information!