Bug 112518

Summary: Occasional assertion in JSNPObject::invalidate() running plugins/object-embed-plugin-scripting.html
Product: WebKit Reporter: Simon Fraser (smfr) <simon.fraser>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED WORKSFORME    
Severity: Normal CC: ap, ggaren, simon.fraser
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   

Simon Fraser (smfr)
Reported 2013-03-17 09:05:22 PDT
Saw this on the bots once or twice: http://build.webkit.org/results/Apple%20Lion%20Debug%20WK2%20(Tests)/r146006%20(8122)/results.html http://build.webkit.org/results/Apple%20Lion%20Debug%20WK2%20(Tests)/r146006%20(8122)/plugins/object-onfocus-mutation-crash-crash-log.txt Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x00000000bbadbeef VM Regions Near 0xbbadbeef: --> __TEXT 000000010b9f9000-000000010b9fc000 [ 12K] r-x/rwx SM=COW /Volumes/VOLUME/*/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess Application Specific Information: objc[36798]: garbage collection is OFF CRASHING TEST: plugins/object-embed-plugin-scripting.html Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebKit2 0x000000010bcc3423 WebKit::JSNPObject::invalidate() + 291 (JSNPObject.cpp:92) 1 com.apple.WebKit2 0x000000010bcc32eb WebKit::JSNPObject::~JSNPObject() + 43 (JSNPObject.cpp:82) 2 com.apple.WebKit2 0x000000010bcc32b5 WebKit::JSNPObject::~JSNPObject() + 21 (JSNPObject.cpp:82) 3 com.apple.WebKit2 0x000000010bcc1fd5 WebKit::JSNPObject::destroy(JSC::JSCell*) + 21 (JSNPObject.cpp:87) 4 com.apple.JavaScriptCore 0x000000010d3c138d JSC::MarkedBlock::callDestructor(JSC::JSCell*) + 61 (MarkedBlock.cpp:66) 5 com.apple.JavaScriptCore 0x000000010d3c1148 JSC::MarkedBlock::FreeList JSC::MarkedBlock::specializedSweep<(JSC::MarkedBlock::BlockState)3, (JSC::MarkedBlock::SweepMode)1, (JSC::MarkedBlock::DestructorType)2>() + 216 (MarkedBlock.cpp:90) 6 com.apple.JavaScriptCore 0x000000010d3c03cf JSC::MarkedBlock::FreeList JSC::MarkedBlock::sweepHelper<(JSC::MarkedBlock::DestructorType)2>(JSC::MarkedBlock::SweepMode) + 351 (MarkedBlock.cpp:138) 7 com.apple.JavaScriptCore 0x000000010d3bfd24 JSC::MarkedBlock::sweep(JSC::MarkedBlock::SweepMode) + 164 (MarkedBlock.cpp:118) 8 com.apple.JavaScriptCore 0x000000010d3bf8a5 JSC::MarkedAllocator::tryAllocateHelper(unsigned long) + 85 (MarkedAllocator.cpp:34) 9 com.apple.JavaScriptCore 0x000000010d3be189 JSC::MarkedAllocator::tryAllocate(unsigned long) + 137 (MarkedAllocator.cpp:66) 10 com.apple.JavaScriptCore 0x000000010d3bdb98 JSC::MarkedAllocator::allocateSlowCase(unsigned long) + 232 (MarkedAllocator.cpp:82) 11 com.apple.JavaScriptCore 0x000000010d03d28b JSC::MarkedAllocator::allocate(unsigned long) + 75 (MarkedAllocator.h:82) 12 com.apple.JavaScriptCore 0x000000010d057de9 JSC::MarkedSpace::allocateWithNormalDestructor(unsigned long) + 41 (MarkedSpace.h:215) 13 com.apple.JavaScriptCore 0x000000010d057dad JSC::Heap::allocateWithNormalDestructor(unsigned long) + 141 (Heap.h:372) 14 com.apple.JavaScriptCore 0x000000010d32f1b9 void* JSC::allocateCell<JSC::DatePrototype>(JSC::Heap&, unsigned long) + 233 (JSCellInlines.h:94) 15 com.apple.JavaScriptCore 0x000000010d32f0bf void* JSC::allocateCell<JSC::DatePrototype>(JSC::Heap&) + 31 (JSCellInlines.h:104) 16 com.apple.JavaScriptCore 0x000000010d328dd5 JSC::DatePrototype::create(JSC::ExecState*, JSC::JSGlobalObject*, JSC::Structure*) + 37 (DatePrototype.h:39) 17 com.apple.JavaScriptCore 0x000000010d323826 JSC::JSGlobalObject::reset(JSC::JSValue) + 5910 (JSGlobalObject.cpp:261) 18 com.apple.JavaScriptCore 0x000000010d3220ce JSC::JSGlobalObject::init(JSC::JSObject*) + 254 (JSGlobalObject.cpp:153) 19 com.apple.WebCore 0x000000010edc65d8 JSC::JSGlobalObject::finishCreation(JSC::JSGlobalData&, JSC::JSObject*) + 120 (JSGlobalObject.h:221) 20 com.apple.WebCore 0x000000010edc609a WebCore::JSDOMGlobalObject::finishCreation(JSC::JSGlobalData&, JSC::JSObject*) + 58 (JSDOMGlobalObject.cpp:65) 21 com.apple.WebCore 0x000000010ee308d8 WebCore::JSDOMWindowBase::finishCreation(JSC::JSGlobalData&, WebCore::JSDOMWindowShell*) + 72 (JSDOMWindowBase.cpp:65) 22 com.apple.WebCore 0x000000010ee39a94 WebCore::JSDOMWindow::create(JSC::JSGlobalData&, JSC::Structure*, WTF::PassRefPtr<WebCore::DOMWindow>, WebCore::JSDOMWindowShell*) + 164 (JSDOMWindow.h:41) 23 com.apple.WebCore 0x000000010ee39457 WebCore::JSDOMWindowShell::setWindow(WTF::PassRefPtr<WebCore::DOMWindow>) + 359 (JSDOMWindowShell.cpp:84) 24 com.apple.WebCore 0x000000010f801bd3 WebCore::ScriptController::clearWindowShell(WebCore::DOMWindow*, bool) + 323 (ScriptController.cpp:188) 25 com.apple.WebCore 0x000000010e882cd9 WebCore::FrameLoader::clear(WebCore::Document*, bool, bool, bool) + 425 (FrameLoader.cpp:572) 26 com.apple.WebCore 0x000000010e5dd7e3 WebCore::DocumentWriter::begin(WebCore::KURL const&, bool, WebCore::Document*) + 499 (DocumentWriter.cpp:139) 27 com.apple.WebCore 0x000000010e5a2f2a WebCore::DocumentLoader::commitData(char const*, unsigned long) + 106 (DocumentLoader.cpp:513) 28 com.apple.WebCore 0x000000010e5a2a3a WebCore::DocumentLoader::finishedLoading(double) + 394 (DocumentLoader.cpp:356) 29 com.apple.WebCore 0x000000010e5a60a0 WebCore::DocumentLoader::maybeLoadEmpty() + 880 (DocumentLoader.cpp:1122) 30 com.apple.WebCore 0x000000010e5a61a4 WebCore::DocumentLoader::startLoadingMainResource() + 212 (DocumentLoader.cpp:1132) 31 com.apple.WebCore 0x000000010e88be49 WebCore::FrameLoader::continueLoadAfterWillSubmitForm() + 185 (FrameLoader.cpp:2245)
Attachments
Add attachment proposed patch, testcase, etc.
Simon Fraser (smfr)
Comment 1 2013-03-17 09:13:45 PDT
Marked as optionally crashing in http://trac.webkit.org/changeset/146008
Alexey Proskuryakov
Comment 3 2013-03-18 16:58:32 PDT
<rdar://problem/13436859>
Alexey Proskuryakov
Comment 4 2015-08-29 21:58:08 PDT
Doesn't seem to happen any more.
Note You need to log in before you can comment on or make changes to this bug.