Bug 11891

Summary: REGRESSION(r18328): Webkit crashing shortly after startup (YUI Animation)
Product: WebKit
Reporter: Patricia Warwick <pwarwick>
Component: CSS
Assignee: Alexey Proskuryakov <ap>
Status: RESOLVED FIXED
Severity: Major
CC: ap, bdakin, ddkilzer
Priority: P1
Keywords: InRadar, Regression
Version: 420+
Hardware: Mac
OS: OS X 10.4
URL: http://address.yahoo.com/
Attachments (description, flags):
Safari crash log (flags: none)
Webarchive of Y! Address page (crashes every time) (flags: none)
Web Page, Complete version of Webarchive (crashes) (flags: none)
Patch v1 (flags: none)
Crash log (flags: none)

Patricia Warwick
Reported 2006-12-20 05:14:48 PST
After launching the 18338 nightly update, I open a few pages in tabs and, whether or not I do anything else, a few minutes later WebKit crashes. I suspect it is due to the fact that one of the sites automatically reloads every few minutes.
Attachments
Safari crash log (79.10 KB, text/plain)
2006-12-20 05:15 PST, Patricia Warwick
no flags
Webarchive of Y! Address page (crashes every time) (237.63 KB, application/x-webarchive)
2006-12-21 04:07 PST, David Kilzer (:ddkilzer)
no flags
Web Page, Complete version of Webarchive (crashes) (59.14 KB, application/zip)
2006-12-21 04:17 PST, David Kilzer (:ddkilzer)
no flags
Patch v1 (1.47 KB, patch)
2006-12-21 20:13 PST, David Kilzer (:ddkilzer)
no flags
Crash log (27.81 KB, text/plain)
2007-01-03 07:21 PST, Patricia Warwick
no flags
Patricia Warwick
Comment 1 2006-12-20 05:15:48 PST
Created attachment 11931 [details] Safari crash log
Alexey Proskuryakov
Comment 2 2006-12-20 06:03:43 PST
While there is a chance that these crash logs will be sufficient to fix this problem, it will be much more likely if there were steps to reproduce the problem. What are the sites you are seeing this problem with?

Beginning of crash log for easier searching:

Thread 0 Crashed:
0 com.apple.WebCore 0x01270908 KJS::DOMCSSStyleDeclaration::put(KJS::ExecState*, KJS::Identifier const&, KJS::JSValue*, int) + 568
1 com.apple.JavaScriptCore 0x00131040 KJS::AssignBracketNode::evaluate(KJS::ExecState*) + 3360
2 com.apple.JavaScriptCore 0x00131528 KJS::ExprStatementNode::execute(KJS::ExecState*) + 104
3 com.apple.JavaScriptCore 0x0013491c KJS::SourceElementsNode::execute(KJS::ExecState*) + 252
4 com.apple.JavaScriptCore 0x0013380c KJS::CaseClauseNode::evalStatements(KJS::ExecState*) + 76
Patricia Warwick
Comment 3 2006-12-20 06:29:21 PST
I think the site responsible is http://www.huffingtonpost.com/
David Kilzer (:ddkilzer)
Comment 4 2006-12-20 07:38:22 PST
Confirming. I'm seeing this every time I connect to http://address.yahoo.com/ after logging in to my Yahoo! account. Using a locally-built debug build of WebKit r18344 with Safari 2.0.4 (419.3) on Mac OS X 10.4.8 (8L127).

Console prints: Bus error

Stack trace from debug build:

Date/Time: 2006-12-20 09:27:51.016 -0600
OS Version: 10.4.8 (Build 8L127)
Command: Safari
Version: 2.0.4 (419.3)
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000000

Thread 0 Crashed:
0 com.apple.WebCore 0x013081a4 KJS::DOMCSSStyleDeclaration::put(KJS::ExecState*, KJS::Identifier const&, KJS::JSValue*, int) + 424 (kjs_css.cpp:222)
[remaining 158 frames of the stack trace omitted]
Alexey Proskuryakov
Comment 5 2006-12-20 11:09:35 PST
So, it looks like my mistake; the crashing line is: ASSERT(styleDecl.stylesheet()->isCSSStyleSheet());
Alexey Proskuryakov
Comment 6 2006-12-20 13:41:16 PST
Then again, maybe not - a rule without a stylesheet seems wrong. The crash happens in Yahoo UI animation code, but I couldn't reproduce it with their demos.
David Kilzer (:ddkilzer)
Comment 7 2006-12-20 16:53:50 PST
(In reply to comment #6)
> Then again, maybe not - a rule without a stylesheet seems wrong.

Do we really need to crash the debug browser when this happens, though? That's awfully annoying. :( Could we log an error instead?
David Kilzer (:ddkilzer)
Comment 8 2006-12-21 04:07:45 PST
Created attachment 11947 [details] Webarchive of Y! Address page (crashes every time)

This webarchive crashes every time when I open it. I will provide a web-page-complete version of it next for easier reduction.
David Kilzer (:ddkilzer)
Comment 9 2006-12-21 04:17:04 PST
Created attachment 11948 [details] Web Page, Complete version of Webarchive (crashes)

This is the contents of the webarchive (Attachment 11947 [details]) converted to a "Web Page, Complete" format as if it were saved from Firefox. (The conversion isn't perfect, but it's close. The *.html.orig file is the original content from the webarchive file with no URLs rewritten to use the *_files directory. I wrote this utility to "fix" Bug 7241, but it's not quite ready for prime time yet.)
David Kilzer (:ddkilzer)
Comment 10 2006-12-21 05:20:30 PST
I tried reducing this myself, but I got stuck in the bowels of address.yahoo.com-crash_files/yab.js. Basically, if you put an alert() statement before the "function setup_region_encoding_pulldowns(region2encodings, encoding2name, opt_on_enc_change)" definition, you will see the alert before the crash. Anywhere after that and you won't see the alert before Safari crashes. The other "interesting" thing about this page is that there is JavaScript in the address.yahoo.com-crash_files/yab_blue.css file.
David Kilzer (:ddkilzer)
Comment 11 2006-12-21 20:10:58 PST
The change to kjs_css.cpp occurred in r18320. I have a fix that works for the Y! Address webarchive, but I'm not sure I understand how to reproduce the issue in a test. Do all CSSStyleDeclaration objects have a stylesheet, or are there cases when a CSSStyleDeclaration won't have a stylesheet (perhaps during a race condition)? Also, is there a way to get the frame for a given CSSStyleDeclaration without going through static_cast<CSSStyleSheet*>(styleDecl.stylesheet())->doc()->frame()? The only reason the stylesheet is needed is to get a reference to the frame to check the shouldUseDashboardBackwardCompatibilityMode setting.
David Kilzer (:ddkilzer)
Comment 12 2006-12-21 20:13:21 PST
Created attachment 11960 [details] Patch v1

This patch fixes the issue I'm seeing with the Y! Address webarchive (attachment 11947 [details]), but I'm not sure how to write a test for it.
Alexey Proskuryakov
Comment 13 2006-12-21 22:09:14 PST
(In reply to comment #11)
> Do all CSSStyleDeclaration objects have a stylesheet, or are there cases when a CSSStyleDeclaration won't have a stylesheet (perhaps during a race condition)?

I have now found a way to reproduce the crash - computed styles don't have a stylesheet, e.g.:

element.getComputedStyle(...).color = "blue";

Computed styles are of course immutable, but the check is only performed later (in DOM implementation). This makes me think that the approach in this patch is correct. For better performance, it would be nice to avoid re-calculating styleDecl.stylesheet() several times.

Not sure if it's the same case that causes a crash at these sites, still investigating.

> Also, is there a way to get the frame for a given CSSStyleDeclaration without going through <...>

I haven't found one. But it looks like a logical way to get one!
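A compact model of the failure mode discussed in comments 11 and 13, added here as an illustration; it is not WebKit's code and not the patch on this bug. The types, names and the PutResult/PutOutcome helpers are hypothetical stand-ins: a rule-backed declaration has a stylesheet, a computed style has none, and the binding-level lookup of the frame setting must survive that before the DOM's own read-only check runs.

```cpp
#include <map>
#include <string>

// Hypothetical stand-in types (not WebKit's classes) for the chain the JS
// binding's put() walked to reach the frame's Dashboard setting (comment 11):
//   styleDecl.stylesheet() -> doc() -> frame() -> settings
struct Settings { bool dashboardBackwardCompatibilityMode = false; };
struct Frame    { Settings* settings = nullptr; };
struct Document { Frame* frame = nullptr; };
struct StyleSheet {
    virtual ~StyleSheet() = default;
    virtual bool isCSSStyleSheet() const { return false; }
};
struct CSSStyleSheet : StyleSheet {
    Document* doc = nullptr;
    bool isCSSStyleSheet() const override { return true; }
};

class CSSStyleDeclaration {
public:
    // A rule-backed declaration carries a stylesheet; a computed style (the
    // result of getComputedStyle) has none and is immutable (comment 13).
    CSSStyleDeclaration(StyleSheet* sheet, bool computed)
        : m_sheet(sheet), m_computed(computed) {}
    StyleSheet* stylesheet() const { return m_sheet; }
    // The DOM-level read-only check that only runs "later", after the binding.
    bool setProperty(const std::string& name, const std::string& value) {
        if (m_computed) return false;
        m_props[name] = value;
        return true;
    }
    std::string getPropertyValue(const std::string& name) const {
        auto it = m_props.find(name);
        return it == m_props.end() ? std::string() : it->second;
    }
private:
    StyleSheet* m_sheet;
    bool m_computed;
    std::map<std::string, std::string> m_props;
};

enum class PutResult { Set, ReadOnly };
struct PutOutcome { PutResult result; bool compatMode; };

// 'Before' shape: three unchecked dereferences. With a computed style,
// stylesheet() is null and this is the KERN_PROTECTION_FAILURE at 0x0 from the
// crash logs. It is only ever called with a rule-backed declaration here.
bool dashboardCompatUnchecked(const CSSStyleDeclaration& decl) {
    return static_cast<CSSStyleSheet*>(decl.stylesheet())
        ->doc->frame->settings->dashboardBackwardCompatibilityMode;
}

// Guarded lookup: read stylesheet() once, confirm it exists and is a
// CSSStyleSheet, then check each link to the frame. Any gap means "no compat".
bool dashboardCompatGuarded(const CSSStyleDeclaration& decl) {
    StyleSheet* sheet = decl.stylesheet();
    if (!sheet || !sheet->isCSSStyleSheet()) return false;
    Document* doc = static_cast<CSSStyleSheet*>(sheet)->doc;
    if (!doc || !doc->frame || !doc->frame->settings) return false;
    return doc->frame->settings->dashboardBackwardCompatibilityMode;
}

// Models the binding's put(): consult the setting safely, then let the DOM
// decide whether the declaration is writable.
PutOutcome putProperty(CSSStyleDeclaration& decl, const std::string& name,
                       const std::string& value) {
    bool compat = dashboardCompatGuarded(decl);
    bool ok = decl.setProperty(name, value);
    return { ok ? PutResult::Set : PutResult::ReadOnly, compat };
}

// Constructed scenarios for the two cases discussed in the thread.
PutOutcome putOnRuleBackedStyle(bool compatEnabled) {
    Settings settings; settings.dashboardBackwardCompatibilityMode = compatEnabled;
    Frame frame;       frame.settings = &settings;
    Document doc;      doc.frame = &frame;
    CSSStyleSheet sheet; sheet.doc = &doc;
    CSSStyleDeclaration decl(&sheet, false);
    return putProperty(decl, "color", "blue");
}
PutOutcome putOnComputedStyle() {
    // element.getComputedStyle(...).color = "blue" from comment 13
    CSSStyleDeclaration decl(nullptr, true);
    return putProperty(decl, "color", "blue");
}
```

The guarded path turns the binding-level null dereference into an ordinary read-only failure, which is where the DOM was already going to reject the write.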
Alexey Proskuryakov
Comment 14 2006-12-21 22:21:31 PST
Beth has just checked in a fix for what looks like a real life cause for these crashes, r18386!
David Kilzer (:ddkilzer)
Comment 15 2006-12-22 01:45:47 PST
Per r18386 and Comment #14, this appears to be in Radar as well:

<rdar://problem/4897162> REGRESSION: Attempting to create a new message in .Mac web mail causes Safari to crash ( KJS::DOMCSSStyleDeclaration::put() + 368 )

Also, buildbot is claiming 2 regressions were found in testkjs with this commit: http://build.webkit.org/post-commit-powerpc-mac-os-x/builds/4803
David Kilzer (:ddkilzer)
Comment 16 2006-12-22 02:01:33 PST
r18386 definitely fixed the crashing for me on attachment 11947 [details] (the webarchive)! I'm running the JavaScriptCore tests locally, but my guess is that the Date tests failed because they were run during a midnight boundary change. (Purely a guess, though.)
David Kilzer (:ddkilzer)
Comment 17 2006-12-22 02:07:13 PST
(In reply to comment #16)
> I'm running the JavaScriptCore tests locally, but my guess is that the Date tests failed because they were run during a midnight boundary change. (Purely a guess, though.)

0 regressions found. 0 tests fixed. OK.

W00t! I'm closing this bug.
David Kilzer (:ddkilzer)
Comment 18 2006-12-22 02:11:27 PST
(In reply to comment #15)
> Per r18386 and Comment #14, this appears to be in Radar as well:
>
> <rdar://problem/4897162> REGRESSION: Attempting to create a new message in .Mac web mail causes Safari to crash ( KJS::DOMCSSStyleDeclaration::put() + 368 )

Per Beth's comments, this was originally broken in r18328.
Alexey Proskuryakov
Comment 19 2006-12-22 03:52:56 PST
> r18386 definitely fixed the crashing for me on attachment 11947 [details] (the webarchive)!

What about http://www.huffingtonpost.com/ (the original URL)?

> W00t! I'm closing this bug.

I'll file a new one for the computed style problem.
David Kilzer (:ddkilzer)
Comment 20 2006-12-22 06:57:03 PST
(In reply to comment #19)
> > r18386 definitely fixed the crashing for me on attachment 11947 [details] (the webarchive)!
>
> What about http://www.huffingtonpost.com/ (the original URL)?

This page does not crash in a locally-built debug build of WebKit r18386, nor did it crash with WebKit nightly r18377 (which I would have expected it to). Either way it seems to work. Patricia, let us know if you see a similar crash again (by commenting on this bug).
Patricia Warwick
Comment 21 2006-12-22 07:18:47 PST
Today's version (18386) has fixed my problem with Huffingtonpost ... thanks.
Alexey Proskuryakov
Comment 22 2006-12-22 10:40:51 PST
Marking as verified per comment 21.

(In reply to comment #19)
> I'll file a new one for the computed style problem.

Bug 11933.
Beth Dakin
Comment 23 2006-12-22 11:20:40 PST
Oh yay!
Patricia Warwick
Comment 24 2007-01-03 07:21:29 PST
Created attachment 12187 [details] Crash log
Patricia Warwick
Comment 25 2007-01-03 07:22:21 PST
This crash is occurring regularly today. Once again it will crash about 5 minutes after I open HuffingtonPost.com (I think that 5 minutes is the refresh period.)
Alexey Proskuryakov
Comment 26 2007-01-03 08:13:02 PST
This new problem is tracked as bug 12089. In most cases, it's better not to re-open old bugs, even if the symptoms are very similar, as this tends to create confusion.
Patricia Warwick
Comment 27 2007-01-03 11:51:39 PST
I still have a lot to learn about reporting WebKit bugs ... I'll open a new bug in future. Thanks.