| Summary: | WebKit crashes when trying to send a msg via 'today's birthdays' dialogue box on Facebook | ||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | vomitols | ||||||||||||
| Component: | JavaScriptCore | Assignee: | Chris Curtis <chris_curtis> | ||||||||||||
| Status: | RESOLVED FIXED | ||||||||||||||
| Severity: | Normal | CC: | ap, chris_curtis, commit-queue, fpizlo, ggaren | ||||||||||||
| Priority: | P1 | ||||||||||||||
| Version: | 528+ (Nightly build) | ||||||||||||||
| Hardware: | Mac (Intel) | ||||||||||||||
| OS: | OS X 10.8 | ||||||||||||||
| URL: | http://facebook.com | ||||||||||||||
| Attachments: |
|
||||||||||||||
Inside throwException, if appendSourceToMessage flag is set, the codeBlock is used to get the developers source code for the error message. In this case though, the codeBlock is never found. By checking to make sure that the codeBlock is valid we can fix the error, But because appendSourceToMessage was set there should have been a valid codeBlock. I am looking into why the codeBlock is not being found. JSValueToObject was almost certainly passed a "globalExec", which doesn't contain any CodeBlock. So, the bug here is the assumption that there will be a CodeBlock. Created attachment 210409 [details]
patch
Initial review, This patch still needs a regression test.
*** Bug 120825 has been marked as a duplicate of this bug. *** What is the status of this bug, did making a regression prove challenging? *** Bug 120509 has been marked as a duplicate of this bug. *** (In reply to comment #5) > What is the status of this bug, did making a regression prove challenging? A regression test can not be made to be run through DumpRenderTree, so I am making one in the testapi.c file. I was slightly distracted by a different patch, which is why it is not done. I will do it right now Created attachment 211261 [details]
patch with test
Created attachment 211262 [details]
removed extra whitespace line
Comment on attachment 211262 [details] removed extra whitespace line View in context: https://bugs.webkit.org/attachment.cgi?id=211262&action=review Looks good, but please fix these details. > Source/JavaScriptCore/API/tests/testapi.c:1064 > + JSClassRef globalObjectClass = JSClassCreate(&globalObjectClassDefinition); This needs a corresponding JSClassRelease. > Source/JavaScriptCore/API/tests/testapi.c:1065 > + context = JSGlobalContextCreateInGroup(NULL, globalObjectClass); This needs a corresponding JSContextRelease. Is it OK that we're overwriting the global here? Maybe this should be a local. > Source/JavaScriptCore/API/tests/testapi.c:1066 > + JSContextGetGlobalObject(context); You can remove this line. Created attachment 211268 [details]
patch 4
Created attachment 211269 [details]
name change.
Comment on attachment 211269 [details]
name change.
r=me
Comment on attachment 211269 [details] name change. Clearing flags on attachment: 211269 Committed r155495: <http://trac.webkit.org/changeset/155495> All reviewed patches have been landed. Closing bug. |
Process: WebProcess [257] Path: /Applications/WebKit.app/Contents/Frameworks/10.8/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess Identifier: com.apple.WebProcess Version: 538+ (538.1+) Code Type: X86-64 (Native) Parent Process: ??? [255] User ID: 501 Date/Time: 2013-09-02 19:29:22.095 -0400 OS Version: Mac OS X 10.8.4 (12E3067) Report Version: 10 Interval Since Last Report: 581443 sec Crashes Since Last Report: 9 Per-App Interval Since Last Report: 220852 sec Per-App Crashes Since Last Report: 9 Anonymous UUID: DCE721A9-E6D2-843E-8602-282ED14B7DF9 Crashed Thread: 0 Dispatch queue: com.apple.main-thread Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0xfffffffffffffff8 VM Regions Near 0xfffffffffffffff8: --> shared memory 00007ffffff55000-00007ffffff56000 [ 4K] r-x/r-x SM=SHM Application Specific Information: Bundle controller class: BrowserBundleController Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x000000010179927a JSC::VM::throwException(JSC::ExecState*, JSC::JSValue) + 1370 1 com.apple.JavaScriptCore 0x0000000101799a09 JSC::VM::throwException(JSC::ExecState*, JSC::JSObject*) + 9 2 com.apple.JavaScriptCore 0x0000000101667504 JSC::JSValue::toObjectSlowCase(JSC::ExecState*, JSC::JSGlobalObject*) const + 132 3 com.apple.JavaScriptCore 0x00000001016b0813 JSValueToObject + 195 4 com.apple.Safari.framework 0x00007fff8a12db73 Safari::controlObject(Safari::WK::BundleFrame const&, Safari::WK::Double const&, Safari::WK::String const&) + 230 5 com.apple.Safari.framework 0x00007fff8a12d7bc Safari::FrameMetadata::computeMetadata() + 538 6 com.apple.Safari.framework 0x00007fff8a12dbc1 Safari::FrameMetadata::metadataForAllForms() + 21 7 com.apple.Safari.framework 0x00007fff8a12e71f Safari::FormMetadataController::frameMetadata(Safari::WK::BundleFrame const&) + 95 8 com.apple.Safari.framework 0x00007fff8a12e90d Safari::FormMetadataController::metadataForForm(Safari::WK::BundleFrame const&, Safari::WK::BundleNodeHandle const&) + 109 9 com.apple.Safari.framework 0x00007fff8a000272 Safari::BrowserBundlePageFormClient::willSendSubmitEvent(Safari::WK::BundlePage const&, Safari::WK::BundleNodeHandle const&, Safari::WK::BundleFrame const&, Safari::WK::BundleFrame const&, Safari::WK::Dictionary const&) + 102 10 com.apple.Safari.framework 0x00007fff8a07ed0a Safari::WK::willSendSubmitEvent(OpaqueWKBundlePage const*, OpaqueWKBundleNodeHandle const*, OpaqueWKBundleFrame const*, OpaqueWKBundleFrame const*, OpaqueWKDictionary const*, void const*) + 151 11 com.apple.WebKit2 0x000000010109ece1 WebKit::InjectedBundlePageFormClient::willSendSubmitEvent(WebKit::WebPage*, WebCore::HTMLFormElement*, WebKit::WebFrame*, WebKit::WebFrame*, WTF::Vector<std::__1::pair<WTF::String, WTF::String>, 0ul, WTF::CrashOnOverflow> const&) + 277 12 com.apple.WebKit2 0x000000010113e905 WebKit::WebFrameLoaderClient::dispatchWillSendSubmitEvent(WTF::PassRefPtr<WebCore::FormState>) + 123 13 com.apple.WebCore 0x0000000101d6f816 WebCore::HTMLFormElement::prepareForSubmission(WebCore::Event*) + 294 14 com.apple.WebCore 0x0000000102472ada WebCore::SubmitInputType::handleDOMActivateEvent(WebCore::Event*) + 74 15 com.apple.WebCore 0x0000000101d7ab1b WebCore::HTMLInputElement::defaultEventHandler(WebCore::Event*) + 619 16 com.apple.WebCore 0x0000000101c60289 WebCore::EventDispatcher::dispatchEventPostProcess(void*) + 313 17 com.apple.WebCore 0x0000000101c5ffcc WebCore::EventDispatcher::dispatch() + 764 18 com.apple.WebCore 0x0000000101c606ac WebCore::EventDispatchMediator::dispatchEvent(WebCore::EventDispatcher*) const + 12 19 com.apple.WebCore 0x0000000101c5f3cc WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WTF::PassRefPtr<WebCore::EventDispatchMediator>) + 124 20 com.apple.WebCore 0x00000001023c06ef WebCore::ScopedEventQueue::enqueueEventDispatchMediator(WTF::PassRefPtr<WebCore::EventDispatchMediator>) + 175 21 com.apple.WebCore 0x0000000101c5f597 WebCore::EventDispatcher::dispatchScopedEvent(WebCore::Node*, WTF::PassRefPtr<WebCore::EventDispatchMediator>) + 247 22 com.apple.WebCore 0x00000001021e0d73 WebCore::Node::dispatchScopedEvent(WTF::PassRefPtr<WebCore::Event>) + 67 23 com.apple.WebCore 0x00000001021e123e WebCore::Node::dispatchDOMActivateEvent(int, WTF::PassRefPtr<WebCore::Event>) + 302 24 com.apple.WebCore 0x00000001021e1a14 WebCore::Node::defaultEventHandler(WebCore::Event*) + 404 25 com.apple.WebCore 0x0000000101d7adbe WebCore::HTMLInputElement::defaultEventHandler(WebCore::Event*) + 1294 26 com.apple.WebCore 0x0000000101c60289 WebCore::EventDispatcher::dispatchEventPostProcess(void*) + 313 27 com.apple.WebCore 0x0000000101c5ffcc WebCore::EventDispatcher::dispatch() + 764 28 com.apple.WebCore 0x0000000101c5fbf7 WebCore::EventDispatcher::dispatchSimulatedClick(WebCore::Element*, WebCore::Event*, WebCore::SimulatedClickMouseEventOptions, WebCore::SimulatedClickVisualOptions) + 1575 29 com.apple.WebCore 0x0000000101fbb2e1 WebCore::jsHTMLElementPrototypeFunctionClick(JSC::ExecState*) + 97 30 ??? 0x0000587845001045 0 + 97273576951877 31 com.apple.JavaScriptCore 0x0000000101629601 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::VM*) + 49 32 com.apple.JavaScriptCore 0x000000010160ff4d JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 573 33 com.apple.JavaScriptCore 0x00000001014e64e5 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 69 34 com.apple.JavaScriptCore 0x000000010165f59e JSC::boundFunctionCall(JSC::ExecState*) + 526 35 ??? 0x0000587845001045 0 + 97273576951877 36 com.apple.JavaScriptCore 0x0000000101629601 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::VM*) + 49 37 com.apple.JavaScriptCore 0x000000010160ff4d JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 573 38 com.apple.JavaScriptCore 0x00000001014e64e5 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 69 39 com.apple.WebCore 0x0000000101f8f78c WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 908 40 com.apple.WebCore 0x0000000101c77bec WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul, WTF::CrashOnOverflow>&) + 364 41 com.apple.WebCore 0x0000000101c77895 WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 469 42 com.apple.WebCore 0x00000001021e0d23 WebCore::Node::handleLocalEvents(WebCore::Event*) + 67 43 com.apple.WebCore 0x0000000101c5f1b7 WebCore::EventContext::handleLocalEvents(WebCore::Event*) const + 87 44 com.apple.WebCore 0x0000000101c600d8 WebCore::EventDispatcher::dispatchEventAtBubbling(WebCore::WindowEventContext&) + 56 45 com.apple.WebCore 0x0000000101c5ffc1 WebCore::EventDispatcher::dispatch() + 753 46 com.apple.WebCore 0x0000000101c606ac WebCore::EventDispatchMediator::dispatchEvent(WebCore::EventDispatcher*) const + 12 47 com.apple.WebCore 0x0000000101c5f3cc WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WTF::PassRefPtr<WebCore::EventDispatchMediator>) + 124 48 com.apple.WebCore 0x00000001021e0f2a WebCore::Node::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) + 234 49 com.apple.WebCore 0x0000000101c77610 WebCore::EventTarget::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&) + 112 50 com.apple.WebCore 0x0000000101c6b8f9 WebCore::EventHandler::keyEvent(WebCore::PlatformKeyboardEvent const&) + 1097 51 com.apple.WebKit2 0x000000010115f839 WebKit::handleKeyEvent(WebKit::WebKeyboardEvent const&, WebCore::Page*) + 244 52 com.apple.WebKit2 0x000000010115f6fe WebKit::WebPage::keyEvent(WebKit::WebKeyboardEvent const&) + 42 53 com.apple.WebKit2 0x00000001011722a7 void CoreIPC::handleMessage<Messages::WebPage::KeyEvent, WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::WebKeyboardEvent const&)>(CoreIPC::MessageDecoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::WebKeyboardEvent const&)) + 107 54 com.apple.WebKit2 0x00000001010a7963 CoreIPC::MessageReceiverMap::dispatchMessage(CoreIPC::Connection*, CoreIPC::MessageDecoder&) + 137 55 com.apple.WebKit2 0x00000001011ad59e WebKit::WebProcess::didReceiveMessage(CoreIPC::Connection*, CoreIPC::MessageDecoder&) + 34 56 com.apple.WebKit2 0x000000010107cfc5 CoreIPC::Connection::dispatchMessage(WTF::PassOwnPtr<CoreIPC::MessageDecoder>) + 105 57 com.apple.WebKit2 0x000000010107eb2e CoreIPC::Connection::dispatchOneMessage() + 106 58 com.apple.WebCore 0x00000001023b9e91 WebCore::RunLoop::performWork() + 129 59 com.apple.WebCore 0x00000001023ba452 WebCore::RunLoop::performWork(void*) + 34 60 com.apple.CoreFoundation 0x00007fff8fd53b31 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17 61 com.apple.CoreFoundation 0x00007fff8fd53455 __CFRunLoopDoSources0 + 245 62 com.apple.CoreFoundation 0x00007fff8fd767f5 __CFRunLoopRun + 789 63 com.apple.CoreFoundation 0x00007fff8fd760e2 CFRunLoopRunSpecific + 290 64 com.apple.HIToolbox 0x00007fff88d21eb4 RunCurrentEventLoopInMode + 209 65 com.apple.HIToolbox 0x00007fff88d21c52 ReceiveNextEventCommon + 356 66 com.apple.HIToolbox 0x00007fff88d21ae3 BlockUntilNextEventMatchingListInMode + 62 67 com.apple.AppKit 0x00007fff8bc7f533 _DPSNextEvent + 685 68 com.apple.AppKit 0x00007fff8bc7edf2 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128 69 com.apple.AppKit 0x00007fff8bc761a3 -[NSApplication run] + 517 70 com.apple.WebCore 0x00000001023baad2 WebCore::RunLoop::run() + 82 71 com.apple.WebKit2 0x000000010111d26a int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebContentProcessMainDelegate>(int, char**) + 422 72 com.apple.WebProcess 0x0000000101033e23 main + 337 73 libdyld.dylib 0x00007fff8e1117e1 start + 1 Thread 1:: Dispatch queue: com.apple.libdispatch-manager 0 libsystem_kernel.dylib 0x00007fff864a1d16 kevent + 10 1 libdispatch.dylib 0x00007fff8da12dea _dispatch_mgr_invoke + 883 2 libdispatch.dylib 0x00007fff8da129ee _dispatch_mgr_thread + 54 Thread 2:: JavaScriptCore::BlockFree 0 libsystem_kernel.dylib 0x00007fff864a10fa __psynch_cvwait + 10 1 libsystem_c.dylib 0x00007fff8ad9bb99 _pthread_cond_wait + 869 2 com.apple.JavaScriptCore 0x00000001014cc8c8 JSC::BlockAllocator::blockFreeingThreadMain() + 296 3 com.apple.JavaScriptCore 0x00000001017f0f3f WTF::wtfThreadEntryPoint(void*) + 15 4 libsystem_c.dylib 0x00007fff8ad97352 _pthread_start + 327 5 libsystem_c.dylib 0x00007fff8ad83d81 thread_start + 13 Thread 3:: JavaScriptCore::Marking 0 libsystem_kernel.dylib 0x00007fff864a10fa __psynch_cvwait + 10 1 libsystem_c.dylib 0x00007fff8ad9bb99 _pthread_cond_wait + 869 2 com.apple.JavaScriptCore 0x00000001016020eb JSC::GCThread::waitForNextPhase() + 123 3 com.apple.JavaScriptCore 0x00000001016021af JSC::GCThread::gcThreadMain() + 143 4 com.apple.JavaScriptCore 0x00000001017f0f3f WTF::wtfThreadEntryPoint(void*) + 15 5 libsystem_c.dylib 0x00007fff8ad97352 _pthread_start + 327 6 libsystem_c.dylib 0x00007fff8ad83d81 thread_start + 13 Thread 4:: JavaScriptCore::Marking 0 libsystem_kernel.dylib 0x00007fff864a10fa __psynch_cvwait + 10 1 libsystem_c.dylib 0x00007fff8ad9bb99 _pthread_cond_wait + 869 2 com.apple.JavaScriptCore 0x00000001016020eb JSC::GCThread::waitForNextPhase() + 123 3 com.apple.JavaScriptCore 0x00000001016021af JSC::GCThread::gcThreadMain() + 143 4 com.apple.JavaScriptCore 0x00000001017f0f3f WTF::wtfThreadEntryPoint(void*) + 15 5 libsystem_c.dylib 0x00007fff8ad97352 _pthread_start + 327 6 libsystem_c.dylib 0x00007fff8ad83d81 thread_start + 13 Thread 5:: JavaScriptCore::Marking 0 libsystem_kernel.dylib 0x00007fff864a10fa __psynch_cvwait + 10 1 libsystem_c.dylib 0x00007fff8ad9bb99 _pthread_cond_wait + 869 2 com.apple.JavaScriptCore 0x00000001016020eb JSC::GCThread::waitForNextPhase() + 123 3 com.apple.JavaScriptCore 0x00000001016021af JSC::GCThread::gcThreadMain() + 143 4 com.apple.JavaScriptCore 0x00000001017f0f3f WTF::wtfThreadEntryPoint(void*) + 15 5 libsystem_c.dylib 0x00007fff8ad97352 _pthread_start + 327 6 libsystem_c.dylib 0x00007fff8ad83d81 thread_start + 13 Thread 6:: WebCore: Scrolling 0 libsystem_kernel.dylib 0x00007fff8649f686 mach_msg_trap + 10 1 libsystem_kernel.dylib 0x00007fff8649ec42 mach_msg + 70 2 com.apple.CoreFoundation 0x00007fff8fd71233 __CFRunLoopServiceMachPort + 195 3 com.apple.CoreFoundation 0x00007fff8fd76916 __CFRunLoopRun + 1078 4 com.apple.CoreFoundation 0x00007fff8fd760e2 CFRunLoopRunSpecific + 290 5 com.apple.CoreFoundation 0x00007fff8fd84dd1 CFRunLoopRun + 97 6 com.apple.WebCore 0x00000001023e5a4e WebCore::ScrollingThread::initializeRunLoop() + 254 7 com.apple.JavaScriptCore 0x00000001017f0f3f WTF::wtfThreadEntryPoint(void*) + 15 8 libsystem_c.dylib 0x00007fff8ad97352 _pthread_start + 327 9 libsystem_c.dylib 0x00007fff8ad83d81 thread_start + 13 Thread 7:: com.apple.NSURLConnectionLoader 0 libsystem_kernel.dylib 0x00007fff8649f686 mach_msg_trap + 10 1 libsystem_kernel.dylib 0x00007fff8649ec42 mach_msg + 70 2 com.apple.CoreFoundation 0x00007fff8fd71233 __CFRunLoopServiceMachPort + 195 3 com.apple.CoreFoundation 0x00007fff8fd76916 __CFRunLoopRun + 1078 4 com.apple.CoreFoundation 0x00007fff8fd760e2 CFRunLoopRunSpecific + 290 5 com.apple.Foundation 0x00007fff8837d546 +[NSURLConnection(Loader) _resourceLoadLoop:] + 356 6 com.apple.Foundation 0x00007fff883db562 __NSThread__main__ + 1345 7 libsystem_c.dylib 0x00007fff8ad97352 _pthread_start + 327 8 libsystem_c.dylib 0x00007fff8ad83d81 thread_start + 13 Thread 8:: com.apple.CFSocket.private 0 libsystem_kernel.dylib 0x00007fff864a1322 __select + 10 1 com.apple.CoreFoundation 0x00007fff8fdb5f46 __CFSocketManager + 1302 2 libsystem_c.dylib 0x00007fff8ad97352 _pthread_start + 327 3 libsystem_c.dylib 0x00007fff8ad83d81 thread_start + 13 Thread 9:: JSC Compilation Thread 0 libsystem_kernel.dylib 0x00007fff864a10fa __psynch_cvwait + 10 1 libsystem_c.dylib 0x00007fff8ad9bb99 _pthread_cond_wait + 869 2 com.apple.JavaScriptCore 0x00000001015f679b JSC::DFG::Worklist::runThread() + 763 3 com.apple.JavaScriptCore 0x00000001017f0f3f WTF::wtfThreadEntryPoint(void*) + 15 4 libsystem_c.dylib 0x00007fff8ad97352 _pthread_start + 327 5 libsystem_c.dylib 0x00007fff8ad83d81 thread_start + 13 Thread 10: 0 libsystem_kernel.dylib 0x00007fff864a16d6 __workq_kernreturn + 10 1 libsystem_c.dylib 0x00007fff8ad99afc _pthread_workq_return + 25 2 libsystem_c.dylib 0x00007fff8ad998c3 _pthread_wqthread + 412 3 libsystem_c.dylib 0x00007fff8ad83d71 start_wqthread + 13 Thread 11: 0 libsystem_kernel.dylib 0x00007fff864a16d6 __workq_kernreturn + 10 1 libsystem_c.dylib 0x00007fff8ad99afc _pthread_workq_return + 25 2 libsystem_c.dylib 0x00007fff8ad998c3 _pthread_wqthread + 412 3 libsystem_c.dylib 0x00007fff8ad83d71 start_wqthread + 13 Thread 0 crashed with X86 Thread State (64-bit): rax: 0x00007fff5ebc94e8 rbx: 0x0000000106d7e420 rcx: 0x000000010726a170 rdx: 0x00007fff5ebc9420 rdi: 0x00000001064cb780 rsi: 0x00000000000000e1 rbp: 0x00007fff5ebc9650 rsp: 0x00007fff5ebc9470 r8: 0xffff000000000002 r9: 0x000000010726a170 r10: 0x0000000111bb6780 r11: 0x0000000000000003 r12: 0x0000000000000000 r13: 0x0000000000000000 r14: 0x000000012512dd60 r15: 0x0000000106d7e420 rip: 0x000000010179927a rfl: 0x0000000000010213 cr2: 0xfffffffffffffff8