Bug 13218

Summary: Reproducible crash after call to window.close()
Product: WebKit
Reporter: Tom Brown <tom>
Component: WebCore JavaScript
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Critical
CC: martin, mitz, mrowe
Priority: P1
Keywords: InRadar
Version: 523.x (Safari 3)
Hardware: All
OS: OS X 10.4

Tom Brown
Reported 2007-03-28 10:38:53 PDT
In the context of a webapp I'm writing, closing a child window sometimes causes the browser to crash. I have included the backtrace, and I suspect that this has similar roots to the original bug reported within bug #13124 (though I have not been able to reduce either one effectively).

The interaction is complex, but is something along the lines of:
1) Main window opens pop-up child window.
2) User performs some action within the child window.
3) The child window sends an AJAX request to the server from the context of the main window.
4) The main window receives a response from the server, and passes it into the context of the child window.
5) The child window closes itself (window.close).
6) Within its onunload handler, the child window performs cleanup by sending a "closed" notification to the server.
?) At some point between 5 and 6, the browser crashes.

A workaround has been found that seems to be effective, though inconvenient:
1) Before the child window is closed, its onunload handler is manually called.
2) The actual "window.close" call is delayed using "setTimeout" by 500 milliseconds*.

If a reduction is found, it will be posted here.

* The exact time doesn't seem to be important, but the crash still occurred when the timeout was only 100 milliseconds.

Date/Time: 2007-03-28 11:25:21.748 -0600
OS Version: 10.4.8 (Build 8L2127)
Report Version: 4

Command: Safari
Path: /Applications/Safari.app/Contents/MacOS/Safari
Parent: WindowServer [59]

Version: ??? (20512)

PID: 19688
Thread: 0

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0x4489001e

Thread 0 Crashed:
0 libobjc.A.dylib 0x90a54438 _class_lookupMethodAndLoadCache + 72
1 libobjc.A.dylib 0x90a543c6 objc_msgSend + 86
2 com.apple.WebCore 0x011de370 WebCore::globalPoint(_NSPoint const&, NSWindow*) + 32
3 com.apple.WebCore 0x011de5fb WebCore::globalPointForEvent(NSEvent*) + 139
4 com.apple.WebCore 0x011de784 WebCore::PlatformMouseEvent::PlatformMouseEvent[in-charge](WebCore::PlatformMouseEvent::CurrentEventTag const&) + 132
5 com.apple.WebCore 0x013c132b WebCore::EventHandler::hoverTimerFired(WebCore::Timer<WebCore::EventHandler>*) + 59
6 com.apple.WebCore 0x0146b7d2 WebCore::Timer<WebCore::EventHandler>::fired() + 82
7 com.apple.WebCore 0x011d7449 WebCore::TimerBase::fireTimers(double, WTF::Vector<WebCore::TimerBase*, (unsigned long)0> const&) + 137
8 com.apple.WebCore 0x011d7502 WebCore::TimerBase::sharedTimerFired() + 162
9 com.apple.CoreFoundation 0x90829bc9 CFRunLoopRunSpecific + 3341
10 com.apple.CoreFoundation 0x90828eb5 CFRunLoopRunInMode + 61
11 com.apple.HIToolbox 0x92dcdb90 RunCurrentEventLoopInMode + 285
12 com.apple.HIToolbox 0x92dcd297 ReceiveNextEventCommon + 385
13 com.apple.HIToolbox 0x92dcd0ee BlockUntilNextEventMatchingListInMode + 81
14 com.apple.AppKit 0x9326f465 _DPSNextEvent + 572
15 com.apple.AppKit 0x9326f056 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 137
16 com.apple.Safari 0x00006f96 0x1000 + 24470
17 com.apple.AppKit 0x93268ddb -[NSApplication run] + 512
18 com.apple.AppKit 0x9325cd2f NSApplicationMain + 573
19 com.apple.Safari 0x0005f7de 0x1000 + 387038
20 com.apple.Safari 0x0005f6f9 0x1000 + 386809

Thread 1:
0 libSystem.B.dylib 0x90009857 mach_msg_trap + 7
1 com.apple.CoreFoundation 0x9082969a CFRunLoopRunSpecific + 2014
2 com.apple.CoreFoundation 0x90828eb5 CFRunLoopRunInMode + 61
3 com.apple.Foundation 0x9262aa9b +[NSURLConnection(NSURLConnectionInternal) _resourceLoadLoop:] + 259
4 com.apple.Foundation 0x925f536c forkThreadForFunction + 123
5 libSystem.B.dylib 0x90023d87 _pthread_body + 84

Thread 2:
0 libSystem.B.dylib 0x90009857 mach_msg_trap + 7
1 com.apple.CoreFoundation 0x9082969a CFRunLoopRunSpecific + 2014
2 com.apple.CoreFoundation 0x90828eb5 CFRunLoopRunInMode + 61
3 com.apple.Foundation 0x92651c4e +[NSURLCache _diskCacheSyncLoop:] + 206
4 com.apple.Foundation 0x925f536c forkThreadForFunction + 123
5 libSystem.B.dylib 0x90023d87 _pthread_body + 84

Thread 3:
0 libSystem.B.dylib 0x90019d3c select + 12
1 libSystem.B.dylib 0x90023d87 _pthread_body + 84

Thread 4:
0 libSystem.B.dylib 0x90024427 semaphore_wait_signal_trap + 7
1 com.apple.Foundation 0x9264b2f8 -[NSConditionLock lockWhenCondition:] + 39
2 com.apple.Syndication 0x9a6d6052 -[AsyncDB _run:] + 181
3 com.apple.Foundation 0x925f536c forkThreadForFunction + 123
4 libSystem.B.dylib 0x90023d87 _pthread_body + 84

Thread 0 crashed with X86 Thread State (32-bit):
eax: 0x4489000e ebx: 0x90a543fe ecx: 0x90abe3e4 edx: 0x000033fb
edi: 0x02198b30 esi: 0x15bfb7f0 ebp: 0xbfffeb48 esp: 0xbfffeb00
ss: 0x0000001f efl: 0x00010246 eip: 0x90a54438 cs: 0x00000017
ds: 0x0000001f es: 0x0000001f fs: 0x00000000 gs: 0x00000037

Binary Images Description:
0x1000 - 0xdefff com.apple.Safari 2.0.4 (419.3) /Applications/Safari.app/Contents/MacOS/Safari
0x10e000 - 0x10ffff WebKitNightlyEnabler.dylib /Users/tom/Desktop/WebKit.app/Contents/Resources/WebKitNightlyEnabler.dylib
0x114000 - 0x19bfff com.apple.JavaScriptCore 522+ /Users/tom/Desktop/WebKit.app/Contents/Resources/JavaScriptCore.framework/Versions/A/JavaScriptCore
0x305000 - 0x3b4fff com.apple.WebKit 522+ /Users/tom/Desktop/WebKit.app/Contents/Resources/WebKit.framework/Versions/A/WebKit
0x1008000 - 0x14e0fff com.apple.WebCore 522+ /Users/tom/Desktop/WebKit.app/Contents/Resources/WebCore.framework/Versions/A/WebCore
0x8fe00000 - 0x8fe49fff dyld 46.9 /usr/lib/dyld
0x90000000 - 0x9016ffff libSystem.B.dylib /usr/lib/libSystem.B.dylib
0x901bf000 - 0x901c1fff libmathCommon.A.dylib /usr/lib/system/libmathCommon.A.dylib
0x901c3000 - 0x901fffff com.apple.CoreText 1.1.1 (???) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreText.framework/Versions/A/CoreText
0x90226000 - 0x902fcfff ATS /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/ATS
0x9031c000 - 0x90770fff com.apple.CoreGraphics 1.258.38 (???) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics
0x90807000 - 0x908cffff com.apple.CoreFoundation 6.4.6 (368.27) /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
0x9090d000 - 0x9090dfff com.apple.CoreServices 10.4 (???) /System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
0x9090f000 - 0x90a02fff libicucore.A.dylib /usr/lib/libicucore.A.dylib
0x90a52000 - 0x90ad1fff libobjc.A.dylib /usr/lib/libobjc.A.dylib
0x90afa000 - 0x90b5efff libstdc++.6.dylib /usr/lib/libstdc++.6.dylib
0x90bcd000 - 0x90bd4fff libgcc_s.1.dylib /usr/lib/libgcc_s.1.dylib
0x90bd9000 - 0x90c4cfff com.apple.framework.IOKit 1.4.6 (???) /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
0x90c61000 - 0x90c73fff libauto.dylib /usr/lib/libauto.dylib
0x90c79000 - 0x90f1ffff com.apple.CoreServices.CarbonCore 682.16 /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CarbonCore.framework/Versions/A/CarbonCore
0x90f62000 - 0x90fcafff com.apple.CoreServices.OSServices 4.1 /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/OSServices.framework/Versions/A/OSServices
0x91002000 - 0x91040fff com.apple.CFNetwork 129.19 /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CFNetwork.framework/Versions/A/CFNetwork
0x91053000 - 0x91063fff com.apple.WebServices 1.1.3 (1.1.0) /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/WebServicesCore.framework/Versions/A/WebServicesCore
0x9106e000 - 0x910ecfff com.apple.SearchKit 1.0.5 /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/SearchKit.framework/Versions/A/SearchKit
0x91121000 - 0x9113ffff com.apple.Metadata 10.4.4 (121.36) /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Metadata
0x9114b000 - 0x91159fff libz.1.dylib /usr/lib/libz.1.dylib
0x9115c000 - 0x912fbfff com.apple.security 4.5.2 (29774) /System/Library/Frameworks/Security.framework/Versions/A/Security
0x913f9000 - 0x91401fff com.apple.DiskArbitration 2.1.1 /System/Library/Frameworks/DiskArbitration.framework/Versions/A/DiskArbitration
0x91408000 - 0x9142efff com.apple.SystemConfiguration 1.8.6 /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration
0x91440000 - 0x91447fff libbsm.dylib /usr/lib/libbsm.dylib
0x9144b000 - 0x914c4fff com.apple.audio.CoreAudio 3.0.4 /System/Library/Frameworks/CoreAudio.framework/Versions/A/CoreAudio
0x91512000 - 0x91512fff com.apple.ApplicationServices 10.4 (???) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
0x91514000 - 0x9153ffff com.apple.AE 314 (313) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/AE.framework/Versions/A/AE
0x91552000 - 0x91626fff com.apple.ColorSync 4.4.8 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ColorSync.framework/Versions/A/ColorSync
0x91661000 - 0x916defff com.apple.print.framework.PrintCore 4.6 (177.13) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/PrintCore.framework/Versions/A/PrintCore
0x9170b000 - 0x917b4fff com.apple.QD 3.10.21 (???) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/QD.framework/Versions/A/QD
0x917da000 - 0x91825fff com.apple.HIServices 1.5.2 (???) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/HIServices.framework/Versions/A/HIServices
0x91844000 - 0x9185afff com.apple.LangAnalysis 1.6.3 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/LangAnalysis.framework/Versions/A/LangAnalysis
0x91866000 - 0x91880fff com.apple.FindByContent 1.5 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/FindByContent.framework/Versions/A/FindByContent
0x9188a000 - 0x918c7fff com.apple.LaunchServices 181 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/LaunchServices
0x918db000 - 0x918e7fff com.apple.speech.synthesis.framework 3.5 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/SpeechSynthesis.framework/Versions/A/SpeechSynthesis
0x918ee000 - 0x91929fff com.apple.ImageIO.framework 1.5.0 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/ImageIO
0x9193b000 - 0x919edfff libcrypto.0.9.7.dylib /usr/lib/libcrypto.0.9.7.dylib
0x91a33000 - 0x91a49fff libcups.2.dylib /usr/lib/libcups.2.dylib
0x91a4e000 - 0x91a6cfff libJPEG.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libJPEG.dylib
0x91a71000 - 0x91acffff libJP2.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libJP2.dylib
0x91ae1000 - 0x91ae5fff libGIF.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libGIF.dylib
0x91ae7000 - 0x91b64fff libRaw.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libRaw.dylib
0x91b68000 - 0x91ba5fff libTIFF.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libTIFF.dylib
0x91bab000 - 0x91bc5fff libPng.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libPng.dylib
0x91bca000 - 0x91bccfff libRadiance.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libRadiance.dylib
0x91bce000 - 0x91bcefff com.apple.Accelerate 1.3.1 (Accelerate 1.3.1) /System/Library/Frameworks/Accelerate.framework/Versions/A/Accelerate
0x91bd0000 - 0x91c5efff com.apple.vImage 2.5 /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vImage.framework/Versions/A/vImage
0x91c65000 - 0x91c65fff com.apple.Accelerate.vecLib 3.3.1 (vecLib 3.3.1) /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/vecLib
0x91c67000 - 0x91cc0fff libvMisc.dylib /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libvMisc.dylib
0x91cc9000 - 0x91cedfff libvDSP.dylib /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libvDSP.dylib
0x91cf5000 - 0x920fefff libBLAS.dylib /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libBLAS.dylib
0x92138000 - 0x924ecfff libLAPACK.dylib /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libLAPACK.dylib
0x92519000 - 0x92597fff com.apple.DesktopServices 1.3.5 /System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/DesktopServicesPriv
0x925d8000 - 0x92808fff com.apple.Foundation 6.4.7 (567.28) /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
0x92914000 - 0x929f2fff libxml2.2.dylib /usr/lib/libxml2.2.dylib
0x92a0f000 - 0x92afcfff libiconv.2.dylib /usr/lib/libiconv.2.dylib
0x92b0c000 - 0x92b23fff libGL.dylib /System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGL.dylib
0x92b2e000 - 0x92b86fff libGLU.dylib /System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGLU.dylib
0x92b9a000 - 0x92b9afff com.apple.Carbon 10.4 (???) /System/Library/Frameworks/Carbon.framework/Versions/A/Carbon
0x92b9c000 - 0x92bacfff com.apple.ImageCapture 3.0.4 /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/ImageCapture.framework/Versions/A/ImageCapture
0x92bba000 - 0x92bc2fff com.apple.speech.recognition.framework 3.6 /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/SpeechRecognition.framework/Versions/A/SpeechRecognition
0x92bc8000 - 0x92bcdfff com.apple.securityhi 2.0.1 (24742) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/SecurityHI.framework/Versions/A/SecurityHI
0x92bd3000 - 0x92c64fff com.apple.ink.framework 101.2.1 (71) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Ink.framework/Versions/A/Ink
0x92c78000 - 0x92c7bfff com.apple.help 1.0.3 (32.1) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Help.framework/Versions/A/Help
0x92c7e000 - 0x92c9bfff com.apple.openscripting 1.2.5 (???) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/OpenScripting.framework/Versions/A/OpenScripting
0x92cab000 - 0x92cb1fff com.apple.print.framework.Print 5.2 (192.4) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Print.framework/Versions/A/Print
0x92cb7000 - 0x92d1afff com.apple.htmlrendering 66.1 (1.1.3) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HTMLRendering.framework/Versions/A/HTMLRendering
0x92d3e000 - 0x92d7ffff com.apple.NavigationServices 3.4.4 (3.4.3) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/NavigationServices.framework/Versions/A/NavigationServices
0x92da6000 - 0x92db3fff com.apple.audio.SoundManager 3.9.1 /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/CarbonSound.framework/Versions/A/CarbonSound
0x92dba000 - 0x92dbffff com.apple.CommonPanels 1.2.3 (73) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/CommonPanels.framework/Versions/A/CommonPanels
0x92dc4000 - 0x930b6fff com.apple.HIToolbox 1.4.8 (???) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox
0x931bb000 - 0x931c6fff com.apple.opengl 1.4.12 /System/Library/Frameworks/OpenGL.framework/Versions/A/OpenGL
0x931cb000 - 0x931e6fff com.apple.DirectoryService.Framework 3.2 /System/Library/Frameworks/DirectoryService.framework/Versions/A/DirectoryService
0x93256000 - 0x93256fff com.apple.Cocoa 6.4 (???) /System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
0x93258000 - 0x9390efff com.apple.AppKit 6.4.8 (824.42) /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
0x93c8f000 - 0x93d09fff com.apple.CoreData 90 /System/Library/Frameworks/CoreData.framework/Versions/A/CoreData
0x93d42000 - 0x93e03fff com.apple.audio.toolbox.AudioToolbox 1.4.3 /System/Library/Frameworks/AudioToolbox.framework/Versions/A/AudioToolbox
0x93e43000 - 0x93e43fff com.apple.audio.units.AudioUnit 1.4.2 /System/Library/Frameworks/AudioUnit.framework/Versions/A/AudioUnit
0x93e45000 - 0x94017fff com.apple.QuartzCore 1.4.9 /System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore
0x94068000 - 0x940a9fff libsqlite3.0.dylib /usr/lib/libsqlite3.0.dylib
0x940b1000 - 0x940ebfff libGLImage.dylib /System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGLImage.dylib
0x94179000 - 0x941b7fff com.apple.vmutils 4.0.2 (93.1) /System/Library/PrivateFrameworks/vmutils.framework/Versions/A/vmutils
0x941fb000 - 0x9420bfff com.apple.securityfoundation 2.2.1 (28150) /System/Library/Frameworks/SecurityFoundation.framework/Versions/A/SecurityFoundation
0x94218000 - 0x94255fff com.apple.securityinterface 2.2.1 (27695) /System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
0x94271000 - 0x94280fff libCGATS.A.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libCGATS.A.dylib
0x94287000 - 0x94292fff libCSync.A.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libCSync.A.dylib
0x942de000 - 0x942f8fff libRIP.A.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libRIP.A.dylib
0x94720000 - 0x94869fff com.apple.AddressBook.framework 4.0.4 (485.1) /System/Library/Frameworks/AddressBook.framework/Versions/A/AddressBook
0x948f5000 - 0x94904fff com.apple.DSObjCWrappers.Framework 1.1 /System/Library/PrivateFrameworks/DSObjCWrappers.framework/Versions/A/DSObjCWrappers
0x9490b000 - 0x94934fff com.apple.LDAPFramework 1.4.2 (69.1.1) /System/Library/Frameworks/LDAP.framework/Versions/A/LDAP
0x9493a000 - 0x94949fff libsasl2.2.dylib /usr/lib/libsasl2.2.dylib
0x9494d000 - 0x94972fff libssl.0.9.7.dylib /usr/lib/libssl.0.9.7.dylib
0x9497e000 - 0x9499bfff libresolv.9.dylib /usr/lib/libresolv.9.dylib
0x9574a000 - 0x9576dfff libxslt.1.dylib /usr/lib/libxslt.1.dylib
0x9708b000 - 0x97090fff com.apple.agl 2.5.9 (AGL-2.5.9) /System/Library/Frameworks/AGL.framework/Versions/A/AGL
0x9a6d3000 - 0x9a70afff com.apple.Syndication 1.0.6 (54) /System/Library/PrivateFrameworks/Syndication.framework/Versions/A/Syndication
0x9a726000 - 0x9a738fff com.apple.SyndicationUI 1.0.6 (54) /System/Library/PrivateFrameworks/SyndicationUI.framework/Versions/A/SyndicationUI

Model: Macmini1,1, BootROM MM11.0055.B08, 2 processors, Intel Core Duo, 1.66 GHz, 1 GB
Graphics: Intel GMA 950, GMA 950, Built-In, spdisplays_integrated_vram
Memory Module: BANK 0/DIMM0, 512 MB, DDR2 SDRAM, 667 MHz
Memory Module: BANK 1/DIMM1, 512 MB, DDR2 SDRAM, 667 MHz
AirPort: spairport_wireless_card_type_airport_extreme (0x168C, 0x86), 0.1.31.1
Bluetooth: Version 1.7.9f12, 2 service, 1 devices, 1 incoming serial ports
Network Service: Built-in Ethernet, Ethernet, en0
Serial ATA Device: FUJITSU MHV2080BHPL, 74.53 GB
Parallel ATA Device: MATSHITADVD-R UJ-846
USB Device: Bluetooth HCI, Up to 12 Mb/sec, 500 mA
USB Device: IR Receiver, Apple Computer, Inc., Up to 12 Mb/sec, 500 mA
USB Device: Microsoft Wheel Mouse Optical®, Microsoft, Up to 1.5 Mb/sec, 500 mA
USB Device: DELL USB Keyboard, DELL, Up to 1.5 Mb/sec, 500 mA
Attachments
Possible fix (752 bytes, patch)
2007-03-29 00:13 PDT, mitz
no flags
Test case reduction (zip file) (6.76 KB, application/octet-stream)
2007-03-29 11:23 PDT, Tom Brown
no flags
Another try (1.38 KB, patch)
2007-03-29 11:39 PDT, mitz
no flags
Create a fake mouse move event instead of using the current event (3.65 KB, patch)
2007-03-29 14:44 PDT, mitz
no flags
Create a fake mouse move event instead of using the current event (7.91 KB, patch)
2007-03-29 16:48 PDT, mitz
no flags
Don't use mouse events at all for hover state update (4.20 KB, patch)
2007-04-02 15:44 PDT, mitz
darin: review+
Tom Brown
Comment 1 2007-03-28 17:11:37 PDT
Sometimes the browser goes into spin-death instead of crashing. The following is a sample of the application during spin:

Analysis of sampling pid 20170 every 10.000000 milliseconds

Call graph:
500 Thread_0f07
  500 0x5f6f9
    500 0x5f7de
      500 NSApplicationMain
        500 -[NSApplication run]
          500 0x6f96
            500 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:]
              500 _DPSNextEvent
                500 BlockUntilNextEventMatchingListInMode
                  500 ReceiveNextEventCommon
                    500 RunCurrentEventLoopInMode
                      500 CFRunLoopRunInMode
                        500 CFRunLoopRunSpecific
                          500 WebCore::timerFired(__CFRunLoopTimer*, void*)
                            500 WebCore::TimerBase::sharedTimerFired()
                              500 WebCore::TimerBase::fireTimers(double, WTF::Vector<WebCore::TimerBase*, (unsigned long)0> const&)
                                500 WebCore::Timer<WebCore::EventHandler>::fired()
                                  500 WebCore::EventHandler::hoverTimerFired(WebCore::Timer<WebCore::EventHandler>*)
                                    500 WebCore::PlatformMouseEvent::PlatformMouseEvent[in-charge](WebCore::PlatformMouseEvent::CurrentEventTag const&)
                                      500 WebCore::globalPointForEvent(NSEvent*)
                                        500 WebCore::globalPoint(_NSPoint const&, NSWindow*)
                                          500 objc_msgSend
                                            500 objc_msgSend
500 Thread_1003
  500 _pthread_body
    500 forkThreadForFunction
      500 +[NSURLConnection(NSURLConnectionInternal) _resourceLoadLoop:]
        500 CFRunLoopRunInMode
          500 CFRunLoopRunSpecific
            500 mach_msg_trap
              500 mach_msg_trap
500 Thread_1103
  500 _pthread_body
    500 forkThreadForFunction
      500 +[NSURLCache _diskCacheSyncLoop:]
        500 CFRunLoopRunInMode
          500 CFRunLoopRunSpecific
            500 mach_msg_trap
              500 mach_msg_trap
500 Thread_1203
  500 _pthread_body
    500 select
      500 select
500 Thread_1303
  500 _pthread_body
    500 forkThreadForFunction
      500 -[AsyncDB _run:]
        500 -[NSConditionLock lockWhenCondition:]
          500 semaphore_wait_signal_trap
            500 semaphore_wait_signal_trap

Total number in stack (recursive counted multiple, when >=5):

Sort by top of stack, same collapsed (when >= 5):
mach_msg_trap 1000
objc_msgSend 500
select 500
semaphore_wait_signal_trap 500
Mark Rowe (bdash)
Comment 2 2007-03-28 23:36:08 PDT
This is in radar as <rdar://problem/5095977>. Notes from the radar we may be able to use to find a reproducible case:

* NOTES
Some of the most recent comments:
* 103432617: Crash in Kerio WebMail (www.kerio.com). It crashed after I saved e-mail message to Drafts.
* 102653902: Crash in Kerio WebMail (www.kerio.com), it happened when I saved message to Drafts.
* 100116488: .mac mail seems to crash Safari about 2 or 3 times a day with almost continuous use. I was not doing anything special, just responded to a mail (which does not consistently crash it).
* 102387013: Crash in Kerio Webmail (www.kerio.com)
mitz
Comment 3 2007-03-29 00:13:11 PDT
Created attachment 13858 [details]
Possible fix

This should prevent the hover timer from being rearmed after the view is set to 0. It also adds an ASSERT that might make the bug more reliably reproducible (if it does not fix it) in debug builds. Tom (and others seeing the bug), I'd be interested to know whether you're still able to reproduce after applying this patch locally, and if you're doing a debug build, whether you hit the ASSERT.
mitz
Comment 4 2007-03-29 10:21:23 PDT
Some testing shows that [[NSApp currentEvent] window] can be a window that's been deallocated. Specifically, this can happen in the processing of a timer with 0 interval, since the event queue is apparently not polled again before the timer fires. This and another look at the backtrace lead me to conjecture that that's what's happening here. Bug 11705 already points at PlatformMouseEvent::PlatformMouseEvent(const CurrentEventTag&) as a potential source of trouble. I think hoverTimerFired() should use something else to fabricate a mouse move event.
Tom Brown
Comment 5 2007-03-29 11:23:37 PDT
Created attachment 13870 [details]
Test case reduction (zip file)

Open the "closewincrash/outer.html" file and follow the directions.
mitz
Comment 6 2007-03-29 11:39:26 PDT
Created attachment 13871 [details]
Another try

I could not get the reduction to crash locally.
mitz
Comment 7 2007-03-29 13:37:53 PDT
Comment on attachment 13871 [details]
Another try

Even scheduleHoverStateUpdate() is too late.
Tom Brown
Comment 8 2007-03-29 13:48:04 PDT
If you have trouble getting the test case to crash, try running it through a webserver. The crash reduction makes some AJAX calls which may be timed differently when not run through HTTP.
mitz
Comment 9 2007-03-29 13:55:07 PDT
(In reply to comment #8)
> If you have trouble getting the test case to crash, try running it through a
> webserver. The crash reduction makes some AJAX calls which may be timed
> differently when not run through HTTP.

Doing that I did get the crash and I found out that scheduleHoverStateUpdate() can be called under a network callback, making [[NSApp currentEvent] window] bad even at that point. If platform mouse events are to be used, it seems that either the PlatformMouseEvent will need to be cached by the event handler when actually handling an event, or they will need to be fabricated in a way that doesn't rely on -currentEvent.
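Comments 4 and 9 above pin down the lifetime hazard: hoverTimerFired() rebuilt a PlatformMouseEvent from [NSApp currentEvent], and when the timer fires from a zero-interval timer or under a network callback, the window that event refers to may already have been deallocated, which is how the backtrace ends in objc_msgSend with a bogus receiver. The block below is an added example written for this page, not WebKit code and not any of the attached patches. It models the same situation in plain C++: a global "current event" holding a non-owning reference to a window, a hover timer that fires after that window has been closed, and the repair comment 9 points at, caching what the hover update actually needs at the time a real event is handled so the timer never consults the current event. Window, CurrentEvent, EventHandler and runScenario are hypothetical names; std::weak_ptr is used only so the dangling case can be detected and reported instead of reproducing the wild pointer dereference the real code suffered.

```cpp
#include <cstdio>
#include <memory>
#include <optional>
#include <string>

// Hypothetical stand-ins for NSWindow, NSEvent and WebCore::EventHandler.
struct Point {
    int x;
    int y;
    bool operator==(const Point& o) const { return x == o.x && y == o.y; }
};

struct Window {
    std::string name;
    Point origin;  // window position on screen
    Point toScreen(Point local) const { return {local.x + origin.x, local.y + origin.y}; }
};

// Models [NSApp currentEvent]: a non-owning reference to the window the last
// event was delivered to. The real code held a raw NSWindow*; a weak_ptr is a
// modelling device that lets us observe the "window already gone" state.
struct CurrentEvent {
    std::weak_ptr<Window> window;
    Point locationInWindow;
};
static CurrentEvent g_currentEvent;

// Pre-fix approach (modelled): fabricate the mouse position from the current
// event at timer-fire time. Returns nullopt where the real code would have
// sent a message to a deallocated window.
static std::optional<Point> hoverPointFromCurrentEvent() {
    std::shared_ptr<Window> w = g_currentEvent.window.lock();
    if (!w)
        return std::nullopt;  // dangling: the bad-receiver case
    return w->toScreen(g_currentEvent.locationInWindow);
}

// Post-fix approach (modelled on comment 9): record what the hover update needs
// while a real event is being handled; the timer uses only that recorded state.
class EventHandler {
public:
    void handleMouseMove(const std::shared_ptr<Window>& w, Point local) {
        g_currentEvent = {w, local};                    // what the toolkit would do
        m_lastKnownMousePosition = w->toScreen(local);  // what the handler caches
        m_hoverTimerArmed = true;                       // scheduleHoverStateUpdate()
    }
    // Timer callback: never touches g_currentEvent or any window.
    std::optional<Point> hoverTimerFired() {
        if (!m_hoverTimerArmed)
            return std::nullopt;
        m_hoverTimerArmed = false;
        return m_lastKnownMousePosition;
    }
private:
    std::optional<Point> m_lastKnownMousePosition;
    bool m_hoverTimerArmed = false;
};

// The sequence from the bug: mouse activity in the popup, popup closes and its
// window is deallocated, then the already-armed hover timer fires.
struct ScenarioResult {
    bool currentEventWindowAlive;
    std::optional<Point> unsafe;
    std::optional<Point> safe;
};

static ScenarioResult runScenario() {
    auto popup = std::make_shared<Window>(Window{"popup", {100, 200}});
    EventHandler handler;
    handler.handleMouseMove(popup, {10, 20});
    popup.reset();  // window.close(): last owner drops the window
    return {
        !g_currentEvent.window.expired(),
        hoverPointFromCurrentEvent(),  // stale: no window left to ask
        handler.hoverTimerFired(),     // cached: (110, 220)
    };
}

int main() {
    ScenarioResult r = runScenario();
    std::printf("current-event window alive: %s\n", r.currentEventWindowAlive ? "yes" : "no");
    std::printf("unsafe path: %s\n", r.unsafe ? "got a point" : "no window (would have crashed)");
    if (r.safe)
        std::printf("safe path: (%d, %d)\n", r.safe->x, r.safe->y);
    return 0;
}
```

The point of the model is the ordering: the timer is armed inside event handling, but it fires later on the run loop, after arbitrary code (including window teardown) has run, so any global "current event" state it reads is a snapshot that nothing keeps alive. Caching the needed value at arming time removes the dependency on that snapshot entirely, which is also why Darin's "don't use mouse events at all" direction is the smaller fix.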
mitz
Comment 10 2007-03-29 14:44:18 PDT
Created attachment 13879 [details] Create a fake mouse move event instead of using the current event
Tom Brown
Comment 11 2007-03-29 15:02:10 PDT
This latest patch seems to fix the bug, as well as the bug originally reported as bug #13124, and also seems to be a plausible solution for bug #11705 (though I haven't tested that one)
mitz
Comment 12 2007-03-29 16:48:42 PDT
Created attachment 13883 [details]
Create a fake mouse move event instead of using the current event

Includes a manual test.
mitz
Comment 13 2007-04-02 15:44:17 PDT
Created attachment 13928 [details]
Don't use mouse events at all for hover state update

A much simpler approach, suggested by Darin.
Darin Adler
Comment 14 2007-04-02 15:45:47 PDT
Comment on attachment 13928 [details]
Don't use mouse events at all for hover state update

Looks good. r=me

We should be sure to test cases that involve nested frames.
Mark Rowe (bdash)
Comment 15 2007-04-03 06:10:04 PDT
Landed in r20677.
mitz
Comment 16 2007-06-23 06:45:24 PDT
*** Bug 14308 has been marked as a duplicate of this bug. ***