Bug 13250

Summary:

REGRESSION: Browser crash on clicking back button while at link specified above (inspector: ObjC wrapper outlives JS wrapper)

Product:

WebKit

Reporter:

Ross McDonald <ross.mcdonald>

Component:

WebCore JavaScript

Assignee:

Darin Adler <darin>

Status:

RESOLVED FIXED

Severity:

Major

CC:

darin, ggaren, mitz, mjs, sam

Priority:

Keywords:

HasReduction, InRadar, Regression

Version:

523.x (Safari 3)

Hardware:

Mac

OS:

OS X 10.4

URL:

http://www.csszengarden.com/zengarden-sample.css

Attachments:

Description	Flags
Demo app (source)	none
Proposed patch	darin: review-
Check JS wrapper validity and recreate if needed	ggaren: review-
patch to fix, not this bug, but other problems seen testing inspector with back/forward	none
check root object for validity whenever using the ObjC wrapper	darin: review+

Ross McDonald

Reported 2007-04-01 02:22:53 PDT

apple report info pasted below: Date/Time: 2007-04-01 09:57:23.419 +0100 OS Version: 10.4.9 (Build 8P135) Report Version: 4 Command: Safari Path: /Applications/browsers/Safari.app/Contents/MacOS/Safari Parent: WindowServer [22026] Version: ??? (20648) PID: 23566 Thread: 0 Exception: EXC_BAD_ACCESS (0x0001) Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000020 Thread 0 Crashed: 0 com.apple.JavaScriptCore 0x00131ea0 KJS::ForInNode::execute(KJS::ExecState*) + 336 1 com.apple.JavaScriptCore 0x00134020 KJS::SourceElementsNode::execute(KJS::ExecState*) + 432 2 com.apple.JavaScriptCore 0x00130a3c KJS::BlockNode::execute(KJS::ExecState*) + 156 3 com.apple.JavaScriptCore 0x0011df08 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 56 4 com.apple.JavaScriptCore 0x0011d870 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 464 5 com.apple.JavaScriptCore 0x00139514 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 116 6 com.apple.JavaScriptCore 0x0012c968 KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 600 7 com.apple.JavaScriptCore 0x00130b28 KJS::ExprStatementNode::execute(KJS::ExecState*) + 104 8 com.apple.JavaScriptCore 0x00133f4c KJS::SourceElementsNode::execute(KJS::ExecState*) + 220 9 com.apple.JavaScriptCore 0x00130a3c KJS::BlockNode::execute(KJS::ExecState*) + 156 10 com.apple.JavaScriptCore 0x0011e90c KJS::GlobalFuncImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 828 11 com.apple.JavaScriptCore 0x00139514 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 116 12 com.apple.JavaScriptCore 0x0012c968 KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 600 13 com.apple.JavaScriptCore 0x00130b28 KJS::ExprStatementNode::execute(KJS::ExecState*) + 104 14 com.apple.JavaScriptCore 0x00134020 KJS::SourceElementsNode::execute(KJS::ExecState*) + 432 15 com.apple.JavaScriptCore 0x00130a3c KJS::BlockNode::execute(KJS::ExecState*) + 156 16 com.apple.JavaScriptCore 0x0011df08 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 56 17 com.apple.JavaScriptCore 0x0011d870 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 464 18 com.apple.JavaScriptCore 0x00139514 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 116 19 com.apple.WebCore 0x013151a0 -[WebScriptObject callWebScriptMethod:withArguments:] + 528 20 com.apple.WebKit 0x0036b594 -[WebInspector setFocusedDOMNode:] + 324 21 com.apple.WebKit 0x0036e114 -[WebInspector(WebInspectorPrivate) inspectedWebViewProgressFinished:] + 132 22 com.apple.Foundation 0x92be2ae4 _nsnote_callback + 180 23 com.apple.CoreFoundation 0x90806078 __CFXNotificationPost + 368 24 com.apple.CoreFoundation 0x907fe114 _CFXNotificationPostNotification + 684 25 com.apple.Foundation 0x92bcceec -[NSNotificationCenter postNotificationName:object:userInfo:] + 92 26 com.apple.WebCore 0x01439a6c WebCore::ProgressTracker::finalProgressComplete() + 172 27 com.apple.WebCore 0x01439b58 WebCore::ProgressTracker::progressCompleted(WebCore::Frame*) + 120 28 com.apple.WebCore 0x013e0400 WebCore::FrameLoader::checkLoadCompleteForThisFrame() + 896 29 com.apple.WebCore 0x013e07bc WebCore::FrameLoader::opened() + 876 30 com.apple.WebCore 0x013e912c WebCore::FrameLoader::commitProvisionalLoad(WTF::PassRefPtr<WebCore::PageCache>) + 796 31 com.apple.WebCore 0x013eef44 WebCore::DocumentLoader::loadFromPageCache(WTF::PassRefPtr<WebCore::PageCache>) + 84 32 com.apple.WebCore 0x013d63ac WebCore::FrameLoader::loadProvisionalItemFromPageCache() + 140 33 com.apple.WebCore 0x013dfcec WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) + 220 34 com.apple.WebCore 0x013dff1c WebCore::FrameLoader::callContinueLoadAfterNavigationPolicy(void*, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) + 44 35 com.apple.WebCore 0x013db63c WebCore::FrameLoader::checkNavigationPolicy(WebCore::ResourceRequest const&, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, void (*)(void*, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool), void*) + 620 36 com.apple.WebCore 0x013e0d5c WebCore::FrameLoader::load(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>) + 220 37 com.apple.WebCore 0x013e66dc WebCore::FrameLoader::loadItem(WebCore::HistoryItem*, WebCore::FrameLoadType) + 668 38 com.apple.WebCore 0x013e7280 WebCore::FrameLoader::recursiveGoToItem(WebCore::HistoryItem*, WebCore::HistoryItem*, WebCore::FrameLoadType) + 336 39 com.apple.WebCore 0x011872bc WebCore::Page::goBack() + 60 40 com.apple.AppKit 0x93869c4c -[NSApplication sendAction:to:from:] + 108 41 com.apple.Safari 0x0002956c 0x1000 + 165228 42 com.apple.AppKit 0x93869b80 -[NSControl sendAction:to:] + 96 43 com.apple.AppKit 0x93869a60 -[NSCell _sendActionFrom:] + 156 44 com.apple.AppKit 0x93883a88 -[NSCell trackMouse:inRect:ofView:untilMouseUp:] + 1020 45 com.apple.AppKit 0x93883670 -[NSButtonCell trackMouse:inRect:ofView:untilMouseUp:] + 564 46 com.apple.AppKit 0x93883094 -[NSControl mouseDown:] + 536 47 com.apple.Safari 0x00054614 0x1000 + 341524 48 com.apple.AppKit 0x93824890 -[NSWindow sendEvent:] + 4616 49 com.apple.Safari 0x00021734 0x1000 + 132916 50 com.apple.AppKit 0x937cd8d4 -[NSApplication sendEvent:] + 4172 51 com.apple.Safari 0x00021238 0x1000 + 131640 52 com.apple.AppKit 0x937c4d10 -[NSApplication run] + 508 53 com.apple.AppKit 0x938b587c NSApplicationMain + 452 54 com.apple.Safari 0x0005c77c 0x1000 + 374652 55 com.apple.Safari 0x0005c624 0x1000 + 374308 Thread 1: 0 libSystem.B.dylib 0x9000b4c8 mach_msg_trap + 8 1 libSystem.B.dylib 0x9000b41c mach_msg + 60 2 com.apple.CoreFoundation 0x907deba8 __CFRunLoopRun + 832 3 com.apple.CoreFoundation 0x907de4ac CFRunLoopRunSpecific + 268 4 com.apple.Foundation 0x92c0a6a8 +[NSURLConnection(NSURLConnectionInternal) _resourceLoadLoop:] + 264 5 com.apple.Foundation 0x92be31a0 forkThreadForFunction + 108 6 libSystem.B.dylib 0x9002be88 _pthread_body + 96 Thread 2: 0 libSystem.B.dylib 0x9000b4c8 mach_msg_trap + 8 1 libSystem.B.dylib 0x9000b41c mach_msg + 60 2 com.apple.CoreFoundation 0x907deba8 __CFRunLoopRun + 832 3 com.apple.CoreFoundation 0x907de4ac CFRunLoopRunSpecific + 268 4 com.apple.Foundation 0x92c0b7e8 +[NSURLCache _diskCacheSyncLoop:] + 152 5 com.apple.Foundation 0x92be31a0 forkThreadForFunction + 108 6 libSystem.B.dylib 0x9002be88 _pthread_body + 96 Thread 3: 0 libSystem.B.dylib 0x9001fa0c select + 12 1 com.apple.CoreFoundation 0x907f1434 __CFSocketManager + 472 2 libSystem.B.dylib 0x9002be88 _pthread_body + 96 Thread 4: 0 libSystem.B.dylib 0x9002c548 semaphore_wait_signal_trap + 8 1 libSystem.B.dylib 0x9003102c pthread_cond_wait + 480 2 com.apple.Foundation 0x92bea30c -[NSConditionLock lockWhenCondition:] + 68 3 com.apple.Syndication 0x9b29442c -[AsyncDB _run:] + 192 4 com.apple.Foundation 0x92be31a0 forkThreadForFunction + 108 5 libSystem.B.dylib 0x9002be88 _pthread_body + 96 Thread 5: 0 libSystem.B.dylib 0x9002c548 semaphore_wait_signal_trap + 8 1 libSystem.B.dylib 0x9003102c pthread_cond_wait + 480 2 com.apple.Foundation 0x92bea30c -[NSConditionLock lockWhenCondition:] + 68 3 com.apple.AppKit 0x93865708 -[NSUIHeartBeat _heartBeatThread:] + 324 4 com.apple.Foundation 0x92be31a0 forkThreadForFunction + 108 5 libSystem.B.dylib 0x9002be88 _pthread_body + 96 Thread 0 crashed with PPC Thread State 64: srr0: 0x0000000000131ea0 srr1: 0x000000000200f030 vrsave: 0x0000000000000000 cr: 0x44444222 xer: 0x0000000000000004 lr: 0x0000000000131e2c ctr: 0x000000000011c910 r0: 0x0000000000000000 r1: 0x00000000bfffc1b0 r2: 0x0000000000000000 r3: 0x00000000063f8c10 r4: 0x00000000bfffc444 r5: 0x0000000006331b98 r6: 0x00000000bfffc178 r7: 0x00000000bf254c4a r8: 0x000000000000000f r9: 0x0000000000000000 r10: 0x000000000637ba34 r11: 0x0000000000000001 r12: 0x000000000011c910 r13: 0x0000000001540460 r14: 0x00000000bfffd62c r15: 0x00000000014e0460 r16: 0x00000000001b1d64 r17: 0x0000000000000000 r18: 0x00000000006188c0 r19: 0x0000000000616350 r20: 0x00000000bfffcc5c r21: 0x00000000018526c0 r22: 0x00000000bfffc454 r23: 0x00000000bfffc2f4 r24: 0x000000000635bc58 r25: 0x00000000bfffc794 r26: 0x000000000019f048 r27: 0x0000000000000000 r28: 0x00000000bfffc444 r29: 0x0000000006958030 r30: 0x0000000000000000 r31: 0x0000000000131d64 Binary Images Description: 0x1000 - 0xdcfff com.apple.Safari 2.0.4 (419.3) /Applications/browsers/Safari.app/Contents/MacOS/Safari 0x109000 - 0x10afff WebKitNightlyEnabler.dylib /Applications/browsers/WebKit.app/Contents/Resources/WebKitNightlyEnabler.dylib 0x10e000 - 0x19efff com.apple.JavaScriptCore 522+ /Applications/browsers/WebKit.app/Contents/Resources/JavaScriptCore.framework/Versions/A/JavaScriptCore 0x305000 - 0x3b7fff com.apple.WebKit 522+ /Applications/browsers/WebKit.app/Contents/Resources/WebKit.framework/Versions/A/WebKit 0x1008000 - 0x154cfff com.apple.WebCore 522+ /Applications/browsers/WebKit.app/Contents/Resources/WebCore.framework/Versions/A/WebCore 0x1a6d000 - 0x1a6dfff com.apple.SpotLightCM 1.0 (121.20.2) /System/Library/Contextual Menu Items/SpotlightCM.plugin/Contents/MacOS/SpotlightCM 0x1af6000 - 0x1af8fff com.apple.AutomatorCMM 1.0.1 (54) /System/Library/Contextual Menu Items/AutomatorCMM.plugin/Contents/MacOS/AutomatorCMM 0x1b0d000 - 0x1b11fff com.apple.FolderActionsMenu 1.3 /System/Library/Contextual Menu Items/FolderActionsMenu.plugin/Contents/MacOS/FolderActionsMenu 0x8fe00000 - 0x8fe52fff dyld 46.12 /usr/lib/dyld 0x90000000 - 0x901bdfff libSystem.B.dylib /usr/lib/libSystem.B.dylib 0x90215000 - 0x9021afff libmathCommon.A.dylib /usr/lib/system/libmathCommon.A.dylib 0x9021c000 - 0x90269fff com.apple.CoreText 1.0.3 (???) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreText.framework/Versions/A/CoreText 0x90294000 - 0x90345fff ATS /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/ATS 0x90374000 - 0x9072ffff com.apple.CoreGraphics 1.258.61 (???) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics 0x907bc000 - 0x90895fff com.apple.CoreFoundation 6.4.7 (368.28) /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation 0x908de000 - 0x908defff com.apple.CoreServices 10.4 (???) /System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices 0x908e0000 - 0x909e2fff libicucore.A.dylib /usr/lib/libicucore.A.dylib 0x90a3c000 - 0x90ac0fff libobjc.A.dylib /usr/lib/libobjc.A.dylib 0x90aea000 - 0x90b5afff com.apple.framework.IOKit 1.4.1 (???) /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit 0x90b70000 - 0x90b82fff libauto.dylib /usr/lib/libauto.dylib 0x90b89000 - 0x90e60fff com.apple.CoreServices.CarbonCore 681.9 /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CarbonCore.framework/Versions/A/CarbonCore 0x90ec6000 - 0x90f46fff com.apple.CoreServices.OSServices 4.1 /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/OSServices.framework/Versions/A/OSServices 0x90f90000 - 0x90fd1fff com.apple.CFNetwork 129.20 /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CFNetwork.framework/Versions/A/CFNetwork 0x90fe6000 - 0x90ffefff com.apple.WebServices 1.1.2 (1.1.0) /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/WebServicesCore.framework/Versions/A/WebServicesCore 0x9100e000 - 0x9108ffff com.apple.SearchKit 1.0.5 /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/SearchKit.framework/Versions/A/SearchKit 0x910d5000 - 0x910fffff com.apple.Metadata 10.4.4 (121.36) /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Metadata 0x91110000 - 0x9111efff libz.1.dylib /usr/lib/libz.1.dylib 0x91121000 - 0x912dcfff com.apple.security 4.6 (29770) /System/Library/Frameworks/Security.framework/Versions/A/Security 0x913db000 - 0x913e4fff com.apple.DiskArbitration 2.1 /System/Library/Frameworks/DiskArbitration.framework/Versions/A/DiskArbitration 0x913eb000 - 0x91413fff com.apple.SystemConfiguration 1.8.3 /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration 0x91426000 - 0x91431fff libgcc_s.1.dylib /usr/lib/libgcc_s.1.dylib 0x91436000 - 0x9143efff libbsm.dylib /usr/lib/libbsm.dylib 0x91442000 - 0x914bdfff com.apple.audio.CoreAudio 3.0.4 /System/Library/Frameworks/CoreAudio.framework/Versions/A/CoreAudio 0x914fa000 - 0x914fafff com.apple.ApplicationServices 10.4 (???) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices 0x914fc000 - 0x91534fff com.apple.AE 1.5 (297) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/AE.framework/Versions/A/AE 0x9154f000 - 0x91621fff com.apple.ColorSync 4.4.9 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ColorSync.framework/Versions/A/ColorSync 0x91674000 - 0x91705fff com.apple.print.framework.PrintCore 4.6 (177.13) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/PrintCore.framework/Versions/A/PrintCore 0x9174c000 - 0x91803fff com.apple.QD 3.10.24 (???) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/QD.framework/Versions/A/QD 0x91840000 - 0x9189efff com.apple.HIServices 1.5.3 (???) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/HIServices.framework/Versions/A/HIServices 0x918cd000 - 0x918f1fff com.apple.LangAnalysis 1.6.1 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/LangAnalysis.framework/Versions/A/LangAnalysis 0x91905000 - 0x9192afff com.apple.FindByContent 1.5 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/FindByContent.framework/Versions/A/FindByContent 0x9193d000 - 0x9197ffff com.apple.LaunchServices 182 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/LaunchServices 0x9199b000 - 0x919affff com.apple.speech.synthesis.framework 3.3 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/SpeechSynthesis.framework/Versions/A/SpeechSynthesis 0x919bd000 - 0x91a03fff com.apple.ImageIO.framework 1.5.4 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/ImageIO 0x91a1a000 - 0x91ae1fff libcrypto.0.9.7.dylib /usr/lib/libcrypto.0.9.7.dylib 0x91b2f000 - 0x91b44fff libcups.2.dylib /usr/lib/libcups.2.dylib 0x91b49000 - 0x91b67fff libJPEG.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libJPEG.dylib 0x91b6d000 - 0x91c24fff libJP2.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libJP2.dylib 0x91c73000 - 0x91c77fff libGIF.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libGIF.dylib 0x91c79000 - 0x91ce1fff libRaw.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libRaw.dylib 0x91ce6000 - 0x91d23fff libTIFF.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libTIFF.dylib 0x91d2a000 - 0x91d43fff libPng.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libPng.dylib 0x91d48000 - 0x91d4bfff libRadiance.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libRadiance.dylib 0x91d4d000 - 0x91e2bfff libxml2.2.dylib /usr/lib/libxml2.2.dylib 0x91e4b000 - 0x91e4bfff com.apple.Accelerate 1.2.2 (Accelerate 1.2.2) /System/Library/Frameworks/Accelerate.framework/Versions/A/Accelerate 0x91e4d000 - 0x91f32fff com.apple.vImage 2.4 /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vImage.framework/Versions/A/vImage 0x91f3a000 - 0x91f59fff com.apple.Accelerate.vecLib 3.2.2 (vecLib 3.2.2) /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/vecLib 0x91fc5000 - 0x92033fff libvMisc.dylib /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libvMisc.dylib 0x9203e000 - 0x920d3fff libvDSP.dylib /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libvDSP.dylib 0x920ed000 - 0x92675fff libBLAS.dylib /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libBLAS.dylib 0x926a8000 - 0x929d3fff libLAPACK.dylib /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libLAPACK.dylib 0x92a03000 - 0x92af1fff libiconv.2.dylib /usr/lib/libiconv.2.dylib 0x92af4000 - 0x92b7cfff com.apple.DesktopServices 1.3.6 /System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/DesktopServicesPriv 0x92bbd000 - 0x92de8fff com.apple.Foundation 6.4.8 (567.29) /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation 0x92f15000 - 0x92f33fff libGL.dylib /System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGL.dylib 0x92f3e000 - 0x92f98fff libGLU.dylib /System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGLU.dylib 0x92fb6000 - 0x92fb6fff com.apple.Carbon 10.4 (???) /System/Library/Frameworks/Carbon.framework/Versions/A/Carbon 0x92fb8000 - 0x92fccfff com.apple.ImageCapture 3.0 /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/ImageCapture.framework/Versions/A/ImageCapture 0x92fe4000 - 0x92ff4fff com.apple.speech.recognition.framework 3.4 /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/SpeechRecognition.framework/Versions/A/SpeechRecognition 0x93000000 - 0x93015fff com.apple.securityhi 2.0 (203) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/SecurityHI.framework/Versions/A/SecurityHI 0x93027000 - 0x930aefff com.apple.ink.framework 101.2 (69) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Ink.framework/Versions/A/Ink 0x930c2000 - 0x930cdfff com.apple.help 1.0.3 (32) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Help.framework/Versions/A/Help 0x930d7000 - 0x93104fff com.apple.openscripting 1.2.5 (???) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/OpenScripting.framework/Versions/A/OpenScripting 0x9311e000 - 0x9312efff com.apple.print.framework.Print 5.0 (190.1) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Print.framework/Versions/A/Print 0x9313a000 - 0x931a0fff com.apple.htmlrendering 1.1.2 /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HTMLRendering.framework/Versions/A/HTMLRendering 0x931d1000 - 0x93220fff com.apple.NavigationServices 3.4.4 (3.4.3) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/NavigationServices.framework/Versions/A/NavigationServices 0x9324e000 - 0x9326bfff com.apple.audio.SoundManager 3.9 /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/CarbonSound.framework/Versions/A/CarbonSound 0x9327d000 - 0x9328afff com.apple.CommonPanels 1.2.2 (73) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/CommonPanels.framework/Versions/A/CommonPanels 0x93293000 - 0x935a1fff com.apple.HIToolbox 1.4.9 (???) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox 0x936f1000 - 0x936fdfff com.apple.opengl 1.4.7 /System/Library/Frameworks/OpenGL.framework/Versions/A/OpenGL 0x93702000 - 0x93722fff com.apple.DirectoryService.Framework 3.1 /System/Library/Frameworks/DirectoryService.framework/Versions/A/DirectoryService 0x937be000 - 0x937befff com.apple.Cocoa 6.4 (???) /System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa 0x937c0000 - 0x93df3fff com.apple.AppKit 6.4.7 (824.41) /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit 0x94180000 - 0x941f2fff com.apple.CoreData 91 (92.1) /System/Library/Frameworks/CoreData.framework/Versions/A/CoreData 0x9422b000 - 0x942effff com.apple.audio.toolbox.AudioToolbox 1.4.5 /System/Library/Frameworks/AudioToolbox.framework/Versions/A/AudioToolbox 0x94341000 - 0x94341fff com.apple.audio.units.AudioUnit 1.4 /System/Library/Frameworks/AudioUnit.framework/Versions/A/AudioUnit 0x94343000 - 0x94503fff com.apple.QuartzCore 1.4.12 /System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore 0x9454d000 - 0x9458afff libsqlite3.0.dylib /usr/lib/libsqlite3.0.dylib 0x94592000 - 0x945e2fff libGLImage.dylib /System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGLImage.dylib 0x945eb000 - 0x945fffff com.apple.CoreVideo 1.4 /System/Library/Frameworks/CoreVideo.framework/Versions/A/CoreVideo 0x94695000 - 0x946cdfff com.apple.vmutils 4.0.0 (85) /System/Library/PrivateFrameworks/vmutils.framework/Versions/A/vmutils 0x94710000 - 0x9472cfff com.apple.securityfoundation 2.2 (27710) /System/Library/Frameworks/SecurityFoundation.framework/Versions/A/SecurityFoundation 0x94740000 - 0x94784fff com.apple.securityinterface 2.2 (27692) /System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface 0x947a8000 - 0x947b7fff libCGATS.A.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libCGATS.A.dylib 0x947bf000 - 0x947cbfff libCSync.A.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libCSync.A.dylib 0x94811000 - 0x94829fff libRIP.A.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libRIP.A.dylib 0x94bc9000 - 0x94c3afff libstdc++.6.dylib /usr/lib/libstdc++.6.dylib 0x94daf000 - 0x94edffff com.apple.AddressBook.framework 4.0.4 (485.1) /System/Library/Frameworks/AddressBook.framework/Versions/A/AddressBook 0x94f71000 - 0x94f80fff com.apple.DSObjCWrappers.Framework 1.1 /System/Library/PrivateFrameworks/DSObjCWrappers.framework/Versions/A/DSObjCWrappers 0x94f88000 - 0x94fb5fff com.apple.LDAPFramework 1.4.1 (69.0.1) /System/Library/Frameworks/LDAP.framework/Versions/A/LDAP 0x94fbc000 - 0x94fccfff libsasl2.2.dylib /usr/lib/libsasl2.2.dylib 0x94fd0000 - 0x94ffffff libssl.0.9.7.dylib /usr/lib/libssl.0.9.7.dylib 0x9500f000 - 0x9502cfff libresolv.9.dylib /usr/lib/libresolv.9.dylib 0x9620e000 - 0x96237fff libxslt.1.dylib /usr/lib/libxslt.1.dylib 0x97aa7000 - 0x97ab4fff com.apple.agl 2.5.6 (AGL-2.5.6) /System/Library/Frameworks/AGL.framework/Versions/A/AGL 0x9b291000 - 0x9b2c7fff com.apple.Syndication 1.0.6 (54) /System/Library/PrivateFrameworks/Syndication.framework/Versions/A/Syndication 0x9b2e4000 - 0x9b2f6fff com.apple.SyndicationUI 1.0.6 (54) /System/Library/PrivateFrameworks/SyndicationUI.framework/Versions/A/SyndicationUI Model: PowerBook5,8, BootROM 4.9.6f0, 1 processors, PowerPC G4 (1.5), 1.67 GHz, 1.5 GB Graphics: ATI Mobility Radeon 9700, ATY,RV360M11, AGP, 128 MB Memory Module: SODIMM0/J20STANDARD, 512 MB, DDR2 SDRAM, PC2-4200S-444 Memory Module: SODIMM1/J23REVERSED, 1 GB, DDR2 SDRAM, PC2-4200S-444 AirPort: AirPort Extreme, 405.1 (3.90.34.0.p18) Modem: Jump, V.92, Version 1.0 Bluetooth: Version 1.7.14f14, 2 service, 0 devices, 1 incoming serial ports Network Service: Built-in Ethernet, Ethernet, en0 Network Service: AirPort, AirPort, en1 PCI Card: pci106b,4318, sppci_othernetwork, SLOT-A PCI Card: TXN,PCIXXXX-00, cardbus, PC Card PCI Card: usb, usb, USB20 PCI Card: usb, usb, USB20 PCI Card: usb, ehci, USB20 Parallel ATA Device: ST9808211A, 74.53 GB Parallel ATA Device: MATSHITADVD-R UJ-846 USB Device: Bluetooth HCI, Up to 12 Mb/sec, 500 mA USB Device: Apple Internal Keyboard / Trackpad, Apple Computer, Up to 12 Mb/sec, 500 mA

Attachments
Demo app (source) (17.31 KB, application/x-gzip) 2007-04-02 02:04 PDT, mitz	no flags	Details
Proposed patch (2.45 KB, patch) 2007-04-02 03:06 PDT, mitz	darin: review-	Details Formatted Diff Diff
Check JS wrapper validity and recreate if needed (3.65 KB, patch) 2007-04-02 14:18 PDT, mitz	ggaren: review-	Details Formatted Diff Diff
patch to fix, not this bug, but other problems seen testing inspector with back/forward (10.58 KB, patch) 2007-07-04 22:10 PDT, Darin Adler	no flags	Details Formatted Diff Diff
check root object for validity whenever using the ObjC wrapper (12.73 KB, patch) 2007-07-22 15:33 PDT, Darin Adler	darin: review+	Details Formatted Diff Diff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.

Ross McDonald

Comment 1 2007-04-01 02:28:46 PDT

I had the Web Inspector window open at the time, and can recreate this successfully....

mitz

Comment 2 2007-04-01 08:14:29 PDT

Reproducible by doing some b/f navigation while the inspector is open.

mitz

Comment 3 2007-04-01 10:21:25 PDT

Using gdb I found out that the crash happens in inspector.js:469. At the time of the crash, focusedNode, which was a JSHTMLDocument has already been deleted (during earlier GC), despite the fact that the Obj-C wrapper (_private->focusedNode) is still alive.

mitz

Comment 4 2007-04-01 12:22:49 PDT

The Document's JS wrapper gets unprotected when the bindings root is invalidated when the Frame is cleared. However, the ObjC wrapper sticks around and therefore also the entry in the ObjC wrapper cache mapping the Document to it. Thus the inspector is able to retrieve the ObjC wrapper which now points to a destroyed JS wrapper.

mitz

Comment 5 2007-04-02 02:04:03 PDT

Created attachment 13915 [details] Demo app (source) To reproduce the bug with this application, build it an run it linked to TOT WebKit. Do the following: 1) Press Return to load the "a" document. 2) Click the Store button to make and retain an Obj-C wrapper for the document. 3) Choose the "about:blank" document from the combo box, to load that into the view. This destroys the JS wrapper for the document. 4) Click the Back button to go back to the "a" document. 5) Click the Use button to pass the document to JavaScript and try to use it. This will trigger the crash.

mitz

Comment 6 2007-04-02 03:06:47 PDT

Created attachment 13916 [details] Proposed patch

Darin Adler

Comment 7 2007-04-02 08:01:39 PDT

Comment on attachment 13916 [details] Proposed patch I don't see any reason to use the rootObject protect/unprotect if we're also going to directly protect/unprotect.

Darin Adler

Comment 8 2007-04-02 08:42:32 PDT

I'm not sure this qualifies as a regression -- it requires use of the inspector so won't affect most users. I'm a little worried about storage leaks. It might be better to guard use of the JS implementation pointer in the WebScriptObject implementation so the object "goes dead" if the root object is gone. I'd like to hear Geoff's comment on that.

Geoffrey Garen

Comment 9 2007-04-02 08:48:46 PDT

I agree with Darin. The alternative would enable careless plug-ins to leak the whole window. (Ultimately, I'm on the fence about whether the browser should try to guard against plug-in leaks -- what about direct malloc leaks? or mmap leaks? -- but WebKit has always guarded against this kind of leak, so I think it needs to keep doing so.)

mitz

Comment 10 2007-04-02 08:52:57 PDT

(In reply to comment #8) > I'm not sure this qualifies as a regression -- it requires use of the inspector > so won't affect most users. It is a regression since linked against shipping WebKit, the demo app doesn't crash, while linked against TOT it does. > I'm a little worried about storage leaks. It might be better to guard use of > the JS implementation pointer in the WebScriptObject implementation so the > object "goes dead" if the root object is gone. I'd like to hear Geoff's comment > on that. I also realized that the proposed patch didn't solve the problem of calling -callWebScriptMethod... on an object with invalidated root and hitting the ASSERT in RootObject::interpreter() (or crashing).

mitz

Comment 11 2007-04-02 08:59:12 PDT

(In reply to comment #10) > calling > -callWebScriptMethod... on an object with invalidated root and hitting the > ASSERT in RootObject::interpreter() (or crashing). Wrong again (this cannot happen because -[WebScriptObject _root] is nil when the root is invalid).

mitz

Comment 12 2007-04-02 14:18:02 PDT

Created attachment 13926 [details] Check JS wrapper validity and recreate if needed I don't think it's possible or desirable to "kill" the object as suggested in comment #8 (the way I understood it). This patch just fetches a new JS wrapper for the DOM node if the old one is gone (it is also possible that the root is invalid but the old wrapper is still alive thanks to some other JS object pointing to it or any part of the DOM, in which case I believe the same old wrapper will be refetched and subsequently reprotected by a different, valid root object).

Darin Adler

Comment 13 2007-04-03 09:17:13 PDT

Comment on attachment 13926 [details] Check JS wrapper validity and recreate if needed This looks like a safer approach to me, but I'd like Geoff and perhaps Maciej to evaluate it too.

Geoffrey Garen

Comment 14 2007-04-03 15:45:52 PDT

In the WebScriptObject API, once a RootObject becomes invalid, any WebScriptObject created with it goes "inert" with respect to JavaScript. This means, for example, that if you call -valueForKey: on such an object, you'll unconditionally get back nil. I don't think that's a great API, but we probably shouldn't change it now. This patch would poke a small hole in that API, allowing you to pass an inert WebScriptObject as an argument to a JavaScript function, even though you couldn't use the WebScriptObject in any other JavaScript context. I see three problems with that: 1. It's inconsistent, and therefore confusing. 2. It doesn't fix the crash in all cases. A WebScriptObject will fail to regenerate its JS counterpart if its document is not in a frame, in which case, it will still vend a stale pointer. 3. Because it resets the WebScriptObject's RootObject, it breaks the (admittedly not very strong) cross-frame scripting security model. I think it's possible to make the object's inert-ness apply when its used as an argument to a function, too. The -_imp method can just return nil if rootObject->isValid() returns false. The tricky part will be finding all the callers of _imp and getting them to respect a nil return value, but I think that's definitely do-able.

Geoffrey Garen

Comment 15 2007-04-03 15:47:38 PDT

Comment on attachment 13926 [details] Check JS wrapper validity and recreate if needed r- for the issues I mentioned above (sorry, mitz!)

Darin Adler

Comment 16 2007-04-11 02:11:10 PDT

<rdar://problem/5126394>

Darin Adler

Comment 17 2007-07-04 22:08:20 PDT

Given Geoff's comments, I know how to fix this, but I can't seem to reproduce the bug. I have a patch sitting on one of my machines that I can attach. I tried using the inspector and then doing back/forward. I immediately hit another crash, so I fixed those first. Once I fixed the crashes I saw, I couldn't reproduce this using the inspector and back/forward.

Darin Adler

Comment 18 2007-07-04 22:10:24 PDT

Created attachment 15392 [details] patch to fix, not this bug, but other problems seen testing inspector with back/forward I wanted to put this patch up here. I probably should file a new bug report about these other problems I saw and attach the patch to that for review, but for the moment, I'll just do this.

mitz

Comment 19 2007-07-04 23:43:41 PDT

(In reply to comment #17) > Given Geoff's comments, I know how to fix this, but I can't seem to reproduce > the bug. I have a patch sitting on one of my machines that I can attach. Does this bug no longer reproduce with the demo app? (In reply to comment #18) > patch to fix, not this bug, but other problems seen testing inspector with > back/forward Perhaps your patch belongs in bug 14337.

Darin Adler

Comment 20 2007-07-05 00:49:22 PDT

(In reply to comment #19) > Does this bug no longer reproduce with the demo app? Oh, I never tried the demo app!

mitz

Comment 21 2007-07-22 14:18:02 PDT

<http://trac.webkit.org/projects/webkit/changeset/24493> has made the crash a little harder to reproduce with the demo app (by coalescing two garbage collections). To reproduce the bug with r24493 or later, build the demo app an run it linked to TOT WebKit. Do the following: 1) Press Return to load the "a" document. 2) Click the Store button to make and retain an Obj-C wrapper for the document. 3) Choose the "about:blank" document from the combo box, to load that into the view. This destroys the JS wrapper for the document. 4) Enter "data:text/html,b" in the combo box and press Return to load a "b" document. 5) Click the Back button to go back to about:blank. 6) Click the Back button to go back to the "a" document. 7) Click the Use button to pass the document to JavaScript and try to use it. This will trigger the crash.

Darin Adler

Comment 22 2007-07-22 15:33:55 PDT

Created attachment 15630 [details] check root object for validity whenever using the ObjC wrapper

Darin Adler

Comment 23 2007-07-22 15:49:00 PDT

Comment on attachment 15630 [details] check root object for validity whenever using the ObjC wrapper Kevin Decker reviewed this.

Darin Adler

Comment 24 2007-07-22 22:08:41 PDT

Committed revision 24524.

Note You need to log in before you can comment on or make changes to this bug.