Bug 13462

Summary: REPRODUCIBLE ASSERT: KJS::GCLock::GCLock[in-charge]() + 96 (collector.cpp:130)
Product: WebKit Reporter: David Kilzer (:ddkilzer) <ddkilzer>
Component: JavaScriptCoreAssignee: Maciej Stachowiak <mjs>
Status: RESOLVED FIXED    
Severity: Normal CC: bdakin, dev+webkit, ggaren, mitz, mjs, timothy
Priority: P1 Keywords: InRadar
Version: 523.x (Safari 3)   
Hardware: Mac   
OS: OS X 10.4   
Attachments:
Description Flags
the fix mrowe: review+

David Kilzer (:ddkilzer)
Reported 2007-04-23 16:20:06 PDT
* SUMMARY Reproducible assert tripped opening Web Inspector, closing Web Inspector, then opening Web Inspector again. * STEPS TO REPRODUCE 1. Open Safari/WebKit. 2. Open a page (any page): http://www.google.com/ 3. Right-click on the page and select "Inspect Element". 4. Close the Web Inspector. 5. Right-click on the page a second time and select "Inspect Element". * EXPECTED RESULTS The Web Inspector should come up a second time. * ACTUAL RESULTS Safari/WebKit crashes with an assertion failure. * REGRESSION Only tested with a local debug build of WebKit r21046 with Safari 2.0.4 (419.3) on Mac OS X 10.4.9 (8P135). * NOTES Console: ASSERTION FAILED: !isLocked (/path/to/WebKit/JavaScriptCore/kjs/collector.cpp:130 KJS::GCLock::GCLock()) Segmentation fault Stack: Exception: EXC_BAD_ACCESS (0x0001) Codes: KERN_INVALID_ADDRESS (0x0001) at 0xbbadbeef Thread 0 Crashed: 0 com.apple.JavaScriptCore 0x005bf344 KJS::GCLock::GCLock[in-charge]() + 96 (collector.cpp:130) 1 com.apple.JavaScriptCore 0x00525664 KJS::Collector::collect() + 200 (collector.cpp:754) 2 com.apple.WebCore 0x012fa28c WebCore::KJSProxy::~KJSProxy [in-charge]() + 208 (kjs_proxy.cpp:56) 3 com.apple.WebCore 0x010f4be4 WebCore::FramePrivate::~FramePrivate [in-charge]() + 56 (Frame.cpp:1886) 4 com.apple.WebCore 0x010f50dc WebCore::Frame::~Frame [in-charge deleting]() + 916 (Frame.cpp:251) 5 com.apple.WebCore 0x015c3e18 WebCore::Shared<WebCore::Frame>::deref() + 228 (Shared.h:52) 6 com.apple.WebCore 0x015c3e6c WTF::RefPtr<WebCore::Frame>::~RefPtr [in-charge]() + 64 (RefPtr.h:41) 7 com.apple.WebCore 0x011f89d0 WebCore::Page::~Page [in-charge]() + 356 (Page.cpp:94) 8 com.apple.WebKit 0x0037d3ec -[WebView(WebPrivate) _close] + 556 (WebView.mm:665) 9 com.apple.WebKit 0x003840c4 -[WebView dealloc] + 60 (WebView.mm:1808) 10 com.apple.AppKit 0x937af4b4 -[NSView release] + 200 11 com.apple.Foundation 0x92bbd908 NSPopAutoreleasePool + 536 12 com.apple.JavaScriptCore 0x0057b470 KJS::Bindings::ObjcInstance::end() + 152 (objc_instance.mm:76) 13 com.apple.JavaScriptCore 0x0057b73c KJS::Bindings::ObjcInstance::~ObjcInstance [in-charge deleting]() + 220 (objc_instance.mm:61) 14 com.apple.JavaScriptCore 0x005e4c20 KJS::Bindings::Instance::deref() + 116 (runtime.h:153) 15 com.apple.JavaScriptCore 0x005e4cf4 WTF::RefPtr<KJS::Bindings::Instance>::~RefPtr [in-charge]() + 56 (RefPtr.h:41) 16 com.apple.JavaScriptCore 0x005e4d74 KJS::RuntimeObjectImp::~RuntimeObjectImp [in-charge]() + 68 (runtime_object.h:34) 17 com.apple.JavaScriptCore 0x00525878 KJS::Collector::collect() + 732 (collector.cpp:817) 18 com.apple.JavaScriptCore 0x00525df4 KJS::Collector::allocate(unsigned long) + 332 (collector.cpp:210) 19 com.apple.JavaScriptCore 0x00561ae4 KJS::JSCell::operator new(unsigned long) + 32 (value.cpp:41) 20 com.apple.JavaScriptCore 0x0054ec00 KJS::ObjectObjectImp::construct(KJS::ExecState*, KJS::List const&) + 252 (object_object.cpp:183) 21 com.apple.JavaScriptCore 0x0053fae8 KJS::FuncExprNode::evaluate(KJS::ExecState*) + 296 (nodes.cpp:2480) 22 com.apple.JavaScriptCore 0x0054ac1c KJS::AssignDotNode::evaluate(KJS::ExecState*) + 276 (nodes.cpp:1480) 23 com.apple.JavaScriptCore 0x00542b38 KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1716) 24 com.apple.JavaScriptCore 0x005402cc KJS::SourceElementsNode::execute(KJS::ExecState*) + 624 (nodes.cpp:2522) 25 com.apple.JavaScriptCore 0x0053dc5c KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1693) 26 com.apple.JavaScriptCore 0x00536960 KJS::Interpreter::evaluate(KJS::UString const&, int, KJS::UChar const*, int, KJS::JSValue*) + 1116 (interpreter.cpp:365) 27 com.apple.WebCore 0x012faa10 WebCore::KJSProxy::evaluate(WebCore::String const&, int, WebCore::String const&, WebCore::Node*) + 420 (kjs_proxy.cpp:78) 28 com.apple.WebCore 0x014a0c78 WebCore::FrameLoader::executeScript(WebCore::String const&, int, WebCore::Node*, WebCore::String const&) + 136 (FrameLoader.cpp:711) 29 com.apple.WebCore 0x01025a3c WebCore::HTMLTokenizer::scriptExecution(WebCore::DeprecatedString const&, WebCore::HTMLTokenizer::State, WebCore::DeprecatedString, int) + 392 (HTMLTokenizer.cpp:511) 30 com.apple.WebCore 0x01027408 WebCore::HTMLTokenizer::notifyFinished(WebCore::CachedResource*) + 628 (HTMLTokenizer.cpp:1670) 31 com.apple.WebCore 0x01128dc4 WebCore::CachedScript::ref(WebCore::CachedResourceClient*) + 104 (CachedScript.cpp:64) 32 com.apple.WebCore 0x010288f0 WebCore::HTMLTokenizer::scriptHandler(WebCore::HTMLTokenizer::State) + 1364 (HTMLTokenizer.cpp:450) 33 com.apple.WebCore 0x01029080 WebCore::HTMLTokenizer::parseSpecial(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 1212 (HTMLTokenizer.cpp:310) 34 com.apple.WebCore 0x0102b164 WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 6652 (HTMLTokenizer.cpp:1185) 35 com.apple.WebCore 0x0102ba8c WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 1444 (HTMLTokenizer.cpp:1398) 36 com.apple.WebCore 0x01492ee8 WebCore::FrameLoader::write(char const*, int, bool) + 1200 (FrameLoader.cpp:928) 37 com.apple.WebCore 0x01493054 WebCore::FrameLoader::addData(char const*, int) + 320 (FrameLoader.cpp:1607) 38 com.apple.WebCore 0x0111a734 -[WebCoreFrameBridge addData:] + 232 (WebCoreFrameBridge.mm:291) 39 com.apple.WebCore 0x0111f3e4 -[WebCoreFrameBridge receivedData:textEncodingName:] + 316 (WebCoreFrameBridge.mm:1477) 40 com.apple.WebKit 0x00342d8c -[WebHTMLRepresentation receivedData:withDataSource:] + 296 (WebHTMLRepresentation.mm:175) 41 com.apple.WebKit 0x0033c054 -[WebDataSource(WebInternal) _receivedData:] + 116 (WebDataSource.mm:178) 42 com.apple.WebKit 0x003c6128 WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) + 184 43 com.apple.WebCore 0x0148eaac WebCore::FrameLoader::committedLoad(WebCore::DocumentLoader*, char const*, int) + 92 (FrameLoader.cpp:3020) 44 com.apple.WebCore 0x014a3b2c WebCore::DocumentLoader::commitLoad(char const*, int) + 104 (DocumentLoader.cpp:347) 45 com.apple.WebCore 0x014a3bb4 WebCore::DocumentLoader::receivedData(char const*, int) + 104 (DocumentLoader.cpp:360) 46 com.apple.WebCore 0x0148d7fc WebCore::FrameLoader::receivedData(char const*, int) + 60 (FrameLoader.cpp:2043) 47 com.apple.WebCore 0x014a5b88 WebCore::MainResourceLoader::addData(char const*, int, bool) + 92 (MainResourceLoader.cpp:134) 48 com.apple.WebCore 0x014a86a4 WebCore::ResourceLoader::didReceiveData(char const*, int, long long, bool) + 104 49 com.apple.WebCore 0x014a5f34 WebCore::MainResourceLoader::didReceiveData(char const*, int, long long, bool) + 288 (MainResourceLoader.cpp:289) 50 com.apple.WebCore 0x014a8018 WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle*, char const*, int, int) + 108 51 com.apple.WebCore 0x0147d364 -[WebCoreResourceHandleAsDelegate connection:didReceiveData:lengthReceived:] + 240 (ResourceHandleMac.mm:352) 52 com.apple.Foundation 0x92c13624 -[NSURLConnection(NSURLConnectionInternal) _sendDidReceiveDataCallback] + 564 53 com.apple.Foundation 0x92c11ac4 -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 488 54 com.apple.Foundation 0x92c11860 _sendCallbacks + 156 55 com.apple.CoreFoundation 0x907df4fc __CFRunLoopDoSources0 + 384 56 com.apple.CoreFoundation 0x907dea2c __CFRunLoopRun + 452 57 com.apple.CoreFoundation 0x907de4ac CFRunLoopRunSpecific + 268 58 com.apple.Foundation 0x92bf0170 -[NSRunLoop runMode:beforeDate:] + 172 59 com.apple.WebKit 0x003b45e0 -[WebInspector init] + 1744 (WebInspector.m:108) 60 com.apple.WebKit 0x003b3ed4 +[WebInspector sharedWebInspector] + 116 (WebInspector.m:57) 61 com.apple.WebKit 0x003883ac -[WebView _inspectElement:] + 388 (WebView.mm:2471) 62 com.apple.AppKit 0x9383fc4c -[NSApplication sendAction:to:from:] + 108 63 com.apple.Safari 0x0002956c 0x1000 + 165228 64 com.apple.AppKit 0x9389a4b8 -[NSMenu performActionForItemAtIndex:] + 392 65 com.apple.AppKit 0x9389a23c -[NSCarbonMenuImpl performActionWithHighlightingForItemAtIndex:] + 104 66 com.apple.AppKit 0x938c2d6c _NSPopUpCarbonMenu2 + 2480 67 com.apple.AppKit 0x938c23ac _NSPopUpCarbonMenu1 + 44 68 com.apple.AppKit 0x93919be8 -[NSCarbonMenuImpl _popUpContextMenu:withEvent:forView:withFont:] + 168 69 com.apple.AppKit 0x93919a68 -[NSMenu _popUpContextMenu:withEvent:forView:withFont:] + 216 70 com.apple.AppKit 0x93ab6404 -[NSControl _rightMouseUpOrDown:] + 440 71 com.apple.AppKit 0x937fafa0 -[NSWindow sendEvent:] + 6424 72 com.apple.Safari 0x00021734 0x1000 + 132916 73 com.apple.AppKit 0x937a38d4 -[NSApplication sendEvent:] + 4172 74 com.apple.Safari 0x00021238 0x1000 + 131640 75 com.apple.AppKit 0x9379ad10 -[NSApplication run] + 508 76 com.apple.AppKit 0x9388b87c NSApplicationMain + 452 77 com.apple.Safari 0x0005c77c 0x1000 + 374652 78 com.apple.Safari 0x0005c624 0x1000 + 374308
Attachments
the fix (1.37 KB, patch)
2007-04-27 01:46 PDT, Maciej Stachowiak 		mrowe: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Geoffrey Garen
Comment 1 2007-04-23 16:33:57 PDT
See also <rdar://problem/5154113>.
Maciej Stachowiak
Comment 2 2007-04-27 01:46:38 PDT
Created attachment 14221 [details] the fix
Mark Rowe (bdash)
Comment 3 2007-04-27 01:51:20 PDT
Comment on attachment 14221 [details] the fix r=me
Timothy Hatcher
Comment 4 2007-04-27 10:59:39 PDT
I don't this this was the correct fix, other WebKit clients will be releasing their WebView's during dealloc in a similar situation. Colloquy for example has this reentry in the collector. <rdar://problem/5145162> Colloquy hung and crashed in KJS::JSObject::mark() deallocing a WebView
Timothy Hatcher
Comment 5 2007-04-27 11:05:51 PDT
The Colloquy issues isn't exactly the same. But it might be a similar collector issue.
Note You need to log in before you can comment on or make changes to this bug.