Bug 13462

Summary: REPRODUCIBLE ASSERT: KJS::GCLock::GCLock[in-charge]() + 96 (collector.cpp:130)
Product: WebKit
Reporter: David Kilzer (:ddkilzer) <ddkilzer>
Component: JavaScriptCore
Assignee: Maciej Stachowiak <mjs>
Status: RESOLVED FIXED
Severity: Normal
CC: bdakin, dev+webkit, ggaren, mitz, mjs, timothy
Priority: P1
Keywords: InRadar
Version: 523.x (Safari 3)
Hardware: Mac
OS: OS X 10.4

Attachments (Description / Flags):
the fix / mrowe: review+

Description David Kilzer (:ddkilzer) 2007-04-23 16:20:06 PDT
* SUMMARY
Reproducible assert tripped opening Web Inspector, closing Web Inspector, then opening Web Inspector again.

* STEPS TO REPRODUCE
1. Open Safari/WebKit.
2. Open a page (any page):  http://www.google.com/
3. Right-click on the page and select "Inspect Element".
4. Close the Web Inspector.
5. Right-click on the page a second time and select "Inspect Element".

* EXPECTED RESULTS
The Web Inspector should come up a second time.

* ACTUAL RESULTS
Safari/WebKit crashes with an assertion failure.

* REGRESSION
Only tested with a local debug build of WebKit r21046 with Safari 2.0.4 (419.3) on Mac OS X 10.4.9 (8P135).

* NOTES
Console:

ASSERTION FAILED: !isLocked
(/path/to/WebKit/JavaScriptCore/kjs/collector.cpp:130 KJS::GCLock::GCLock())
Segmentation fault

Stack:

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0xbbadbeef

Thread 0 Crashed:
0   com.apple.JavaScriptCore 	0x005bf344 KJS::GCLock::GCLock[in-charge]() + 96 (collector.cpp:130)
1   com.apple.JavaScriptCore 	0x00525664 KJS::Collector::collect() + 200 (collector.cpp:754)
2   com.apple.WebCore        	0x012fa28c WebCore::KJSProxy::~KJSProxy [in-charge]() + 208 (kjs_proxy.cpp:56)
3   com.apple.WebCore        	0x010f4be4 WebCore::FramePrivate::~FramePrivate [in-charge]() + 56 (Frame.cpp:1886)
4   com.apple.WebCore        	0x010f50dc WebCore::Frame::~Frame [in-charge deleting]() + 916 (Frame.cpp:251)
5   com.apple.WebCore        	0x015c3e18 WebCore::Shared<WebCore::Frame>::deref() + 228 (Shared.h:52)
6   com.apple.WebCore        	0x015c3e6c WTF::RefPtr<WebCore::Frame>::~RefPtr [in-charge]() + 64 (RefPtr.h:41)
7   com.apple.WebCore        	0x011f89d0 WebCore::Page::~Page [in-charge]() + 356 (Page.cpp:94)
8   com.apple.WebKit         	0x0037d3ec -[WebView(WebPrivate) _close] + 556 (WebView.mm:665)
9   com.apple.WebKit         	0x003840c4 -[WebView dealloc] + 60 (WebView.mm:1808)
10  com.apple.AppKit         	0x937af4b4 -[NSView release] + 200
11  com.apple.Foundation     	0x92bbd908 NSPopAutoreleasePool + 536
12  com.apple.JavaScriptCore 	0x0057b470 KJS::Bindings::ObjcInstance::end() + 152 (objc_instance.mm:76)
13  com.apple.JavaScriptCore 	0x0057b73c KJS::Bindings::ObjcInstance::~ObjcInstance [in-charge deleting]() + 220 (objc_instance.mm:61)
14  com.apple.JavaScriptCore 	0x005e4c20 KJS::Bindings::Instance::deref() + 116 (runtime.h:153)
15  com.apple.JavaScriptCore 	0x005e4cf4 WTF::RefPtr<KJS::Bindings::Instance>::~RefPtr [in-charge]() + 56 (RefPtr.h:41)
16  com.apple.JavaScriptCore 	0x005e4d74 KJS::RuntimeObjectImp::~RuntimeObjectImp [in-charge]() + 68 (runtime_object.h:34)
17  com.apple.JavaScriptCore 	0x00525878 KJS::Collector::collect() + 732 (collector.cpp:817)
18  com.apple.JavaScriptCore 	0x00525df4 KJS::Collector::allocate(unsigned long) + 332 (collector.cpp:210)
19  com.apple.JavaScriptCore 	0x00561ae4 KJS::JSCell::operator new(unsigned long) + 32 (value.cpp:41)
20  com.apple.JavaScriptCore 	0x0054ec00 KJS::ObjectObjectImp::construct(KJS::ExecState*, KJS::List const&) + 252 (object_object.cpp:183)
21  com.apple.JavaScriptCore 	0x0053fae8 KJS::FuncExprNode::evaluate(KJS::ExecState*) + 296 (nodes.cpp:2480)
22  com.apple.JavaScriptCore 	0x0054ac1c KJS::AssignDotNode::evaluate(KJS::ExecState*) + 276 (nodes.cpp:1480)
23  com.apple.JavaScriptCore 	0x00542b38 KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1716)
24  com.apple.JavaScriptCore 	0x005402cc KJS::SourceElementsNode::execute(KJS::ExecState*) + 624 (nodes.cpp:2522)
25  com.apple.JavaScriptCore 	0x0053dc5c KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1693)
26  com.apple.JavaScriptCore 	0x00536960 KJS::Interpreter::evaluate(KJS::UString const&, int, KJS::UChar const*, int, KJS::JSValue*) + 1116 (interpreter.cpp:365)
27  com.apple.WebCore        	0x012faa10 WebCore::KJSProxy::evaluate(WebCore::String const&, int, WebCore::String const&, WebCore::Node*) + 420 (kjs_proxy.cpp:78)
28  com.apple.WebCore        	0x014a0c78 WebCore::FrameLoader::executeScript(WebCore::String const&, int, WebCore::Node*, WebCore::String const&) + 136 (FrameLoader.cpp:711)
29  com.apple.WebCore        	0x01025a3c WebCore::HTMLTokenizer::scriptExecution(WebCore::DeprecatedString const&, WebCore::HTMLTokenizer::State, WebCore::DeprecatedString, int) + 392 (HTMLTokenizer.cpp:511)
30  com.apple.WebCore        	0x01027408 WebCore::HTMLTokenizer::notifyFinished(WebCore::CachedResource*) + 628 (HTMLTokenizer.cpp:1670)
31  com.apple.WebCore        	0x01128dc4 WebCore::CachedScript::ref(WebCore::CachedResourceClient*) + 104 (CachedScript.cpp:64)
32  com.apple.WebCore        	0x010288f0 WebCore::HTMLTokenizer::scriptHandler(WebCore::HTMLTokenizer::State) + 1364 (HTMLTokenizer.cpp:450)
33  com.apple.WebCore        	0x01029080 WebCore::HTMLTokenizer::parseSpecial(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 1212 (HTMLTokenizer.cpp:310)
34  com.apple.WebCore        	0x0102b164 WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 6652 (HTMLTokenizer.cpp:1185)
35  com.apple.WebCore        	0x0102ba8c WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 1444 (HTMLTokenizer.cpp:1398)
36  com.apple.WebCore        	0x01492ee8 WebCore::FrameLoader::write(char const*, int, bool) + 1200 (FrameLoader.cpp:928)
37  com.apple.WebCore        	0x01493054 WebCore::FrameLoader::addData(char const*, int) + 320 (FrameLoader.cpp:1607)
38  com.apple.WebCore        	0x0111a734 -[WebCoreFrameBridge addData:] + 232 (WebCoreFrameBridge.mm:291)
39  com.apple.WebCore        	0x0111f3e4 -[WebCoreFrameBridge receivedData:textEncodingName:] + 316 (WebCoreFrameBridge.mm:1477)
40  com.apple.WebKit         	0x00342d8c -[WebHTMLRepresentation receivedData:withDataSource:] + 296 (WebHTMLRepresentation.mm:175)
41  com.apple.WebKit         	0x0033c054 -[WebDataSource(WebInternal) _receivedData:] + 116 (WebDataSource.mm:178)
42  com.apple.WebKit         	0x003c6128 WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) + 184
43  com.apple.WebCore        	0x0148eaac WebCore::FrameLoader::committedLoad(WebCore::DocumentLoader*, char const*, int) + 92 (FrameLoader.cpp:3020)
44  com.apple.WebCore        	0x014a3b2c WebCore::DocumentLoader::commitLoad(char const*, int) + 104 (DocumentLoader.cpp:347)
45  com.apple.WebCore        	0x014a3bb4 WebCore::DocumentLoader::receivedData(char const*, int) + 104 (DocumentLoader.cpp:360)
46  com.apple.WebCore        	0x0148d7fc WebCore::FrameLoader::receivedData(char const*, int) + 60 (FrameLoader.cpp:2043)
47  com.apple.WebCore        	0x014a5b88 WebCore::MainResourceLoader::addData(char const*, int, bool) + 92 (MainResourceLoader.cpp:134)
48  com.apple.WebCore        	0x014a86a4 WebCore::ResourceLoader::didReceiveData(char const*, int, long long, bool) + 104
49  com.apple.WebCore        	0x014a5f34 WebCore::MainResourceLoader::didReceiveData(char const*, int, long long, bool) + 288 (MainResourceLoader.cpp:289)
50  com.apple.WebCore        	0x014a8018 WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle*, char const*, int, int) + 108
51  com.apple.WebCore        	0x0147d364 -[WebCoreResourceHandleAsDelegate connection:didReceiveData:lengthReceived:] + 240 (ResourceHandleMac.mm:352)
52  com.apple.Foundation     	0x92c13624 -[NSURLConnection(NSURLConnectionInternal) _sendDidReceiveDataCallback] + 564
53  com.apple.Foundation     	0x92c11ac4 -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 488
54  com.apple.Foundation     	0x92c11860 _sendCallbacks + 156
55  com.apple.CoreFoundation 	0x907df4fc __CFRunLoopDoSources0 + 384
56  com.apple.CoreFoundation 	0x907dea2c __CFRunLoopRun + 452
57  com.apple.CoreFoundation 	0x907de4ac CFRunLoopRunSpecific + 268
58  com.apple.Foundation     	0x92bf0170 -[NSRunLoop runMode:beforeDate:] + 172
59  com.apple.WebKit         	0x003b45e0 -[WebInspector init] + 1744 (WebInspector.m:108)
60  com.apple.WebKit         	0x003b3ed4 +[WebInspector sharedWebInspector] + 116 (WebInspector.m:57)
61  com.apple.WebKit         	0x003883ac -[WebView _inspectElement:] + 388 (WebView.mm:2471)
62  com.apple.AppKit         	0x9383fc4c -[NSApplication sendAction:to:from:] + 108
63  com.apple.Safari         	0x0002956c 0x1000 + 165228
64  com.apple.AppKit         	0x9389a4b8 -[NSMenu performActionForItemAtIndex:] + 392
65  com.apple.AppKit         	0x9389a23c -[NSCarbonMenuImpl performActionWithHighlightingForItemAtIndex:] + 104
66  com.apple.AppKit         	0x938c2d6c _NSPopUpCarbonMenu2 + 2480
67  com.apple.AppKit         	0x938c23ac _NSPopUpCarbonMenu1 + 44
68  com.apple.AppKit         	0x93919be8 -[NSCarbonMenuImpl _popUpContextMenu:withEvent:forView:withFont:] + 168
69  com.apple.AppKit         	0x93919a68 -[NSMenu _popUpContextMenu:withEvent:forView:withFont:] + 216
70  com.apple.AppKit         	0x93ab6404 -[NSControl _rightMouseUpOrDown:] + 440
71  com.apple.AppKit         	0x937fafa0 -[NSWindow sendEvent:] + 6424
72  com.apple.Safari         	0x00021734 0x1000 + 132916
73  com.apple.AppKit         	0x937a38d4 -[NSApplication sendEvent:] + 4172
74  com.apple.Safari         	0x00021238 0x1000 + 131640
75  com.apple.AppKit         	0x9379ad10 -[NSApplication run] + 508
76  com.apple.AppKit         	0x9388b87c NSApplicationMain + 452
77  com.apple.Safari         	0x0005c77c 0x1000 + 374652
78  com.apple.Safari         	0x0005c624 0x1000 + 374308
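The stack above shows the collector re-entering itself: KJS::Collector::collect() (frame 17) is sweeping, the destructor of a RuntimeObjectImp tears down an ObjcInstance, popping the autorelease pool deallocates the Inspector's WebView, and WebCore::KJSProxy::~KJSProxy (frame 2) calls Collector::collect() again while GCLock is still held, which is exactly the "!isLocked" assertion. The program below is an added example, not WebKit code and not the attached fix: it models that shape with a toy collector (Collector, Cell, GCLock, Outcome and runScenario are invented names) whose finalizers can call back into collect(), and contrasts the fail-stop guard from the report with a collector that treats a nested request as a no-op.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <functional>
#include <initializer_list>
#include <memory>
#include <stdexcept>
#include <vector>

// Heap cell with an optional finalizer, standing in for a JSCell whose
// destructor may run arbitrary code (cf. ~RuntimeObjectImp in the report).
struct Cell {
    bool marked = false;
    std::function<void()> finalizer;
};

class Collector {
public:
    // deferNested=false mimics the fail-stop guard in the report: a nested
    // collect() trips the !isLocked check (modelled here as an exception).
    // deferNested=true makes a nested request a no-op instead, one common way
    // to keep a non-reentrant collector from tearing itself down mid-sweep.
    explicit Collector(bool deferNested) : deferNested_(deferNested) {}

    Cell* allocate(std::function<void()> finalizer = {}) {
        heap_.push_back(std::make_unique<Cell>());
        heap_.back()->finalizer = std::move(finalizer);
        return heap_.back().get();
    }
    void addRoot(Cell* c) { roots_.push_back(c); }

    // Mark from the roots, run finalizers of unreachable cells, then free them.
    // Returns the number of cells freed.
    size_t collect() {
        if (isLocked_) {
            ++nestedRequests_;
            if (deferNested_) return 0;                          // hardened: ignore
            throw std::logic_error("ASSERTION FAILED: !isLocked"); // fail-stop
        }
        GCLock lock(*this);
        for (auto& c : heap_) c->marked = false;
        for (Cell* r : roots_) r->marked = true;   // toy heap: no child edges
        for (auto& c : heap_)
            if (!c->marked && c->finalizer) c->finalizer();  // may re-enter collect()
        size_t freed = 0;
        heap_.erase(std::remove_if(heap_.begin(), heap_.end(),
                                   [&freed](const std::unique_ptr<Cell>& c) {
                                       if (c->marked) return false;
                                       ++freed;
                                       return true;
                                   }),
                    heap_.end());
        return freed;
    }

    size_t liveCells() const { return heap_.size(); }
    size_t nestedRequests() const { return nestedRequests_; }

private:
    // RAII lock so isLocked_ is cleared even when a finalizer throws.
    struct GCLock {
        explicit GCLock(Collector& c) : c_(c) { c_.isLocked_ = true; }
        ~GCLock() { c_.isLocked_ = false; }
        Collector& c_;
    };
    bool deferNested_;
    bool isLocked_ = false;
    size_t nestedRequests_ = 0;
    std::vector<std::unique_ptr<Cell>> heap_;
    std::vector<Cell*> roots_;
};

struct Outcome {
    bool asserted;   // the fail-stop guard fired
    size_t freed;    // cells freed by the outer collect()
    size_t nested;   // nested collect() requests seen
    size_t live;     // cells still on the heap afterwards
};

// Reproduces the shape of the report's stack: freeing one unreachable cell runs
// a teardown routine (stand-in for -[WebView dealloc] -> ~Page -> ~KJSProxy)
// that asks for another collection while the sweep is still in progress.
Outcome runScenario(bool deferNested) {
    Collector gc(deferNested);
    gc.addRoot(gc.allocate());                 // reachable cell, must survive
    gc.allocate([&gc] { gc.collect(); });      // unreachable; teardown re-enters
    Outcome o{false, 0, 0, 0};
    try {
        o.freed = gc.collect();
    } catch (const std::logic_error&) {
        o.asserted = true;
    }
    o.nested = gc.nestedRequests();
    o.live = gc.liveCells();
    return o;
}

int main() {
    for (bool hardened : {false, true}) {
        Outcome o = runScenario(hardened);
        std::printf("deferNested=%d asserted=%d freed=%zu nested=%zu live=%zu\n",
                    hardened, o.asserted, o.freed, o.nested, o.live);
    }
    return 0;
}
```

With the fail-stop guard the nested request aborts the outer sweep with nothing freed, which is the crash in the report; with the no-op variant the outer sweep completes and frees the cell whose teardown re-entered. Which side to fix is the point of comments 4 and 5 below: a guard in the collector covers every embedder that releases a WebView from a destructor, whereas a fix in one caller (the attached patch is not shown on this page) only covers that caller.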
Comment 1 Geoffrey Garen 2007-04-23 16:33:57 PDT
See also <rdar://problem/5154113>.
Comment 2 Maciej Stachowiak 2007-04-27 01:46:38 PDT
Created attachment 14221
the fix
Comment 3 Mark Rowe (bdash) 2007-04-27 01:51:20 PDT
Comment on attachment 14221
the fix

r=me
Comment 4 Timothy Hatcher 2007-04-27 10:59:39 PDT
I don't think this was the correct fix; other WebKit clients will be releasing their WebViews during dealloc in a similar situation.

Colloquy for example has this reentry in the collector.

<rdar://problem/5145162> Colloquy hung and crashed in KJS::JSObject::mark() deallocing a WebView
Comment 5 Timothy Hatcher 2007-04-27 11:05:51 PDT
The Colloquy issue isn't exactly the same. But it might be a similar collector issue.