Bug 13545

Summary: Crash closing page on www.stevepavlina.com
Product: WebKit Reporter: David Kilzer (:ddkilzer) <ddkilzer>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED WORKSFORME    
Severity: Normal CC: sullivan
Priority: P1 Keywords: InRadar, NeedsReduction
Version: 523.x (Safari 3)   
Hardware: Mac   
OS: OS X 10.4   
URL: http://www.stevepavlina.com/blog/2006/04/how-to-get-up-right-away-when-your-alarm-goes-off/

David Kilzer (:ddkilzer)
Reported 2007-04-29 18:25:47 PDT
* SUMMARY A local debug build of WebKit r21184 crashed when I closed the URL in a tab. I can't reproduce this, though. * STEPS TO REPRODUCE 1. Open Safari/WebKit. 2. Search for "site:stevepavlina.com how to get up right away" in Google in the first tab. 3. Open http://www.stevepavlina.com/ in the second tab. 4. Open third tab with URL: http://www.stevepavlina.com/blog/2006/04/how-to-get-up-right-away-when-your-alarm-goes-off/ 5. Read article in Step 4. 6. Use Cmd-W to close third tab. * EXPECTED RESULTS Tab should close without crash. * ACTUAL RESULTS Tab closes with crash. * REGRESSION This is a regression from shipping Safari 2.0.4 (419.3) on Mac OS X 10.4.9 (8P135). * NOTES I have NOT been able to reproduce this.
Attachments
Add attachment proposed patch, testcase, etc.
David Kilzer (:ddkilzer)
Comment 1 2007-04-29 18:27:46 PDT
Console output: Bus error Stack trace: Exception: EXC_BAD_ACCESS (0x0001) Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x04000004 Thread 0 Crashed: 0 <<00000000>> 0x04000004 0 + 67108868 1 com.apple.JavaScriptCore 0x0060181c WTF::RefPtr<KJS::FunctionBodyNode>::~RefPtr [not-in-charge]() + 60 (RefPtr.h:41) 2 com.apple.JavaScriptCore 0x00601850 WTF::RefPtr<KJS::FunctionBodyNode>::~RefPtr [in-charge]() + 32 (RefPtr.h:41) 3 com.apple.JavaScriptCore 0x005abf0c KJS::FunctionImp::~FunctionImp [not-in-charge]() + 84 (function.cpp:69) 4 com.apple.JavaScriptCore 0x00615f1c KJS::DeclaredFunctionImp::~DeclaredFunctionImp [not-in-charge]() + 64 (function.h:105) 5 com.apple.JavaScriptCore 0x00615f64 KJS::DeclaredFunctionImp::~DeclaredFunctionImp [in-charge]() + 32 (function.h:105) 6 com.apple.JavaScriptCore 0x00585bb8 KJS::Collector::collect() + 1292 (collector.cpp:814) 7 com.apple.WebCore 0x012e1bf0 WebCore::KJSProxy::~KJSProxy [not-in-charge]() + 208 (kjs_proxy.cpp:56) 8 com.apple.WebCore 0x012e1c38 WebCore::KJSProxy::~KJSProxy [in-charge]() + 32 (kjs_proxy.cpp:57) 9 com.apple.WebCore 0x010ebbe8 WebCore::FramePrivate::~FramePrivate [not-in-charge]() + 56 (Frame.cpp:1893) 10 com.apple.WebCore 0x010ebd6c WebCore::FramePrivate::~FramePrivate [in-charge]() + 32 (Frame.cpp:1895) 11 com.apple.WebCore 0x010ec114 WebCore::Frame::~Frame [in-charge deleting]() + 916 (Frame.cpp:251) 12 com.apple.WebCore 0x0159f604 WebCore::Shared<WebCore::Frame>::deref() + 228 (Shared.h:52) 13 com.apple.WebCore 0x0159f658 WTF::RefPtr<WebCore::Frame>::~RefPtr [not-in-charge]() + 64 (RefPtr.h:41) 14 com.apple.WebCore 0x0159f68c WTF::RefPtr<WebCore::Frame>::~RefPtr [in-charge]() + 32 (RefPtr.h:41) 15 com.apple.WebCore 0x010f3854 WebCore::FrameView::~FrameView [in-charge deleting]() + 792 (FrameView.cpp:146) 16 com.apple.WebCore 0x01622d60 WebCore::FrameView::deref() + 116 (FrameView.h:63) 17 com.apple.WebCore 0x0131676c WebCore::RenderPart::~RenderPart [not-in-charge]() + 180 (RenderPart.cpp:54) 18 com.apple.WebCore 0x0171f89c WebCore::RenderPartObject::~RenderPartObject [in-charge deleting]() + 64 (RenderPartObject.h:32) 19 com.apple.WebCore 0x011c9a44 WebCore::RenderObject::arenaDelete(WebCore::RenderArena*, void*) + 324 (RenderObject.cpp:2539) 20 com.apple.WebCore 0x0131dc0c WebCore::RenderWidget::deref(WebCore::RenderArena*) + 112 (RenderWidget.cpp:207) 21 com.apple.WebCore 0x0131e484 WebCore::RenderWidget::destroy() + 372 (RenderWidget.cpp:101) 22 com.apple.WebCore 0x012af64c WebCore::Node::detach() + 124 (Node.cpp:834) 23 com.apple.WebCore 0x01109844 WebCore::ContainerNode::detach() + 112 (ContainerNode.cpp:618) 24 com.apple.WebCore 0x012b8f78 WebCore::Element::detach() + 44 (Element.cpp:661) 25 com.apple.WebCore 0x0110981c WebCore::ContainerNode::detach() + 72 (ContainerNode.cpp:615) 26 com.apple.WebCore 0x012b8f78 WebCore::Element::detach() + 44 (Element.cpp:661) 27 com.apple.WebCore 0x0110981c WebCore::ContainerNode::detach() + 72 (ContainerNode.cpp:615) 28 com.apple.WebCore 0x012b8f78 WebCore::Element::detach() + 44 (Element.cpp:661) 29 com.apple.WebCore 0x0110981c WebCore::ContainerNode::detach() + 72 (ContainerNode.cpp:615) 30 com.apple.WebCore 0x012b8f78 WebCore::Element::detach() + 44 (Element.cpp:661) 31 com.apple.WebCore 0x0110981c WebCore::ContainerNode::detach() + 72 (ContainerNode.cpp:615) 32 com.apple.WebCore 0x012b8f78 WebCore::Element::detach() + 44 (Element.cpp:661) 33 com.apple.WebCore 0x0110981c WebCore::ContainerNode::detach() + 72 (ContainerNode.cpp:615) 34 com.apple.WebCore 0x012b8f78 WebCore::Element::detach() + 44 (Element.cpp:661) 35 com.apple.WebCore 0x0110981c WebCore::ContainerNode::detach() + 72 (ContainerNode.cpp:615) 36 com.apple.WebCore 0x012b8f78 WebCore::Element::detach() + 44 (Element.cpp:661) 37 com.apple.WebCore 0x0110981c WebCore::ContainerNode::detach() + 72 (ContainerNode.cpp:615) 38 com.apple.WebCore 0x012b8f78 WebCore::Element::detach() + 44 (Element.cpp:661) 39 com.apple.WebCore 0x0110981c WebCore::ContainerNode::detach() + 72 (ContainerNode.cpp:615) 40 com.apple.WebCore 0x012b8f78 WebCore::Element::detach() + 44 (Element.cpp:661) 41 com.apple.WebCore 0x0110981c WebCore::ContainerNode::detach() + 72 (ContainerNode.cpp:615) 42 com.apple.WebCore 0x01100408 WebCore::Document::detach() + 220 (Document.cpp:1150) 43 com.apple.WebCore 0x010e2b54 WebCore::Frame::setView(WebCore::FrameView*) + 184 (Frame.cpp:272) 44 com.apple.WebCore 0x0147b6a4 WebCore::FrameLoader::detachFromParent() + 352 (FrameLoader.cpp:2964) 45 com.apple.WebKit 0x0037f1cc -[WebView(WebPrivate) _close] + 524 (WebView.mm:662) 46 com.apple.Safari 0x00047858 0x1000 + 288856 47 com.apple.Safari 0x000476fc 0x1000 + 288508 48 com.apple.Safari 0x00047690 0x1000 + 288400 49 com.apple.Safari 0x0007163c 0x1000 + 460348 50 com.apple.AppKit 0x9383fc4c -[NSApplication sendAction:to:from:] + 108 51 com.apple.Safari 0x0002956c 0x1000 + 165228 52 com.apple.AppKit 0x9389a4b8 -[NSMenu performActionForItemAtIndex:] + 392 53 com.apple.AppKit 0x9389a23c -[NSCarbonMenuImpl performActionWithHighlightingForItemAtIndex:] + 104 54 com.apple.AppKit 0x93899ce4 -[NSMenu performKeyEquivalent:] + 272 55 com.apple.AppKit 0x93899930 -[NSApplication _handleKeyEquivalent:] + 328 56 com.apple.AppKit 0x937a3408 -[NSApplication sendEvent:] + 2944 57 com.apple.Safari 0x00021238 0x1000 + 131640 58 com.apple.AppKit 0x9379ad10 -[NSApplication run] + 508 59 com.apple.AppKit 0x9388b87c NSApplicationMain + 452 60 com.apple.Safari 0x0005c77c 0x1000 + 374652 61 com.apple.Safari 0x0005c624 0x1000 + 374308
Darin Adler
Comment 2 2007-05-04 22:19:01 PDT
<rdar://problem/5183691>
John Sullivan
Comment 3 2007-06-07 10:27:44 PDT
This was marked as a regression, but the originator cannot reproduce it. There's no evidence that an unreproducible crash is a regression, so I un-marked it as a regression.
David Kilzer (:ddkilzer)
Comment 4 2007-06-07 10:47:17 PDT
Can't reproduce bug, so closing for now.
Note You need to log in before you can comment on or make changes to this bug.