Bug 13547

| Summary: | REGRESSION: Crash in _NPN_ReleaseObject when closing Safari on nba.com | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Matt Lilek <dev+webkit> |
| Component: | Page Loading | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | ddkilzer, kevin, mitz |
| Priority: | P1 | Keywords: | InRadar, Regression |
| Version: | 523.x (Safari 3) | | |
| Hardware: | Mac | | |
| OS: | OS X 10.4 | | |
| URL: | http://nba.com | | |
Matt Lilek
1. Load nba.com
2. Click the "Tonight" tab on the left-hand side
3. Quit Safari -> *boom*
This only seems to crash if you quit Safari; closing the tab/window doesn't seem to trigger this.
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0x09f8945c
Thread 0 Crashed:
0 com.apple.JavaScriptCore 0x00537518 _NPN_ReleaseObject + 96 (npruntime.cpp:190)
1 com.apple.JavaScriptCore 0x00535498 KJS::Bindings::CInstance::~CInstance [in-charge deleting]() + 68 (c_instance.cpp:52)
2 com.apple.JavaScriptCore 0x005bfe38 KJS::Bindings::Instance::deref() + 116 (runtime.h:153)
3 com.apple.JavaScriptCore 0x005c01a0 WTF::RefPtr<KJS::Bindings::Instance>::~RefPtr [in-charge]() + 56 (RefPtr.h:41)
4 com.apple.JavaScriptCore 0x005c0220 KJS::RuntimeObjectImp::~RuntimeObjectImp [in-charge]() + 68 (runtime_object.h:34)
5 com.apple.JavaScriptCore 0x00574350 KJS::Collector::collect() + 1292 (collector.cpp:814)
6 com.apple.WebCore 0x012f9d34 WebCore::KJSProxy::~KJSProxy [in-charge]() + 208 (kjs_proxy.cpp:56)
7 com.apple.WebCore 0x010f4b64 WebCore::FramePrivate::~FramePrivate [in-charge]() + 56 (Frame.cpp:1893)
8 com.apple.WebCore 0x010f505c WebCore::Frame::~Frame [in-charge deleting]() + 916 (Frame.cpp:251)
9 com.apple.WebCore 0x015c531c WebCore::Shared<WebCore::Frame>::deref() + 228 (Shared.h:52)
10 com.apple.WebCore 0x0163a768 WTF::RefPtr<WebCore::Frame>::operator=(WebCore::Frame*) + 108 (RefPtr.h:107)
11 com.apple.WebCore 0x010fc8e0 WebCore::FrameView::clearPart() + 44 (FrameView.cpp:156)
12 com.apple.WebCore 0x014ce6dc WebCore::CachedPage::clear() + 548 (CachedPage.cpp:150)
13 com.apple.WebCore 0x014cf3c4 WebCore::CachedPage::close() + 184 (CachedPageMac.mm:45)
14 com.apple.WebCore 0x014cc768 WebCore::HistoryItem::performPendingReleaseOfCachedPages() + 280 (HistoryItem.cpp:467)
15 com.apple.WebKit 0x0030a134 -[WebWindowWatcher windowWillClose:] + 36 (WebHistoryItem.mm:514)
16 com.apple.Foundation 0x92be0ae4 _nsnote_callback + 180
17 com.apple.CoreFoundation 0x90806078 __CFXNotificationPost + 368
18 com.apple.CoreFoundation 0x907fe114 _CFXNotificationPostNotification + 684
19 com.apple.Foundation 0x92bcaeec -[NSNotificationCenter postNotificationName:object:userInfo:] + 92
20 com.apple.AppKit 0x9384047c -[NSWindow _close] + 100
21 com.apple.AppKit 0x938403e0 -[NSWindow close] + 36
22 com.apple.Foundation 0x92be85f4 -[NSArray makeObjectsPerformSelector:withObject:] + 264
23 com.apple.AppKit 0x938433fc -[NSApplication _deallocHardCore:] + 220
24 com.apple.AppKit 0x93841fb4 -[NSApplication terminate:] + 520
25 com.apple.AppKit 0x9383fc4c -[NSApplication sendAction:to:from:] + 108
26 com.apple.Safari 0x0002956c 0x1000 + 165228
27 com.apple.AppKit 0x9389a4b8 -[NSMenu performActionForItemAtIndex:] + 392
28 com.apple.AppKit 0x9389a23c -[NSCarbonMenuImpl performActionWithHighlightingForItemAtIndex:] + 104
29 com.apple.AppKit 0x93899ce4 -[NSMenu performKeyEquivalent:] + 272
30 com.apple.AppKit 0x93899930 -[NSApplication _handleKeyEquivalent:] + 328
31 com.apple.AppKit 0x937a3408 -[NSApplication sendEvent:] + 2944
32 com.apple.Safari 0x00021238 0x1000 + 131640
33 com.apple.AppKit 0x9379ad10 -[NSApplication run] + 508
34 com.apple.AppKit 0x9388b87c NSApplicationMain + 452
35 com.apple.Safari 0x0005c77c 0x1000 + 374652
36 com.apple.Safari 0x0005c624 0x1000 + 374308
Matt Lilek
Right now this reproduces just by loading nba.com and quitting; no tab changing is necessary (the tonight tab is already chosen). If you do change a tab and then close, you get a huge leak:
LEAK: 2537 Node
LEAK: 3 RenderObject
LEAK: 1 Frame
LEAK: 14055 KJS::Node
Matt Lilek
Oh, and there are no assertions failing with this. Maciej said on IRC he's seeing an assertion failure at frame 0 of my stack trace above when running the layout tests, so I figured I'd mention that.
Darin Adler
<rdar://problem/5183692>
David Kilzer (:ddkilzer)
Here is another way to reproduce this (with a slightly different stack trace). I'm using a local debug build of WebKit r21288 with Safari 2.0.4 (419.3) on Mac OS X 10.4.9 (8P135):
STEPS TO REPRODUCE
1. Open Safari/WebKit.
2. Go to: http://www.ssh.com/
3. Go to: http://www.google.com/ [this site apparently doesn't matter]
4. Hit browser back button to return to www.ssh.com.
5. Quit Safari.
Console output:
Segmentation fault
Stack trace:
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0x17c5d614
Thread 0 Crashed:
0 com.apple.JavaScriptCore 0x0054871c _NPN_ReleaseObject + 96 (npruntime.cpp:190)
1 com.apple.JavaScriptCore 0x00546548 KJS::Bindings::CInstance::~CInstance [in-charge deleting]() + 68 (c_instance.cpp:52)
2 com.apple.JavaScriptCore 0x005d2b34 KJS::Bindings::Instance::deref() + 116 (runtime.h:153)
3 com.apple.JavaScriptCore 0x005d2f34 WTF::RefPtr<KJS::Bindings::Instance>::~RefPtr [not-in-charge]() + 56 (RefPtr.h:41)
4 com.apple.JavaScriptCore 0x005d2f68 WTF::RefPtr<KJS::Bindings::Instance>::~RefPtr [in-charge]() + 32 (RefPtr.h:41)
5 com.apple.JavaScriptCore 0x005d2fc0 KJS::RuntimeObjectImp::~RuntimeObjectImp [not-in-charge]() + 68 (runtime_object.h:34)
6 com.apple.JavaScriptCore 0x005d3014 KJS::RuntimeObjectImp::~RuntimeObjectImp [in-charge]() + 32 (runtime_object.h:34)
7 com.apple.JavaScriptCore 0x005859c0 KJS::Collector::collect() + 820 (collector.cpp:790)
8 com.apple.WebCore 0x014a851c WebCore::CachedPage::clear() + 824 (CachedPage.cpp:164)
9 com.apple.WebCore 0x014a8cc4 WebCore::CachedPage::close() + 184 (CachedPageMac.mm:45)
10 com.apple.WebCore 0x014a6e34 WebCore::HistoryItem::performPendingReleaseOfCachedPages() + 280 (HistoryItem.cpp:452)
11 com.apple.WebKit 0x00309c2c -[WebWindowWatcher windowWillClose:] + 36 (WebHistoryItem.mm:514)
12 com.apple.Foundation 0x92be0ae4 _nsnote_callback + 180
13 com.apple.CoreFoundation 0x90806078 __CFXNotificationPost + 368
14 com.apple.CoreFoundation 0x907fe114 _CFXNotificationPostNotification + 684
15 com.apple.Foundation 0x92bcaeec -[NSNotificationCenter postNotificationName:object:userInfo:] + 92
16 com.apple.AppKit 0x9384047c -[NSWindow _close] + 100
17 com.apple.AppKit 0x938403e0 -[NSWindow close] + 36
18 com.apple.Foundation 0x92be85f4 -[NSArray makeObjectsPerformSelector:withObject:] + 264
19 com.apple.AppKit 0x938433fc -[NSApplication _deallocHardCore:] + 220
20 com.apple.AppKit 0x93841fb4 -[NSApplication terminate:] + 520
21 com.apple.AppKit 0x9383fc4c -[NSApplication sendAction:to:from:] + 108
22 com.apple.Safari 0x0002956c 0x1000 + 165228
23 com.apple.AppKit 0x9389a4b8 -[NSMenu performActionForItemAtIndex:] + 392
24 com.apple.AppKit 0x9389a23c -[NSCarbonMenuImpl performActionWithHighlightingForItemAtIndex:] + 104
25 com.apple.AppKit 0x93899ce4 -[NSMenu performKeyEquivalent:] + 272
26 com.apple.AppKit 0x93899930 -[NSApplication _handleKeyEquivalent:] + 328
27 com.apple.AppKit 0x937a3408 -[NSApplication sendEvent:] + 2944
28 com.apple.Safari 0x00021238 0x1000 + 131640
29 com.apple.AppKit 0x9379ad10 -[NSApplication run] + 508
30 com.apple.AppKit 0x9388b87c NSApplicationMain + 452
31 com.apple.Safari 0x0005c77c 0x1000 + 374652
32 com.apple.Safari 0x0005c624 0x1000 + 374308
Matt Lilek
*** Bug 13977 has been marked as a duplicate of this bug. ***
Anders Carlsson
Committed revision 23538.