Bug 17313

Summary: querySelectorAll() causing crashes when called via dojo.query() wrapper
Product: WebKit
Reporter: Alex Russell <alex>
Component: DOM
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: ap, catfish.man, dylans, hyatt, mitz, mrowe, sam
Priority: P1
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Mac
OS: OS X 10.5
URL: http://dojotoolkit.org/~alex/anon_view/dojo/tests/_base/query.html
Bug Depends on:
Bug Blocks: 13846

Attachments (description, review flags):
Reduction (will crash Release builds of TOT), flags: none
Transcript of debugging session from point of crash, flags: none
Transcript of debugging session from point of bogus write, flags: none
Crash under guard malloc, flags: none
Patch, flags: mitz: review+

Description Alex Russell 2008-02-11 14:07:59 PST
Individual calls to document.querySelectorAll(), and individual calls to [node].querySelectorAll() work as expected, but when being wrapped by dojo.query() (and called many times in succession), we are seeing crashes on the latest webkit nightlies.
Comment 1 Alexey Proskuryakov 2008-02-11 14:52:40 PST
FWIW, I could not reproduce this by opening the bug URL with a local debug build of r30153.
Comment 2 Alex Russell 2008-02-11 15:04:11 PST
The nightly I'm working from is r30123...I'll try again on tomorrow's build.
Comment 3 Mark Rowe (bdash) 2008-02-11 19:08:09 PST
Can you please attach the crash logs from this crash?  See <http://webkit.org/quality/crashlogs.html> for details.
Comment 4 Dylan Schiemann 2008-02-12 21:00:18 PST
(In reply to comment #3)
> Can you please attach the crash logs from this crash?  See
> <http://webkit.org/quality/crashlogs.html> for details.
> 

Date/Time:      2008-02-12 20:58:59.020 -0800
OS Version:     10.4.11 (Build 8S2167)
Report Version: 4

Command: Safari
Path:    /Applications/Safari.app/Contents/MacOS/Safari
Parent:  WindowServer [87]

Version: r30153 (30153)

PID:    6917
Thread: 0

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0x898c45bf

Thread 0 Crashed:
0   com.apple.WebCore        	0x014d0e6b WebCore::TextIterator::handleTextBox() + 587
1   com.apple.WebCore        	0x014d20e6 WebCore::TextIterator::advance() + 54
2   com.apple.WebCore        	0x014d25db WebCore::plainTextToMallocAllocatedBuffer(WebCore::Range const*, unsigned&) + 187
3   com.apple.WebCore        	0x014eca12 -[WebCoreFrameBridge stringForRange:] + 50
4   com.apple.WebKit         	0x00346e44 -[WebHTMLView(WebDocumentPrivateProtocols) string] + 84
5   com.apple.Safari         	0x0002fbf9 0x1000 + 191481
6   com.apple.Safari         	0x0002f7d8 0x1000 + 190424
7   com.apple.Safari         	0x0002f5ec 0x1000 + 189932
8   com.apple.Safari         	0x0002f4e7 0x1000 + 189671
9   com.apple.Foundation     	0x9283f2be __NSFireTimer + 199
10  com.apple.CoreFoundation 	0x9082d76a CFRunLoopRunSpecific + 3341
11  com.apple.CoreFoundation 	0x9082ca56 CFRunLoopRunInMode + 61
12  com.apple.HIToolbox      	0x92df0878 RunCurrentEventLoopInMode + 285
13  com.apple.HIToolbox      	0x92deff82 ReceiveNextEventCommon + 385
14  com.apple.HIToolbox      	0x92defdd9 BlockUntilNextEventMatchingListInMode + 81
15  com.apple.AppKit         	0x93296485 _DPSNextEvent + 572
16  com.apple.AppKit         	0x93296076 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 137
17  com.apple.Safari         	0x00009208 0x1000 + 33288
18  com.apple.AppKit         	0x9328fdfb -[NSApplication run] + 512
19  com.apple.AppKit         	0x93283d4f NSApplicationMain + 573
20  com.apple.Safari         	0x00090652 0x1000 + 587346
21  com.apple.Safari         	0x000027a9 0x1000 + 6057

Thread 1:
0   libSystem.B.dylib        	0x90009cd7 mach_msg_trap + 7
1   com.unsanity.ape         	0xc0001cac __ape_agent + 307
2   libSystem.B.dylib        	0x90024227 _pthread_body + 84

Thread 2:
0   libSystem.B.dylib        	0x900248c7 semaphore_wait_signal_trap + 7
1   com.apple.WebCore        	0x01200b0f WebCore::IconDatabase::syncThreadMainLoop() + 239
2   com.apple.WebCore        	0x01200c25 WebCore::IconDatabase::iconDatabaseSyncThread() + 181
3   libSystem.B.dylib        	0x90024227 _pthread_body + 84

Thread 3:
0   libSystem.B.dylib        	0x90009cd7 mach_msg_trap + 7
1   com.apple.CoreFoundation 	0x9082d23b CFRunLoopRunSpecific + 2014
2   com.apple.CoreFoundation 	0x9082ca56 CFRunLoopRunInMode + 61
3   com.apple.Foundation     	0x92854bca +[NSURLCache _diskCacheSyncLoop:] + 206
4   com.apple.Foundation     	0x927f82c0 forkThreadForFunction + 123
5   libSystem.B.dylib        	0x90024227 _pthread_body + 84

Thread 4:
0   libSystem.B.dylib        	0x90009cd7 mach_msg_trap + 7
1   com.apple.CoreFoundation 	0x9082d23b CFRunLoopRunSpecific + 2014
2   com.apple.CoreFoundation 	0x9082ca56 CFRunLoopRunInMode + 61
3   com.apple.Foundation     	0x9282d9ef +[NSURLConnection(NSURLConnectionInternal) _resourceLoadLoop:] + 259
4   com.apple.Foundation     	0x927f82c0 forkThreadForFunction + 123
5   libSystem.B.dylib        	0x90024227 _pthread_body + 84

Thread 5:
0   libSystem.B.dylib        	0x900248c7 semaphore_wait_signal_trap + 7
1   com.apple.Foundation     	0x9284e250 -[NSConditionLock lockWhenCondition:] + 39
2   com.apple.Syndication    	0x9ad79966 -[AsyncDB _run:] + 181
3   com.apple.Foundation     	0x927f82c0 forkThreadForFunction + 123
4   libSystem.B.dylib        	0x90024227 _pthread_body + 84

Thread 6:
0   libSystem.B.dylib        	0x9001a1cc select + 12
1   libSystem.B.dylib        	0x90024227 _pthread_body + 84

Thread 0 crashed with X86 Thread State (32-bit):
  eax: 0x458c3dd5  ebx: 0x014ec9ea  ecx: 0x898c458b  edx: 0x898c458b
  edi: 0xbfffeb74  esi: 0x898c458b  ebp: 0xbfffeae8  esp: 0xbfffea80
   ss: 0x0000001f  efl: 0x00010286  eip: 0x014d0e6b   cs: 0x00000017
   ds: 0x0000001f   es: 0x0000001f   fs: 0x00000000   gs: 0x00000037

Binary Images Description:
    0x1000 -   0x119fff com.apple.Safari 3.0.4 (523.12.2)	/Applications/Safari.app/Contents/MacOS/Safari
  0x155000 -   0x156fff WebKitNightlyEnabler.dylib 	/Applications/WebKit.app/Contents/Resources/WebKitNightlyEnabler.dylib
  0x305000 -   0x3c2fff com.apple.WebKit 525.8+	/Applications/WebKit.app/Contents/Frameworks/10.4/WebKit.framework/Versions/A/WebKit
  0x457000 -   0x526fff com.apple.JavaScriptCore 525.8+	/Applications/WebKit.app/Contents/Frameworks/10.4/JavaScriptCore.framework/Versions/A/JavaScriptCore
  0x5aa000 -   0x5abfff com.Logitech.Control Center.Scroll Enhancer 2.1.4	/Library/Application Enhancers/LCC Scroll Enhancer.ape/Contents/MacOS/LCC Scroll Enhancer
 0x1008000 -  0x1654fff com.apple.WebCore 525.8+	/Applications/WebKit.app/Contents/Frameworks/10.4/WebCore.framework/Versions/A/WebCore
0x270d3000 - 0x27140fff com.DivXInc.DivXDecoder 6.6.0	/Library/QuickTime/DivX Decoder.component/Contents/MacOS/DivX Decoder
0x8f8c0000 - 0x8f95ffff com.apple.QuickTimeImporters.component 7.4 (92)	/System/Library/QuickTime/QuickTimeImporters.component/Contents/MacOS/QuickTimeImporters
0x8fe00000 - 0x8fe4afff dyld 46.16	/usr/lib/dyld
0x90000000 - 0x90171fff libSystem.B.dylib 	/usr/lib/libSystem.B.dylib
0x901c1000 - 0x901c3fff libmathCommon.A.dylib 	/usr/lib/system/libmathCommon.A.dylib
0x901c5000 - 0x90202fff com.apple.CoreText 1.1.3 (???)	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreText.framework/Versions/A/CoreText
0x90229000 - 0x902fffff ATS 	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/ATS
0x9031f000 - 0x90774fff com.apple.CoreGraphics 1.258.77 (???)	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics
0x9080b000 - 0x908d3fff com.apple.CoreFoundation 6.4.9 (368.31)	/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
0x90911000 - 0x90911fff com.apple.CoreServices 10.4 (???)	/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
0x90913000 - 0x90a07fff libicucore.A.dylib 	/usr/lib/libicucore.A.dylib
0x90a57000 - 0x90ad6fff libobjc.A.dylib 	/usr/lib/libobjc.A.dylib
0x90aff000 - 0x90b63fff libstdc++.6.dylib 	/usr/lib/libstdc++.6.dylib
0x90bd2000 - 0x90bd9fff libgcc_s.1.dylib 	/usr/lib/libgcc_s.1.dylib
0x90bde000 - 0x90c51fff com.apple.framework.IOKit 1.4.8 (???)	/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
0x90c66000 - 0x90c78fff libauto.dylib 	/usr/lib/libauto.dylib
0x90c7e000 - 0x90f24fff com.apple.CoreServices.CarbonCore 682.28	/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CarbonCore.framework/Versions/A/CarbonCore
0x90f67000 - 0x90fcffff com.apple.CoreServices.OSServices 4.1	/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/OSServices.framework/Versions/A/OSServices
0x91008000 - 0x91047fff com.apple.CFNetwork 129.22	/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CFNetwork.framework/Versions/A/CFNetwork
0x9105a000 - 0x9106afff com.apple.WebServices 1.1.3 (1.1.0)	/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/WebServicesCore.framework/Versions/A/WebServicesCore
0x91075000 - 0x910f4fff com.apple.SearchKit 1.0.7	/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/SearchKit.framework/Versions/A/SearchKit
0x9112e000 - 0x9114cfff com.apple.Metadata 10.4.4 (121.36)	/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Metadata
0x91158000 - 0x91166fff libz.1.dylib 	/usr/lib/libz.1.dylib
0x91169000 - 0x91308fff com.apple.security 4.5.2 (29774)	/System/Library/Frameworks/Security.framework/Versions/A/Security
0x91406000 - 0x9140efff com.apple.DiskArbitration 2.1.2	/System/Library/Frameworks/DiskArbitration.framework/Versions/A/DiskArbitration
0x91415000 - 0x9141cfff libbsm.dylib 	/usr/lib/libbsm.dylib
0x91420000 - 0x91446fff com.apple.SystemConfiguration 1.8.6	/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration
0x91458000 - 0x914cefff com.apple.audio.CoreAudio 3.0.5	/System/Library/Frameworks/CoreAudio.framework/Versions/A/CoreAudio
0x9151f000 - 0x9151ffff com.apple.ApplicationServices 10.4 (???)	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
0x91521000 - 0x9154dfff com.apple.AE 314 (313)	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/AE.framework/Versions/A/AE
0x91560000 - 0x91634fff com.apple.ColorSync 4.4.10	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ColorSync.framework/Versions/A/ColorSync
0x9166f000 - 0x916e2fff com.apple.print.framework.PrintCore 4.6 (177.13)	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/PrintCore.framework/Versions/A/PrintCore
0x91710000 - 0x917b9fff com.apple.QD 3.10.25 (???)	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/QD.framework/Versions/A/QD
0x917df000 - 0x9182afff com.apple.HIServices 1.5.2 (???)	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/HIServices.framework/Versions/A/HIServices
0x91849000 - 0x9185ffff com.apple.LangAnalysis 1.6.3	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/LangAnalysis.framework/Versions/A/LangAnalysis
0x9186b000 - 0x91886fff com.apple.FindByContent 1.5	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/FindByContent.framework/Versions/A/FindByContent
0x91891000 - 0x918cefff com.apple.LaunchServices 182	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/LaunchServices
0x918e2000 - 0x918eefff com.apple.speech.synthesis.framework 3.5	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/SpeechSynthesis.framework/Versions/A/SpeechSynthesis
0x918f5000 - 0x91935fff com.apple.ImageIO.framework 1.5.6	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/ImageIO
0x91948000 - 0x919fafff libcrypto.0.9.7.dylib 	/usr/lib/libcrypto.0.9.7.dylib
0x91a40000 - 0x91a56fff libcups.2.dylib 	/usr/lib/libcups.2.dylib
0x91a5b000 - 0x91a79fff libJPEG.dylib 	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libJPEG.dylib
0x91a7e000 - 0x91addfff libJP2.dylib 	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libJP2.dylib
0x91aef000 - 0x91af3fff libGIF.dylib 	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libGIF.dylib
0x91af5000 - 0x91b7dfff libRaw.dylib 	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libRaw.dylib
0x91b81000 - 0x91bbefff libTIFF.dylib 	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libTIFF.dylib
0x91bc4000 - 0x91bdefff libPng.dylib 	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libPng.dylib
0x91be3000 - 0x91be5fff libRadiance.dylib 	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libRadiance.dylib
0x91be7000 - 0x91cc5fff libxml2.2.dylib 	/usr/lib/libxml2.2.dylib
0x91ce2000 - 0x91ce2fff com.apple.Accelerate 1.3.1 (Accelerate 1.3.1)	/System/Library/Frameworks/Accelerate.framework/Versions/A/Accelerate
0x91ce4000 - 0x91d72fff com.apple.vImage 2.5	/System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vImage.framework/Versions/A/vImage
0x91d79000 - 0x91d79fff com.apple.Accelerate.vecLib 3.3.1 (vecLib 3.3.1)	/System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/vecLib
0x91d7b000 - 0x91dd4fff libvMisc.dylib 	/System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libvMisc.dylib
0x91ddd000 - 0x91e01fff libvDSP.dylib 	/System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libvDSP.dylib
0x91e09000 - 0x92212fff libBLAS.dylib 	/System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libBLAS.dylib
0x9224c000 - 0x92600fff libLAPACK.dylib 	/System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libLAPACK.dylib
0x9262d000 - 0x9271afff libiconv.2.dylib 	/usr/lib/libiconv.2.dylib
0x9271c000 - 0x9279afff com.apple.DesktopServices 1.3.7	/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/DesktopServicesPriv
0x927db000 - 0x92a0bfff com.apple.Foundation 6.4.9 (567.36)	/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
0x92b25000 - 0x92b3cfff libGL.dylib 	/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGL.dylib
0x92b47000 - 0x92b9ffff libGLU.dylib 	/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGLU.dylib
0x92bb3000 - 0x92bb3fff com.apple.Carbon 10.4 (???)	/System/Library/Frameworks/Carbon.framework/Versions/A/Carbon
0x92bb5000 - 0x92bc5fff com.apple.ImageCapture 3.0.4	/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/ImageCapture.framework/Versions/A/ImageCapture
0x92bd4000 - 0x92bdcfff com.apple.speech.recognition.framework 3.6	/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/SpeechRecognition.framework/Versions/A/SpeechRecognition
0x92be2000 - 0x92be8fff com.apple.securityhi 2.0.1 (24742)	/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/SecurityHI.framework/Versions/A/SecurityHI
0x92bee000 - 0x92c7ffff com.apple.ink.framework 101.2.1 (71)	/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Ink.framework/Versions/A/Ink
0x92c93000 - 0x92c97fff com.apple.help 1.0.3 (32.1)	/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Help.framework/Versions/A/Help
0x92c9a000 - 0x92cb8fff com.apple.openscripting 1.2.5 (???)	/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/OpenScripting.framework/Versions/A/OpenScripting
0x92cca000 - 0x92cd0fff com.apple.print.framework.Print 5.2 (192.4)	/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Print.framework/Versions/A/Print
0x92cd6000 - 0x92d39fff com.apple.htmlrendering 66.1 (1.1.3)	/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HTMLRendering.framework/Versions/A/HTMLRendering
0x92d60000 - 0x92da1fff com.apple.NavigationServices 3.4.4 (3.4.3)	/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/NavigationServices.framework/Versions/A/NavigationServices
0x92dc8000 - 0x92dd6fff com.apple.audio.SoundManager 3.9.1	/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/CarbonSound.framework/Versions/A/CarbonSound
0x92ddd000 - 0x92de2fff com.apple.CommonPanels 1.2.3 (73)	/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/CommonPanels.framework/Versions/A/CommonPanels
0x92de7000 - 0x930dcfff com.apple.HIToolbox 1.4.10 (???)	/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox
0x931e2000 - 0x931edfff com.apple.opengl 1.4.16	/System/Library/Frameworks/OpenGL.framework/Versions/A/OpenGL
0x931f2000 - 0x9320dfff com.apple.DirectoryService.Framework 3.3	/System/Library/Frameworks/DirectoryService.framework/Versions/A/DirectoryService
0x9327d000 - 0x9327dfff com.apple.Cocoa 6.4 (???)	/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
0x9327f000 - 0x93935fff com.apple.AppKit 6.4.9 (824.44)	/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
0x93cb6000 - 0x93d31fff com.apple.CoreData 91 (92.1)	/System/Library/Frameworks/CoreData.framework/Versions/A/CoreData
0x93d6a000 - 0x93e23fff com.apple.audio.toolbox.AudioToolbox 1.4.7	/System/Library/Frameworks/AudioToolbox.framework/Versions/A/AudioToolbox
0x93e66000 - 0x93e66fff com.apple.audio.units.AudioUnit 1.4.3	/System/Library/Frameworks/AudioUnit.framework/Versions/A/AudioUnit
0x93e68000 - 0x94029fff com.apple.QuartzCore 1.4.12	/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore
0x9406f000 - 0x940b0fff libsqlite3.0.dylib 	/usr/lib/libsqlite3.0.dylib
0x940b8000 - 0x940f2fff libGLImage.dylib 	/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGLImage.dylib
0x940f7000 - 0x9410dfff com.apple.CoreVideo 1.4.2	/System/Library/Frameworks/CoreVideo.framework/Versions/A/CoreVideo
0x941a6000 - 0x941e4fff com.apple.vmutils 4.0.2 (93.1)	/System/Library/PrivateFrameworks/vmutils.framework/Versions/A/vmutils
0x94228000 - 0x94239fff com.apple.securityfoundation 2.2.1 (28150)	/System/Library/Frameworks/SecurityFoundation.framework/Versions/A/SecurityFoundation
0x94247000 - 0x94285fff com.apple.securityinterface 2.2.1 (27695)	/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
0x942a1000 - 0x942b0fff libCGATS.A.dylib 	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libCGATS.A.dylib
0x942b7000 - 0x942c2fff libCSync.A.dylib 	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libCSync.A.dylib
0x9430e000 - 0x94328fff libRIP.A.dylib 	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libRIP.A.dylib
0x9432e000 - 0x94645fff com.apple.QuickTime 7.4.0 (92)	/System/Library/Frameworks/QuickTime.framework/Versions/A/QuickTime
0x947ca000 - 0x94910fff com.apple.AddressBook.framework 4.0.6 (490)	/System/Library/Frameworks/AddressBook.framework/Versions/A/AddressBook
0x9499c000 - 0x949abfff com.apple.DSObjCWrappers.Framework 1.1	/System/Library/PrivateFrameworks/DSObjCWrappers.framework/Versions/A/DSObjCWrappers
0x949b2000 - 0x949dbfff com.apple.LDAPFramework 1.4.2 (69.1.1)	/System/Library/Frameworks/LDAP.framework/Versions/A/LDAP
0x949e1000 - 0x949f0fff libsasl2.2.dylib 	/usr/lib/libsasl2.2.dylib
0x949f4000 - 0x94a19fff libssl.0.9.7.dylib 	/usr/lib/libssl.0.9.7.dylib
0x94a25000 - 0x94a42fff libresolv.9.dylib 	/usr/lib/libresolv.9.dylib
0x96da2000 - 0x96da2fff com.apple.vecLib 3.3.1 (vecLib 3.3.1)	/System/Library/Frameworks/vecLib.framework/Versions/A/vecLib
0x97411000 - 0x97416fff com.apple.agl 2.5.9 (AGL-2.5.9)	/System/Library/Frameworks/AGL.framework/Versions/A/AGL
0x98e82000 - 0x99cc4fff com.apple.QuickTimeComponents.component 7.4 (92)	/System/Library/QuickTime/QuickTimeComponents.component/Contents/MacOS/QuickTimeComponents
0x9aa61000 - 0x9aa91fff com.apple.QuickTime Plugin.plugin 7.4 (92)	/Library/Internet Plug-Ins/QuickTime Plugin.plugin/Contents/MacOS/QuickTime Plugin
0x9ad77000 - 0x9adaefff com.apple.Syndication 1.0.7 (55)	/System/Library/PrivateFrameworks/Syndication.framework/Versions/A/Syndication
0x9adca000 - 0x9addcfff com.apple.SyndicationUI 1.0.7 (55)	/System/Library/PrivateFrameworks/SyndicationUI.framework/Versions/A/SyndicationUI
0xc0000000 - 0xc000efff com.unsanity.ape 2.0.2	/Library/Frameworks/ApplicationEnhancer.framework/Versions/A/ApplicationEnhancer

Model: MacPro1,1, BootROM MP11.005C.B08, 4 processors, Dual-Core Intel Xeon, 2.66 GHz, 8 GB
Graphics: NVIDIA GeForce 7300 GT, NVIDIA GeForce 7300 GT, PCIe, 256 MB
Graphics: NVIDIA GeForce 7300 GT, NVIDIA GeForce 7300 GT, PCIe, 256 MB
Memory Module: DIMM Riser A/DIMM 1, 1 GB, DDR2 FB-DIMM, 667 MHz
Memory Module: DIMM Riser A/DIMM 2, 1 GB, DDR2 FB-DIMM, 667 MHz
Memory Module: DIMM Riser B/DIMM 1, 1 GB, DDR2 FB-DIMM, 667 MHz
Memory Module: DIMM Riser B/DIMM 2, 1 GB, DDR2 FB-DIMM, 667 MHz
Memory Module: DIMM Riser A/DIMM 3, 1 GB, DDR2 FB-DIMM, 667 MHz
Memory Module: DIMM Riser A/DIMM 4, 1 GB, DDR2 FB-DIMM, 667 MHz
Memory Module: DIMM Riser B/DIMM 3, 1 GB, DDR2 FB-DIMM, 667 MHz
Memory Module: DIMM Riser B/DIMM 4, 1 GB, DDR2 FB-DIMM, 667 MHz
AirPort: spairport_wireless_card_type_airport_extreme (0x14E4, 0x87), Broadcom BCM43xx 1.0 (4.170.13.1)
Bluetooth: Version 1.9.5f4, 2 service, 1 devices, 1 incoming serial ports
Network Service: Built-in Ethernet 1, Ethernet, en0
PCI Card: NVIDIA GeForce 7300 GT, Display, Slot-4
PCI Card: NVIDIA GeForce 7300 GT, Display, Slot-1
Serial ATA Device: WDC WD5000AAKS-41TMA0, 465.76 GB
Parallel ATA Device: OPTIARC DVD RW AD-7170A
USB Device: Keyboard Hub, Apple, Inc., Up to 480 Mb/sec, 500 mA
USB Device: USB-PS/2 Optical Mouse, Logitech, Up to 1.5 Mb/sec, 100 mA
USB Device: psc 1310 series, hp, Up to 12 Mb/sec, 100 mA
USB Device: Apple Keyboard, Apple, Inc, Up to 1.5 Mb/sec, 100 mA
USB Device: Bluetooth USB Host Controller, Apple, Inc., Up to 12 Mb/sec, 500 mA
FireWire Device: built-in_hub, unknown_value, Unknown
FireWire Device: d2 Quadra (button), LaCie SA, Up to 800 Mb/sec
FireWire Device: (Rev 1.00), Tri-Select, Up to 400 Mb/sec
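A triage pass over the two CrashReporter logs on this bug (the Tiger log in comment 4 and the Leopard log in comment 5), added here as an example; it is not part of the bug report or of WebKit. The script parses the exception line, the crashing thread's backtrace and the register dump, then applies a heuristic of my own: a fault below the first page is a null dereference, while a fault a small positive distance above a value held in a general-purpose register is a field read through a bad object pointer. The 0x1000 thresholds and the register search order are assumptions. Both logs resolve to the same +0x34 offset from the pointer in esi/ecx/edx, and the crashing frame is reached from Safari's timer-driven -[WebHTMLView string] text extraction, not from the querySelectorAll() binding, which is what the stacks themselves show. The sample logs are copied from the page with whitespace collapsed and the non-crashing threads and image lists omitted.

```python
import re
from dataclasses import dataclass

# Constructed samples: exception line, crashing-thread head and register state
# copied from the logs in comments 4 (Tiger, report version 4) and 5 (Leopard,
# report version 6), whitespace collapsed; other threads and images omitted.
TIGER_LOG = """\
Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0x898c45bf

Thread 0 Crashed:
0   com.apple.WebCore   0x014d0e6b WebCore::TextIterator::handleTextBox() + 587
1   com.apple.WebCore   0x014d20e6 WebCore::TextIterator::advance() + 54
2   com.apple.WebCore   0x014d25db WebCore::plainTextToMallocAllocatedBuffer(WebCore::Range const*, unsigned&) + 187
3   com.apple.WebCore   0x014eca12 -[WebCoreFrameBridge stringForRange:] + 50
4   com.apple.WebKit    0x00346e44 -[WebHTMLView(WebDocumentPrivateProtocols) string] + 84

Thread 0 crashed with X86 Thread State (32-bit):
  eax: 0x458c3dd5  ebx: 0x014ec9ea  ecx: 0x898c458b  edx: 0x898c458b
  edi: 0xbfffeb74  esi: 0x898c458b  ebp: 0xbfffeae8  esp: 0xbfffea80
"""

LEOPARD_LOG = """\
Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000e8042488

Thread 0 Crashed:
0   com.apple.WebCore   0x00f0c48b WebCore::TextIterator::handleTextBox() + 587
1   com.apple.WebCore   0x00f0d706 WebCore::TextIterator::advance() + 54
2   com.apple.WebCore   0x00f0dbfb WebCore::plainTextToMallocAllocatedBuffer(WebCore::Range const*, unsigned int&) + 187
3   com.apple.WebCore   0x00f28042 -[WebCoreFrameBridge stringForRange:] + 50
4   com.apple.WebKit    0x001be474 -[WebHTMLView(WebDocumentPrivateProtocols) string] + 84

Thread 0 crashed with X86 Thread State (32-bit):
  eax: 0x0015867b  ebx: 0x00f2801a  ecx: 0xe8042454  edx: 0xe8042454
  edi: 0xbfffea44  esi: 0xe8042454  ebp: 0xbfffe9b8  esp: 0xbfffe950
  cr2: 0xe8042488
"""

# Both CrashReporter layouts: "Exception:" (v4) and "Exception Type:" (v6).
EXC_RE = re.compile(r"Exception(?: Type)?:\s+(EXC_\w+)")
FAULT_RE = re.compile(r"KERN_INVALID_ADDRESS.*?\bat 0x([0-9a-fA-F]+)")
FRAME_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+0x([0-9a-fA-F]+)\s+(.+?)\s\+\s(\d+)\s*$")
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip|cr2):\s+0x([0-9a-fA-F]+)")


@dataclass
class Frame:
    index: int
    image: str
    pc: int
    symbol: str
    offset: int


def parse_crash(text):
    """Return (fault address, frames of the crashed thread, register dict)."""
    m = FAULT_RE.search(text)
    fault = int(m.group(1), 16) if m else None
    frames, in_crashed = [], False
    for line in text.splitlines():
        if re.match(r"^Thread \d+ Crashed:", line):
            in_crashed = True
            continue
        if in_crashed:
            fm = FRAME_RE.match(line)
            if fm:
                idx, image, pc, sym, off = fm.groups()
                frames.append(Frame(int(idx), image, int(pc, 16), sym, int(off)))
            elif not line.strip():
                in_crashed = False  # a blank line ends the backtrace
    regs = {name: int(val, 16) for name, val in REG_RE.findall(text)}
    return fault, frames, regs


def classify_fault(fault, regs, null_page=0x1000, max_field_offset=0x1000):
    """Heuristic (assumed thresholds): 'null' for a near-null dereference,
    'wild' when a general register holds a base a small positive offset below
    the fault (a member read through a bad object pointer), else 'unknown'."""
    if fault is None:
        return ("unknown", None, None)
    if fault < null_page:
        return ("null", None, fault)
    for name in ("esi", "edi", "eax", "ebx", "ecx", "edx"):
        base = regs.get(name)
        if base is not None and 0 <= fault - base < max_field_offset:
            return ("wild", name, fault - base)
    return ("unknown", None, None)


def entry_frame(frames):
    """Nearest frame outside the crashing image: who called into it."""
    if not frames:
        return None
    return next((f for f in frames if f.image != frames[0].image), None)


def triage(text):
    """One-line summary of a log as a dict of the facts a triager wants first."""
    exc = EXC_RE.search(text)
    fault, frames, regs = parse_crash(text)
    kind, reg, off = classify_fault(fault, regs)
    entry = entry_frame(frames)
    return {
        "exception": exc.group(1) if exc else None,
        "fault_address": fault,
        "crash_image": frames[0].image if frames else None,
        "crash_symbol": frames[0].symbol if frames else None,
        "kind": kind, "register": reg, "offset": off,
        "entry_image": entry.image if entry else None,
        "entry_symbol": entry.symbol if entry else None,
    }


if __name__ == "__main__":
    for name, log in (("Tiger", TIGER_LOG), ("Leopard", LEOPARD_LOG)):
        print(name, triage(log))
```

Run stand-alone, it reports both logs as a wild-pointer read at esi+0x34 inside WebCore::TextIterator::handleTextBox(), entered from com.apple.WebKit's -[WebHTMLView(WebDocumentPrivateProtocols) string]. The identical offset across two builds points at the same member access on a non-null, non-stack pointer, the signature of a dangling or corrupted object rather than a missing null check, which lines up with the "bogus write" debugging transcript listed in the attachments.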
Comment 5 Dylan Schiemann 2008-02-12 21:04:22 PST
(In reply to comment #3)
> Can you please attach the crash logs from this crash?  See
> <http://webkit.org/quality/crashlogs.html> for details.
> 

Also crashes Leopard:

Process:         Safari [92873]
Path:            /Applications/WebKit.app/Contents/MacOS/WebKit
Identifier:      org.webkit.nightly.WebKit
Version:         r30153 (30153)
Code Type:       X86 (Native)
Parent Process:  launchd [78]

Date/Time:       2008-02-12 21:02:34.961 -0800
OS Version:      Mac OS X 10.5.1 (9B18)
Report Version:  6

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000e8042488
Crashed Thread:  0

Thread 0 Crashed:
0   com.apple.WebCore             	0x00f0c48b WebCore::TextIterator::handleTextBox() + 587
1   com.apple.WebCore             	0x00f0d706 WebCore::TextIterator::advance() + 54
2   com.apple.WebCore             	0x00f0dbfb WebCore::plainTextToMallocAllocatedBuffer(WebCore::Range const*, unsigned int&) + 187
3   com.apple.WebCore             	0x00f28042 -[WebCoreFrameBridge stringForRange:] + 50
4   com.apple.WebKit              	0x001be474 -[WebHTMLView(WebDocumentPrivateProtocols) string] + 84
5   com.apple.Safari              	0x00034ba1 0x1000 + 211873
6   com.apple.Safari              	0x00034724 0x1000 + 210724
7   com.apple.Safari              	0x00034416 0x1000 + 209942
8   com.apple.Safari              	0x00034302 0x1000 + 209666
9   com.apple.Foundation          	0x966c5663 __NSFireTimer + 147
10  com.apple.CoreFoundation      	0x95eaab7e CFRunLoopRunSpecific + 4494
11  com.apple.CoreFoundation      	0x95eaad38 CFRunLoopRunInMode + 88
12  com.apple.HIToolbox           	0x915d08a4 RunCurrentEventLoopInMode + 283
13  com.apple.HIToolbox           	0x915d06bd ReceiveNextEventCommon + 374
14  com.apple.HIToolbox           	0x915d0531 BlockUntilNextEventMatchingListInMode + 106
15  com.apple.AppKit              	0x9344fd5b _DPSNextEvent + 657
16  com.apple.AppKit              	0x9344f6a0 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
17  com.apple.Safari              	0x00009d4e 0x1000 + 36174
18  com.apple.AppKit              	0x934486d1 -[NSApplication run] + 795
19  com.apple.AppKit              	0x934159ba NSApplicationMain + 574
20  com.apple.Safari              	0x00002876 0x1000 + 6262

Thread 1:
0   libSystem.B.dylib             	0x92144ace __semwait_signal + 10
1   libSystem.B.dylib             	0x9216eced pthread_cond_wait$UNIX2003 + 73
2   com.apple.WebCore             	0x00c3a85f WebCore::IconDatabase::syncThreadMainLoop() + 239
3   com.apple.WebCore             	0x00c3a975 WebCore::IconDatabase::iconDatabaseSyncThread() + 181
4   libSystem.B.dylib             	0x9216e075 _pthread_start + 321
5   libSystem.B.dylib             	0x9216df32 thread_start + 34

Thread 2:
0   libSystem.B.dylib             	0x9213d8e6 mach_msg_trap + 10
1   libSystem.B.dylib             	0x921450dc mach_msg + 72
2   com.apple.CoreFoundation      	0x95eaa0fe CFRunLoopRunSpecific + 1806
3   com.apple.CoreFoundation      	0x95eaad38 CFRunLoopRunInMode + 88
4   com.apple.CFNetwork           	0x933a17ba CFURLCacheWorkerThread(void*) + 396
5   libSystem.B.dylib             	0x9216e075 _pthread_start + 321
6   libSystem.B.dylib             	0x9216df32 thread_start + 34

Thread 3:
0   libSystem.B.dylib             	0x9213d8e6 mach_msg_trap + 10
1   libSystem.B.dylib             	0x921450dc mach_msg + 72
2   com.apple.CoreFoundation      	0x95eaa0fe CFRunLoopRunSpecific + 1806
3   com.apple.CoreFoundation      	0x95eaad38 CFRunLoopRunInMode + 88
4   com.apple.Foundation          	0x966f4560 +[NSURLConnection(NSURLConnectionReallyInternal) _resourceLoadLoop:] + 320
5   com.apple.Foundation          	0x9669104d -[NSThread main] + 45
6   com.apple.Foundation          	0x96690bf4 __NSThread__main__ + 308
7   libSystem.B.dylib             	0x9216e075 _pthread_start + 321
8   libSystem.B.dylib             	0x9216df32 thread_start + 34

Thread 4:
0   libSystem.B.dylib             	0x9218cf5a select$DARWIN_EXTSN + 10
1   libSystem.B.dylib             	0x9216e075 _pthread_start + 321
2   libSystem.B.dylib             	0x9216df32 thread_start + 34

Thread 0 crashed with X86 Thread State (32-bit):
  eax: 0x0015867b  ebx: 0x00f2801a  ecx: 0xe8042454  edx: 0xe8042454
  edi: 0xbfffea44  esi: 0xe8042454  ebp: 0xbfffe9b8  esp: 0xbfffe950
   ss: 0x0000001f  efl: 0x00010282  eip: 0x00f0c48b   cs: 0x00000017
   ds: 0x0000001f   es: 0x0000001f   fs: 0x00000000   gs: 0x00000037
  cr2: 0xe8042488

Binary Images:
    0x1000 -   0x12efef  com.apple.Safari 3.0.4 (5523.10.6) <53d219fd878088543fd2e1af460bed18> /Applications/Safari.app/Contents/MacOS/Safari
  0x176000 -   0x177ffc +WebKitNightlyEnabler.dylib ??? (???) /Applications/WebKit.app/Contents/Resources/WebKitNightlyEnabler.dylib
  0x17c000 -   0x23afff  com.apple.WebKit 525.8+ (525.8+) /Applications/WebKit.app/Contents/Frameworks/10.5/WebKit.framework/Versions/A/WebKit
  0x2d6000 -   0x2e4ff8  SyndicationUI ??? (???) <8adc35e1eb5001dead3c18ee25f2e8db> /System/Library/PrivateFrameworks/SyndicationUI.framework/Versions/A/SyndicationUI
  0x2f3000 -   0x3c1ff7  com.apple.JavaScriptCore 525.8+ (525.8+) /Applications/WebKit.app/Contents/Frameworks/10.5/JavaScriptCore.framework/Versions/A/JavaScriptCore
  0x47f000 -   0x481fff +net.culater.SIMBL 0.8.2 (8) /Library/InputManagers/SIMBL/SIMBL.bundle/Contents/MacOS/SIMBL
  0x61a000 -   0x61fff3  libCGXCoreImage.A.dylib ??? (???) <1d164317677d5eb499d27388a0f0bb29> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libCGXCoreImage.A.dylib
  0xa3a000 -  0x1090fff  com.apple.WebCore 525.8+ (525.8+) /Applications/WebKit.app/Contents/Frameworks/10.5/WebCore.framework/Versions/A/WebCore
 0x1700000 -  0x17e6ff7  com.apple.RawCamera.bundle 2.0 (2.0) /System/Library/CoreServices/RawCamera.bundle/Contents/MacOS/RawCamera
0x16f4b000 - 0x16f4bffe  com.apple.JavaPluginCocoa 12.0.0 (12.0.0) <02a9f23a8bfc902c32ac0adfb66d6816> /Library/Internet Plug-Ins/JavaPluginCocoa.bundle/Contents/MacOS/JavaPluginCocoa
0x17593000 - 0x1759affd  com.apple.JavaVM 12.0.0 (12.0.0) <44b9536fe4d7c7fcb3506adb695a180f> /System/Library/Frameworks/JavaVM.framework/Versions/A/JavaVM
0x17cf4000 - 0x17cf5ff3  ATSHI.dylib ??? (???) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/Resources/ATSHI.dylib
0x8fe00000 - 0x8fe2d883  dyld 95.3 (???) <3896c718b33f3e065e199a659baf1a2b> /usr/lib/dyld
0x90fbc000 - 0x91352ff7  com.apple.QuartzCore 1.5.1 (1.5.1) <deb61cbeb3f734a1b2f4669f6268b9de> /System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore
0x91353000 - 0x91371ff3  com.apple.DirectoryService.Framework 3.5 (3.5) <55f196eadfd3ca73497d85aabd53c082> /System/Library/Frameworks/DirectoryService.framework/Versions/A/DirectoryService
0x91372000 - 0x91404ff3  com.apple.ApplicationServices.ATS 3.0 (???) <d994740916f7aa6495a3372def0e7b61> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/ATS
0x91405000 - 0x91411ff5  libGL.dylib ??? (???) /System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGL.dylib
0x914f2000 - 0x9154fffb  libstdc++.6.dylib ??? (???) <04b812dcec670daa8b7d2852ab14be60> /usr/lib/libstdc++.6.dylib
0x91550000 - 0x915a0ff7  com.apple.HIServices 1.6.0 (???) <d74aa73e4cfd30a08fb169198a8d2539> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/HIServices.framework/Versions/A/HIServices
0x915a1000 - 0x918a7fff  com.apple.HIToolbox 1.5.0 (???) <baa49e74751bc3c4738509ba8cc512b1> /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox
0x91ab3000 - 0x91ab7fff  libGIF.dylib ??? (???) <b8f61e346fa243a7138910bed3dcdb6b> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libGIF.dylib
0x91ae2000 - 0x91bc3ff7  libxml2.2.dylib ??? (???) <450ec38b57fb46013847cce851001a2f> /usr/lib/libxml2.2.dylib
0x91bc4000 - 0x91d8dfef  com.apple.security 5.0.1 (32736) <8c9eda0fcc1d8a571543025ac900715f> /System/Library/Frameworks/Security.framework/Versions/A/Security
0x91d8e000 - 0x91dbdfe3  com.apple.AE 402 (402) <994ba8e884aefe7bf1fc5987df099e7b> /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/AE.framework/Versions/A/AE
0x91e4f000 - 0x91e51fff  com.apple.CrashReporterSupport 10.5.0 (156) <a9cf092be7a554b3cda00fe946d1c1a7> /System/Library/PrivateFrameworks/CrashReporterSupport.framework/Versions/A/CrashReporterSupport
0x91e52000 - 0x91e53ffc  libffi.dylib ??? (???) <a3b573eb950ca583290f7b2b4c486d09> /usr/lib/libffi.dylib
0x91e54000 - 0x91e59fff  com.apple.CommonPanels 1.2.4 (85) <ea0665f57cd267609466ed8b2b20e893> /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/CommonPanels.framework/Versions/A/CommonPanels
0x91e5a000 - 0x91e60fff  com.apple.print.framework.Print 218 (220) <c35172175abbe554ddadd9b6401351fa> /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Print.framework/Versions/A/Print
0x91e7e000 - 0x91fa2fe3  com.apple.audio.toolbox.AudioToolbox 1.5 (1.5) /System/Library/Frameworks/AudioToolbox.framework/Versions/A/AudioToolbox
0x92013000 - 0x92021ffd  libz.1.dylib ??? (???) <5ddd8539ae2ebfd8e7cc1c57525385c7> /usr/lib/libz.1.dylib
0x92022000 - 0x9205bffe  com.apple.securityfoundation 3.0 (32768) <1e9885d63ced51f81bc1f39af624637d> /System/Library/Frameworks/SecurityFoundation.framework/Versions/A/SecurityFoundation
0x92124000 - 0x92131fe7  com.apple.opengl 1.5.5 (1.5.5) <aa08b52d2a84b44dc6ee5d544a53fe8a> /System/Library/Frameworks/OpenGL.framework/Versions/A/OpenGL
0x92132000 - 0x9213bfff  com.apple.speech.recognition.framework 3.7.24 (3.7.24) <d3180f9edbd9a5e6f283d6156aa3c602> /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/SpeechRecognition.framework/Versions/A/SpeechRecognition
0x9213c000 - 0x9213cff8  com.apple.Cocoa 6.5 (???) <e064f94d969ce25cb7de3cfb980c3249> /System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
0x9213d000 - 0x92297fe3  libSystem.B.dylib ??? (???) <08d9ec2f36455fc197b9b44adf62f304> /usr/lib/libSystem.B.dylib
0x92298000 - 0x92299fef  libmathCommon.A.dylib ??? (???) /usr/lib/system/libmathCommon.A.dylib
0x9229a000 - 0x9230efef  libvMisc.dylib ??? (???) /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libvMisc.dylib
0x92783000 - 0x9278dfeb  com.apple.audio.SoundManager 3.9.2 (3.9.2) <0f2ba6e891d3761212cf5a5e6134d683> /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/CarbonSound.framework/Versions/A/CarbonSound
0x9278e000 - 0x9278effa  com.apple.CoreServices 32 (32) <2fcc8f3bd5bbfc000b476cad8e6a3dd2> /System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
0x9278f000 - 0x927c5fef  libtidy.A.dylib ??? (???) <e4d3e7399fb83d7f145f9b4ec8196242> /usr/lib/libtidy.A.dylib
0x927c6000 - 0x927eeff7  com.apple.shortcut 1 (1.0) <057783867138902b52bc0941fedb74d1> /System/Library/PrivateFrameworks/Shortcut.framework/Versions/A/Shortcut
0x927ef000 - 0x927fffff  com.apple.speech.synthesis.framework 3.6.59 (3.6.59) <4ffef145fad3d4d787e0c33eab26b336> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/SpeechSynthesis.framework/Versions/A/SpeechSynthesis
0x92800000 - 0x928dffff  libobjc.A.dylib ??? (???) <5eda47fec2d0e7853b3506aa1fd2dafa> /usr/lib/libobjc.A.dylib
0x9292d000 - 0x9296efe7  libRIP.A.dylib ??? (???) <8aa8d17b338ebde48df7f01a8dc28eac> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libRIP.A.dylib
0x9296f000 - 0x9296fffd  com.apple.Accelerate 1.4 (Accelerate 1.4) /System/Library/Frameworks/Accelerate.framework/Versions/A/Accelerate
0x92970000 - 0x929ecfeb  com.apple.audio.CoreAudio 3.1.0 (3.1) <483e0d3879d52ba9ac10b4bcfb0728d6> /System/Library/Frameworks/CoreAudio.framework/Versions/A/CoreAudio
0x92a68000 - 0x92b69fff  com.apple.PubSub 1.0.1 (59) /System/Library/Frameworks/PubSub.framework/Versions/A/PubSub
0x92b6a000 - 0x92bf6ff7  com.apple.LaunchServices 286 (286) <72b15e7a01e42d510f0339e90113d5d6> /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/LaunchServices
0x92c2c000 - 0x92c5efff  com.apple.LDAPFramework 1.4.3 (106) <94a26abfc0a5d88c752763b44a10ae51> /System/Library/Frameworks/LDAP.framework/Versions/A/LDAP
0x92c5f000 - 0x92cbbff7  com.apple.htmlrendering 68 (1.1.3) <fe87a9dede38db00e6c8949942c6bd4f> /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HTMLRendering.framework/Versions/A/HTMLRendering
0x92cbc000 - 0x92cbcffd  com.apple.vecLib 3.4 (vecLib 3.4) /System/Library/Frameworks/vecLib.framework/Versions/A/vecLib
0x92cbd000 - 0x92cd3fff  com.apple.DictionaryServices 1.0.0 (1.0.0) <ad0aa0252e3323d182e17f50defe56fc> /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/DictionaryServices.framework/Versions/A/DictionaryServices
0x92cd4000 - 0x92cd9fff  com.apple.backup.framework 1.0 (1.0) /System/Library/PrivateFrameworks/Backup.framework/Versions/A/Backup
0x9323e000 - 0x9327bff7  libGLImage.dylib ??? (???) <202d73e6a4688fc06ff11b71910c2ce7> /System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGLImage.dylib
0x9327c000 - 0x9327eff5  libRadiance.dylib ??? (???) <b9e04afa91e4b597a00797d67a7268fb> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libRadiance.dylib
0x9327f000 - 0x932b9ff7  com.apple.coreui 0.1 (60) /System/Library/PrivateFrameworks/CoreUI.framework/Versions/A/CoreUI
0x932ba000 - 0x93385fff  com.apple.ColorSync 4.5.0 (4.5.0) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ColorSync.framework/Versions/A/ColorSync
0x93386000 - 0x93395fff  libsasl2.2.dylib ??? (???) <b9e1ca0b6612e280b6cbea6df0eec5f6> /usr/lib/libsasl2.2.dylib
0x93396000 - 0x9340dfe3  com.apple.CFNetwork 220 (221) <972a41911805859205b057a6f5b91e8d> /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CFNetwork.framework/Versions/A/CFNetwork
0x9340f000 - 0x93c09fef  com.apple.AppKit 6.5 (949) <b7c57a0df7821668815329f17698d7ba> /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
0x93c0a000 - 0x93c89ff5  com.apple.SearchKit 1.2.0 (1.2.0) <277b460da86bc222785159fe77e2e2ed> /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/SearchKit.framework/Versions/A/SearchKit
0x93c8a000 - 0x93c92fff  com.apple.DiskArbitration 2.2 (2.2) <1551b2af557fdf6f368f93e093933852> /System/Library/Frameworks/DiskArbitration.framework/Versions/A/DiskArbitration
0x93cd1000 - 0x93d36ffb  com.apple.ISSupport 1.6 (34) /System/Library/PrivateFrameworks/ISSupport.framework/Versions/A/ISSupport
0x93d3d000 - 0x93d3dffb  com.apple.installserver.framework 1.0 (8) /System/Library/PrivateFrameworks/InstallServer.framework/Versions/A/InstallServer
0x93d3e000 - 0x93d41fff  com.apple.help 1.1 (36) <b507b08e484cb89033e9cf23062d77de> /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Help.framework/Versions/A/Help
0x93d93000 - 0x941a3fef  libBLAS.dylib ??? (???) /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libBLAS.dylib
0x944c6000 - 0x94540ff8  com.apple.print.framework.PrintCore 5.5 (245) <9441d178f4b430cf92b67bf346646693> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/PrintCore.framework/Versions/A/PrintCore
0x9463b000 - 0x9464affe  com.apple.DSObjCWrappers.Framework 1.2 (1.2) <f5b58d1d3a855a63d493ccbec417a1e9> /System/Library/PrivateFrameworks/DSObjCWrappers.framework/Versions/A/DSObjCWrappers
0x946ea000 - 0x9477dfff  com.apple.ink.framework 101.3 (86) <bf3fa8927b4b8baae92381a976fd2079> /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Ink.framework/Versions/A/Ink
0x9477e000 - 0x947abfeb  libvDSP.dylib ??? (???) <a26683d121ee0f96df9a9d0bfca36049> /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libvDSP.dylib
0x94819000 - 0x94ce5ffe  libGLProgrammability.dylib ??? (???) <e8bc0af671427cf2b6279a035805a086> /System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGLProgrammability.dylib
0x94ce6000 - 0x94d98ffb  libcrypto.0.9.7.dylib ??? (???) <330b0e48e67faffc8c22dfc069ca7a47> /usr/lib/libcrypto.0.9.7.dylib
0x94d99000 - 0x94dd8fef  libTIFF.dylib ??? (???) <76301b3506f310fb454b58897c8d0a9f> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libTIFF.dylib
0x94dd9000 - 0x94de9ffc  com.apple.LangAnalysis 1.6.4 (1.6.4) <cbeb17ab39f28351fe2ab5b82bf465bc> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/LangAnalysis.framework/Versions/A/LangAnalysis
0x94dea000 - 0x94e2cfef  com.apple.NavigationServices 3.5.1 (161) <cc6bd78eabf1e2e7166914e9f12f5850> /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/NavigationServices.framework/Versions/A/NavigationServices
0x94e2d000 - 0x94e2dffd  com.apple.Accelerate.vecLib 3.4 (vecLib 3.4) /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/vecLib
0x94e2e000 - 0x94e87fff  libGLU.dylib ??? (???) /System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGLU.dylib
0x94e96000 - 0x95014fff  com.apple.AddressBook.framework 4.1 (687) <65b801e9f2cd16f4227d472aecb5deaf> /System/Library/Frameworks/AddressBook.framework/Versions/A/AddressBook
0x95015000 - 0x95020fe7  libCSync.A.dylib ??? (???) <482d16ba55f91a5dc05f78cc9db707a7> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libCSync.A.dylib
0x95021000 - 0x956b8fff  com.apple.CoreGraphics 1.351.0 (???) <fc69a86d38421778ad5675b82c9c7da7> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics
0x956b9000 - 0x956d8ffa  libJPEG.dylib ??? (???) <0dd7e9d7fb22174b78205a944144f9c3> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libJPEG.dylib
0x956d9000 - 0x956e4ff9  com.apple.helpdata 1.0 (14) /System/Library/PrivateFrameworks/HelpData.framework/Versions/A/HelpData
0x956e5000 - 0x956fdfff  com.apple.openscripting 1.2.6 (???) <b8e553df643f2aec68fa968b3b459b2b> /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/OpenScripting.framework/Versions/A/OpenScripting
0x956ff000 - 0x95759ff7  com.apple.CoreText 2.0.0 (???) <7fa39cd5bc847615ec02e7c7a37c0508> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreText.framework/Versions/A/CoreText
0x9575a000 - 0x957e1ff7  libsqlite3.0.dylib ??? (???) <273efcb717e89c21207c851d7d33fda4> /usr/lib/libsqlite3.0.dylib
0x957e2000 - 0x95abbfe7  com.apple.CoreServices.CarbonCore 783 (783) <fe663a790344f1c5bac1645f68c7c661> /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CarbonCore.framework/Versions/A/CarbonCore
0x95b66000 - 0x95cabff7  com.apple.ImageIO.framework 2.0.0 (2.0.0) <d6bf5dfae212dce267c2f6e50b2f23c6> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/ImageIO
0x95cac000 - 0x95cb3ff7  libCGATS.A.dylib ??? (???) <dd3161e6653fa6400b9ef9c144309fa5> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libCGATS.A.dylib
0x95d70000 - 0x95d70fff  com.apple.Carbon 136 (136) <9961570a497d79f13b8ea159826af42d> /System/Library/Frameworks/Carbon.framework/Versions/A/Carbon
0x95d71000 - 0x95d78fe9  libgcc_s.1.dylib ??? (???) <a9ab135a5f81f6e345527df87f51bfc9> /usr/lib/libgcc_s.1.dylib
0x95d79000 - 0x95e20fff  com.apple.QD 3.11.50 (???) <e2f71720ae1dad06a8883ac80775b21a> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/QD.framework/Versions/A/QD
0x95e21000 - 0x95e37fe7  com.apple.CoreVideo 1.5.0 (1.5.0) <7e010557527a0e6d49147c297d16850a> /System/Library/Frameworks/CoreVideo.framework/Versions/A/CoreVideo
0x95e38000 - 0x95f6afe7  com.apple.CoreFoundation 6.5 (476) <8bfebc0dbad6fc33bea0fa00a1b9ec37> /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
0x95f6b000 - 0x95f95fef  libauto.dylib ??? (???) <d468bc4a8a69343f1748c293db1b57fb> /usr/lib/libauto.dylib
0x95f96000 - 0x96354fea  libLAPACK.dylib ??? (???) /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libLAPACK.dylib
0x96355000 - 0x96379feb  libssl.0.9.7.dylib ??? (???) <acee7fc534674498dcac211318aa23e8> /usr/lib/libssl.0.9.7.dylib
0x963ac000 - 0x96490ffb  com.apple.CoreData 100 (185) <a4e63784275e25e62f57e75e0af0b94d> /System/Library/Frameworks/CoreData.framework/Versions/A/CoreData
0x96491000 - 0x96491ffc  com.apple.audio.units.AudioUnit 1.5 (1.5) /System/Library/Frameworks/AudioUnit.framework/Versions/A/AudioUnit
0x96492000 - 0x96492ff8  com.apple.ApplicationServices 34 (34) <8f910fa65f01d401ad8d04cc933cf887> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
0x96493000 - 0x96543fff  edu.mit.Kerberos 6.0.11 (6.0.11) <33c25789baedcd70a7e24881775dd9ad> /System/Library/Frameworks/Kerberos.framework/Versions/A/Kerberos
0x96544000 - 0x96558ff3  com.apple.ImageCapture 4.0 (5.0.0) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/ImageCapture.framework/Versions/A/ImageCapture
0x96559000 - 0x965a3fe1  com.apple.securityinterface 3.0 (32532) <f521dae416ce7a3bdd594b0d4e2fb517> /System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
0x965a4000 - 0x965dafff  com.apple.SystemConfiguration 1.9.0 (1.9.0) <d78573acfd26322c0324e51b171f016c> /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration
0x965db000 - 0x965f9fff  libresolv.9.dylib ??? (???) <8538164a282c147c3543550ae49d4bd4> /usr/lib/libresolv.9.dylib
0x965fa000 - 0x96621fff  libcups.2.dylib ??? (???) <5521498e8902ddd0b15cfaa7db384e29> /usr/lib/libcups.2.dylib
0x96622000 - 0x9663dffb  libPng.dylib ??? (???) <85ca18172d7a4b5a5be3574e4e879880> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libPng.dylib
0x9663e000 - 0x96640fff  com.apple.securityhi 3.0 (30817) <dbe328cd62d603a952a4226342711e8b> /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/SecurityHI.framework/Versions/A/SecurityHI
0x9667f000 - 0x96686ffe  libbsm.dylib ??? (???) <d25c63378a5029648ffd4b4669be31bf> /usr/lib/libbsm.dylib
0x96687000 - 0x96900fe7  com.apple.Foundation 6.5.1 (677.1) <85ac18c7cd454378db6122bea0c00965> /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
0x9694f000 - 0x96a87ff7  libicucore.A.dylib ??? (???) <afcea652ff2ec36885b2c81c57d06d4c> /usr/lib/libicucore.A.dylib
0x96a88000 - 0x96b4fff2  com.apple.vImage 3.0 (3.0) /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vImage.framework/Versions/A/vImage
0x96b64000 - 0x96c1afe3  com.apple.CoreServices.OSServices 210.2 (210.2) <4ed69f07fc0f211ab32d1ee96e281fc2> /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/OSServices.framework/Versions/A/OSServices
0x96d72000 - 0x96e21fff  com.apple.DesktopServices 1.4.3 (1.4.3) <66d5ed56111c43d234e235d365d02469> /System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/DesktopServicesPriv
0x96e28000 - 0x96e6dfef  com.apple.Metadata 10.5.0 (398) <96d857e02d199e768919047b28ec95b3> /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Metadata
0x96e6e000 - 0x96e92fff  libxslt.1.dylib ??? (???) <4933ddc7f6618743197aadc85b33b5ab> /usr/lib/libxslt.1.dylib
0x96e93000 - 0x96f1dfff  com.apple.framework.IOKit 1.5.1 (???) <5176a7383151a19c962334009fef2c6d> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
0xba900000 - 0xba916fff  libJapaneseConverter.dylib ??? (???) <1e92e348e73fc6fce723936c11e4b25c> /System/Library/CoreServices/Encodings/libJapaneseConverter.dylib
0xfffe8000 - 0xfffebfff  libobjc.A.dylib ??? (???) /usr/lib/libobjc.A.dylib
0xffff0000 - 0xffff1780  libSystem.B.dylib ??? (???) /usr/lib/libSystem.B.dylib

Comment 6 Alexey Proskuryakov 2008-02-12 23:55:53 PST
The dojotoolkit.org server doesn't respond currently, waiting for it to come back.
Comment 7 Matthew Knapp 2008-02-13 02:06:00 PST
I am able to access dojotoolkit.org now, so it appears to be back online.
(In reply to comment #6)
> The dojotoolkit.org server doesn't respond currently, waiting for it to come
> back.
> 
Comment 8 Alexey Proskuryakov 2008-02-13 02:30:58 PST
I can reproduce this with a nightly, but not with a local debug build.
Comment 9 Mark Rowe (bdash) 2008-03-03 00:02:39 PST
<rdar://problem/5776397>
Comment 10 David Smith 2008-03-03 02:02:17 PST
http://paste.lisp.org/display/56721

Crashlogs from a debug build while we were testing this on irc tonight.
Comment 11 Mark Rowe (bdash) 2008-03-03 03:45:04 PST
I suspect the debug crash is a different issue, as the stack trace in a release build is very different.
Comment 12 Mark Rowe (bdash) 2008-03-03 04:02:04 PST
Created attachment 19491 [details]
Reduction (will crash Release builds of TOT)
Comment 13 Mark Rowe (bdash) 2008-03-03 04:06:54 PST
I've been debugging this for a few hours now and the situation seems quite bizarre.  It crashes consistently within RenderText::deleteTextBoxes while attempting to destroy an InlineTextBox.  This is due to the RenderText's m_firstTextBox having a bogus m_nextLine pointer.  This m_nextLine pointer is being set from CSSStyleSelector.cpp:1665.  Yes, that seems crazy, but at that point CSSStyleSelector's m_style/childStyle points to the same memory that is used by the InlineTextBox.  childStyle->setFirstChildState() ends up setting m_nextLine to 0x1000 rather than setting the bitfield member it intends to.  As to *why* a single memory location is being treated as a RenderStyle and InlineTextBox simultaneously... I have no idea at this point!
Comment 14 Mark Rowe (bdash) 2008-03-03 04:08:48 PST
Created attachment 19492 [details]
Transcript of debugging session from point of crash

Points of interest here are the stack trace, and the value of this->m_firstTextBox->m_nextLine (0x1000).
Comment 15 Mark Rowe (bdash) 2008-03-03 04:11:12 PST
Created attachment 19493 [details]
Transcript of debugging session from point of bogus write

Points of interest here are that childStyle looks like garbage when interpreted as a RenderStyle ($3), but looks sane and matches the InlineTextBox at point of crash when interpreted as an InlineTextBox ($4).  The transcript also shows the instruction that stores 0x1000 into memory, and that the address of the store corresponds to the offset of the m_nextLine member of an InlineTextBox instance.
Comment 16 Mark Rowe (bdash) 2008-03-03 04:30:24 PST
Created attachment 19494 [details]
Crash under guard malloc

The reduction is small enough to run quickly under guard malloc, and it confirms the bogus write!  Under guard malloc, we conveniently crash at the point where the write occurs.  A little further poking around shows that the RenderStyle that previously resided at this memory location belonged to the <input> element, and is destroyed at the point of the following backtrace:

Breakpoint 2, WebCore::RenderStyle::~RenderStyle (this=0xd2641fbc) at WebCore/rendering/RenderStyle.cpp:1047
1047	}
#0  WebCore::RenderStyle::~RenderStyle (this=0xd2641fbc) at WebCore/rendering/RenderStyle.cpp:1047
#1  0x01f846f5 in WebCore::RenderStyle::~RenderStyle (this=0xd2641fbc) at WebCore/rendering/RenderStyle.cpp:1047
#2  0x01f84752 in WebCore::RenderStyle::arenaDelete (this=0xd2641fbc, arena=0xd1ea3e50) at WebCore/rendering/RenderStyle.cpp:924
#3  0x01b54139 in WebCore::RenderStyle::deref (this=0xd2641fbc, arena=0xd1ea3e50) at rendering/RenderStyle.h:1377
#4  0x01cb6955 in WebCore::Element::recalcStyle (this=0xd2569f80, change=WebCore::Node::Force) at WebCore/dom/Element.cpp:769
#5  0x01d40814 in WebCore::HTMLGenericFormElement::recalcStyle (this=0xd2569f80, change=WebCore::Node::Force) at WebCore/html/HTMLGenericFormElement.cpp:176
#6  0x01cb6a22 in WebCore::Element::recalcStyle (this=0xd252dfb0, change=WebCore::Node::Force) at WebCore/dom/Element.cpp:781
#7  0x01cb6a22 in WebCore::Element::recalcStyle (this=0xd21b7fb0, change=WebCore::Node::Force) at WebCore/dom/Element.cpp:781
#8  0x01c88a42 in WebCore::Document::recalcStyle (this=0xd1e72950, change=WebCore::Node::Force) at WebCore/dom/Document.cpp:1118
#9  0x01c8ab98 in WebCore::Document::updateStyleSelector (this=0xd1e72950) at WebCore/dom/Document.cpp:2068
#10 0x01cf1a37 in WebCore::Frame::reapplyStyles (this=0xc1d09ff0) at WebCore/page/Frame.cpp:755
#11 0x01d11786 in WebCore::FrameView::layout (this=0xc2ca3fd0, allowSubtree=true) at WebCore/page/FrameView.cpp:376
#12 0x01c85761 in WebCore::Document::implicitClose (this=0xd1e72950) at WebCore/dom/Document.cpp:1512
#13 0x01cf612e in WebCore::FrameLoader::checkCallImplicitClose (this=0xc1d11da0) at WebCore/loader/FrameLoader.cpp:1310
#14 0x01d019ae in WebCore::FrameLoader::checkCompleted (this=0xc1d11da0) at WebCore/loader/FrameLoader.cpp:1263


Perhaps someone that knows something (anything?) about how the CSS style system and rendering fit together would have more luck taking things from here?
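The mechanism Mark traces in comments 13 through 16, as an added worked example (this is not WebKit code and is not part of the original report): a long-lived selector object caches a raw pointer to a RenderStyle that lives in a slab arena, the style is freed during recalcStyle, the arena hands the same slot to an InlineTextBox, and the selector's next flag write lands on that box's nextLine pointer. RenderStyle, InlineTextBox, StyleSelector and Arena are simplified stand-ins: their layouts, the LIFO slot reuse and the 0x1000 flag bit are assumptions chosen so that the overlap reproduces what the transcripts show, the initForStyleResolve stand-in models only the shape of re-pointing the cached pointer at the live style before use, and the 0x1000 reading assumes a little-endian machine.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <new>

// Stand-in for RenderStyle: a pointer-sized member followed by a flags word.
struct RenderStyle {
    enum : uint32_t { kFirstChildState = 0x1000 }; // bit 12, chosen to match comment 13
    void*    inheritedData = nullptr;
    uint32_t flags = 0;
    // Sets the bit through the object's bytes with memcpy so the stale-pointer
    // write below stays well defined once the bytes belong to another object.
    void setFirstChildState() {
        unsigned char* base = reinterpret_cast<unsigned char*>(this);
        uint32_t word;
        memcpy(&word, base + offsetof(RenderStyle, flags), sizeof word);
        word |= kFirstChildState;
        memcpy(base + offsetof(RenderStyle, flags), &word, sizeof word);
    }
    bool hasFirstChildState() const { return (flags & kFirstChildState) != 0; }
};

// Stand-in for InlineTextBox: nextLine sits at the same offset as
// RenderStyle::flags, which is why the stray bit shows up as a bogus m_nextLine.
struct InlineTextBox {
    void*          renderer = nullptr;
    InlineTextBox* nextLine = nullptr;
};
static_assert(offsetof(RenderStyle, flags) == offsetof(InlineTextBox, nextLine),
              "the demo relies on the two members overlapping");

// Slab arena with a LIFO free list, standing in for RenderArena: the slot freed
// most recently is the next one handed out, so the reuse is deterministic.
class Arena {
public:
    Arena() : freeCount_(0) {
        for (size_t i = 0; i < kSlots; ++i)
            free_[freeCount_++] = storage_ + (kSlots - 1 - i) * kSlotSize;
    }
    void* allocate(size_t size) {
        assert(size <= kSlotSize && freeCount_ > 0);
        return free_[--freeCount_];
    }
    void deallocate(void* p) { free_[freeCount_++] = p; }
private:
    static const size_t kSlotSize = 64, kSlots = 8;
    alignas(std::max_align_t) unsigned char storage_[kSlotSize * kSlots];
    void*  free_[kSlots];
    size_t freeCount_;
};

// Stand-in for CSSStyleSelector: caches a raw pointer to the style being resolved.
struct StyleSelector {
    RenderStyle* childStyle = nullptr;
    void initForStyleResolve(RenderStyle* style) { childStyle = style; }
};

struct Outcome {
    uintptr_t nextLineValue;     // InlineTextBox::nextLine after the selector ran
    bool      freshStyleGotFlag; // whether the bit landed on the live RenderStyle
};

// One element's style recalculation. With reinitSelector == false the selector
// keeps the pointer cached by an earlier querySelectorAll(), now dangling; with
// true it is re-pointed at the element's live style before use (the fix's shape).
Outcome simulateRecalcStyle(bool reinitSelector) {
    Arena arena;
    StyleSelector selector;
    RenderStyle* oldStyle = new (arena.allocate(sizeof(RenderStyle))) RenderStyle();
    selector.initForStyleResolve(oldStyle);     // raw pointer cached
    oldStyle->~RenderStyle();                   // recalcStyle derefs the old style
    arena.deallocate(oldStyle);                 // and the arena recycles its slot
    InlineTextBox* box = new (arena.allocate(sizeof(InlineTextBox))) InlineTextBox();
    assert(static_cast<void*>(box) == static_cast<void*>(oldStyle)); // same bytes
    RenderStyle* freshStyle = new (arena.allocate(sizeof(RenderStyle))) RenderStyle();
    if (reinitSelector)
        selector.initForStyleResolve(freshStyle);
    selector.childStyle->setFirstChildState();  // the write from comment 13
    Outcome out;
    out.nextLineValue = reinterpret_cast<uintptr_t>(box->nextLine);
    out.freshStyleGotFlag = freshStyle->hasFirstChildState();
    freshStyle->~RenderStyle(); arena.deallocate(freshStyle);
    box->~InlineTextBox();      arena.deallocate(box);
    return out;
}

int main() {
    Outcome bug = simulateRecalcStyle(false), fixed = simulateRecalcStyle(true);
    printf("stale selector: nextLine=0x%lx, live style flagged=%d\n",
           (unsigned long)bug.nextLineValue, (int)bug.freshStyleGotFlag);
    printf("reinitialised:  nextLine=0x%lx, live style flagged=%d\n",
           (unsigned long)fixed.nextLineValue, (int)fixed.freshStyleGotFlag);
    return 0;
}
```

Any C++11 compiler builds this. With the stale pointer the box's nextLine reads 0x1000 while the live style's flag stays clear, which is the state RenderText::deleteTextBoxes then trips over; after re-initialising the selector the bit lands on the live style and nextLine stays null. The setter goes through memcpy on purpose so the demonstration does not depend on what the optimiser does with a dereference of a dead object; in WebKit itself a guard malloc run, as in attachment 19494, is what catches the same write at the instruction that performs it.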
Comment 17 Mark Rowe (bdash) 2008-03-03 14:18:17 PST
Created attachment 19503 [details]
Patch

This fixes the reduced test case.  The original test case still crashes, though the crash is because of a different issue that I'll file as a new bug report.
Comment 18 mitz 2008-03-03 14:23:24 PST
Comment on attachment 19503 [details]
Patch

+            styleSelector->initForStyleResolve(static_cast<Element*>(n), 0);
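
Review bot: the second argument is a literal 0 for the parent style, and the one visible line does not say what re-initialising buys here; since comments 13 and 16 trace the crash to CSSStyleSelector's m_style/childStyle still pointing at a RenderStyle that Element::recalcStyle has already freed, the patch description should state that initForStyleResolve replaces that cached pointer before the next resolution runs, so a reader can see that the stale write is removed rather than moved. The cast of `n` duplicates the `element` variable already in scope two lines up; passing `element` avoids the repeated static_cast.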

You can use the 'element' variable defined 2 lines above.

r=me
Comment 19 Mark Rowe (bdash) 2008-03-03 14:44:55 PST
Landed in r30722.
Comment 20 Mark Rowe (bdash) 2008-03-03 15:06:11 PST
Filed bug 17655 about the remaining crash.
Comment 21 David Kilzer (:ddkilzer) 2008-05-17 02:29:48 PDT
*** Bug 17408 has been marked as a duplicate of this bug. ***