Bug 20241
| Field | Value |
|---|---|
| Summary | [retitleme] Safari crashes at JSValueUnprotect() when fontpicker view close |
| Product | WebKit |
| Reporter | 808caaa4.8ce9.9cd6c799e9f6 |
| Component | JavaScriptCore |
| Assignee | Nobody <webkit-unassigned> |
| Status | RESOLVED INVALID |
| Severity | Normal |
| CC | ap, aroben |
| Priority | P3 |
| Keywords | InRadar |
| Version | 528+ (Nightly build) |
| Hardware | PC |
| OS | Windows XP |
808caaa4.8ce9.9cd6c799e9f6
```text
Access violation - code c0000005 (!!! second chance !!!)
eax=3ea01c77 ebx=7f53ee38 ecx=0012ef68 edx=0051c0f0 esi=0012ef68 edi=7f194a00
eip=1003078c esp=0012fa70 ebp=0012fa8c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
WebKit!WTF__ThreadSpecific<WTF__OwnPtr<KJS__Heap__ThreadRegistrar> >__operator WTF__OwnPtr<KJS__Heap__ThreadRegistrar> *+c:
1003078c ff30 push dword ptr [eax] ds:0023:3ea01c77=????????
0:000> k
ChildEBP RetAddr
0012fa8c 10022b88 WebKit!WTF__ThreadSpecific<WTF__OwnPtr<KJS__Heap__ThreadRegistrar> >__operator WTF__OwnPtr<KJS__Heap__ThreadRegistrar> *+0xc
0012fac0 1039cd67 WebKit!KJS__Heap__registerThread+0x18
0012fad4 004770f0 WebKit!JSValueUnprotect+0x13
0012fb0c 005085da Safari+0x770f0
00000000 00000000 Safari+0x1085da
```
// Hmmm... uninitialized m_currentThreadRegistrar?
Adam Roben (:aroben)
Can you please tell us the steps to reproduce?
808caaa4.8ce9.9cd6c799e9f6
ntsdlog above is with:
host: v3.1.2 (525.21)
webkit: WebKit-r35417
OS: XPSP3 home, ja-JP
reproduction summary:
- open Preference.
- go to Appearance panel, and press Select. FontPicker view appears.
- close it.
- drwatson invoked.
Adam Roben (:aroben)
Thanks!
Alexey Proskuryakov
I could reproduce this with a nightly, but not with a local debug build.
Mihnea Ovidenie
Hello,
I was able to reproduce it using a local debug build and following the steps already mentioned. I currently have revision 37446 on WinXP.
Here is the stack trace, taken from Visual Studio debugger:
```text
1.WebKit.dll!JSC::Heap::registerThread() Line 485 + 0x5 bytes C++
2.WebKit.dll!JSValueUnprotect(const OpaqueJSContext * ctx=0x051e0170, const OpaqueJSValue * value=0x055f2700) Line 266 C++
3.Safari.exe!FontPicker::~FontPicker() + 0x40 bytes
4.Safari.exe!FontPicker::`vector deleting destructor'() + 0x8 bytes
5.Safari.exe!WindowDeleter::deleteAllWindows() + 0x67 bytes
6.Safari.exe!WindowDeleter::ProcessWindowMessage() + 0x2a bytes
7.Safari.exe!ATL::CWindowImplBaseT<ATL::CWindow,ATL::CWinTraits<2147483648,524416> >::WindowProc() + 0x68 bytes
8.user32.dll!_InternalCallWinProc@20() + 0x28 bytes
9.user32.dll!_UserCallWinProcCheckWow@32() + 0xb7 bytes
10.user32.dll!_DispatchMessageWorker@8() + 0xdc bytes
11.user32.dll!_DispatchMessageW@4() + 0xf bytes
12.Safari.exe!RSSPrefsDlg::`vector deleting destructor'() + 0x20f bytes
13.Safari.exe!run() + 0x9d bytes
14.Safari.exe!_wWinMain@16() + 0x34b bytes
15.Safari.exe!_free() + 0x1a1 bytes
16.kernel32.dll!_BaseProcessStart@4() + 0x23 bytes
```
The problem in the function *void Heap::registerThread()* from file javascriptcore/kjs/collector.cpp appears while calling:
```cpp
if (pthread_getspecific(m_currentThreadRegistrar))
```
The problem is an access violation while accessing a memory address. m_currentThreadRegistrar is not defined and cannot be seen in the debugger.
Alexey Proskuryakov
<rdar://problem/6290576>
Alexey Proskuryakov
A provisional fix for this was landed in <http://trac.webkit.org/changeset/37868> - please try a newer nightly!
Alexey Proskuryakov
Reportedly, the original bug with crash on close is still present, re-opening.
Alexey Proskuryakov
OK, after some more investigation the crash on close turns out to be a Safari bug, now made visible by JSValueUnprotect() actually using the context value passed to it. Closing as INVALID, as a non-WebKit issue. Thank you very much for filing it, and providing additional information!
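The closing comment describes a familiar lifetime hazard: an API that used to ignore its context argument starts dereferencing it, and callers that were passing an already-destroyed context go from "silently fine" to crashing inside the callee. The C++ sketch below is an added illustration, not code from WebKit or Safari; `Context`, `ProtectedValue`, `PickerWindow` and the debug-only registry of live contexts are all constructed stand-ins. It contrasts the two API shapes, shows the teardown ordering that trips the new one, and turns the stale handle into a reportable error so the caller-side bug is attributed to the right place.

```cpp
#include <memory>
#include <set>
#include <stdexcept>

// Added illustration, not WebKit or Safari code: every name below is a
// constructed stand-in for the JSC context, a value it protects, and the
// Safari-side window that owns them.
struct ProtectedValue {
    int protectCount = 0;
};

class Context;
// Hypothetical debug-only registry of live contexts, used to turn a stale
// context handle into a reportable error instead of an access violation.
static std::set<const Context*> g_liveContexts;

class Context {
public:
    Context() { g_liveContexts.insert(this); }
    ~Context() { g_liveContexts.erase(this); }
    // Stand-in for Heap::registerThread(): reads per-context state, which is
    // exactly the kind of access that faults on a destroyed context.
    void registerThread() { ++threadRegistrations; }
    int threadRegistrations = 0;
};

static bool isLiveContext(const Context* ctx) {
    // Compares the pointer value only; a dead context is never dereferenced.
    return g_liveContexts.count(ctx) != 0;
}

// Older shape of the API: the context argument is never touched, so a caller
// passing a destroyed context gets away with it silently.
void unprotectIgnoringContext(Context*, ProtectedValue* v) {
    --v->protectCount;
}

// Newer shape: the context is actually used. The liveness check is the added
// debug aid; without it a stale handle is an access violation in the callee.
void unprotectUsingContext(Context* ctx, ProtectedValue* v) {
    if (!isLiveContext(ctx))
        throw std::logic_error("unprotect called with a destroyed context");
    ctx->registerThread();
    --v->protectCount;
}

// Stand-in for the Safari-side picker window: protects a value when opened
// and releases it when closed. It keeps a raw context pointer, which is the
// lifetime hazard under test.
class PickerWindow {
public:
    PickerWindow(Context* ctx, ProtectedValue* v) : m_ctx(ctx), m_value(v) {
        ++m_value->protectCount;
    }
    void close(bool apiUsesContext) {
        if (m_closed) return;
        m_closed = true;
        if (apiUsesContext)
            unprotectUsingContext(m_ctx, m_value);
        else
            unprotectIgnoringContext(m_ctx, m_value);
    }
private:
    Context* m_ctx;
    ProtectedValue* m_value;
    bool m_closed = false;
};

// Buggy ordering: the context is torn down while the window still holds it,
// then the window closes and unprotects through the dangling handle.
// Returns true when the unprotect went through without complaint.
bool closeWindowAfterContextGone(bool apiUsesContext) {
    ProtectedValue v;
    auto ctx = std::make_unique<Context>();
    PickerWindow w(ctx.get(), &v);
    ctx.reset();  // the window's m_ctx now dangles
    try {
        w.close(apiUsesContext);
        return true;
    } catch (const std::logic_error&) {
        return false;
    }
}

// Correct ordering: the window releases its protection before the context
// that owns the value goes away. Returns the value's final protect count.
int closeWindowBeforeContextGone() {
    ProtectedValue v;
    auto ctx = std::make_unique<Context>();
    PickerWindow w(ctx.get(), &v);
    w.close(/*apiUsesContext=*/true);
    ctx.reset();
    return v.protectCount;
}
```

With the older API shape the buggy ordering passes unnoticed; with the newer one the same caller is caught at the boundary, which is the "now made visible" effect the closing comment describes. The registry is a debug aid for diagnosis; the actual fix is on the caller side, releasing protections before the context is destroyed.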