Bug 48311
| Summary: | [CRASH] While using the Web Inspector on zimbra.com | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Adam Barth <abarth> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED INVALID | | |
| Severity: | Normal | CC: | ap, bburg, ggaren, oliver, yong.li.webkit |
| Priority: | P1 | Keywords: | InRadar, NeedsReduction |
| Version: | 528+ (Nightly build) | | |
| Hardware: | All | | |
| OS: | All | | |
Adam Barth
I was enabling resource tracking and clicking around the inspector tabs. The value of |this| in the top frame is 0x3f00000046.
```
#0 0x10077eabc in JSC::TypeInfo::type at JSTypeInfo.h:62
#1 0x1007b4f05 in JSC::MarkStack::drain at JSArray.h:247
#2 0x1007aceeb in JSC::Heap::markConservatively at Collector.cpp:688
#3 0x100845405 in JSC::RegisterFile::markGlobals at RegisterFile.h:134
#4 0x1008406d5 in JSC::JSGlobalObject::markChildren at JSGlobalObject.cpp:354
#5 0x101b261b8 in WebCore::JSDOMGlobalObject::markChildren at JSDOMGlobalObject.cpp:52
#6 0x101b59d5d in WebCore::JSDOMWindow::markChildren at JSDOMWindowCustom.cpp:97
#7 0x1007b4cdc in JSC::MarkStack::markChildren at JSArray.h:220
#8 0x1007b4fd7 in JSC::MarkStack::drain at JSArray.h:261
#9 0x1007aceeb in JSC::Heap::markConservatively at Collector.cpp:688
#10 0x1007ad232 in JSC::Heap::markCurrentThreadConservativelyInternal at Collector.cpp:699
#11 0x1007ad26c in JSC::Heap::markCurrentThreadConservatively at Collector.cpp:721
#12 0x1007ad28b in JSC::Heap::markStackObjectsConservatively at Collector.cpp:873
#13 0x1007ad442 in JSC::Heap::markRoots at Collector.cpp:1043
#14 0x1007ae22f in JSC::Heap::reset at Collector.cpp:1179
#15 0x1007ae57c in JSC::Heap::allocate at Collector.cpp:344
#16 0x10078e092 in JSC::JSCell::operator new at JSCell.h:177
#17 0x100813b2a in cti_op_push_activation at JITStubs.cpp:2166
#18 0x10080bb11 in WTF::doubleHash at HashTable.h:447
#19 0x1007ea5c6 in JSC::JITCode::execute at JITCode.h:77
#20 0x1007e5916 in JSC::Interpreter::executeCall at Interpreter.cpp:825
#21 0x10079cdf3 in JSC::call at CallData.cpp:38
#22 0x101ad0df5 in WebCore::JSMainThreadExecState::call at JSMainThreadExecState.h:48
#23 0x101b6d396 in WebCore::JSEventListener::handleEvent at JSEventListener.cpp:124
#24 0x10181fbcc in WebCore::EventTarget::fireEventListeners at EventTarget.cpp:335
#25 0x101820236 in WebCore::EventTarget::fireEventListeners at EventTarget.cpp:304
#26 0x101dc3573 in WebCore::Node::handleLocalEvents at Node.cpp:2484
#27 0x101dc3c1f in WebCore::Node::dispatchGenericEvent at Node.cpp:2602
#28 0x101dc40cd in WebCore::Node::dispatchEvent at Node.cpp:2547
#29 0x101985d9e in WebCore::HTMLScriptElement::dispatchLoadEvent at HTMLScriptElement.cpp:189
#30 0x101fc0842 in WebCore::ScriptElementData::execute at ScriptElement.cpp:223
#31 0x101506ede in WebCore::AsyncScriptRunner::timerFired at AsyncScriptRunner.cpp:87
#32 0x1015075c3 in WebCore::Timer<WebCore::AsyncScriptRunner>::fired at Timer.h:98
#33 0x10212ee56 in WebCore::ThreadTimers::sharedTimerFiredInternal at ThreadTimers.cpp:112
#34 0x10212efe5 in WebCore::ThreadTimers::sharedTimerFired at ThreadTimers.cpp:90
#35 0x10200000b in WebCore::timerFired at SharedTimerMac.mm:166
#36 0x7fff800aa678 in __CFRunLoopRun
#37 0x7fff800a884f in CFRunLoopRunSpecific
#38 0x7fff815ed91a in RunCurrentEventLoopInMode
#39 0x7fff815ed71f in ReceiveNextEventCommon
#40 0x7fff815ed5d8 in BlockUntilNextEventMatchingListInMode
#41 0x7fff869c229e in _DPSNextEvent
#42 0x7fff869c1bed in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:]
#43 0x1000165d8 in ??
#44 0x7fff869878d3 in -[NSApplication run]
#45 0x7fff869805f8 in NSApplicationMain
#46 0x10000a4a4 in ??
```
Adam Barth
Another seemingly related stack. Maybe related to using the debugger? This happened soon after enabling the debugger:
```
#0 0x100762447 in JSC::CollectorBitmap::getset at Collector.h:235
#1 0x100762481 in JSC::Heap::checkMarkCell at Collector.h:302
#2 0x1007b4ea6 in JSC::MarkStack::drain at JSArray.h:239
#3 0x1007aceeb in JSC::Heap::markConservatively at Collector.cpp:688
#4 0x100845405 in JSC::RegisterFile::markGlobals at RegisterFile.h:134
#5 0x1008406d5 in JSC::JSGlobalObject::markChildren at JSGlobalObject.cpp:354
#6 0x101b261b8 in WebCore::JSDOMGlobalObject::markChildren at JSDOMGlobalObject.cpp:52
#7 0x101b59d5d in WebCore::JSDOMWindow::markChildren at JSDOMWindowCustom.cpp:97
#8 0x1007b4cdc in JSC::MarkStack::markChildren at JSArray.h:220
#9 0x1007b4f67 in JSC::MarkStack::drain at JSArray.h:258
#10 0x1007aceeb in JSC::Heap::markConservatively at Collector.cpp:688
#11 0x1007ad232 in JSC::Heap::markCurrentThreadConservativelyInternal at Collector.cpp:699
#12 0x1007ad26c in JSC::Heap::markCurrentThreadConservatively at Collector.cpp:721
#13 0x1007ad28b in JSC::Heap::markStackObjectsConservatively at Collector.cpp:873
#14 0x1007ad442 in JSC::Heap::markRoots at Collector.cpp:1043
#15 0x1007ae22f in JSC::Heap::reset at Collector.cpp:1179
#16 0x1007ae57c in JSC::Heap::allocate at Collector.cpp:344
#17 0x10078e092 in JSC::JSCell::operator new at JSCell.h:177
#18 0x10087d14e in JSC::jsOwnedString at JSString.h:548
#19 0x100779c9a in JSC::BytecodeGenerator::emitLoad at BytecodeGenerator.cpp:1094
#20 0x1008a06df in JSC::StringNode::emitBytecode at NodesCodegen.cpp:142
#21 0x10079c6e6 in JSC::BytecodeGenerator::emitNode at BytecodeGenerator.h:217
#22 0x10089b689 in JSC::BinaryOpNode::emitStrcat at NodesCodegen.cpp:947
#23 0x10089c7ba in JSC::BinaryOpNode::emitBytecode at NodesCodegen.cpp:979
#24 0x10079c6e6 in JSC::BytecodeGenerator::emitNode at BytecodeGenerator.h:217
#25 0x100899c96 in JSC::AssignBracketNode::emitBytecode at NodesCodegen.cpp:1282
#26 0x10079c6e6 in JSC::BytecodeGenerator::emitNode at BytecodeGenerator.h:217
#27 0x100896edf in JSC::ExprStatementNode::emitBytecode at NodesCodegen.cpp:1414
#28 0x10079c6e6 in JSC::BytecodeGenerator::emitNode at BytecodeGenerator.h:217
#29 0x1008a2df7 in JSC::SourceElements::emitBytecode at NodesCodegen.cpp:1370
#30 0x100896d5c in JSC::BlockNode::emitBytecode at NodesCodegen.cpp:1388
#31 0x10079c6e6 in JSC::BytecodeGenerator::emitNode at BytecodeGenerator.h:217
#32 0x1008a2df7 in JSC::SourceElements::emitBytecode at NodesCodegen.cpp:1370
#33 0x1008a2e5b in JSC::ScopeNode::emitStatementsBytecode at NodesCodegen.cpp:1998
#34 0x1008971cf in JSC::FunctionBodyNode::emitBytecode at NodesCodegen.cpp:2036
#35 0x10077e399 in JSC::BytecodeGenerator::generate at BytecodeGenerator.cpp:144
#36 0x1007d2cb7 in JSC::FunctionExecutable::compileForCallInternal at Executable.cpp:197
#37 0x10076cb22 in JSC::FunctionExecutable::compileForCall at Executable.h:315
#38 0x100814009 in cti_vm_lazyLinkCall at JITStubs.cpp:2106
#39 0x10080bb11 in WTF::doubleHash at HashTable.h:447
#40 0x1007ea5c6 in JSC::JITCode::execute at JITCode.h:77
#41 0x1007e5916 in JSC::Interpreter::executeCall at Interpreter.cpp:825
#42 0x10079cdf3 in JSC::call at CallData.cpp:38
#43 0x101ad0df5 in WebCore::JSMainThreadExecState::call at JSMainThreadExecState.h:48
#44 0x101b6d396 in WebCore::JSEventListener::handleEvent at JSEventListener.cpp:124
#45 0x10181fbcc in WebCore::EventTarget::fireEventListeners at EventTarget.cpp:335
#46 0x101820236 in WebCore::EventTarget::fireEventListeners at EventTarget.cpp:304
#47 0x101dc3573 in WebCore::Node::handleLocalEvents at Node.cpp:2484
#48 0x101dc3d1b in WebCore::Node::dispatchGenericEvent at Node.cpp:2614
#49 0x101dc40cd in WebCore::Node::dispatchEvent at Node.cpp:2547
#50 0x101dc248f in WebCore::Node::dispatchMouseEvent at Node.cpp:2811
#51 0x101dc2973 in WebCore::Node::dispatchMouseEvent at Node.cpp:2720
#52 0x10180e4dc in WebCore::EventHandler::dispatchMouseEvent at EventHandler.cpp:1843
#53 0x101811fa0 in WebCore::EventHandler::handleMouseReleaseEvent at EventHandler.cpp:1569
#54 0x10181a71d in WebCore::EventHandler::mouseUp at EventHandlerMac.mm:545
#55 0x100f6f4f1 in -[WebHTMLView mouseUp:] at WebHTMLView.mm:3761
#56 0x7fff86abb7ed in -[NSWindow sendEvent:]
#57 0x10004261d in ??
#58 0x1000425aa in ??
#59 0x7fff869f0ee2 in -[NSApplication sendEvent:]
#60 0x1000392ee in ??
#61 0x7fff86987922 in -[NSApplication run]
#62 0x7fff869805f8 in NSApplicationMain
#63 0x10000a4a4 in ??
```
Adam Barth
Yeah, repros very quickly on Zimbra by enabling the debugger and then clicking around the page:
```
#0 0x100762447 in JSC::CollectorBitmap::getset at Collector.h:235
#1 0x100762481 in JSC::Heap::checkMarkCell at Collector.h:302
#2 0x1007b4ea6 in JSC::MarkStack::drain at JSArray.h:239
#3 0x1007aceeb in JSC::Heap::markConservatively at Collector.cpp:688
#4 0x100845405 in JSC::RegisterFile::markGlobals at RegisterFile.h:134
#5 0x1008406d5 in JSC::JSGlobalObject::markChildren at JSGlobalObject.cpp:354
#6 0x101b261b8 in WebCore::JSDOMGlobalObject::markChildren at JSDOMGlobalObject.cpp:52
#7 0x101b59d5d in WebCore::JSDOMWindow::markChildren at JSDOMWindowCustom.cpp:97
#8 0x1007b4cdc in JSC::MarkStack::markChildren at JSArray.h:220
#9 0x1007b4fd7 in JSC::MarkStack::drain at JSArray.h:261
#10 0x1007aceeb in JSC::Heap::markConservatively at Collector.cpp:688
#11 0x1007ad232 in JSC::Heap::markCurrentThreadConservativelyInternal at Collector.cpp:699
#12 0x1007ad26c in JSC::Heap::markCurrentThreadConservatively at Collector.cpp:721
#13 0x1007ad28b in JSC::Heap::markStackObjectsConservatively at Collector.cpp:873
#14 0x1007ad442 in JSC::Heap::markRoots at Collector.cpp:1043
#15 0x1007ae22f in JSC::Heap::reset at Collector.cpp:1179
#16 0x1007ae57c in JSC::Heap::allocate at Collector.cpp:344
#17 0x10078e092 in JSC::JSCell::operator new at JSCell.h:177
#18 0x1008135d4 in cti_op_create_arguments_no_params at JITStubs.cpp:2226
#19 0x10080bb11 in WTF::doubleHash at HashTable.h:447
#20 0x1007ea5c6 in JSC::JITCode::execute at JITCode.h:77
#21 0x1007e5916 in JSC::Interpreter::executeCall at Interpreter.cpp:825
#22 0x10079cdf3 in JSC::call at CallData.cpp:38
#23 0x101ad0df5 in WebCore::JSMainThreadExecState::call at JSMainThreadExecState.h:48
#24 0x101b6d396 in WebCore::JSEventListener::handleEvent at JSEventListener.cpp:124
#25 0x10181fbcc in WebCore::EventTarget::fireEventListeners at EventTarget.cpp:335
#26 0x101820236 in WebCore::EventTarget::fireEventListeners at EventTarget.cpp:304
#27 0x101dc3573 in WebCore::Node::handleLocalEvents at Node.cpp:2484
#28 0x101dc3d1b in WebCore::Node::dispatchGenericEvent at Node.cpp:2614
#29 0x101dc40cd in WebCore::Node::dispatchEvent at Node.cpp:2547
#30 0x101dc248f in WebCore::Node::dispatchMouseEvent at Node.cpp:2811
#31 0x101dc2973 in WebCore::Node::dispatchMouseEvent at Node.cpp:2720
#32 0x10180e3a4 in WebCore::EventHandler::updateMouseEventTargetNode at EventHandler.cpp:1824
#33 0x10180e48e in WebCore::EventHandler::dispatchMouseEvent at EventHandler.cpp:1838
#34 0x10181372c in WebCore::EventHandler::handleMouseMoveEvent at EventHandler.cpp:1514
#35 0x101813813 in WebCore::EventHandler::mouseMoved at EventHandler.cpp:1395
#36 0x10181a5a4 in WebCore::EventHandler::mouseMoved at EventHandlerMac.mm:625
#37 0x100f78d2d in -[WebHTMLView(WebPrivate) _updateMouseoverWithEvent:] at WebHTMLView.mm:1654
#38 0x100f62de5 in -[WebHTMLView mouseMovedNotification:] at WebHTMLView.mm:3770
#39 0x7fff876e984e in _nsnote_callback
#40 0x7fff800b5a90 in __CFXNotificationPost
#41 0x7fff800a2008 in _CFXNotificationPostNotification
#42 0x7fff876e07b8 in -[NSNotificationCenter postNotificationName:object:userInfo:]
#43 0x7fff869ee5ee in forwardMethod
#44 0x7fff869ee5ee in forwardMethod
#45 0x7fff869ee5ee in forwardMethod
#46 0x7fff869ee5ee in forwardMethod
#47 0x7fff869ee5ee in forwardMethod
#48 0x7fff869ee5ee in forwardMethod
#49 0x7fff869ee5ee in forwardMethod
#50 0x7fff869ee5ee in forwardMethod
#51 0x7fff86abc483 in -[NSWindow sendEvent:]
#52 0x10004261d in ??
#53 0x1000425aa in ??
#54 0x7fff869f0cd9 in -[NSApplication sendEvent:]
#55 0x1000392ee in ??
#56 0x7fff86987922 in -[NSApplication run]
#57 0x7fff869805f8 in NSApplicationMain
#58 0x10000a4a4 in ??
```
Geoffrey Garen
<rdar://problem/8606082>
Alexey Proskuryakov
Adam, is this still reproducible for you?
Adam Barth
I haven't tried since I reported the bug.
Blaze Burg
Not reproducible, closing.