Bug 53376
Summary: | r76727-r77034: REGRESSION: Crash on page load in JSC::JSValue::toString | |
---|---|---|---
Product: | WebKit | Reporter: | Kevin M. Dean <kevin>
Component: | JavaScriptCore | Assignee: | Michael Saboff <msaboff>
Status: | RESOLVED DUPLICATE | |
Severity: | Critical | CC: | alin0steglinski, ggaren, laszlo.gombos, msaboff, oliver, paroga, simon.fraser
Priority: | P1 | Keywords: | InRadar, Regression
Version: | 528+ (Nightly build) | |
Hardware: | Mac | |
OS: | All | |
URL: | http://safariextensions.tumblr.com/ | |
Kevin M. Dean
Loading the page crashes before display.
Process: Safari [411]
Path: /Applications/WebKit.app/Contents/MacOS/WebKit
Identifier: org.webkit.nightly.WebKit
Version: r77034 (77034)
Code Type: PPC (Native)
Parent Process: launchd [136]
Date/Time: 2011-01-29 09:07:45.263 -0500
OS Version: Mac OS X 10.5.8 (9L30)
Report Version: 6
Anonymous UUID: F41C1802-6457-4B49-A738-107FEBA3B7F7
Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000000
Crashed Thread: 0
Thread 0 Crashed:
0 com.apple.JavaScriptCore 0x0074ecdc JSC::JSValue::toString(JSC::ExecState*) const + 1212
1 com.apple.JavaScriptCore 0x00742474 __ZN3JSCL18arrayProtoFuncJoinEPNS_9ExecStateE + 4820
2 com.apple.JavaScriptCore 0x007c8f3c JSC::Interpreter::privateExecute(JSC::Interpreter::ExecutionFlag, JSC::RegisterFile*, JSC::ExecState*) + 54684
3 com.apple.JavaScriptCore 0x007d077c JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*) + 780
4 com.apple.JavaScriptCore 0x0077a3e0 JSC::evaluate(JSC::ExecState*, JSC::ScopeChain&, JSC::SourceCode const&, JSC::JSValue) + 352
5 com.apple.WebCore 0x021f08e8 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*, WebCore::ShouldAllowXSS) + 696
6 com.apple.WebCore 0x021f11a8 WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&, WebCore::ShouldAllowXSS) + 56
7 com.apple.WebCore 0x021fb844 WebCore::ScriptElement::evaluateScript(WebCore::ScriptSourceCode const&) + 212
8 com.apple.WebCore 0x021fbb30 WebCore::ScriptElement::execute(WebCore::CachedScript*) + 496
9 com.apple.WebCore 0x016a1900 WebCore::AsyncScriptRunner::timerFired(WebCore::Timer<WebCore::AsyncScriptRunner>*) + 176
10 com.apple.WebCore 0x0237c390 WebCore::ThreadTimers::sharedTimerFiredInternal() + 128
11 com.apple.WebCore 0x02237f98 __ZN7WebCoreL10timerFiredEP16__CFRunLoopTimerPv + 72
12 com.apple.CoreFoundation 0x97108818 CFRunLoopRunSpecific + 2968
13 com.apple.HIToolbox 0x904d5b14 RunCurrentEventLoopInMode + 264
14 com.apple.HIToolbox 0x904d5938 ReceiveNextEventCommon + 412
15 com.apple.HIToolbox 0x904d5778 BlockUntilNextEventMatchingListInMode + 84
16 com.apple.AppKit 0x925c0244 _DPSNextEvent + 596
17 com.apple.AppKit 0x925bfbfc -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 112
18 com.apple.Safari 0x00018d74 0x1000 + 97652
19 com.apple.AppKit 0x925b989c -[NSApplication run] + 744
20 com.apple.AppKit 0x9258a298 NSApplicationMain + 440
21 com.apple.Safari 0x0000b378 0x1000 + 41848
Kevin M. Dean
http://www.macworld.com/
http://www.macupdate.com/
Also crashes with the same JavaScript, but after a partial display of the page (macworld).
Kevin M. Dean
Some of the other link crashes have a little more data in them.
Process: Safari [466]
Path: /Applications/WebKit.app/Contents/MacOS/WebKit
Identifier: org.webkit.nightly.WebKit
Version: r77034 (77034)
Code Type: PPC (Native)
Parent Process: launchd [136]
Date/Time: 2011-01-29 09:15:07.119 -0500
OS Version: Mac OS X 10.5.8 (9L30)
Report Version: 6
Anonymous UUID: F41C1802-6457-4B49-A738-107FEBA3B7F7
Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000000
Crashed Thread: 0
Thread 0 Crashed:
0 com.apple.JavaScriptCore 0x0074ecdc JSC::JSValue::toString(JSC::ExecState*) const + 1212
1 com.apple.JavaScriptCore 0x0079a848 JSC::createNotAnObjectError(JSC::ExecState*, JSC::JSValue) + 56
2 com.apple.JavaScriptCore 0x008418d8 JSC::JSValue::synthesizePrototype(JSC::ExecState*) const + 136
3 com.apple.JavaScriptCore 0x007d1f68 JSC::JSValue::get(JSC::ExecState*, JSC::Identifier const&, JSC::PropertySlot&) const + 56
4 com.apple.JavaScriptCore 0x007c1f74 JSC::Interpreter::privateExecute(JSC::Interpreter::ExecutionFlag, JSC::RegisterFile*, JSC::ExecState*) + 26068
5 com.apple.JavaScriptCore 0x007d077c JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*) + 780
6 com.apple.JavaScriptCore 0x0077a3e0 JSC::evaluate(JSC::ExecState*, JSC::ScopeChain&, JSC::SourceCode const&, JSC::JSValue) + 352
7 com.apple.WebCore 0x021f08e8 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*, WebCore::ShouldAllowXSS) + 696
8 com.apple.WebCore 0x021f11a8 WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&, WebCore::ShouldAllowXSS) + 56
9 com.apple.WebCore 0x021f3aac WebCore::ScriptController::executeScript(WebCore::ScriptSourceCode const&, WebCore::ShouldAllowXSS) + 396
10 com.apple.WebCore 0x021f9d3c WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 108
11 com.apple.WebCore 0x01a04e44 WebCore::HTMLScriptRunner::executePendingScriptAndDispatchEvent(WebCore::PendingScript&) + 468
12 com.apple.WebCore 0x01a0571c WebCore::HTMLScriptRunner::executeParsingBlockingScript() + 700
13 com.apple.WebCore 0x01a05968 WebCore::HTMLScriptRunner::executeParsingBlockingScripts() + 56
14 com.apple.WebCore 0x019b2220 WebCore::HTMLDocumentParser::notifyFinished(WebCore::CachedResource*) + 96
15 com.apple.WebCore 0x016d5774 WebCore::CachedScript::checkNotify() + 84
16 com.apple.WebCore 0x016d47ac WebCore::CachedResourceRequest::didFinishLoading(WebCore::SubresourceLoader*) + 412
17 com.apple.WebCore 0x02268734 WebCore::SubresourceLoader::didFinishLoading(double) + 84
18 com.apple.Foundation 0x94467814 _NSURLConnectionDidFinishLoading + 120
19 com.apple.CFNetwork 0x94b29d8c URLConnectionClient::_clientDidFinishLoading(URLConnectionClient::ClientConnectionEventQueue*) + 236
20 com.apple.CFNetwork 0x94b2aa08 URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 172
21 com.apple.CFNetwork 0x94b29500 URLConnectionClient::processEvents() + 132
22 com.apple.CFNetwork 0x94ad3000 MultiplexerSource::perform() + 168
23 com.apple.CoreFoundation 0x971080d0 CFRunLoopRunSpecific + 1104
24 com.apple.HIToolbox 0x904d5b14 RunCurrentEventLoopInMode + 264
25 com.apple.HIToolbox 0x904d5938 ReceiveNextEventCommon + 412
26 com.apple.HIToolbox 0x904d5778 BlockUntilNextEventMatchingListInMode + 84
27 com.apple.AppKit 0x925c0244 _DPSNextEvent + 596
28 com.apple.AppKit 0x925bfbfc -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 112
29 com.apple.Safari 0x00018d74 0x1000 + 97652
30 com.apple.AppKit 0x925b989c -[NSApplication run] + 744
31 com.apple.AppKit 0x9258a298 NSApplicationMain + 440
32 com.apple.Safari 0x0000b378 0x1000 + 41848
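Both reports above fault at the same program counter (0x0074ecdc, JSC::JSValue::toString + 1212) in the same build (r77034) with the same faulting address 0x0, a near-null dereference, and differ only in the caller: arrayProtoFuncJoin in the first, createNotAnObjectError in the second. The helper below is an added example, not part of this bug or of WebKit: it parses this Apple crash-report layout, derives a deduplication signature from the top frames, and classifies the faulting address. The two embedded reports are abbreviated copies of the traces in this bug (constructed sample input), and the 4 KiB null-page threshold is an assumption.

```python
"""Triage helper for Apple CrashReporter text reports like the two above.
Added example, not from the bug or the WebKit project: parses the header and
the crashed thread's frames, builds a dedup signature, classifies the fault."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: abbreviated copies of the two reports in this bug.
REPORT_A = """\
Process: Safari [411]
Version: r77034 (77034)
Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000000
Crashed Thread: 0
Thread 0 Crashed:
0 com.apple.JavaScriptCore 0x0074ecdc JSC::JSValue::toString(JSC::ExecState*) const + 1212
1 com.apple.JavaScriptCore 0x00742474 __ZN3JSCL18arrayProtoFuncJoinEPNS_9ExecStateE + 4820
2 com.apple.JavaScriptCore 0x007c8f3c JSC::Interpreter::privateExecute(JSC::Interpreter::ExecutionFlag, JSC::RegisterFile*, JSC::ExecState*) + 54684
"""
REPORT_B = """\
Process: Safari [466]
Version: r77034 (77034)
Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000000
Crashed Thread: 0
Thread 0 Crashed:
0 com.apple.JavaScriptCore 0x0074ecdc JSC::JSValue::toString(JSC::ExecState*) const + 1212
1 com.apple.JavaScriptCore 0x0079a848 JSC::createNotAnObjectError(JSC::ExecState*, JSC::JSValue) + 56
2 com.apple.JavaScriptCore 0x008418d8 JSC::JSValue::synthesizePrototype(JSC::ExecState*) const + 136
"""

FRAME_RE = re.compile(r"^(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(.+?)(?:\s+\+\s+(\d+))?$")
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z /]*):\s*(.*)$")
THREAD_RE = re.compile(r"^Thread \d+ Crashed:")
FAULT_RE = re.compile(r"\bat (0x[0-9a-fA-F]+)")
PAGE_SIZE = 0x1000  # assumption: 4 KiB zero page; the unmapped low region may be larger

@dataclass
class Frame:
    index: int
    module: str
    address: int
    symbol: str            # symbol text without the "+ offset" suffix
    offset: Optional[int]  # bytes past the symbol start, if given

@dataclass
class CrashReport:
    header: Dict[str, str] = field(default_factory=dict)
    frames: List[Frame] = field(default_factory=list)

    @property
    def fault_address(self) -> Optional[int]:
        m = FAULT_RE.search(self.header.get("Exception Codes", ""))
        return int(m.group(1), 16) if m else None

def parse_crash_report(text: str) -> CrashReport:
    """Collect 'Key: value' header lines, then the frames of the crashed thread."""
    report, in_frames = CrashReport(), False
    for line in text.splitlines():
        line = line.strip()
        if in_frames:
            m = FRAME_RE.match(line)
            if not m:
                break  # blank line or next section: frame list is over
            idx, module, addr, sym, off = m.groups()
            report.frames.append(Frame(int(idx), module, int(addr, 16), sym,
                                       int(off) if off is not None else None))
        elif THREAD_RE.match(line):
            in_frames = True
        else:
            m = HEADER_RE.match(line)
            if m:
                report.header[m.group(1).strip()] = m.group(2).strip()
    return report

def signature(report: CrashReport, depth: int = 3) -> Tuple[str, ...]:
    """Dedup key: exception type plus the top `depth` module!symbol pairs.
    Addresses and offsets are dropped so other builds can still collapse onto it."""
    exc = report.header.get("Exception Type", "?")
    return (exc,) + tuple(f"{f.module}!{f.symbol}" for f in report.frames[:depth])

def classify_fault(report: CrashReport) -> str:
    """First-pass read of the faulting address."""
    addr = report.fault_address
    if addr is None:
        return "unknown"
    return "null-page" if addr < PAGE_SIZE else "other"

def same_crash_site(a: CrashReport, b: CrashReport) -> bool:
    """Same build, same faulting PC, same fault address: one bug, different callers."""
    if not a.frames or not b.frames:
        return False
    fa, fb = a.frames[0], b.frames[0]
    return (a.header.get("Version") == b.header.get("Version")
            and (fa.module, fa.address, fa.symbol) == (fb.module, fb.address, fb.symbol)
            and a.fault_address == b.fault_address)

if __name__ == "__main__":
    a, b = parse_crash_report(REPORT_A), parse_crash_report(REPORT_B)
    for name, r in (("A", a), ("B", b)):
        print(name, classify_fault(r), signature(r, 2))
    print("same crash site:", same_crash_site(a, b))
```

With a signature depth of 1 the two reports collapse onto one key; with depth 2 they stay distinct because the callers differ. Picking the depth per bug rather than hashing a fixed number of frames is what keeps "one callee crashing from many call sites" from being filed as several bugs.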
Patrick R. Gansterer
I get the following crash with a debug build:
ASSERTION FAILED: m_runtimeObjects.get(object)
(/Users/paroga/WebKit/Source/WebCore/bridge/runtime_root.cpp:189 void JSC::Bindings::RootObject::removeRuntimeObject(JSC::Bindings::RuntimeObject*))
Thread 0 Crashed: Dispatch queue: com.apple.main-thread
0 com.apple.WebCore 0x000000010202d3ff JSC::Bindings::RootObject::removeRuntimeObject(JSC::Bindings::RuntimeObject*) + 143 (runtime_root.cpp:189)
1 com.apple.WebCore 0x00000001015c037e JSC::Bindings::Instance::willDestroyRuntimeObject(JSC::Bindings::RuntimeObject*) + 184 (BridgeJSC.cpp:111)
2 com.apple.WebCore 0x000000010202cfb9 JSC::Bindings::RuntimeObject::~RuntimeObject() + 75 (runtime_object.cpp:59)
3 com.apple.WebKit 0x0000000100f5fac7 WebKit::ProxyRuntimeObject::~ProxyRuntimeObject() + 35 (ProxyRuntimeObject.mm:45)
4 com.apple.JavaScriptCore 0x000000010088f9d8 JSC::MarkedSpace::sweep() + 122 (MarkedSpace.cpp:285)
5 com.apple.JavaScriptCore 0x00000001007d3f3c JSC::Heap::collectAllGarbage() + 138 (Heap.cpp:403)
6 com.apple.JavaScriptCore 0x00000001007d19e3 JSC::DefaultGCActivityCallbackPlatformData::trigger(__CFRunLoopTimer*, void*) + 59 (GCActivityCallbackCF.cpp:61)
7 com.apple.CoreFoundation 0x00007fff80571be8 __CFRunLoopRun + 6488
8 com.apple.CoreFoundation 0x00007fff8056fdbf CFRunLoopRunSpecific + 575
9 com.apple.HIToolbox 0x00007fff8736c93a RunCurrentEventLoopInMode + 333
10 com.apple.HIToolbox 0x00007fff8736c73f ReceiveNextEventCommon + 310
11 com.apple.HIToolbox 0x00007fff8736c5f8 BlockUntilNextEventMatchingListInMode + 59
12 com.apple.AppKit 0x00007fff81691e64 _DPSNextEvent + 718
13 com.apple.AppKit 0x00007fff816917a9 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 155
14 com.apple.Safari 0x00000001000162f4 0x100000000 + 90868
15 com.apple.AppKit 0x00007fff8165748b -[NSApplication run] + 395
16 com.apple.AppKit 0x00007fff816501a8 NSApplicationMain + 364
17 com.apple.Safari 0x000000010000a1c0 0x100000000 + 41408
Oliver Hunt
Based on this stack trace I blame r76969 -- Michael, can you have a look?
(In reply to comment #3)
> I get the following crash with a debug build:
>
> ASSERTION FAILED: m_runtimeObjects.get(object)
> (/Users/paroga/WebKit/Source/WebCore/bridge/runtime_root.cpp:189 void JSC::Bindings::RootObject::removeRuntimeObject(JSC::Bindings::RuntimeObject*))
>
>
> Thread 0 Crashed: Dispatch queue: com.apple.main-thread
> 0 com.apple.WebCore 0x000000010202d3ff JSC::Bindings::RootObject::removeRuntimeObject(JSC::Bindings::RuntimeObject*) + 143 (runtime_root.cpp:189)
> 1 com.apple.WebCore 0x00000001015c037e JSC::Bindings::Instance::willDestroyRuntimeObject(JSC::Bindings::RuntimeObject*) + 184 (BridgeJSC.cpp:111)
> 2 com.apple.WebCore 0x000000010202cfb9 JSC::Bindings::RuntimeObject::~RuntimeObject() + 75 (runtime_object.cpp:59)
> 3 com.apple.WebKit 0x0000000100f5fac7 WebKit::ProxyRuntimeObject::~ProxyRuntimeObject() + 35 (ProxyRuntimeObject.mm:45)
> 4 com.apple.JavaScriptCore 0x000000010088f9d8 JSC::MarkedSpace::sweep() + 122 (MarkedSpace.cpp:285)
> 5 com.apple.JavaScriptCore 0x00000001007d3f3c JSC::Heap::collectAllGarbage() + 138 (Heap.cpp:403)
> 6 com.apple.JavaScriptCore 0x00000001007d19e3 JSC::DefaultGCActivityCallbackPlatformData::trigger(__CFRunLoopTimer*, void*) + 59 (GCActivityCallbackCF.cpp:61)
> 7 com.apple.CoreFoundation 0x00007fff80571be8 __CFRunLoopRun + 6488
> 8 com.apple.CoreFoundation 0x00007fff8056fdbf CFRunLoopRunSpecific + 575
> 9 com.apple.HIToolbox 0x00007fff8736c93a RunCurrentEventLoopInMode + 333
> 10 com.apple.HIToolbox 0x00007fff8736c73f ReceiveNextEventCommon + 310
> 11 com.apple.HIToolbox 0x00007fff8736c5f8 BlockUntilNextEventMatchingListInMode + 59
> 12 com.apple.AppKit 0x00007fff81691e64 _DPSNextEvent + 718
> 13 com.apple.AppKit 0x00007fff816917a9 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 155
> 14 com.apple.Safari 0x00000001000162f4 0x100000000 + 90868
> 15 com.apple.AppKit 0x00007fff8165748b -[NSApplication run] + 395
> 16 com.apple.AppKit 0x00007fff816501a8 NSApplicationMain + 364
> 17 com.apple.Safari 0x000000010000a1c0 0x100000000 + 41408
Alexey Proskuryakov
*** Bug 53403 has been marked as a duplicate of this bug. ***
Alexey Proskuryakov
Per the duplicate, crashes under createNotAnObjectError() also occur on Intel Macs.
Alin S
(In reply to comment #5)
> *** Bug 53403 has been marked as a duplicate of this bug. ***
calendar.google.com too
Simon Fraser (smfr)
<rdar://problem/8935837>
Michael Saboff
Reproduced this crash with ToT plus the changes in r76925 (appropriately modified for other changes).
After applying the changes in r76969, the crash went away. The crash trace of the debug build shows the assertion failure of
ASSERTION FAILED: m_runtimeObjects.get(object)
This is what was fixed in r76969. With 76969, the assertion on line 189 is
ASSERT(m_runtimeObjects.uncheckedGet(object));
*** This bug has been marked as a duplicate of bug 53271 ***