| Field | Value |
|---|---|
| Summary | REGRESSION (r79987-r80210): Crash in JSWeakObjectMapClear |
| Product | WebKit |
| Component | JavaScriptCore |
| Reporter | Kevin M. Dean <kevin> |
| Assignee | Nobody <webkit-unassigned> |
| Status | RESOLVED FIXED |
| Severity | Critical |
| Priority | P1 |
| CC | ddkilzer, maccinema, oliver |
| Keywords | InRadar, Regression |
| Version | 528+ (Nightly build) |
| Hardware | Mac (PowerPC) |
| OS | OS X 10.5 |
| URL | http://www.avsforum.com/ |
| Attachments | |
Description
Kevin M. Dean
2011-03-03 07:12:28 PST
Just a note that I've had this crash on some other sites as well: myspace.com, amazon.com or camelcamelcamel.com (not sure which crashed me since I was switching between the two).

---

Do you have any extensions installed?

---

(In reply to comment #3)
> Do you have any extensions installed?

Yes, but it doesn't seem specific to any one extension. If I have just one of the following and no others enabled, I can still get the crash. Other extensions seem fine alone, but sometimes crash when other extensions are enabled. Seems that there's something broken with a variety of extensions' ability to inject content onto the page. All of these extensions work fine in the previous nightly.

- Franker 1.0.2: http://code.google.com/p/franker/
- NinjaKit 0.8: http://translate.google.com/translate?js=y&prev=_t&hl=en&ie=UTF-8&layout=1&eotf=1&u=http%3A%2F%2Fd.hatena.ne.jp%2Fos0x%2F20100612%2F1276330696&sl=auto&tl=en
- Builtwith 1.0: http://builtwith.com/
- InvisibleHand 2.5: http://www.getinvisiblehand.com/
- Copy All Links: http://blog.firdau.si/?s=copy+all+links
- BetterSource 1.0: http://www.awarepixel.com/safari/bettersource/
- QuickNuke 1.0: http://canisbos.com/

---

Can you attach a complete crash report? You should be able to get to the log file through console.app.

---

(In reply to comment #5)
> Can you attach a complete crash report? You should be able to get to the log file through console.app.

Since the crash report sometimes varies between crashes, I've uploaded all 20 of them from when I was doing my extension tests in a zip file.

http://development.rhubarbproductions.com/webkit/safari-crashes.zip

---

Since it's been a while between nightlies, I'm just confirming that it still crashes with r80761.

---

(In reply to comment #7)
> Since it's been a while between nightlies, I'm just confirming that it still crashes with r80761.

Are you able to do some debugging for us?
It will need you to check out and build all of WebKit (which will unfortunately take a looong time), but with any luck will tell us exactly where everything is going horribly wrong.

Basically I'm after a stack trace of the crash from a debug build of WebKit as that will give me slightly more insight into what's happening.

---

(In reply to comment #8)
> (In reply to comment #7)
> > Since it's been a while between nightlies, I'm just confirming that it still crashes with r80761.
>
> Are you able to do some debugging for us? It will need you to check out and build all of WebKit (which will unfortunately take a looong time), but with any luck will tell us exactly where everything is going horribly wrong.
>
> Basically I'm after a stack trace of the crash from a debug build of WebKit as that will give me slightly more insight into what's happening.

I don't know how to do that or if I have the tools to do that. Don't have any developer tools installed here. If I don't need anything special then I can try, or I'll need someone to make a debug build that runs on 10.5.8/PPC.

---

Downloading Xcode 3.1.4 and Java Developer 10.5....

---

Building a debug build now.... wow, talk about a processor killer.

---

OK, new problem.

I can run a debug build, but when I trigger the crash it just hangs now. The ReportCrash process launches and eats some CPU along with Safari, but a Crash Report window never appears and eventually I have to force quit the ReportCrash process. I shouldn't have to wait 5-10 minutes or more for it to fully crash, right?

I believe I'm running r80853. Is there any way to get the r version when running the build or from the files?

What should I do now?

---

Maybe r80853 has other issues because it's crashing on other pages that don't usually crash for me. The terminal shows the following after one of the newer hangs on a new page:

```
Multiverse:~ kdean$ run-safari --debug
Starting Safari with DYLD_FRAMEWORK_PATH set to point to built WebKit in /Users/kdean/WebKit/WebKitBuild/Debug.
ASSERTION FAILED: scriptExecutionContext
/Users/kdean/WebKit/Source/WebCore/bindings/js/JSDOMBinding.cpp(513) : void WebCore::reportException(JSC::ExecState*, JSC::JSValue)
1   WebCore::reportException(JSC::ExecState*, JSC::JSValue)
2   WebLocalizedString
3   _mh_execute_header
4   _mh_execute_header
5   _mh_execute_header
6   _mh_execute_header
7   _mh_execute_header
8   WTF::callOnMainThread(void (*)(void*), void*)
9   WTF::isMainThread()
10  CFRunLoopRunSpecific
11  BlockUntilNextEventMatchingListInMode
12  BlockUntilNextEventMatchingListInMode
13  BlockUntilNextEventMatchingListInMode
14  _DPSNextEvent
15  _NSUpdateMenuRefWithChangedMenuItem
16  _mh_execute_header
17  _NSSetViewMultiClipDrawingHelper
18  NSApplicationMain
19  _mh_execute_header
20  0xbffff8cc
```

---

(In reply to comment #12)
> OK, new problem.
>
> I can run a debug build, but when I trigger the crash it just hangs now. The ReportCrash process launches and eats some CPU along with Safari, but a Crash Report window never appears and eventually I have to force quit the ReportCrash process. I shouldn't have to wait 5-10 minutes or more for it to fully crash, right?
>
> I believe I'm running r80853. Is there any way to get the r version when running the build or from the files?
>
> What should I do now?

Actually it can take a huge amount of time in a debug build. The easiest solution will be to run inside a debugger. If you use the gdb-safari script that should launch gdb in a way that will be set up to run Safari with your build of WebKit. Once you're given a prompt just type run and hit enter. Then trigger the crash. At that point gdb should say where the code is. Then type bt and hit enter to get a full backtrace.

---

Replace

```
ASSERT(scriptExecutionContext)
```

with

```
if (!scriptExecutionContext) return;
```

--Oliver

(In reply to comment #13)
> Maybe r80853 has other issues because it's crashing on other pages that don't usually crash for me. The terminal shows the following after one of the newer hangs on a new page:
>
> Multiverse:~ kdean$ run-safari --debug
> Starting Safari with DYLD_FRAMEWORK_PATH set to point to built WebKit in /Users/kdean/WebKit/WebKitBuild/Debug.
> ASSERTION FAILED: scriptExecutionContext
> /Users/kdean/WebKit/Source/WebCore/bindings/js/JSDOMBinding.cpp(513) : void WebCore::reportException(JSC::ExecState*, JSC::JSValue)
> 1   WebCore::reportException(JSC::ExecState*, JSC::JSValue)
> 2   WebLocalizedString
> 3   _mh_execute_header
> 4   _mh_execute_header
> 5   _mh_execute_header
> 6   _mh_execute_header
> 7   _mh_execute_header
> 8   WTF::callOnMainThread(void (*)(void*), void*)
> 9   WTF::isMainThread()
> 10  CFRunLoopRunSpecific
> 11  BlockUntilNextEventMatchingListInMode
> 12  BlockUntilNextEventMatchingListInMode
> 13  BlockUntilNextEventMatchingListInMode
> 14  _DPSNextEvent
> 15  _NSUpdateMenuRefWithChangedMenuItem
> 16  _mh_execute_header
> 17  _NSSetViewMultiClipDrawingHelper
> 18  NSApplicationMain
> 19  _mh_execute_header
> 20  0xbffff8cc

---

(In reply to comment #14)
> Actually it can take a huge amount of time in a debug build. The easiest solution will be to run inside a debugger. If you use the gdb-safari script that should launch gdb in a way that will be set up to run Safari with your build of WebKit.

Running gdb-safari fails with:

```
Can't find built framework at "/Users/kdean/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore".
```

---

(In reply to comment #15)
> Replace
> ASSERT(scriptExecutionContext)
>
> with
>
> if (!scriptExecutionContext) return;

OK, I replaced that. Will I need to rebuild? That's basically a 2 hour process with maxed-out CPU during that time for me, unless a subsequent build is quicker after an initial build.

---

(In reply to comment #16)
> (In reply to comment #14)
> > Actually it can take a huge amount of time in a debug build. The easiest solution will be to run inside a debugger. If you use the gdb-safari script that should launch gdb in a way that will be set up to run Safari with your build of WebKit.
>
> Running gdb-safari fails with:
>
> Can't find built framework at "/Users/kdean/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore".

Do gdb-safari --debug and see if that works.

---

(In reply to comment #17)
> (In reply to comment #15)
> > Replace
> > ASSERT(scriptExecutionContext)
> >
> > with
> >
> > if (!scriptExecutionContext) return;
>
> OK, I replaced that. Will I need to rebuild? That's basically a 2 hour process with maxed-out CPU during that time for me, unless a subsequent build is quicker after an initial build.

Just build WebCore (you don't need to rebuild anything else) and it should only recompile that one file, although linking will still probably take 10 minutes or so.

Do not do "clean" or anything like that though :)

Thanks for helping out with this.

---

(In reply to comment #18)
> Do gdb-safari --debug and see if that works.

That worked, here's the result:

```
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000090
0x007dba9c in JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock (this=0xbfffb1d0, globalData=0x18, registerThread=true) at APIShims.h:40
40	    , m_entryIdentifierTable(wtfThreadData().setCurrentIdentifierTable(globalData->identifierTable))
(gdb) bt
#0  0x007dba9c in JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock (this=0xbfffb1d0, globalData=0x18, registerThread=true) at APIShims.h:40
#1  0x008210d0 in JSC::APIEntryShim::APIEntryShim (this=0xbfffb1d0, exec=0x1d929a0, registerThread=true) at APIShims.h:67
#2  0x008a8928 in JSWeakObjectMapClear (ctx=0x1d929a0, map=0x244af1e0, key=0x1c4b6f90, object=0x1c3f7a00) at /Users/kdean/WebKit/Source/JavaScriptCore/API/JSWeakObjectMapRefPrivate.cpp:74
#3  0x001b402c in ?? ()
#4  0x001b3778 in ?? ()
#5  0x008335d8 in JSC::JSCallbackObject<JSC::JSObjectWithGlobalObject>::~JSCallbackObject (this=Cannot access memory at address 0x79
) at JSCallbackObjectFunctions.h:100
#6  0x008bb1a8 in JSC::MarkedBlock::allocate (this=0x1c3f4000) at JSCell.h:404
#7  0x008ba0bc in JSC::MarkedSpace::allocateFromSizeClass (this=0x99006b4, sizeClass=@0x9900714) at /Users/kdean/WebKit/Source/JavaScriptCore/runtime/MarkedSpace.cpp:77
#8  0x04a946cc in JSC::MarkedSpace::allocate (this=0x99006b4, bytes=52) at JSCell.h:424
#9  0x04a95024 in JSC::Heap::allocate (this=0x99006b0, bytes=52) at JSCell.h:436
#10 0x04a950b4 in JSC::JSCell::operator new (size=52, exec=0x1a9d6078) at JSCell.h:451
#11 0x0538d92c in WebCore::createDOMNodeWrapper<WebCore::JSHTMLImageElement, WebCore::HTMLImageElement> (exec=0x1a9d6078, globalObject=0x2398da20, node=0x234dbe60) at JSDOMBinding.h:181
#12 0x05380044 in WebCore::createHTMLImageElementWrapper (exec=0x1a9d6078, globalObject=0x2398da20, element=@0xbfffb5dc) at /Users/kdean/WebKit/WebKitBuild/Debug/DerivedSources/WebCore/JSHTMLElementWrapperFactory.cpp:389
#13 0x0537f2a0 in WebCore::createJSHTMLWrapper (exec=0x1a9d6078, globalObject=0x2398da20, element=@0xbfffc000) at /Users/kdean/WebKit/WebKitBuild/Debug/DerivedSources/WebCore/JSHTMLElementWrapperFactory.cpp:694
#14 0x0543b06c in WebCore::createWrapperInline (exec=0x1a9d6078, globalObject=0x2398da20, node=0x234dbe60) at /Users/kdean/WebKit/Source/WebCore/bindings/js/JSNodeCustom.cpp:173
#15 0x0543b334 in WebCore::createWrapper (exec=0x1a9d6078, globalObject=0x2398da20, node=0x234dbe60) at /Users/kdean/WebKit/Source/WebCore/bindings/js/JSNodeCustom.cpp:223
#16 0x04db4980 in WebCore::toJS (exec=0x1a9d6078, globalObject=0x2398da20, node=0x234dbe60) at js/JSNodeCustom.h:57
#17 0x054423a0 in WebCore::JSNodeList::indexGetter (exec=0x1a9d6078, slotBase={u = {asEncodedJSValue = -16595110272, asDouble = -nan(0xffffc22dab680), asBits = {tag = -4, payload = 584758912}}}, index=106) at /Users/kdean/WebKit/WebKitBuild/Debug/DerivedSources/WebCore/JSNodeList.cpp:257
#18 0x0073aa84 in JSC::PropertySlot::getValue (this=0xbfffc240, exec=0x1a9d6078, propertyName=106) at PropertySlot.h:83
#19 0x0080cd10 in JSC::JSValue::get (this=0xbfffd598, exec=0x1a9d6078, propertyName=106, slot=@0xbfffc240) at JSObject.h:781
#20 0x0080cdec in JSC::JSValue::get (this=0xbfffd598, exec=0x1a9d6078, propertyName=106) at JSObject.h:767
#21 0x007fb8dc in JSC::Interpreter::privateExecute (this=0x9871a00, flag=JSC::Interpreter::Normal, registerFile=0x9871a0c, callFrame=0x1a9d6078) at /Users/kdean/WebKit/Source/JavaScriptCore/interpreter/Interpreter.cpp:3278
#22 0x00803da8 in JSC::Interpreter::execute (this=0x9871a00, program=0x22dab648, callFrame=0x2398daa0, scopeChain=0x22ec7660, thisObj=0x21d39578) at /Users/kdean/WebKit/Source/JavaScriptCore/interpreter/Interpreter.cpp:776
#23 0x007a5a9c in JSC::evaluate (exec=0x2398daa0, scopeChain=0x22ec7660, source=@0xbfffdd04, thisValue={u = {asEncodedJSValue = -16612354696, asDouble = -nan(0xffffc21d39578), asBits = {tag = -4, payload = 567514488}}}) at /Users/kdean/WebKit/Source/JavaScriptCore/runtime/Completion.cpp:67
#24 0x059ddeec in WebCore::JSMainThreadExecState::evaluate (exec=0x2398daa0, chain=0x22ec7660, source=@0xbfffdd04, thisValue={u = {asEncodedJSValue = -16612354696, asDouble = -nan(0xffffc21d39578), asBits = {tag = -4, payload = 567514488}}}) at JSMainThreadExecState.h:54
#25 0x059d5fa4 in WebCore::ScriptController::evaluateInWorld (this=0x9a137e8, sourceCode=@0xbfffdd00, world=0x967dbb0) at /Users/kdean/WebKit/Source/WebCore/bindings/js/ScriptController.cpp:142
#26 0x059d6178 in WebCore::ScriptController::evaluate (this=0x9a137e8, sourceCode=@0xbfffdd00) at /Users/kdean/WebKit/Source/WebCore/bindings/js/ScriptController.cpp:165
#27 0x059f1a04 in WebCore::ScriptElement::executeScript (this=0x22a74d58, sourceCode=@0xbfffdd00) at /Users/kdean/WebKit/Source/WebCore/dom/ScriptElement.cpp:256
#28 0x059f228c in WebCore::ScriptElement::prepareScript (this=0x22a74d58, scriptStartPosition=@0xbfffdf30, supportLegacyTypes=WebCore::ScriptElement::DisallowLegacyTypeInTypeAttribute) at /Users/kdean/WebKit/Source/WebCore/dom/ScriptElement.cpp:213
#29 0x05084320 in WebCore::HTMLScriptRunner::runScript (this=0x2265e2f0, script=0x22a74d10, scriptStartPosition=@0xbfffdf30) at /Users/kdean/WebKit/Source/WebCore/html/parser/HTMLScriptRunner.cpp:289
#30 0x05085240 in WebCore::HTMLScriptRunner::execute (this=0x2265e2f0, scriptElement=@0xbfffdf28, scriptStartPosition=@0xbfffdf30) at /Users/kdean/WebKit/Source/WebCore/html/parser/HTMLScriptRunner.cpp:173
#31 0x050038e8 in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder (this=0x209ce200) at /Users/kdean/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:205
#32 0x05003998 in WebCore::HTMLDocumentParser::canTakeNextToken (this=0x209ce200, mode=WebCore::HTMLDocumentParser::AllowYield, session=@0xbfffe008) at /Users/kdean/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:216
#33 0x050051ac in WebCore::HTMLDocumentParser::pumpTokenizer (this=0x209ce200, mode=WebCore::HTMLDocumentParser::AllowYield) at /Users/kdean/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:255
#34 0x05005494 in WebCore::HTMLDocumentParser::resumeParsingAfterYield (this=0x209ce200) at /Users/kdean/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:192
#35 0x0507d3e4 in WebCore::HTMLParserScheduler::continueNextChunkTimerFired (this=0x2265e1a0, timer=0x2265e1b0) at /Users/kdean/WebKit/Source/WebCore/html/parser/HTMLParserScheduler.cpp:86
#36 0x0507d79c in WebCore::Timer<WebCore::HTMLParserScheduler>::fired (this=0x2265e1b0) at Timer.h:100
#37 0x05c0ee78 in WebCore::ThreadTimers::sharedTimerFiredInternal (this=0x93b5c40) at /Users/kdean/WebKit/Source/WebCore/platform/ThreadTimers.cpp:112
#38 0x05c0f1f0 in WebCore::ThreadTimers::sharedTimerFired () at /Users/kdean/WebKit/Source/WebCore/platform/ThreadTimers.cpp:90
#39 0x05a597a0 in WebCore::timerFired () at /Users/kdean/WebKit/Source/WebCore/platform/mac/SharedTimerMac.mm:166
#40 0x901cc81c in CFRunLoopRunSpecific ()
#41 0x91f71b18 in RunCurrentEventLoopInMode ()
#42 0x91f7193c in ReceiveNextEventCommon ()
#43 0x91f7177c in BlockUntilNextEventMatchingListInMode ()
#44 0x90831248 in _DPSNextEvent ()
#45 0x90830c00 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#46 0x00019a14 in ?? ()
#47 0x9082a8a0 in -[NSApplication run] ()
#48 0x907fb29c in NSApplicationMain ()
#49 0x0000c05c in ?? ()
Current language:  auto; currently c++
```

---

(In reply to comment #19)
> Just build WebCore (you don't need to rebuild anything else) and it should only recompile that one file, although linking will still probably take 10 minutes or so.
>
> Do not do "clean" or anything like that though :)
>
> Thanks for helping out with this.

Since I've only got so far by following instructions off webkit.org and your help, I'd need a more specific instruction on how to just build WebCore. Basically I only know about the build-webkit script.

---

(In reply to comment #21)
> (In reply to comment #19)
> > Just build WebCore (you don't need to rebuild anything else) and it should only recompile that one file, although linking will still probably take 10 minutes or so.
> >
> > Do not do "clean" or anything like that though :)
> >
> > Thanks for helping out with this.
>
> Since I've only got so far by following instructions off webkit.org and your help, I'd need a more specific instruction on how to just build WebCore. Basically I only know about the build-webkit script.

build-webkit will do the right thing :)

---

Did my previous backtrace give you what you need or do you need me to do it again after a rebuild?

---

(In reply to comment #23)
> Did my previous backtrace give you what you need or do you need me to do it again after a rebuild?

I have an idea for how to deal with this, but I probably won't get to it for a couple of days.
---

(In reply to comment #24)
> (In reply to comment #23)
> > Did my previous backtrace give you what you need or do you need me to do it again after a rebuild?
>
> I have an idea for how to deal with this, but I probably won't get to it for a couple of days.

Great, here's another backtrace that's a little different that I ran after doing an update / rebuild.

```
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x0000007e
0x007dba9c in JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock (this=0xbfffba30, globalData=0x6, registerThread=true) at APIShims.h:40
40	    , m_entryIdentifierTable(wtfThreadData().setCurrentIdentifierTable(globalData->identifierTable))
(gdb) bt
#0  0x007dba9c in JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock (this=0xbfffba30, globalData=0x6, registerThread=true) at APIShims.h:40
#1  0x008210d0 in JSC::APIEntryShim::APIEntryShim (this=0xbfffba30, exec=0x22409d20, registerThread=true) at APIShims.h:67
#2  0x008a8928 in JSWeakObjectMapClear (ctx=0x22409d20, map=0x2045ede0, key=0x1c45a120, object=0x2248e8b8) at /Users/kdean/WebKit/Source/JavaScriptCore/API/JSWeakObjectMapRefPrivate.cpp:74
#3  0x001b402c in ?? ()
#4  0x001b3778 in ?? ()
#5  0x008335d8 in JSC::JSCallbackObject<JSC::JSObjectWithGlobalObject>::~JSCallbackObject (this=Cannot access memory at address 0x79
) at JSCallbackObjectFunctions.h:100
#6  0x008bb1a8 in JSC::MarkedBlock::allocate (this=0x2248c000) at JSCell.h:404
#7  0x008ba0bc in JSC::MarkedSpace::allocateFromSizeClass (this=0x98d7cb4, sizeClass=@0x98d7d14) at /Users/kdean/WebKit/Source/JavaScriptCore/runtime/MarkedSpace.cpp:77
#8  0x0073c988 in JSC::MarkedSpace::allocate (this=0x98d7cb4, bytes=56) at JSCell.h:424
#9  0x0073d2a4 in JSC::Heap::allocate (this=0x98d7cb0, bytes=56) at JSCell.h:436
#10 0x0073d334 in JSC::JSCell::operator new (size=56, exec=0x1a9d6038) at JSCell.h:451
#11 0x0081109c in JSC::FunctionExecutable::make (this=0x224f0510, exec=0x1a9d6038, scopeChain=0x2240f7e0) at Executable.h:312
#12 0x007fdc98 in JSC::Interpreter::privateExecute (this=0x98d0800, flag=JSC::Interpreter::Normal, registerFile=0x98d080c, callFrame=0x1a9d6038) at /Users/kdean/WebKit/Source/JavaScriptCore/interpreter/Interpreter.cpp:3793
#13 0x00803da8 in JSC::Interpreter::execute (this=0x98d0800, program=0x2248e7a0, callFrame=0x22409aa0, scopeChain=0x2240f7e0, thisObj=0x2248da48) at /Users/kdean/WebKit/Source/JavaScriptCore/interpreter/Interpreter.cpp:776
#14 0x007a5a9c in JSC::evaluate (exec=0x22409aa0, scopeChain=0x2240f7e0, source=@0xbfffd754, thisValue={u = {asEncodedJSValue = -16604669368, asDouble = -nan(0xffffc2248da48), asBits = {tag = -4, payload = 575199816}}}) at /Users/kdean/WebKit/Source/JavaScriptCore/runtime/Completion.cpp:67
#15 0x059ddeec in WebCore::JSMainThreadExecState::evaluate (exec=0x22409aa0, chain=0x2240f7e0, source=@0xbfffd754, thisValue={u = {asEncodedJSValue = -16604669368, asDouble = -nan(0xffffc2248da48), asBits = {tag = -4, payload = 575199816}}}) at JSMainThreadExecState.h:54
#16 0x059d5fa4 in WebCore::ScriptController::evaluateInWorld (this=0x20b21fe8, sourceCode=@0xbfffd750, world=0x1b01f420) at /Users/kdean/WebKit/Source/WebCore/bindings/js/ScriptController.cpp:142
#17 0x04f28d80 in WebCore::Frame::injectUserScriptsForWorld (this=0x20b21c00, world=0x1b01f420, userScripts=@0x1c44abb0, injectionTime=WebCore::InjectAtDocumentEnd) at /Users/kdean/WebKit/Source/WebCore/page/Frame.cpp:550
#18 0x04f28ec4 in WebCore::Frame::injectUserScripts (this=0x20b21c00, injectionTime=WebCore::InjectAtDocumentEnd) at /Users/kdean/WebKit/Source/WebCore/page/Frame.cpp:530
#19 0x04f43248 in WebCore::FrameLoader::finishedParsing (this=0x20b21c78) at /Users/kdean/WebKit/Source/WebCore/loader/FrameLoader.cpp:764
#20 0x04d11210 in WebCore::Document::finishedParsing (this=0x24098200) at /Users/kdean/WebKit/Source/WebCore/dom/Document.cpp:4282
#21 0x050a7fec in WebCore::HTMLTreeBuilder::finished (this=0x230ea5e0) at /Users/kdean/WebKit/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2807
#22 0x05003f5c in WebCore::HTMLDocumentParser::end (this=0x20ba3e00) at /Users/kdean/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:354
#23 0x050040d8 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x20ba3e00) at /Users/kdean/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:363
#24 0x05005f60 in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x20ba3e00) at /Users/kdean/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:151
#25 0x05003df4 in WebCore::HTMLDocumentParser::attemptToEnd (this=0x20ba3e00) at /Users/kdean/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:375
#26 0x05003e58 in WebCore::HTMLDocumentParser::finish (this=0x20ba3e00) at /Users/kdean/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:403
#27 0x04cfa04c in WebCore::Document::finishParsing (this=0x24098200) at /Users/kdean/WebKit/Source/WebCore/dom/Document.cpp:2271
#28 0x04d6aec0 in WebCore::DocumentWriter::endIfNotLoadingMainResource (this=0x20c036ec) at /Users/kdean/WebKit/Source/WebCore/loader/DocumentWriter.cpp:222
#29 0x04d6af1c in WebCore::DocumentWriter::end (this=0x20c036ec) at /Users/kdean/WebKit/Source/WebCore/loader/DocumentWriter.cpp:207
#30 0x04d4bacc in WebCore::DocumentLoader::finishedLoading (this=0x20c03600) at /Users/kdean/WebKit/Source/WebCore/loader/DocumentLoader.cpp:284
#31 0x04f42454 in WebCore::FrameLoader::finishedLoading (this=0x20b21c78) at /Users/kdean/WebKit/Source/WebCore/loader/FrameLoader.cpp:2188
#32 0x0564a25c in WebCore::MainResourceLoader::didFinishLoading (this=0x20be0e00, finishTime=0) at /Users/kdean/WebKit/Source/WebCore/loader/MainResourceLoader.cpp:467
#33 0x0599cc0c in WebCore::ResourceLoader::didFinishLoading (this=0x20be0e00, finishTime=0) at /Users/kdean/WebKit/Source/WebCore/loader/ResourceLoader.cpp:436
#34 0x05997a58 in -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] (self=0x230dfe60, _cmd=0x917a1300, connection=0x230dc930) at /Users/kdean/WebKit/Source/WebCore/platform/network/mac/ResourceHandleMac.mm:969
#35 0x937d8818 in _NSURLConnectionDidFinishLoading ()
#36 0x9636bd90 in URLConnectionClient::_clientDidFinishLoading ()
#37 0x9636ca0c in URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload ()
#38 0x9636ccdc in URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload ()
#39 0x9636b504 in URLConnectionClient::processEvents ()
#40 0x96315004 in MultiplexerSource::perform ()
#41 0x901cc1a0 in CFRunLoopRunSpecific ()
#42 0x91f71b18 in RunCurrentEventLoopInMode ()
#43 0x91f7193c in ReceiveNextEventCommon ()
#44 0x91f7177c in BlockUntilNextEventMatchingListInMode ()
#45 0x90831248 in _DPSNextEvent ()
#46 0x90830c00 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#47 0x00019a14 in ?? ()
#48 0x9082a8a0 in -[NSApplication run] ()
#49 0x907fb29c in NSApplicationMain ()
#50 0x0000c05c in ?? ()
Current language:  auto; currently c++
```

---

You're getting slightly different traces as the crash occurs during an object's finalization, which can happen any time there's a GC sweep. The top of the trace is always the same.

(In reply to comment #25)
> (In reply to comment #24)
> > (In reply to comment #23)
> > > Did my previous backtrace give you what you need or do you need me to do it again after a rebuild?
> >
> > I have an idea for how to deal with this, but I probably won't get to it for a couple of days.
>
> Great, here's another backtrace that's a little different that I ran after doing an update / rebuild.
>
> Program received signal EXC_BAD_ACCESS, Could not access memory.
> Reason: KERN_PROTECTION_FAILURE at address: 0x0000007e
> 0x007dba9c in JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock (this=0xbfffba30, globalData=0x6, registerThread=true) at APIShims.h:40
> 40	    , m_entryIdentifierTable(wtfThreadData().setCurrentIdentifierTable(globalData->identifierTable))
> (gdb) bt
> #0  0x007dba9c in JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock (this=0xbfffba30, globalData=0x6, registerThread=true) at APIShims.h:40
> #1  0x008210d0 in JSC::APIEntryShim::APIEntryShim (this=0xbfffba30, exec=0x22409d20, registerThread=true) at APIShims.h:67
> #2  0x008a8928 in JSWeakObjectMapClear (ctx=0x22409d20, map=0x2045ede0, key=0x1c45a120, object=0x2248e8b8) at /Users/kdean/WebKit/Source/JavaScriptCore/API/JSWeakObjectMapRefPrivate.cpp:74
> #3  0x001b402c in ?? ()
> #4  0x001b3778 in ?? ()
> #5  0x008335d8 in JSC::JSCallbackObject<JSC::JSObjectWithGlobalObject>::~JSCallbackObject (this=Cannot access memory at address 0x79
> ) at JSCallbackObjectFunctions.h:100
> #6  0x008bb1a8 in JSC::MarkedBlock::allocate (this=0x2248c000) at JSCell.h:404
> #7  0x008ba0bc in JSC::MarkedSpace::allocateFromSizeClass (this=0x98d7cb4, sizeClass=@0x98d7d14) at /Users/kdean/WebKit/Source/JavaScriptCore/runtime/MarkedSpace.cpp:77
> #8  0x0073c988 in JSC::MarkedSpace::allocate (this=0x98d7cb4, bytes=56) at JSCell.h:424
> #9  0x0073d2a4 in JSC::Heap::allocate (this=0x98d7cb0, bytes=56) at JSCell.h:436
> #10 0x0073d334 in JSC::JSCell::operator new (size=56, exec=0x1a9d6038) at JSCell.h:451
> #11 0x0081109c in JSC::FunctionExecutable::make (this=0x224f0510, exec=0x1a9d6038, scopeChain=0x2240f7e0) at Executable.h:312
> #12 0x007fdc98 in JSC::Interpreter::privateExecute (this=0x98d0800, flag=JSC::Interpreter::Normal, registerFile=0x98d080c, callFrame=0x1a9d6038) at /Users/kdean/WebKit/Source/JavaScriptCore/interpreter/Interpreter.cpp:3793
> #13 0x00803da8 in JSC::Interpreter::execute (this=0x98d0800, program=0x2248e7a0, callFrame=0x22409aa0, scopeChain=0x2240f7e0, thisObj=0x2248da48) at /Users/kdean/WebKit/Source/JavaScriptCore/interpreter/Interpreter.cpp:776
> #14 0x007a5a9c in JSC::evaluate (exec=0x22409aa0, scopeChain=0x2240f7e0, source=@0xbfffd754, thisValue={u = {asEncodedJSValue = -16604669368, asDouble = -nan(0xffffc2248da48), asBits = {tag = -4, payload = 575199816}}}) at /Users/kdean/WebKit/Source/JavaScriptCore/runtime/Completion.cpp:67
> #15 0x059ddeec in WebCore::JSMainThreadExecState::evaluate (exec=0x22409aa0, chain=0x2240f7e0, source=@0xbfffd754, thisValue={u = {asEncodedJSValue = -16604669368, asDouble = -nan(0xffffc2248da48), asBits = {tag = -4, payload = 575199816}}}) at JSMainThreadExecState.h:54
> #16 0x059d5fa4 in WebCore::ScriptController::evaluateInWorld (this=0x20b21fe8, sourceCode=@0xbfffd750, world=0x1b01f420) at /Users/kdean/WebKit/Source/WebCore/bindings/js/ScriptController.cpp:142
> #17 0x04f28d80 in WebCore::Frame::injectUserScriptsForWorld (this=0x20b21c00, world=0x1b01f420, userScripts=@0x1c44abb0, injectionTime=WebCore::InjectAtDocumentEnd) at /Users/kdean/WebKit/Source/WebCore/page/Frame.cpp:550
> #18 0x04f28ec4 in WebCore::Frame::injectUserScripts (this=0x20b21c00, injectionTime=WebCore::InjectAtDocumentEnd) at /Users/kdean/WebKit/Source/WebCore/page/Frame.cpp:530
> #19 0x04f43248 in WebCore::FrameLoader::finishedParsing (this=0x20b21c78) at /Users/kdean/WebKit/Source/WebCore/loader/FrameLoader.cpp:764
> #20 0x04d11210 in WebCore::Document::finishedParsing (this=0x24098200) at /Users/kdean/WebKit/Source/WebCore/dom/Document.cpp:4282
> #21 0x050a7fec in WebCore::HTMLTreeBuilder::finished (this=0x230ea5e0) at /Users/kdean/WebKit/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2807
> #22 0x05003f5c in WebCore::HTMLDocumentParser::end (this=0x20ba3e00) at /Users/kdean/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:354
> #23 0x050040d8 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x20ba3e00) at /Users/kdean/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:363
> #24 0x05005f60 in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x20ba3e00) at /Users/kdean/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:151
> #25 0x05003df4 in WebCore::HTMLDocumentParser::attemptToEnd (this=0x20ba3e00) at /Users/kdean/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:375
> #26 0x05003e58 in WebCore::HTMLDocumentParser::finish (this=0x20ba3e00) at /Users/kdean/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:403
> #27 0x04cfa04c in WebCore::Document::finishParsing (this=0x24098200) at /Users/kdean/WebKit/Source/WebCore/dom/Document.cpp:2271
> #28 0x04d6aec0 in WebCore::DocumentWriter::endIfNotLoadingMainResource (this=0x20c036ec) at /Users/kdean/WebKit/Source/WebCore/loader/DocumentWriter.cpp:222
> #29 0x04d6af1c in WebCore::DocumentWriter::end (this=0x20c036ec) at /Users/kdean/WebKit/Source/WebCore/loader/DocumentWriter.cpp:207
> #30 0x04d4bacc in WebCore::DocumentLoader::finishedLoading (this=0x20c03600) at /Users/kdean/WebKit/Source/WebCore/loader/DocumentLoader.cpp:284
> #31 0x04f42454 in WebCore::FrameLoader::finishedLoading (this=0x20b21c78) at /Users/kdean/WebKit/Source/WebCore/loader/FrameLoader.cpp:2188
> #32 0x0564a25c in WebCore::MainResourceLoader::didFinishLoading (this=0x20be0e00, finishTime=0) at /Users/kdean/WebKit/Source/WebCore/loader/MainResourceLoader.cpp:467
> #33 0x0599cc0c in WebCore::ResourceLoader::didFinishLoading (this=0x20be0e00, finishTime=0) at /Users/kdean/WebKit/Source/WebCore/loader/ResourceLoader.cpp:436
> #34 0x05997a58 in -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] (self=0x230dfe60, _cmd=0x917a1300, connection=0x230dc930) at /Users/kdean/WebKit/Source/WebCore/platform/network/mac/ResourceHandleMac.mm:969
> #35 0x937d8818 in _NSURLConnectionDidFinishLoading ()
> #36 0x9636bd90 in URLConnectionClient::_clientDidFinishLoading ()
> #37 0x9636ca0c in URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload ()
> #38 0x9636ccdc in URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload ()
> #39 0x9636b504 in URLConnectionClient::processEvents ()
> #40 0x96315004 in MultiplexerSource::perform ()
> #41 0x901cc1a0 in CFRunLoopRunSpecific ()
> #42 0x91f71b18 in RunCurrentEventLoopInMode ()
> #43 0x91f7193c in ReceiveNextEventCommon ()
> #44 0x91f7177c in BlockUntilNextEventMatchingListInMode ()
> #45 0x90831248 in _DPSNextEvent ()
> #46 0x90830c00 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
> #47 0x00019a14 in ?? ()
> #48 0x9082a8a0 in -[NSApplication run] ()
> #49 0x907fb29c in NSApplicationMain ()
> #50 0x0000c05c in ?? ()
> Current language:  auto; currently c++

---

Just checking in on this one... maybe it can get fixed in the next Nightly, Monthly, or whatever it is now. 8)

---

(In reply to comment #27)
> Just checking in on this one... maybe it can get fixed in the next Nightly, Monthly, or whatever it is now. 8)

...and not sooner than making this comment, a new nightly finally comes out... although it still crashes, so back to r79987 for me.

---

Created attachment 86812 [details]
Patch
Comment on attachment 86812 [details]
Patch
r=me
Would be worth a comment like "We need to keep this function present so nightly builds still work," to reduce mystery.
Committed r81900: <http://trac.webkit.org/changeset/81900>
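The observation in the thread that the two backtraces share the same top frames while the bottoms differ (the finalizer runs on whichever GC sweep happens next) is exactly what crash-report bucketing relies on. The script below is an added example, not code from this bug or from WebKit: it parses gdb `bt` output, keys each report on the function names of its top N frames so the two reports land in one bucket, and flags the two clues visible in these traces, a faulting address inside the first page and a `globalData` argument (0x18, 0x6) far too small to be a real pointer. The two embedded traces are shortened excerpts of the backtraces posted above; the function names, regexes and the 0x1000 "near null" threshold are the example's own assumptions.

```python
"""Crash triage over gdb backtraces: bucket reports by top-of-stack signature.

Added example, not code from this bug or from WebKit. TRACE_A and TRACE_B are
shortened excerpts of the two backtraces posted in the bug; the rest is the
example's own.
"""
import re
from collections import defaultdict

# One gdb "bt" frame, with or without a source location, e.g.
#   #2  0x008a8928 in JSWeakObjectMapClear (ctx=0x22409d20, ...) at .../JSWeakObjectMapRefPrivate.cpp:74
#   #3  0x001b402c in ?? ()
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?"
    r"(?P<func>.+?)\s*\((?P<args>.*)\)"
    r"(?:\s+at\s+(?P<file>\S+):(?P<line>\d+))?\s*$"
)
# "Reason: KERN_PROTECTION_FAILURE at address: 0x00000090"
FAULT_RE = re.compile(r"at address:\s*(0x[0-9a-fA-F]+)")
# name=0x... pairs inside a frame's argument list
PTR_ARG_RE = re.compile(r"(\w+)=(0x[0-9a-fA-F]+)")

# Constructed sample input: shortened excerpts of the two traces from the bug.
TRACE_A = """\
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000090
(gdb) bt
#0  0x007dba9c in JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock (this=0xbfffb1d0, globalData=0x18, registerThread=true) at APIShims.h:40
#1  0x008210d0 in JSC::APIEntryShim::APIEntryShim (this=0xbfffb1d0, exec=0x1d929a0, registerThread=true) at APIShims.h:67
#2  0x008a8928 in JSWeakObjectMapClear (ctx=0x1d929a0, map=0x244af1e0, key=0x1c4b6f90, object=0x1c3f7a00) at /Users/kdean/WebKit/Source/JavaScriptCore/API/JSWeakObjectMapRefPrivate.cpp:74
#3  0x001b402c in ?? ()
#4  0x001b3778 in ?? ()
#5  0x008335d8 in JSC::JSCallbackObject<JSC::JSObjectWithGlobalObject>::~JSCallbackObject (this=Cannot access memory at address 0x79 ) at JSCallbackObjectFunctions.h:100
#6  0x008bb1a8 in JSC::MarkedBlock::allocate (this=0x1c3f4000) at JSCell.h:404
#11 0x0538d92c in WebCore::createDOMNodeWrapper<WebCore::JSHTMLImageElement, WebCore::HTMLImageElement> (exec=0x1a9d6078, globalObject=0x2398da20, node=0x234dbe60) at JSDOMBinding.h:181
"""
TRACE_B = """\
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x0000007e
(gdb) bt
#0  0x007dba9c in JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock (this=0xbfffba30, globalData=0x6, registerThread=true) at APIShims.h:40
#1  0x008210d0 in JSC::APIEntryShim::APIEntryShim (this=0xbfffba30, exec=0x22409d20, registerThread=true) at APIShims.h:67
#2  0x008a8928 in JSWeakObjectMapClear (ctx=0x22409d20, map=0x2045ede0, key=0x1c45a120, object=0x2248e8b8) at /Users/kdean/WebKit/Source/JavaScriptCore/API/JSWeakObjectMapRefPrivate.cpp:74
#3  0x001b402c in ?? ()
#4  0x001b3778 in ?? ()
#5  0x008335d8 in JSC::JSCallbackObject<JSC::JSObjectWithGlobalObject>::~JSCallbackObject (this=Cannot access memory at address 0x79 ) at JSCallbackObjectFunctions.h:100
#6  0x008bb1a8 in JSC::MarkedBlock::allocate (this=0x2248c000) at JSCell.h:404
#11 0x0081109c in JSC::FunctionExecutable::make (this=0x224f0510, exec=0x1a9d6038, scopeChain=0x2240f7e0) at Executable.h:312
"""


def parse_backtrace(text):
    """Return (faulting address or None, list of frame dicts) from raw gdb output."""
    fault, frames = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = FAULT_RE.search(line)
        if m:
            fault = int(m.group(1), 16)
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append({
                "num": int(m.group("num")),
                "func": m.group("func"),
                "args": m.group("args"),
                "file": m.group("file"),
                "line": int(m.group("line")) if m.group("line") else None,
            })
    return fault, frames


def signature(frames, depth=3):
    """Function names of the top `depth` frames. Addresses and argument values are
    dropped because they change from run to run even for the same bug."""
    return tuple(f["func"] for f in frames[:depth])


def bucket_traces(traces, depth=3):
    """Map each signature to the names of the reports that share it."""
    buckets = defaultdict(list)
    for name, text in traces.items():
        _, frames = parse_backtrace(text)
        buckets[signature(frames, depth)].append(name)
    return dict(buckets)


def near_null(fault, limit=0x1000):
    """A fault inside the first page means a null-or-tiny pointer was dereferenced
    (here globalData->identifierTable with globalData = 0x18 or 0x6); an assumed threshold."""
    return fault is not None and fault < limit


def suspicious_pointer_args(frame, limit=0x1000):
    """Pointer-valued arguments far too small to be real heap or stack addresses."""
    return {k: int(v, 16) for k, v in PTR_ARG_RE.findall(frame["args"])
            if int(v, 16) < limit}


if __name__ == "__main__":
    reports = {"trace-a": TRACE_A, "trace-b": TRACE_B}
    for sig, names in bucket_traces(reports).items():
        print(" <- ".join(sig), names)
    for name, text in reports.items():
        fault, frames = parse_backtrace(text)
        print(name, hex(fault), "near-null" if near_null(fault) else "wild",
              suspicious_pointer_args(frames[0]))
```

With the default depth of three frames both reports fall into one bucket keyed on `APIEntryShimWithoutLock <- APIEntryShim <- JSWeakObjectMapClear`; raising the depth past the allocator frames splits them, which is the point the thread makes about the trace only diverging below the finalizer.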