Bug 60854

Summary:	REGRESSION (r86482-r86499): Crash in JSC::slowValidateCell
Product:	WebKit	Reporter:	Kevin M. Dean <kevin>
Component:	JavaScriptCore	Assignee:	Nobody <webkit-unassigned>
Status:	RESOLVED WORKSFORME
Severity:	Critical	CC:	ggaren, oliver
Priority:	P2	Keywords:	Regression
Version:	528+ (Nightly build)
Hardware:	Mac (PowerPC)
OS:	OS X 10.5

Kevin M. Dean

Reported 2011-05-15 08:38:02 PDT

Having trouble determing a consistent repeatable link, but I've crashed 3 times today with the current nightly. The crash is triggered when I close an existing tab with multiple tabs open. Here's 2 crash log variations. Process: Safari [2373] Path: /Applications/WebKit.app/Contents/MacOS/WebKit Identifier: org.webkit.nightly.WebKit Version: r86499 (86499) Code Type: PPC (Native) Parent Process: launchd [118] Date/Time: 2011-05-15 11:11:07.265 -0400 OS Version: Mac OS X 10.5.8 (9L30) Report Version: 6 Anonymous UUID: F41C1802-6457-4B49-A738-107FEBA3B7F7 Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x000000001f3443a4 Crashed Thread: 0 Thread 0 Crashed: 0 com.apple.JavaScriptCore 0x007f4b30 JSC::slowValidateCell(JSC::JSCell*) + 64 1 com.apple.JavaScriptCore 0x007c7dc0 JSC::Interpreter::tryCacheGetByID(JSC::ExecState*, JSC::CodeBlock*, JSC::Instruction*, JSC::JSValue, JSC::Identifier const&, JSC::PropertySlot const&) + 448 2 com.apple.JavaScriptCore 0x007d0bd0 JSC::Interpreter::privateExecute(JSC::Interpreter::ExecutionFlag, JSC::RegisterFile*, JSC::ExecState*) + 32128 3 com.apple.JavaScriptCore 0x007e45f8 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1816 4 com.apple.JavaScriptCore 0x0077a8b4 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 84 5 com.apple.WebCore 0x01f77ae0 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 2768 6 com.apple.WebCore 0x01ba42e8 WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul>&) + 376 7 com.apple.WebCore 0x01ba43f4 WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 116 8 com.apple.WebCore 0x01b8c848 WebCore::EventContext::handleLocalEvents(WebCore::Event*) const + 136 9 com.apple.WebCore 0x01b8d2ec WebCore::EventDispatcher::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) + 956 10 com.apple.WebCore 0x01b8c708 WebCore::EventDispatchMediator::dispatchEvent(WebCore::EventDispatcher*) const + 56 11 com.apple.WebCore 0x01b8d61c WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WebCore::EventDispatchMediator const&) + 60 12 com.apple.WebCore 0x0247935c WebCore::Node::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) + 60 13 com.apple.WebCore 0x01ba4108 WebCore::EventTarget::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&) + 152 14 com.apple.WebCore 0x01b92a98 WebCore::EventHandler::keyEvent(WebCore::PlatformKeyboardEvent const&) + 1016 15 com.apple.WebKit 0x00a15154 -[WebHTMLView flagsChanged:] + 180 16 com.apple.AppKit 0x96a36e3c -[NSWindow sendEvent:] + 7428 17 com.apple.Safari 0x00045b9c 0x1000 + 281500 18 com.apple.Safari 0x00045b28 0x1000 + 281384 19 com.apple.AppKit 0x96a0967c -[NSApplication sendEvent:] + 3256 20 com.apple.Safari 0x0003bc88 0x1000 + 240776 21 com.apple.AppKit 0x969768d4 -[NSApplication run] + 800 22 com.apple.AppKit 0x96947298 NSApplicationMain + 440 23 com.apple.Safari 0x0000c068 0x1000 + 45160 Process: Safari [2393] Path: /Applications/WebKit.app/Contents/MacOS/WebKit Identifier: org.webkit.nightly.WebKit Version: r86499 (86499) Code Type: PPC (Native) Parent Process: launchd [118] Date/Time: 2011-05-15 11:23:15.184 -0400 OS Version: Mac OS X 10.5.8 (9L30) Report Version: 6 Anonymous UUID: F41C1802-6457-4B49-A738-107FEBA3B7F7 Exception Type: EXC_BAD_ACCESS (SIGBUS) Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000005 Crashed Thread: 0 Thread 0 Crashed: 0 com.apple.JavaScriptCore 0x007f4b34 JSC::slowValidateCell(JSC::JSCell*) + 68 1 com.apple.JavaScriptCore 0x007c5334 JSC::Interpreter::tryCachePutByID(JSC::ExecState*, JSC::CodeBlock*, JSC::Instruction*, JSC::JSValue, JSC::PutPropertySlot const&) + 196 2 com.apple.JavaScriptCore 0x007d285c JSC::Interpreter::privateExecute(JSC::Interpreter::ExecutionFlag, JSC::RegisterFile*, JSC::ExecState*) + 39436 3 com.apple.JavaScriptCore 0x007e45f8 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1816 4 com.apple.JavaScriptCore 0x0077a8b4 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 84 5 com.apple.WebCore 0x01f77ae0 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 2768 6 com.apple.WebCore 0x01ba42e8 WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul>&) + 376 7 com.apple.WebCore 0x01ba43f4 WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 116 8 com.apple.WebCore 0x01b4af74 WebCore::DOMWindow::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, WTF::PassRefPtr<WebCore::EventTarget>) + 340 9 com.apple.WebCore 0x01bec124 WebCore::FrameLoader::stopLoading(WebCore::UnloadEventPolicy) + 1060 10 com.apple.WebCore 0x01bec4f4 WebCore::FrameLoader::closeURL() + 68 11 com.apple.WebCore 0x01bec564 WebCore::FrameLoader::detachFromParent() + 68 12 com.apple.WebKit 0x00a62bf4 -[WebView(WebPrivate) _close] + 148 13 com.apple.Safari 0x0008bcb4 0x1000 + 568500 14 com.apple.Safari 0x0008bc40 0x1000 + 568384 15 com.apple.Safari 0x0008b1d4 0x1000 + 565716 16 com.apple.Safari 0x000d44b4 0x1000 + 865460 17 com.apple.Safari 0x000d5dcc 0x1000 + 871884 18 com.apple.AppKit 0x96a39354 -[NSApplication sendAction:to:from:] + 104 19 com.apple.Safari 0x0004e350 0x1000 + 316240 20 com.apple.AppKit 0x96ad4d14 -[NSMenu performActionForItemAtIndex:] + 408 21 com.apple.AppKit 0x96ad4a44 -[NSCarbonMenuImpl performActionWithHighlightingForItemAtIndex:] + 228 22 com.apple.AppKit 0x96ad470c -[NSMenu performKeyEquivalent:] + 744 23 com.apple.AppKit 0x96ad31f0 -[NSApplication _handleKeyEquivalent:] + 456 24 com.apple.AppKit 0x96a09820 -[NSApplication sendEvent:] + 3676 25 com.apple.Safari 0x0003bc88 0x1000 + 240776 26 com.apple.AppKit 0x969768d4 -[NSApplication run] + 800 27 com.apple.AppKit 0x96947298 NSApplicationMain + 440 28 com.apple.Safari 0x0000c068 0x1000 + 45160

Attachments
Add attachment proposed patch, testcase, etc.

Oliver Hunt

Comment 1 2011-05-16 08:48:09 PDT

Interpreter gc bug possibly, or perhaps a null check that is too agressive. Need symbols :-/

Kevin M. Dean

Comment 2 2011-05-16 13:55:52 PDT

I've been running r86536 today and I haven't had a reoccurance of the crashes like I was the other day. So, possibly resolved by another fix?

Oliver Hunt

Comment 3 2011-05-16 14:11:49 PDT

I suspect it's mostly luck unfortunately. Still I expect something slightly mmore reproducible will turn up eventually.

Kevin M. Dean

Comment 4 2011-05-20 12:10:15 PDT

When I was having crashes, it was all within minutes of using webkit. While it wasn't always consistent what triggered it, it would reliably crash. As I mentioned previously, I'm no longer having the crashes and haven't since Monday the 16th, so I'm marking this as resolved.

Note You need to log in before you can comment on or make changes to this bug.