Bug 9031

Summary: REGRESSION: Crash when closing tabs on newegg.com
Product: WebKit Reporter: Leonard Case <len>
Component: WebCore JavaScript
Assignee: Anders Carlsson <andersca>
Status: RESOLVED FIXED    
Severity: Normal CC: ap, darin, ggaren, jonathanjohnsson
Priority: P1 Keywords: InRadar, NeedsReduction, Regression
Version: 420+   
Hardware: Mac   
OS: OS X 10.4   
URL: http://www.newegg.com
Attachments:
Crash log (flags: none)
patch (flags: none)
Patch (flags: darin: review+)

Leonard Case
Reported 2006-05-21 17:16:46 PDT
Open around 5 tabs on www.newegg.com. Before they all finish loading, start closing them using Cmd-W. Crash!
Reproduced in nightly r13302 and r14505 (with different backtraces).
Attachments
Crash log (21.60 KB, text/plain)
2006-05-21 17:19 PDT, Leonard Case
no flags
patch (1.15 KB, patch)
2006-06-04 17:17 PDT, Darin Adler
no flags
Patch (2.21 KB, patch)
2006-06-26 14:03 PDT, Anders Carlsson
darin: review+
Leonard Case
Comment 1 2006-05-21 17:19:33 PDT
Created attachment 8455 [details] Crash log
Here is a crash log from nightly WebKit r14505.
jonathanjohnsson
Comment 2 2006-05-31 14:17:17 PDT
Confirmed using r14648. I can reproduce it almost every time by:
1. Open a window and let www.newegg.com load (newly loaded WebKit).
2. Close the window, using cmd+w or the red pill.
This doesn't happen in Safari release. I guess the component could be WebCore JavaScript, as that's how the crash trace starts.
Darin Adler
Comment 3 2006-06-04 17:13:35 PDT
I tried a few times and could not reproduce it. But the backtrace makes it look like a problem where a timer fires after the DOMWindow is gone. Looks like the code is calling defaultView on a document and getting a 0 back. So I think the fix is to add a nil check to the toJS function that takes a DOMWindow in kjs_window.cpp.
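The lifetime problem described in the comment above (a scheduled timer firing after the tab's DOMWindow has been torn down, so defaultView() hands back a null pointer) as an added C++ model. This is not WebKit code: DOMWindow, Document, ScheduledAction, TimerQueue and toJS here are hypothetical stand-ins named after the identifiers in the thread, and the timer cancellation on close is an extra mitigation shown for illustration, not a description of what the committed patches did.

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

// Constructed stand-in for a JS value: either JS null or a wrapper for a window.
struct JSValue {
    bool isNull;
    int windowId;
};

struct DOMWindow {
    int id;
};

// The document can outlive the tab it was shown in; its window does not.
struct Document {
    DOMWindow* window = nullptr;
    DOMWindow* defaultView() const { return window; }
};

// Hardened toJS (the fix proposed in comment 3): a null DOMWindow maps to
// JS null instead of being dereferenced.
JSValue toJS(DOMWindow* window) {
    if (!window)
        return JSValue{true, 0};
    return JSValue{false, window->id};
}

// A timer callback that runs script against its document, as in the backtraces.
struct ScheduledAction {
    Document* document;
    JSValue execute() const { return toJS(document->defaultView()); }
};

// Toy timer queue; WebKit's real one is TimerBase/DOMWindowTimer (see the traces).
struct TimerQueue {
    std::vector<ScheduledAction> pending;

    void schedule(Document* d) { pending.push_back(ScheduledAction{d}); }

    // Stronger mitigation (hypothetical here): drop every timer owned by a
    // document when its window goes away, so no callback runs against it.
    void cancelFor(const Document* d) {
        pending.erase(std::remove_if(pending.begin(), pending.end(),
                          [d](const ScheduledAction& a) { return a.document == d; }),
                      pending.end());
    }

    // Fire everything that is still pending and collect what each action produced.
    std::vector<JSValue> fireAll() {
        std::vector<JSValue> results;
        for (const auto& a : pending)
            results.push_back(a.execute());
        pending.clear();
        return results;
    }
};

// Scenario 1: tab closed before the timer fires, only the toJS null check in place.
// The action still runs, but yields JS null instead of a null dereference.
JSValue closeThenFireWithNullCheck() {
    DOMWindow window{1};
    Document doc;
    doc.window = &window;
    TimerQueue timers;
    timers.schedule(&doc);
    doc.window = nullptr;            // tab closed: the DOMWindow is gone
    return timers.fireAll().at(0);
}

// Scenario 2: closing the tab also cancels its timers, so nothing fires at all.
std::size_t closeThenFireWithCancellation() {
    DOMWindow window{1};
    Document doc;
    doc.window = &window;
    TimerQueue timers;
    timers.schedule(&doc);
    timers.cancelFor(&doc);          // done as part of tearing the window down
    doc.window = nullptr;
    return timers.fireAll().size();
}

// Scenario 3: window still alive, the timer produces a real wrapper.
JSValue fireWhileOpen() {
    DOMWindow window{7};
    Document doc;
    doc.window = &window;
    TimerQueue timers;
    timers.schedule(&doc);
    return timers.fireAll().at(0);
}
```

The null check alone only makes the callback survive to the next place that assumes a live window; comment 7 below reports the crash resurfacing at a later stage after the first patch landed, which is why the model also shows cancelling a document's pending timers at teardown, so that no scheduled action runs against a detached document in the first place.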
Darin Adler
Comment 4 2006-06-04 17:17:26 PDT
Maciej Stachowiak
Comment 5 2006-06-04 17:39:40 PDT
Comment on attachment 8705 [details] patch
r=me
Darin Adler
Comment 6 2006-06-04 22:15:45 PDT
Committed revision 14733.
Alexey Proskuryakov
Comment 7 2006-06-05 09:33:50 PDT
I can still reproduce the crash (using the original instructions), although at a later stage:
0 <<00000000>> 0xfffeff18 objc_msgSend_rtp + 24
1 com.apple.WebKit 0x00333328 -[WebFrameBridge webView] + 144 (WebFrameBridge.m:111)
2 com.apple.WebKit 0x00335888 -[WebFrameBridge addMessageToConsole:] + 68 (WebFrameBridge.m:445)
3 com.apple.WebCore 0x018660b8 WebCore::FrameMac::addMessageToConsole(WebCore::String const&, unsigned, WebCore::String const&) + 264 (FrameMac.mm:1335)
4 com.apple.WebCore 0x01a7edf8 WebCore::KJSProxy::evaluate(WebCore::String const&, int, WebCore::String const&, WebCore::Node*) + 1228 (kjs_proxy.cpp:77)
5 com.apple.WebCore 0x0185e3c0 WebCore::Frame::executeScript(WebCore::Node*, DeprecatedString const&, bool) + 244 (Frame.cpp:399)
6 com.apple.WebCore 0x01a84abc KJS::ScheduledAction::execute(KJS::Window*) + 968 (kjs_window.cpp:1810)
7 com.apple.WebCore 0x01a8a8f8 KJS::Window::timerFired(KJS::DOMWindowTimer*) + 76 (kjs_window.cpp:1907)
8 com.apple.WebCore 0x01a8a9d0 KJS::DOMWindowTimer::fired() + 44 (kjs_window.cpp:2474)
9 com.apple.WebCore 0x01a05cb8 WebCore::TimerBase::fireTimers(double, WTF::Vector<WebCore::TimerBase*, (unsigned long)0> const&) + 260 (Timer.cpp:321)
10 com.apple.WebCore 0x01a05d6c WebCore::TimerBase::sharedTimerFired() + 132 (Timer.cpp:354)
11 com.apple.WebCore 0x01a05118 WebCore::timerFired(__CFRunLoopTimer*, void*) + 60 (SharedTimerMac.cpp:47)
12 com.apple.CoreFoundation 0x907ef550 __CFRunLoopDoTimer + 184
Darin Adler
Comment 8 2006-06-05 13:29:37 PDT
Comment on attachment 8705 [details] patch
Clearing the flag so this doesn't show up in the list to be committed.
jonathanjohnsson
Comment 9 2006-06-06 00:47:02 PDT
I can also reproduce it (using my instructions). My crash log starts like this (the toJS function doesn't appear, as it did in the reporter's crash log):
0 com.apple.WebCore 0x0129b120 WebCore::DOMWindow::frame() + 0
1 com.apple.WebCore 0x0126596c WebCore::JSDocument::getValueProperty(KJS::ExecState*, int) const + 380
2 com.apple.WebCore 0x0126596c WebCore::JSDocument::getValueProperty(KJS::ExecState*, int) const + 380
3 com.apple.JavaScriptCore 0x00137c90 KJS::JSObject::get(KJS::ExecState*, KJS::Identifier const&) const + 176
4 com.apple.JavaScriptCore 0x0012a44c KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 60
5 com.apple.JavaScriptCore 0x00128518 KJS::VarDeclNode::evaluate(KJS::ExecState*) + 88
6 com.apple.JavaScriptCore 0x0012845c KJS::VarDeclListNode::evaluate(KJS::ExecState*) + 76
7 com.apple.JavaScriptCore 0x0012ec68 KJS::VarStatementNode::execute(KJS::ExecState*) + 104
8 com.apple.JavaScriptCore 0x001324ac KJS::SourceElementsNode::execute(KJS::ExecState*) + 252
9 com.apple.JavaScriptCore 0x0012edf8 KJS::BlockNode::execute(KJS::ExecState*) + 152
10 com.apple.JavaScriptCore 0x0011a758 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 56
11 com.apple.JavaScriptCore 0x0011a000 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 432
12 com.apple.JavaScriptCore 0x00138a34 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 116
13 com.apple.JavaScriptCore 0x0012a678 KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 616
14 com.apple.JavaScriptCore 0x0012eec8 KJS::ExprStatementNode::execute(KJS::ExecState*) + 104
15 com.apple.JavaScriptCore 0x001324ac KJS::SourceElementsNode::execute(KJS::ExecState*) + 252
16 com.apple.JavaScriptCore 0x0012edf8 KJS::BlockNode::execute(KJS::ExecState*) + 152
17 com.apple.JavaScriptCore 0x0011e80c KJS::InterpreterImp::evaluate(KJS::UChar const*, int, KJS::JSValue*, KJS::UString const&, int) + 908
18 com.apple.JavaScriptCore 0x00121bd4 KJS::Interpreter::evaluate(KJS::UString const&, int, KJS::UChar const*, int, KJS::JSValue*) + 68
19 com.apple.WebCore 0x0128c958 WebCore::KJSProxy::evaluate(WebCore::String const&, int, WebCore::String const&, WebCore::Node*) + 280
20 com.apple.WebCore 0x010d47e8 WebCore::Frame::executeScript(WebCore::Node*, DeprecatedString const&, bool) + 184
Alice Liu
Comment 10 2006-06-07 19:03:21 PDT
Anders Carlsson
Comment 11 2006-06-26 14:03:50 PDT
Darin Adler
Comment 12 2006-06-26 14:09:44 PDT
Comment on attachment 9052 [details] Patch
r=me
Anders Carlsson
Comment 13 2006-06-26 14:21:21 PDT
Fixed in r15048