Bug 91505

Summary: [Mac] REGRESSION (r122494): Running platform/mac/plugins/root-object-premature-delete-crash.html results in a crash
Product: WebKit
Reporter: Andy Estes <aestes>
Component: WebCore JavaScript
Assignee: Andy Estes <aestes>
Status: RESOLVED WORKSFORME
Severity: Normal
CC: aestes, enrica, fpizlo, rniwa, webkit.review.bot
Priority: P1
Keywords: LayoutTestFailure, Regression
Version: 528+ (Nightly build)
Hardware: All
OS: All
Bug Depends on: 90849    
Bug Blocks:    
Attachments (Description / Flags):
  Patch / none
  Patch / none

Description Andy Estes 2012-07-17 09:01:38 PDT
See http://build.webkit.org/results/Apple%20Lion%20Debug%20WK1%20(Tests)/r122845%20(1006)/platform/mac/plugins/root-object-premature-delete-crash-crash-log.txt for an example crash log. In case that link dies, here's the important part:

Process:         DumpRenderTree [22005]
Path:            /Volumes/VOLUME/*/DumpRenderTree
Identifier:      DumpRenderTree
Version:         ??? (???)
Code Type:       X86-64 (Native)
Parent Process:  Python [20826]

Date/Time:       2012-07-17 08:48:57.936 -0700
OS Version:      Mac OS X 10.7.3 (11D50)
Report Version:  9

Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000030

VM Regions Near 0x30:
--> 
    __TEXT                 000000010328b000-0000000103322000 [  604K] r-x/rwx SM=COW  /Volumes/VOLUME/*

Application Specific Information:
objc[22005]: garbage collection is OFF

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x0000000105cac4f8 JSC::Bindings::RootObject::globalObject() const + 24 (runtime_root.cpp:177)
1   com.apple.WebCore             	0x00000001060a5673 -[WebScriptObject JSObject] + 51 (WebScriptObject.mm:533)
2   DumpRenderTree                	0x00000001032dc2ad -[ObjCController accessStoredWebScriptObject] + 125 (ObjCController.m:244)
3   com.apple.CoreFoundation      	0x00007fff89329f4c __invoking___ + 140
4   com.apple.CoreFoundation      	0x00007fff89329de4 -[NSInvocation invoke] + 132
5   com.apple.WebCore             	0x00000001059366a0 JSC::Bindings::ObjcInstance::invokeObjcMethod(JSC::ExecState*, JSC::Bindings::ObjcMethod*) + 1920 (objc_instance.mm:323)
6   com.apple.WebCore             	0x0000000105935ed7 JSC::Bindings::ObjcInstance::invokeMethod(JSC::ExecState*, JSC::RuntimeMethod*) + 343 (objc_instance.mm:235)
7   com.apple.WebCore             	0x0000000105caa426 _ZN3JSCL17callRuntimeMethodEPNS_9ExecStateE + 534 (runtime_method.cpp:128)
8   com.apple.JavaScriptCore      	0x000000010387d684 _ZN3JSC5LLIntL14handleHostCallEPNS_9ExecStateEPNS_11InstructionENS_7JSValueENS_22CodeSpecializationKindE + 324 (LLIntSlowPaths.cpp:1321)
9   com.apple.JavaScriptCore      	0x000000010387e43c JSC::LLInt::setUpCall(JSC::ExecState*, JSC::Instruction*, JSC::CodeSpecializationKind, JSC::JSValue, JSC::LLIntCallLinkInfo*) + 92 (LLIntSlowPaths.cpp:1365)
10  com.apple.JavaScriptCore      	0x000000010387e3c1 JSC::LLInt::genericCall(JSC::ExecState*, JSC::Instruction*, JSC::CodeSpecializationKind) + 241 (LLIntSlowPaths.cpp:1421)
11  com.apple.JavaScriptCore      	0x000000010387badc llint_slow_path_call + 60 (LLIntSlowPaths.cpp:1427)
12  com.apple.JavaScriptCore      	0x0000000103882c56 llint_op_call + 153
13  com.apple.JavaScriptCore      	0x0000000103696054 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*) + 84 (JITCode.h:133)
14  com.apple.JavaScriptCore      	0x0000000103692ddc JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1724 (Interpreter.cpp:1303)
15  com.apple.JavaScriptCore      	0x00000001035486d8 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 296 (CallData.cpp:39)
16  com.apple.WebCore             	0x0000000105325442 WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 146 (JSMainThreadExecState.h:56)
17  com.apple.WebCore             	0x000000010545101e WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 1294 (JSEventListener.cpp:132)
18  com.apple.WebCore             	0x0000000104ec4b07 WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul>&) + 359 (EventTarget.cpp:232)
19  com.apple.WebCore             	0x0000000104ec496b WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 315 (EventTarget.cpp:200)
20  com.apple.WebCore             	0x0000000105911acb WebCore::Node::handleLocalEvents(WebCore::Event*) + 155 (Node.cpp:2526)
21  com.apple.WebCore             	0x0000000104e96334 WebCore::EventContext::handleLocalEvents(WebCore::Event*) const + 276 (EventContext.cpp:55)
22  com.apple.WebCore             	0x0000000104e9785e WebCore::EventDispatcher::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) + 1406 (EventDispatcher.cpp:283)
23  com.apple.WebCore             	0x0000000104e9db04 WebCore::EventDispatchMediator::dispatchEvent(WebCore::EventDispatcher*) const + 68 (EventDispatchMediator.cpp:51)
24  com.apple.WebCore             	0x0000000104e96d1c WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WTF::PassRefPtr<WebCore::EventDispatchMediator>) + 140 (EventDispatcher.cpp:128)
25  com.apple.WebCore             	0x0000000105911bba WebCore::Node::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) + 58 (Node.cpp:2541)
26  com.apple.WebCore             	0x0000000104e22530 WebCore::DOMWindow::dispatchLoadEvent() + 576 (DOMWindow.cpp:1646)
27  com.apple.WebCore             	0x0000000104c6f93a WebCore::Document::dispatchWindowLoadEvent() + 138 (Document.cpp:4083)
28  com.apple.WebCore             	0x0000000104c6d180 WebCore::Document::implicitClose() + 480 (Document.cpp:2497)
29  com.apple.WebCore             	0x0000000104f6696b WebCore::FrameLoader::checkCallImplicitClose() + 155 (FrameLoader.cpp:764)
30  com.apple.WebCore             	0x0000000104f66663 WebCore::FrameLoader::checkCompleted() + 323 (FrameLoader.cpp:711)
31  com.apple.WebCore             	0x0000000104f65623 WebCore::FrameLoader::finishedParsing() + 179 (FrameLoader.cpp:644)
32  com.apple.WebCore             	0x0000000104c789f4 WebCore::Document::finishedParsing() + 532 (Document.cpp:4863)
33  com.apple.WebCore             	0x000000010513d18c WebCore::HTMLTreeBuilder::finished() + 140 (HTMLTreeBuilder.cpp:2786)
34  com.apple.WebCore             	0x0000000105077963 WebCore::HTMLDocumentParser::end() + 211 (HTMLDocumentParser.cpp:377)
35  com.apple.WebCore             	0x0000000105076ac6 WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() + 262 (HTMLDocumentParser.cpp:386)
36  com.apple.WebCore             	0x00000001050768c2 WebCore::HTMLDocumentParser::prepareToStopParsing() + 242 (HTMLDocumentParser.cpp:154)
37  com.apple.WebCore             	0x00000001050779b3 WebCore::HTMLDocumentParser::attemptToEnd() + 67 (HTMLDocumentParser.cpp:398)
38  com.apple.WebCore             	0x0000000105077a08 WebCore::HTMLDocumentParser::finish() + 72 (HTMLDocumentParser.cpp:425)
39  com.apple.WebCore             	0x0000000104cd50cf WebCore::DocumentWriter::end() + 383 (DocumentWriter.cpp:242)
40  com.apple.WebCore             	0x0000000104cb546f WebCore::DocumentLoader::finishedLoading() + 207 (DocumentLoader.cpp:300)
41  com.apple.WebCore             	0x000000010587ae96 WebCore::MainResourceLoader::didFinishLoading(double) + 278 (MainResourceLoader.cpp:517)
42  com.apple.WebCore             	0x0000000105c82a05 WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*, double) + 53 (ResourceLoader.cpp:437)
43  com.apple.WebCore             	0x0000000105c7f59b -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] + 187 (ResourceHandleMac.mm:861)
44  com.apple.Foundation          	0x00007fff8acf5662 ___NSURLConnectionDidFinishLoading_block_invoke_1 + 122
45  com.apple.Foundation          	0x00007fff8acf55e2 _NSURLConnectionDidFinishLoading + 81
46  com.apple.CFNetwork           	0x00007fff8859b4fe URLConnectionClient::_clientDidFinishLoading(URLConnectionClient::ClientConnectionEventQueue*) + 296
47  com.apple.CFNetwork           	0x00007fff8864b91e URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 862
48  com.apple.CFNetwork           	0x00007fff8864bb0a URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 1354
49  com.apple.CFNetwork           	0x00007fff88576389 URLConnectionClient::processEvents() + 185
50  com.apple.CFNetwork           	0x00007fff8857622e MultiplexerSource::perform() + 212
51  com.apple.CoreFoundation      	0x00007fff892a66e1 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
52  com.apple.CoreFoundation      	0x00007fff892a5f4d __CFRunLoopDoSources0 + 253
53  com.apple.CoreFoundation      	0x00007fff892ccd39 __CFRunLoopRun + 905
54  com.apple.CoreFoundation      	0x00007fff892cc676 CFRunLoopRunSpecific + 230
55  com.apple.Foundation          	0x00007fff8ac98f9f -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 267
56  DumpRenderTree                	0x00000001032a4229 _ZL7runTestRKNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEE + 5657 (DumpRenderTree.mm:1363)
57  DumpRenderTree                	0x00000001032a2b6a _ZL20runTestingServerLoopv + 282 (DumpRenderTree.mm:829)
58  DumpRenderTree                	0x00000001032a23fa dumpRenderTree(int, char const**) + 394 (DumpRenderTree.mm:876)
59  DumpRenderTree                	0x00000001032a4a69 main + 105 (DumpRenderTree.mm:913)
60  DumpRenderTree                	0x000000010328d284 start + 52
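The crash log above is a near-null dereference: the fault address 0x30 is a small struct offset read through a null `RootObject*` inside `RootObject::globalObject()`, reached from `-[WebScriptObject JSObject]` after the root object was deleted prematurely. The following triage helper is an added example written for this page; it is not part of the bug, the patch, or WebKit. It parses the Mac OS X crash-log layout quoted in the description (exception header plus the "Thread N Crashed" backtrace), pulls out the crashing frame and source location, and flags a fault address below one page as a likely null-pointer dereference. The embedded input is an excerpt of the log from this bug; the `NULL_PAGE` threshold and the `signature()` depth are assumptions chosen for illustration.

```python
"""Triage helper for Mac OS X crash logs of the shape quoted in this bug (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Excerpt of the crash log from the bug description: header lines plus the top frames.
CRASH_LOG = """Process:         DumpRenderTree [22005]
Path:            /Volumes/VOLUME/*/DumpRenderTree
Code Type:       X86-64 (Native)

Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000030

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             \t0x0000000105cac4f8 JSC::Bindings::RootObject::globalObject() const + 24 (runtime_root.cpp:177)
1   com.apple.WebCore             \t0x00000001060a5673 -[WebScriptObject JSObject] + 51 (WebScriptObject.mm:533)
2   DumpRenderTree                \t0x00000001032dc2ad -[ObjCController accessStoredWebScriptObject] + 125 (ObjCController.m:244)
3   com.apple.CoreFoundation      \t0x00007fff89329f4c __invoking___ + 140
4   com.apple.CoreFoundation      \t0x00007fff89329de4 -[NSInvocation invoke] + 132
"""

# Assumption: fault addresses inside the first page are treated as NULL + member offset.
NULL_PAGE = 0x1000

# One backtrace line: index, image, address, symbol, "+ offset", optional "(file:line)".
FRAME_RE = re.compile(
    r"^(?P<index>\d+)\s+(?P<image>\S+)\s+0x(?P<addr>[0-9a-fA-F]+)\s+"
    r"(?P<symbol>.+?)\s\+\s(?P<offset>\d+)(?:\s\((?P<loc>[^)]+:\d+)\))?\s*$"
)


@dataclass
class Frame:
    index: int
    image: str
    address: int
    symbol: str
    offset: int
    location: Optional[str]  # "file.cpp:line" when the image has symbols, else None


@dataclass
class Triage:
    exception_type: str
    signal: str
    kern_code: str
    fault_address: int
    crashed_thread: int
    frames: List[Frame]

    def likely_null_deref(self) -> bool:
        """True when the faulting address is a small offset from NULL."""
        return self.fault_address < NULL_PAGE

    def signature(self, depth: int = 3) -> str:
        """Bucketing key: the top `depth` symbols of the crashing thread."""
        return " <- ".join(f.symbol for f in self.frames[:depth])


def parse_crash_log(text: str) -> Triage:
    """Extract the exception header and the crashed thread's frames from a crash log."""
    m = re.search(r"^Exception Type:\s+(\S+) \((\w+)\)", text, re.M)
    exc_type, signal = m.group(1), m.group(2)
    m = re.search(r"^Exception Codes:\s+(\S+) at 0x([0-9a-fA-F]+)", text, re.M)
    kern_code, fault = m.group(1), int(m.group(2), 16)
    thread = int(re.search(r"^Crashed Thread:\s+(\d+)", text, re.M).group(1))

    frames: List[Frame] = []
    in_backtrace = False
    for line in text.splitlines():
        if line.startswith(f"Thread {thread} Crashed::"):
            in_backtrace = True
            continue
        if not in_backtrace:
            continue
        fm = FRAME_RE.match(line)
        if fm is None:
            if frames:  # a non-frame line after frames ends the backtrace
                break
            continue
        frames.append(Frame(int(fm["index"]), fm["image"], int(fm["addr"], 16),
                            fm["symbol"], int(fm["offset"]), fm["loc"]))
    return Triage(exc_type, signal, kern_code, fault, thread, frames)


def summarize(t: Triage) -> str:
    """One-line human summary: where it crashed and what kind of bad access it looks like."""
    top = t.frames[0]
    where = f"{top.image} {top.symbol}" + (f" ({top.location})" if top.location else "")
    kind = (f"likely NULL-pointer dereference, member offset 0x{t.fault_address:x}"
            if t.likely_null_deref() else f"invalid address 0x{t.fault_address:x}")
    return f"{t.exception_type} ({t.signal}, {t.kern_code}) in {where}: {kind}"


if __name__ == "__main__":
    triage = parse_crash_log(CRASH_LOG)
    print(summarize(triage))
    print("signature:", triage.signature())
```

Running the script on the excerpt reports the crash in `com.apple.WebCore JSC::Bindings::RootObject::globalObject() const (runtime_root.cpp:177)` as a likely NULL dereference at member offset 0x30, which matches the regression described in the summary: the root object is gone by the time the script object is accessed. The signature string is what a triage bot would use to recognize the same crash across builds.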
Comment 1 Andy Estes 2012-07-17 09:51:37 PDT
Created attachment 152772 [details]
Patch
Comment 2 WebKit Review Bot 2012-07-17 09:54:08 PDT
Comment on attachment 152772 [details]
Patch

Rejecting attachment 152772 [details] from commit-queue.

Failed to run "['/mnt/git/webkit-commit-queue/Tools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '-..." exit_code: 1

ERROR: /mnt/git/webkit-commit-queue/LayoutTests/ChangeLog neither lists a valid reviewer nor contains the string "Unreviewed" or "Rubber stamp" (case insensitive).

Full output: http://queues.webkit.org/results/13284170
Comment 3 Andy Estes 2012-07-17 10:06:18 PDT
Created attachment 152774 [details]
Patch
Comment 4 WebKit Review Bot 2012-07-17 11:10:10 PDT
Comment on attachment 152774 [details]
Patch

Clearing flags on attachment: 152774

Committed r122858: <http://trac.webkit.org/changeset/122858>
Comment 5 WebKit Review Bot 2012-07-17 11:10:22 PDT
All reviewed patches have been landed.  Closing bug.
Comment 6 Andy Estes 2012-07-17 11:12:25 PDT
r122858 just skipped the test. Reopening.
Comment 7 Filip Pizlo 2012-07-17 16:13:46 PDT
Also skipped in

http://trac.webkit.org/changeset/122890
Comment 8 Ryosuke Niwa 2013-05-22 18:05:00 PDT
Not crashing anymore.