Bug 91505

Summary:

[Mac] REGRESSION (r122494): Running platform/mac/plugins/root-object-premature-delete-crash.html results in a crash

Product:

WebKit

Reporter:

Andy Estes <aestes>

Component:

WebCore JavaScript

Assignee:

Andy Estes <aestes>

Status:

RESOLVED WORKSFORME

Severity:

Normal

CC:

aestes, enrica, fpizlo, rniwa, webkit.review.bot

Priority:

Keywords:

LayoutTestFailure, Regression

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Bug Depends on:

90849

Bug Blocks:

Attachments:

Description	Flags
Patch	none
Patch	none

Andy Estes

Reported 2012-07-17 09:01:38 PDT

See http://build.webkit.org/results/Apple%20Lion%20Debug%20WK1%20(Tests)/r122845%20(1006)/platform/mac/plugins/root-object-premature-delete-crash-crash-log.txt for an example crash log. In case that link dies, here's the important part: Process: DumpRenderTree [22005] Path: /Volumes/VOLUME/*/DumpRenderTree Identifier: DumpRenderTree Version: ??? (???) Code Type: X86-64 (Native) Parent Process: Python [20826] Date/Time: 2012-07-17 08:48:57.936 -0700 OS Version: Mac OS X 10.7.3 (11D50) Report Version: 9 Crashed Thread: 0 Dispatch queue: com.apple.main-thread Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000030 VM Regions Near 0x30: --> __TEXT 000000010328b000-0000000103322000 [ 604K] r-x/rwx SM=COW /Volumes/VOLUME/* Application Specific Information: objc[22005]: garbage collection is OFF Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x0000000105cac4f8 JSC::Bindings::RootObject::globalObject() const + 24 (runtime_root.cpp:177) 1 com.apple.WebCore 0x00000001060a5673 -[WebScriptObject JSObject] + 51 (WebScriptObject.mm:533) 2 DumpRenderTree 0x00000001032dc2ad -[ObjCController accessStoredWebScriptObject] + 125 (ObjCController.m:244) 3 com.apple.CoreFoundation 0x00007fff89329f4c __invoking___ + 140 4 com.apple.CoreFoundation 0x00007fff89329de4 -[NSInvocation invoke] + 132 5 com.apple.WebCore 0x00000001059366a0 JSC::Bindings::ObjcInstance::invokeObjcMethod(JSC::ExecState*, JSC::Bindings::ObjcMethod*) + 1920 (objc_instance.mm:323) 6 com.apple.WebCore 0x0000000105935ed7 JSC::Bindings::ObjcInstance::invokeMethod(JSC::ExecState*, JSC::RuntimeMethod*) + 343 (objc_instance.mm:235) 7 com.apple.WebCore 0x0000000105caa426 _ZN3JSCL17callRuntimeMethodEPNS_9ExecStateE + 534 (runtime_method.cpp:128) 8 com.apple.JavaScriptCore 0x000000010387d684 _ZN3JSC5LLIntL14handleHostCallEPNS_9ExecStateEPNS_11InstructionENS_7JSValueENS_22CodeSpecializationKindE + 324 (LLIntSlowPaths.cpp:1321) 9 com.apple.JavaScriptCore 0x000000010387e43c JSC::LLInt::setUpCall(JSC::ExecState*, JSC::Instruction*, JSC::CodeSpecializationKind, JSC::JSValue, JSC::LLIntCallLinkInfo*) + 92 (LLIntSlowPaths.cpp:1365) 10 com.apple.JavaScriptCore 0x000000010387e3c1 JSC::LLInt::genericCall(JSC::ExecState*, JSC::Instruction*, JSC::CodeSpecializationKind) + 241 (LLIntSlowPaths.cpp:1421) 11 com.apple.JavaScriptCore 0x000000010387badc llint_slow_path_call + 60 (LLIntSlowPaths.cpp:1427) 12 com.apple.JavaScriptCore 0x0000000103882c56 llint_op_call + 153 13 com.apple.JavaScriptCore 0x0000000103696054 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*) + 84 (JITCode.h:133) 14 com.apple.JavaScriptCore 0x0000000103692ddc JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1724 (Interpreter.cpp:1303) 15 com.apple.JavaScriptCore 0x00000001035486d8 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 296 (CallData.cpp:39) 16 com.apple.WebCore 0x0000000105325442 WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 146 (JSMainThreadExecState.h:56) 17 com.apple.WebCore 0x000000010545101e WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 1294 (JSEventListener.cpp:132) 18 com.apple.WebCore 0x0000000104ec4b07 WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul>&) + 359 (EventTarget.cpp:232) 19 com.apple.WebCore 0x0000000104ec496b WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 315 (EventTarget.cpp:200) 20 com.apple.WebCore 0x0000000105911acb WebCore::Node::handleLocalEvents(WebCore::Event*) + 155 (Node.cpp:2526) 21 com.apple.WebCore 0x0000000104e96334 WebCore::EventContext::handleLocalEvents(WebCore::Event*) const + 276 (EventContext.cpp:55) 22 com.apple.WebCore 0x0000000104e9785e WebCore::EventDispatcher::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) + 1406 (EventDispatcher.cpp:283) 23 com.apple.WebCore 0x0000000104e9db04 WebCore::EventDispatchMediator::dispatchEvent(WebCore::EventDispatcher*) const + 68 (EventDispatchMediator.cpp:51) 24 com.apple.WebCore 0x0000000104e96d1c WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WTF::PassRefPtr<WebCore::EventDispatchMediator>) + 140 (EventDispatcher.cpp:128) 25 com.apple.WebCore 0x0000000105911bba WebCore::Node::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) + 58 (Node.cpp:2541) 26 com.apple.WebCore 0x0000000104e22530 WebCore::DOMWindow::dispatchLoadEvent() + 576 (DOMWindow.cpp:1646) 27 com.apple.WebCore 0x0000000104c6f93a WebCore::Document::dispatchWindowLoadEvent() + 138 (Document.cpp:4083) 28 com.apple.WebCore 0x0000000104c6d180 WebCore::Document::implicitClose() + 480 (Document.cpp:2497) 29 com.apple.WebCore 0x0000000104f6696b WebCore::FrameLoader::checkCallImplicitClose() + 155 (FrameLoader.cpp:764) 30 com.apple.WebCore 0x0000000104f66663 WebCore::FrameLoader::checkCompleted() + 323 (FrameLoader.cpp:711) 31 com.apple.WebCore 0x0000000104f65623 WebCore::FrameLoader::finishedParsing() + 179 (FrameLoader.cpp:644) 32 com.apple.WebCore 0x0000000104c789f4 WebCore::Document::finishedParsing() + 532 (Document.cpp:4863) 33 com.apple.WebCore 0x000000010513d18c WebCore::HTMLTreeBuilder::finished() + 140 (HTMLTreeBuilder.cpp:2786) 34 com.apple.WebCore 0x0000000105077963 WebCore::HTMLDocumentParser::end() + 211 (HTMLDocumentParser.cpp:377) 35 com.apple.WebCore 0x0000000105076ac6 WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() + 262 (HTMLDocumentParser.cpp:386) 36 com.apple.WebCore 0x00000001050768c2 WebCore::HTMLDocumentParser::prepareToStopParsing() + 242 (HTMLDocumentParser.cpp:154) 37 com.apple.WebCore 0x00000001050779b3 WebCore::HTMLDocumentParser::attemptToEnd() + 67 (HTMLDocumentParser.cpp:398) 38 com.apple.WebCore 0x0000000105077a08 WebCore::HTMLDocumentParser::finish() + 72 (HTMLDocumentParser.cpp:425) 39 com.apple.WebCore 0x0000000104cd50cf WebCore::DocumentWriter::end() + 383 (DocumentWriter.cpp:242) 40 com.apple.WebCore 0x0000000104cb546f WebCore::DocumentLoader::finishedLoading() + 207 (DocumentLoader.cpp:300) 41 com.apple.WebCore 0x000000010587ae96 WebCore::MainResourceLoader::didFinishLoading(double) + 278 (MainResourceLoader.cpp:517) 42 com.apple.WebCore 0x0000000105c82a05 WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*, double) + 53 (ResourceLoader.cpp:437) 43 com.apple.WebCore 0x0000000105c7f59b -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] + 187 (ResourceHandleMac.mm:861) 44 com.apple.Foundation 0x00007fff8acf5662 ___NSURLConnectionDidFinishLoading_block_invoke_1 + 122 45 com.apple.Foundation 0x00007fff8acf55e2 _NSURLConnectionDidFinishLoading + 81 46 com.apple.CFNetwork 0x00007fff8859b4fe URLConnectionClient::_clientDidFinishLoading(URLConnectionClient::ClientConnectionEventQueue*) + 296 47 com.apple.CFNetwork 0x00007fff8864b91e URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 862 48 com.apple.CFNetwork 0x00007fff8864bb0a URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 1354 49 com.apple.CFNetwork 0x00007fff88576389 URLConnectionClient::processEvents() + 185 50 com.apple.CFNetwork 0x00007fff8857622e MultiplexerSource::perform() + 212 51 com.apple.CoreFoundation 0x00007fff892a66e1 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17 52 com.apple.CoreFoundation 0x00007fff892a5f4d __CFRunLoopDoSources0 + 253 53 com.apple.CoreFoundation 0x00007fff892ccd39 __CFRunLoopRun + 905 54 com.apple.CoreFoundation 0x00007fff892cc676 CFRunLoopRunSpecific + 230 55 com.apple.Foundation 0x00007fff8ac98f9f -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 267 56 DumpRenderTree 0x00000001032a4229 _ZL7runTestRKNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEE + 5657 (DumpRenderTree.mm:1363) 57 DumpRenderTree 0x00000001032a2b6a _ZL20runTestingServerLoopv + 282 (DumpRenderTree.mm:829) 58 DumpRenderTree 0x00000001032a23fa dumpRenderTree(int, char const**) + 394 (DumpRenderTree.mm:876) 59 DumpRenderTree 0x00000001032a4a69 main + 105 (DumpRenderTree.mm:913) 60 DumpRenderTree 0x000000010328d284 start + 52

Attachments
Patch (1.33 KB, patch) 2012-07-17 09:51 PDT, Andy Estes	no flags	Details Formatted Diff Diff
Patch (1.36 KB, patch) 2012-07-17 10:06 PDT, Andy Estes	no flags	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Andy Estes

Comment 1 2012-07-17 09:51:37 PDT

Created attachment 152772 [details] Patch

WebKit Review Bot

Comment 2 2012-07-17 09:54:08 PDT

Comment on attachment 152772 [details] Patch Rejecting attachment 152772 [details] from commit-queue. Failed to run "['/mnt/git/webkit-commit-queue/Tools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '-..." exit_code: 1 ERROR: /mnt/git/webkit-commit-queue/LayoutTests/ChangeLog neither lists a valid reviewer nor contains the string "Unreviewed" or "Rubber stamp" (case insensitive). Full output: http://queues.webkit.org/results/13284170

Andy Estes

Comment 3 2012-07-17 10:06:18 PDT

Created attachment 152774 [details] Patch

WebKit Review Bot

Comment 4 2012-07-17 11:10:10 PDT

Comment on attachment 152774 [details] Patch Clearing flags on attachment: 152774 Committed r122858: <http://trac.webkit.org/changeset/122858>

WebKit Review Bot

Comment 5 2012-07-17 11:10:22 PDT

All reviewed patches have been landed. Closing bug.

Andy Estes

Comment 6 2012-07-17 11:12:25 PDT

r122858 just skipped the test. Reopening.

Filip Pizlo

Comment 7 2012-07-17 16:13:46 PDT

Also skipped in http://trac.webkit.org/changeset/122890

Ryosuke Niwa

Comment 8 2013-05-22 18:05:00 PDT

Not crashing anymore.

Note You need to log in before you can comment on or make changes to this bug.