RESOLVED FIXED 114328
REGRESSION (r148032-r148044): Reproducible crash in JSC::JSObject
https://bugs.webkit.org/show_bug.cgi?id=114328
Kevin M. Dean
Reported 2013-04-09 19:18:19 PDT
Process:         WebProcess [24605]
Path:            /Applications/WebKit.app/Contents/Frameworks/10.8/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess
Identifier:      com.apple.WebProcess
Version:         537+ (537.37+)
Code Type:       X86-64 (Native)
Parent Process:  ??? [1]
User ID:         501

Date/Time:       2013-04-09 21:12:46.547 -0400
OS Version:      Mac OS X 10.8.3 (12D78)
Report Version:  10

Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000009

VM Regions Near 0x9:
-->
    __TEXT                 000000010111e000-000000010111f000 [    4K] r-x/rwx SM=COW  /Applications/WebKit.app/Contents/Frameworks/10.8/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess

Application Specific Information:
Bundle controller class:
BrowserBundleController

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore        0x000000010174fdd0 JSC::JSObject::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 256
1   com.apple.JavaScriptCore        0x000000010173bac9 JSC::JSFunction::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 377
2   com.apple.JavaScriptCore        0x000000010179bf2d llint_slow_path_put_by_val + 1213
3   com.apple.JavaScriptCore        0x00000001017a3856 llint_op_put_by_val + 562
4   com.apple.JavaScriptCore        0x00000001016c9bae JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) + 4318
5   com.apple.JavaScriptCore        0x00000001015e390b JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) + 619
6   com.apple.WebCore               0x000000010254f88a WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*) + 442
7   com.apple.WebCore               0x000000010254fa19 WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) + 41
8   com.apple.WebCore               0x0000000102558f6d WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 525
9   com.apple.WebCore               0x0000000101e446e4 WebCore::HTMLScriptRunner::executePendingScriptAndDispatchEvent(WebCore::PendingScript&) + 228
10  com.apple.WebCore               0x0000000101e445e1 WebCore::HTMLScriptRunner::executeParsingBlockingScript() + 273
11  com.apple.WebCore               0x0000000101e44cc8 WebCore::HTMLScriptRunner::executeParsingBlockingScripts() + 24
12  com.apple.WebCore               0x0000000101df0cff WebCore::HTMLDocumentParser::notifyFinished(WebCore::CachedResource*) + 63
13  com.apple.WebCore               0x0000000101ab60bd WebCore::CachedResource::checkNotify() + 93
14  com.apple.WebCore               0x0000000102627250 WebCore::SubresourceLoader::didFinishLoading(double) + 128
15  com.apple.Foundation            0x00007fff8a4cd528 __65-[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:]_block_invoke_0 + 28
16  com.apple.Foundation            0x00007fff8a4cd46c -[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:] + 227
17  com.apple.Foundation            0x00007fff8a4cd368 -[NSURLConnectionInternal _withActiveConnectionAndDelegate:] + 63
18  com.apple.CFNetwork             0x00007fff8cf205c1 ___delegate_didFinishLoading_block_invoke_0 + 40
19  com.apple.CFNetwork             0x00007fff8cf12a7a ___withDelegateAsync_block_invoke_0 + 90
20  com.apple.CFNetwork             0x00007fff8cfa32ea __block_global_1 + 28
21  com.apple.CoreFoundation        0x00007fff8f394154 CFArrayApplyFunction + 68
22  com.apple.CFNetwork             0x00007fff8cf037e4 RunloopBlockContext::perform() + 124
23  com.apple.CFNetwork             0x00007fff8cf036bb MultiplexerSource::perform() + 221
24  com.apple.CoreFoundation        0x00007fff8f375b31 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
25  com.apple.CoreFoundation        0x00007fff8f375455 __CFRunLoopDoSources0 + 245
26  com.apple.CoreFoundation        0x00007fff8f3987f5 __CFRunLoopRun + 789
27  com.apple.CoreFoundation        0x00007fff8f3980e2 CFRunLoopRunSpecific + 290
28  com.apple.HIToolbox             0x00007fff8bf66eb4 RunCurrentEventLoopInMode + 209
29  com.apple.HIToolbox             0x00007fff8bf66c52 ReceiveNextEventCommon + 356
30  com.apple.HIToolbox             0x00007fff8bf66ae3 BlockUntilNextEventMatchingListInMode + 62
31  com.apple.AppKit                0x00007fff90949563 _DPSNextEvent + 685
32  com.apple.AppKit                0x00007fff90948e22 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
33  com.apple.AppKit                0x00007fff909401d3 -[NSApplication run] + 517
34  com.apple.WebCore               0x000000010254613d WebCore::RunLoop::run() + 77
35  com.apple.WebKit2               0x000000010120162d int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebContentProcessMainDelegate>(int, char**) + 631
36  com.apple.WebProcess            0x000000010111ee43 main + 307
37  libdyld.dylib                   0x00007fff8a81c7e1 start + 1
Geoffrey Garen
Comment 1 2013-04-10 08:34:36 PDT
Can you supply a URL where this happened?
Kevin M. Dean
Comment 2 2013-04-10 08:50:15 PDT
Don't have a specific URL since it didn't appear to be repeating in the same place, but it happened 3 times on different sites after updating the nightly before I switched back to a previous version.
Kevin M. Dean
Comment 3 2013-04-10 08:52:54 PDT
Can't even try with the latest r148082 since that crashes on launch with another JavaScript error.
Kevin M. Dean
Comment 4 2013-04-10 09:00:55 PDT
OK, here's one that repeats somewhat. I launch the r148055 Nightly. Open http://www.macworld.com/ from a bookmark. Click the "The sync conundrum: Rethinking Apple's cloud services" article. After it loads, I open http://www.macupdate.com/ from a bookmark and it crashes before loading. It seems to rely on those specific events. Loading the pages differently in another order or after other pages doesn't necessarily result in a crash, but I was able to repeat it after a clean launch following those steps immediately.
Kevin M. Dean
Comment 5 2013-04-10 09:03:38 PDT
Alexey Proskuryakov
Comment 6 2013-04-10 09:55:38 PDT
Based on regression range, this has to be <http://trac.webkit.org/changeset/148036>. We are currently internally tracking a crash with a different stack trace caused by this patch, <rdar://problem/13613932>.
Alexey Proskuryakov
Comment 7 2013-04-10 09:55:42 PDT
*** Bug 114333 has been marked as a duplicate of this bug. ***
Alexey Proskuryakov
Comment 8 2013-04-10 10:02:08 PDT
(In reply to comment #3)
> Can't even try with the latest r148082 since that crashes on launch with another javascript error.

That's bug 114341.
Alexey Proskuryakov
Comment 9 2013-04-10 15:35:38 PDT
Mark, is <http://trac.webkit.org/changeset/148142> expected to fix this too?
Mark Hahnenberg
Comment 10 2013-04-10 15:39:33 PDT
(In reply to comment #9)
> Mark, is <http://trac.webkit.org/changeset/148142> expected to fix this too?

I believe it should. I tested with and without the patch using Kevin's repro steps and it no longer crashes with the fix.
Alexey Proskuryakov
Comment 11 2013-04-10 22:05:31 PDT
*** Bug 114408 has been marked as a duplicate of this bug. ***