Bug 11891 - REGRESSION(r18328): Webkit crashing shortly after startup (YUI Animation)
Summary: REGRESSION(r18328): Webkit crashing shortly after startup (YUI Animation)
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: CSS
Version: 420+
Hardware: Mac OS X 10.4
: P1 Major
Assignee: Alexey Proskuryakov
URL: http://address.yahoo.com/
Keywords: InRadar, Regression
Depends on:
Blocks:
 
Reported: 2006-12-20 05:14 PST by Patricia Warwick
Modified: 2007-01-03 11:51 PST (History)

See Also:


Attachments
Safari crash log (79.10 KB, text/plain), 2006-12-20 05:15 PST, Patricia Warwick, no flags
Webarchive of Y! Address page (crashes every time) (237.63 KB, application/x-webarchive), 2006-12-21 04:07 PST, David Kilzer (:ddkilzer), no flags
Web Page, Complete version of Webarchive (crashes) (59.14 KB, application/zip), 2006-12-21 04:17 PST, David Kilzer (:ddkilzer), no flags
Patch v1 (1.47 KB, patch), 2006-12-21 20:13 PST, David Kilzer (:ddkilzer), no flags
Crash log (27.81 KB, text/plain), 2007-01-03 07:21 PST, Patricia Warwick, no flags

Description Patricia Warwick 2006-12-20 05:14:48 PST
After launching the 18338 nightly update, I open a few pages in tabs and, whether or not I do anything else, a few minutes later WebKit crashes. I suspect it is due to the fact that one of the sites automatically reloads every few minutes.
Comment 1 Patricia Warwick 2006-12-20 05:15:48 PST
Created attachment 11931 [details]
Safari crash log
Comment 2 Alexey Proskuryakov 2006-12-20 06:03:43 PST
While there is a chance that these crash logs will be sufficient to fix this problem, it will be much more likely if there were steps to reproduce the problem. What are the sites you are seeing this problem with?


Beginning of crash log for easier searching:

Thread 0 Crashed:
0   com.apple.WebCore        	0x01270908 KJS::DOMCSSStyleDeclaration::put(KJS::ExecState*, KJS::Identifier const&, KJS::JSValue*, int) + 568
1   com.apple.JavaScriptCore 	0x00131040 KJS::AssignBracketNode::evaluate(KJS::ExecState*) + 3360
2   com.apple.JavaScriptCore 	0x00131528 KJS::ExprStatementNode::execute(KJS::ExecState*) + 104
3   com.apple.JavaScriptCore 	0x0013491c KJS::SourceElementsNode::execute(KJS::ExecState*) + 252
4   com.apple.JavaScriptCore 	0x0013380c KJS::CaseClauseNode::evalStatements(KJS::ExecState*) + 76
Comment 3 Patricia Warwick 2006-12-20 06:29:21 PST
I think the site responsible is http://www.huffingtonpost.com/
Comment 4 David Kilzer (:ddkilzer) 2006-12-20 07:38:22 PST
Confirming.  I'm seeing this every time I connect to http://address.yahoo.com/ after logging in to my Yahoo! account.

Using a locally-built debug build of WebKit r18344 with Safari 2.0.4 (419.3) on Mac OS X 10.4.8 (8L127).

Console prints:  Bus error

Stack trace from debug build:

Date/Time:      2006-12-20 09:27:51.016 -0600
OS Version:     10.4.8 (Build 8L127)
Report Version: 4

Command: Safari
Path:    /Applications/Safari.app/Contents/MacOS/Safari
Parent:  bash [412]

Version:        2.0.4 (419.3)
Build Version:  1
Project Name:   WebBrowser
Source Version: 4190300

PID:    15300
Thread: 0

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000000

Thread 0 Crashed:
0   com.apple.WebCore        	0x013081a4 KJS::DOMCSSStyleDeclaration::put(KJS::ExecState*, KJS::Identifier const&, KJS::JSValue*, int) + 424 (kjs_css.cpp:222)
1   com.apple.JavaScriptCore 	0x00531334 KJS::AssignBracketNode::evaluate(KJS::ExecState*) + 3684 (nodes.cpp:1506)
2   com.apple.JavaScriptCore 	0x0052739c KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1672)
3   com.apple.JavaScriptCore 	0x005247d4 KJS::SourceElementsNode::execute(KJS::ExecState*) + 300 (nodes.cpp:2450)
4   com.apple.JavaScriptCore 	0x00522ce8 KJS::CaseClauseNode::evalStatements(KJS::ExecState*) + 168 (nodes.cpp:2065)
5   com.apple.JavaScriptCore 	0x00525130 KJS::CaseBlockNode::evalBlock(KJS::ExecState*, KJS::JSValue*) + 1272 (nodes.cpp:2183)
6   com.apple.JavaScriptCore 	0x00525548 KJS::SwitchNode::execute(KJS::ExecState*) + 488 (nodes.cpp:2235)
7   com.apple.JavaScriptCore 	0x005247d4 KJS::SourceElementsNode::execute(KJS::ExecState*) + 300 (nodes.cpp:2450)
8   com.apple.JavaScriptCore 	0x005222cc KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1649)
9   com.apple.JavaScriptCore 	0x0050ff10 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 92 (function.cpp:361)
10  com.apple.JavaScriptCore 	0x00513114 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 688 (function.cpp:111)
11  com.apple.JavaScriptCore 	0x00536de0 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:96)
12  com.apple.JavaScriptCore 	0x0050e71c KJS::FunctionProtoFunc::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 1808 (function_object.cpp:138)
13  com.apple.JavaScriptCore 	0x00536de0 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:96)
14  com.apple.JavaScriptCore 	0x0052af68 KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 972 (nodes.cpp:772)
15  com.apple.JavaScriptCore 	0x00525c04 KJS::ReturnNode::execute(KJS::ExecState*) + 384 (nodes.cpp:2021)
16  com.apple.JavaScriptCore 	0x00524938 KJS::SourceElementsNode::execute(KJS::ExecState*) + 656 (nodes.cpp:2456)
17  com.apple.JavaScriptCore 	0x005222cc KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1649)
18  com.apple.JavaScriptCore 	0x00527224 KJS::IfNode::execute(KJS::ExecState*) + 520 (nodes.cpp:1691)
19  com.apple.JavaScriptCore 	0x00524938 KJS::SourceElementsNode::execute(KJS::ExecState*) + 656 (nodes.cpp:2456)
20  com.apple.JavaScriptCore 	0x005222cc KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1649)
21  com.apple.JavaScriptCore 	0x0050ff10 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 92 (function.cpp:361)
22  com.apple.JavaScriptCore 	0x00513114 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 688 (function.cpp:111)
23  com.apple.JavaScriptCore 	0x00536de0 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:96)
24  com.apple.JavaScriptCore 	0x0052af68 KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 972 (nodes.cpp:772)
25  com.apple.JavaScriptCore 	0x0052739c KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1672)
26  com.apple.JavaScriptCore 	0x00524938 KJS::SourceElementsNode::execute(KJS::ExecState*) + 656 (nodes.cpp:2456)
27  com.apple.JavaScriptCore 	0x005222cc KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1649)
28  com.apple.JavaScriptCore 	0x0050ff10 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 92 (function.cpp:361)
29  com.apple.JavaScriptCore 	0x00513114 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 688 (function.cpp:111)
30  com.apple.JavaScriptCore 	0x00536de0 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:96)
31  com.apple.JavaScriptCore 	0x0052af68 KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 972 (nodes.cpp:772)
32  com.apple.JavaScriptCore 	0x0052739c KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1672)
33  com.apple.JavaScriptCore 	0x00524938 KJS::SourceElementsNode::execute(KJS::ExecState*) + 656 (nodes.cpp:2456)
34  com.apple.JavaScriptCore 	0x005222cc KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1649)
35  com.apple.JavaScriptCore 	0x0050ff10 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 92 (function.cpp:361)
36  com.apple.JavaScriptCore 	0x00513114 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 688 (function.cpp:111)
37  com.apple.JavaScriptCore 	0x00536de0 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:96)
38  com.apple.JavaScriptCore 	0x0050e71c KJS::FunctionProtoFunc::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 1808 (function_object.cpp:138)
39  com.apple.JavaScriptCore 	0x00536de0 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:96)
40  com.apple.JavaScriptCore 	0x0052af68 KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 972 (nodes.cpp:772)
41  com.apple.JavaScriptCore 	0x0052739c KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1672)
42  com.apple.JavaScriptCore 	0x00524938 KJS::SourceElementsNode::execute(KJS::ExecState*) + 656 (nodes.cpp:2456)
43  com.apple.JavaScriptCore 	0x005222cc KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1649)
44  com.apple.JavaScriptCore 	0x00527224 KJS::IfNode::execute(KJS::ExecState*) + 520 (nodes.cpp:1691)
45  com.apple.JavaScriptCore 	0x00524938 KJS::SourceElementsNode::execute(KJS::ExecState*) + 656 (nodes.cpp:2456)
46  com.apple.JavaScriptCore 	0x005222cc KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1649)
47  com.apple.JavaScriptCore 	0x00526128 KJS::ForNode::execute(KJS::ExecState*) + 1056 (nodes.cpp:1820)
48  com.apple.JavaScriptCore 	0x00524938 KJS::SourceElementsNode::execute(KJS::ExecState*) + 656 (nodes.cpp:2456)
49  com.apple.JavaScriptCore 	0x005222cc KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1649)
50  com.apple.JavaScriptCore 	0x0050ff10 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 92 (function.cpp:361)
51  com.apple.JavaScriptCore 	0x00513114 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 688 (function.cpp:111)
52  com.apple.JavaScriptCore 	0x00536de0 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:96)
53  com.apple.JavaScriptCore 	0x0052af68 KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 972 (nodes.cpp:772)
54  com.apple.JavaScriptCore 	0x0052739c KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1672)
55  com.apple.JavaScriptCore 	0x005247d4 KJS::SourceElementsNode::execute(KJS::ExecState*) + 300 (nodes.cpp:2450)
56  com.apple.JavaScriptCore 	0x005222cc KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1649)
57  com.apple.JavaScriptCore 	0x00527224 KJS::IfNode::execute(KJS::ExecState*) + 520 (nodes.cpp:1691)
58  com.apple.JavaScriptCore 	0x00524938 KJS::SourceElementsNode::execute(KJS::ExecState*) + 656 (nodes.cpp:2456)
59  com.apple.JavaScriptCore 	0x005222cc KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1649)
60  com.apple.JavaScriptCore 	0x0050ff10 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 92 (function.cpp:361)
61  com.apple.JavaScriptCore 	0x00513114 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 688 (function.cpp:111)
62  com.apple.JavaScriptCore 	0x00536de0 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:96)
63  com.apple.JavaScriptCore 	0x0052b854 KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 856 (nodes.cpp:679)
64  com.apple.JavaScriptCore 	0x0052739c KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1672)
65  com.apple.JavaScriptCore 	0x00524938 KJS::SourceElementsNode::execute(KJS::ExecState*) + 656 (nodes.cpp:2456)
66  com.apple.JavaScriptCore 	0x005222cc KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1649)
67  com.apple.JavaScriptCore 	0x00527224 KJS::IfNode::execute(KJS::ExecState*) + 520 (nodes.cpp:1691)
68  com.apple.JavaScriptCore 	0x00524938 KJS::SourceElementsNode::execute(KJS::ExecState*) + 656 (nodes.cpp:2456)
69  com.apple.JavaScriptCore 	0x005222cc KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1649)
70  com.apple.JavaScriptCore 	0x00526128 KJS::ForNode::execute(KJS::ExecState*) + 1056 (nodes.cpp:1820)
71  com.apple.JavaScriptCore 	0x00524938 KJS::SourceElementsNode::execute(KJS::ExecState*) + 656 (nodes.cpp:2456)
72  com.apple.JavaScriptCore 	0x005222cc KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1649)
73  com.apple.JavaScriptCore 	0x0050ff10 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 92 (function.cpp:361)
74  com.apple.JavaScriptCore 	0x00513114 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 688 (function.cpp:111)
75  com.apple.JavaScriptCore 	0x00536de0 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:96)
76  com.apple.JavaScriptCore 	0x0050e71c KJS::FunctionProtoFunc::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 1808 (function_object.cpp:138)
77  com.apple.JavaScriptCore 	0x00536de0 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:96)
78  com.apple.JavaScriptCore 	0x0052af68 KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 972 (nodes.cpp:772)
79  com.apple.JavaScriptCore 	0x0052739c KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1672)
80  com.apple.JavaScriptCore 	0x00524938 KJS::SourceElementsNode::execute(KJS::ExecState*) + 656 (nodes.cpp:2456)
81  com.apple.JavaScriptCore 	0x005222cc KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1649)
82  com.apple.JavaScriptCore 	0x00527224 KJS::IfNode::execute(KJS::ExecState*) + 520 (nodes.cpp:1691)
83  com.apple.JavaScriptCore 	0x00524938 KJS::SourceElementsNode::execute(KJS::ExecState*) + 656 (nodes.cpp:2456)
84  com.apple.JavaScriptCore 	0x005222cc KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1649)
85  com.apple.JavaScriptCore 	0x00526128 KJS::ForNode::execute(KJS::ExecState*) + 1056 (nodes.cpp:1820)
86  com.apple.JavaScriptCore 	0x00524938 KJS::SourceElementsNode::execute(KJS::ExecState*) + 656 (nodes.cpp:2456)
87  com.apple.JavaScriptCore 	0x005222cc KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1649)
88  com.apple.JavaScriptCore 	0x0050ff10 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 92 (function.cpp:361)
89  com.apple.JavaScriptCore 	0x00513114 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 688 (function.cpp:111)
90  com.apple.JavaScriptCore 	0x00536de0 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:96)
91  com.apple.JavaScriptCore 	0x0052af68 KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 972 (nodes.cpp:772)
92  com.apple.JavaScriptCore 	0x0052739c KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1672)
93  com.apple.JavaScriptCore 	0x00524938 KJS::SourceElementsNode::execute(KJS::ExecState*) + 656 (nodes.cpp:2456)
94  com.apple.JavaScriptCore 	0x005222cc KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1649)
95  com.apple.JavaScriptCore 	0x0050ff10 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 92 (function.cpp:361)
96  com.apple.JavaScriptCore 	0x00513114 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 688 (function.cpp:111)
97  com.apple.JavaScriptCore 	0x00536de0 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:96)
98  com.apple.JavaScriptCore 	0x0050e71c KJS::FunctionProtoFunc::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 1808 (function_object.cpp:138)
99  com.apple.JavaScriptCore 	0x00536de0 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:96)
100 com.apple.JavaScriptCore 	0x0052af68 KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 972 (nodes.cpp:772)
101 com.apple.JavaScriptCore 	0x00525c04 KJS::ReturnNode::execute(KJS::ExecState*) + 384 (nodes.cpp:2021)
102 com.apple.JavaScriptCore 	0x005247d4 KJS::SourceElementsNode::execute(KJS::ExecState*) + 300 (nodes.cpp:2450)
103 com.apple.JavaScriptCore 	0x005222cc KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1649)
104 com.apple.JavaScriptCore 	0x0050ff10 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 92 (function.cpp:361)
105 com.apple.JavaScriptCore 	0x00513114 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 688 (function.cpp:111)
106 com.apple.JavaScriptCore 	0x00536de0 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:96)
107 com.apple.JavaScriptCore 	0x0052af68 KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 972 (nodes.cpp:772)
108 com.apple.JavaScriptCore 	0x0052739c KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1672)
109 com.apple.JavaScriptCore 	0x00524938 KJS::SourceElementsNode::execute(KJS::ExecState*) + 656 (nodes.cpp:2456)
110 com.apple.JavaScriptCore 	0x005222cc KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1649)
111 com.apple.JavaScriptCore 	0x0050ff10 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 92 (function.cpp:361)
112 com.apple.JavaScriptCore 	0x00513114 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 688 (function.cpp:111)
113 com.apple.JavaScriptCore 	0x00536de0 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:96)
114 com.apple.JavaScriptCore 	0x0052b854 KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 856 (nodes.cpp:679)
115 com.apple.JavaScriptCore 	0x0052739c KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1672)
116 com.apple.JavaScriptCore 	0x005247d4 KJS::SourceElementsNode::execute(KJS::ExecState*) + 300 (nodes.cpp:2450)
117 com.apple.JavaScriptCore 	0x005222cc KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1649)
118 com.apple.JavaScriptCore 	0x0050ff10 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 92 (function.cpp:361)
119 com.apple.JavaScriptCore 	0x00513114 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 688 (function.cpp:111)
120 com.apple.JavaScriptCore 	0x00536de0 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:96)
121 com.apple.JavaScriptCore 	0x0050e71c KJS::FunctionProtoFunc::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 1808 (function_object.cpp:138)
122 com.apple.JavaScriptCore 	0x00536de0 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:96)
123 com.apple.JavaScriptCore 	0x0052af68 KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 972 (nodes.cpp:772)
124 com.apple.JavaScriptCore 	0x00525c04 KJS::ReturnNode::execute(KJS::ExecState*) + 384 (nodes.cpp:2021)
125 com.apple.JavaScriptCore 	0x005247d4 KJS::SourceElementsNode::execute(KJS::ExecState*) + 300 (nodes.cpp:2450)
126 com.apple.JavaScriptCore 	0x005222cc KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1649)
127 com.apple.JavaScriptCore 	0x0050ff10 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 92 (function.cpp:361)
128 com.apple.JavaScriptCore 	0x00513114 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 688 (function.cpp:111)
129 com.apple.JavaScriptCore 	0x00536de0 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:96)
130 com.apple.WebCore        	0x01313b08 KJS::JSAbstractEventListener::handleEvent(WebCore::Event*, bool) + 736 (kjs_events.cpp:121)
131 com.apple.WebCore        	0x0113ca54 WebCore::Document::handleWindowEvent(WebCore::Event*, bool) + 416 (Document.cpp:2240)
132 com.apple.WebCore        	0x012d3d5c WebCore::EventTargetNode::dispatchWindowEvent(WebCore::AtomicString const&, bool, bool) + 360 (EventTargetNode.cpp:327)
133 com.apple.WebCore        	0x0113f8e0 WebCore::Document::implicitClose() + 796 (Document.cpp:1329)
134 com.apple.WebCore        	0x014b8d9c WebCore::FrameLoader::checkEmitLoadEvent() + 596 (FrameLoader.cpp:1079)
135 com.apple.WebCore        	0x014bd764 WebCore::FrameLoader::checkCompleted() + 468 (FrameLoader.cpp:1050)
136 com.apple.WebCore        	0x014bd9a0 WebCore::FrameLoader::finishedParsing() + 100 (FrameLoader.cpp:1007)
137 com.apple.WebCore        	0x0113a3f8 WebCore::Document::finishedParsing() + 84 (Document.cpp:3328)
138 com.apple.WebCore        	0x01022f3c WebCore::HTMLParser::finished() + 300 (HTMLParser.cpp:1405)
139 com.apple.WebCore        	0x010284c8 WebCore::HTMLTokenizer::end() + 336 (HTMLTokenizer.cpp:1549)
140 com.apple.WebCore        	0x0102ce6c WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 2620 (HTMLTokenizer.cpp:1485)
141 com.apple.WebCore        	0x01026864 WebCore::HTMLTokenizer::timerFired(WebCore::Timer<WebCore::HTMLTokenizer>*) + 320 (HTMLTokenizer.cpp:1523)
142 com.apple.WebCore        	0x015cb318 WebCore::Timer<WebCore::HTMLTokenizer>::fired() + 152 (Timer.h:96)
143 com.apple.WebCore        	0x012acea0 WebCore::TimerBase::fireTimers(double, WTF::Vector<WebCore::TimerBase*, (unsigned long)0> const&) + 236 (Timer.cpp:322)
144 com.apple.WebCore        	0x012acf6c WebCore::TimerBase::sharedTimerFired() + 132 (Timer.cpp:355)
145 com.apple.WebCore        	0x012ac318 WebCore::timerFired(__CFRunLoopTimer*, void*) + 60 (SharedTimerMac.cpp:47)
146 com.apple.CoreFoundation 	0x907f0550 __CFRunLoopDoTimer + 184
147 com.apple.CoreFoundation 	0x907dcec8 __CFRunLoopRun + 1680
148 com.apple.CoreFoundation 	0x907dc47c CFRunLoopRunSpecific + 268
149 com.apple.HIToolbox      	0x93208740 RunCurrentEventLoopInMode + 264
150 com.apple.HIToolbox      	0x93207d4c ReceiveNextEventCommon + 244
151 com.apple.HIToolbox      	0x93207c40 BlockUntilNextEventMatchingListInMode + 96
152 com.apple.AppKit         	0x9370bae4 _DPSNextEvent + 384
153 com.apple.AppKit         	0x9370b7a8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
154 com.apple.Safari         	0x00006740 0x1000 + 22336
155 com.apple.AppKit         	0x93707cec -[NSApplication run] + 472
156 com.apple.AppKit         	0x937f887c NSApplicationMain + 452
157 com.apple.Safari         	0x0005c77c 0x1000 + 374652
158 com.apple.Safari         	0x0005c624 0x1000 + 374308
Comment 5 Alexey Proskuryakov 2006-12-20 11:09:35 PST
So, it looks like my mistake; the crashing line is:

      ASSERT(styleDecl.stylesheet()->isCSSStyleSheet());
Comment 6 Alexey Proskuryakov 2006-12-20 13:41:16 PST
Then again, maybe not - a rule without a stylesheet seems wrong.

The crash happens in Yahoo UI animation code, but I couldn't reproduce it with their demos.
Comment 7 David Kilzer (:ddkilzer) 2006-12-20 16:53:50 PST
(In reply to comment #6)
> Then again, maybe not - a rule without a stylesheet seems wrong.

Do we really need to crash the debug browser when this happens, though?  That's awfully annoying.  :(  Could we log an error instead?
Comment 8 David Kilzer (:ddkilzer) 2006-12-21 04:07:45 PST
Created attachment 11947 [details]
Webarchive of Y! Address page (crashes every time)

This webarchive crashes every time when I open it.  I will provide a web-page-complete version of it next for easier reduction.
Comment 9 David Kilzer (:ddkilzer) 2006-12-21 04:17:04 PST
Created attachment 11948 [details]
Web Page, Complete version of Webarchive (crashes)

This is the contents of the webarchive (Attachment 11947 [details]) converted to a "Web Page, Complete" format as if it were saved from Firefox.  (The conversion isn't perfect, but it's close.  The *.html.orig file is the original content from the webarchive file with no URLs rewritten to use the *_files directory.  I wrote this utility to "fix" Bug 7241, but it's not quite ready for prime time yet.)
Comment 10 David Kilzer (:ddkilzer) 2006-12-21 05:20:30 PST
I tried reducing this myself, but I got stuck in the bowels of address.yahoo.com-crash_files/yab.js.  Basically, if you put an alert() statement before the "function setup_region_encoding_pulldowns(region2encodings, encoding2name, opt_on_enc_change)" definition, you will see the alert before the crash.  Anywhere after that and you won't see the alert before Safari crashes.

The other "interesting" thing about this page is that there is JavaScript in the address.yahoo.com-crash_files/yab_blue.css file.

Comment 11 David Kilzer (:ddkilzer) 2006-12-21 20:10:58 PST
The change to kjs_css.cpp occurred in r18320.

I have a fix that works for the Y! Address webarchive, but I'm not sure I understand how to reproduce the issue in a test.  Do all CSSStyleDeclaration objects have a stylesheet, or are there cases when a CSSStyleDeclaration won't have a stylesheet (perhaps during a race condition)?

Also, is there a way to get the frame for a given CSSStyleDeclaration without going through  static_cast<CSSStyleSheet*>(styleDecl.stylesheet())->doc()->frame()?  The only reason the stylesheet is needed is to get a reference to the frame to check the shouldUseDashboardBackwardCompatibilityMode setting.

Comment 12 David Kilzer (:ddkilzer) 2006-12-21 20:13:21 PST
Created attachment 11960 [details]
Patch v1

This patch fixes the issue I'm seeing with the Y! Address webarchive (attachment 11947 [details]), but I'm not sure how to write a test for it.
Comment 13 Alexey Proskuryakov 2006-12-21 22:09:14 PST
(In reply to comment #11)
> Do all CSSStyleDeclaration
> objects have a stylesheet, or are there cases when a CSSStyleDeclaration won't
> have a stylesheet (perhaps during a race condition)?

I have now found a way to reproduce the crash - computed styles don't have a stylesheet, e.g.:
getComputedStyle(element).color = "blue";

Computed styles are of course immutable, but the check is only performed later (in DOM implementation). This makes me think that the approach in this patch is correct. For better performance, it would be nice to avoid re-calculating styleDecl.stylesheet() several times.

Not sure if it's the same case that causes a crash at these sites, still investigating.

> Also, is there a way to get the frame for a given CSSStyleDeclaration without
> going through <...>

I haven't found one. But it looks like a logical way to get one!
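A reduced model of the lookup chain discussed in comments 5, 11 and 13, added here as an illustration; it is not WebKit's code, and the Frame, Document, StyleSheet, CSSStyleSheet and CSSStyleDeclaration classes below are constructed stand-ins that keep only the members the chain touches. It puts the unchecked chain from comment 11 beside a form that checks each link, and shows that a declaration with no stylesheet (the computed-style case) resolves to no frame instead of dereferencing null.

```cpp
#include <cassert>
#include <cstdio>

// Constructed stand-ins for the WebKit classes named in the bug (not WebKit's code).
class Frame {
public:
    explicit Frame(bool dashboardCompat) : m_dashboardCompat(dashboardCompat) {}
    bool shouldUseDashboardBackwardCompatibilityMode() const { return m_dashboardCompat; }
private:
    bool m_dashboardCompat;
};

class Document {
public:
    explicit Document(Frame* frame) : m_frame(frame) {}
    Frame* frame() const { return m_frame; }   // may be null for a detached document
private:
    Frame* m_frame;
};

class StyleSheet {
public:
    virtual ~StyleSheet() {}
    virtual bool isCSSStyleSheet() const { return false; }
};

class CSSStyleSheet : public StyleSheet {
public:
    explicit CSSStyleSheet(Document* doc) : m_doc(doc) {}
    bool isCSSStyleSheet() const override { return true; }
    Document* doc() const { return m_doc; }
private:
    Document* m_doc;
};

// A rule-backed declaration carries its stylesheet; a computed style carries none.
class CSSStyleDeclaration {
public:
    explicit CSSStyleDeclaration(StyleSheet* sheet) : m_sheet(sheet) {}
    StyleSheet* stylesheet() const { return m_sheet; }
private:
    StyleSheet* m_sheet;
};

// The unchecked chain quoted in comment 11: on a declaration whose stylesheet()
// is null this dereferences a null pointer, which is the crash the bug reports.
static bool dashboardModeUnchecked(const CSSStyleDeclaration& styleDecl) {
    return static_cast<CSSStyleSheet*>(styleDecl.stylesheet())->doc()->frame()
        ->shouldUseDashboardBackwardCompatibilityMode();
}

// Checked lookup: every link is tested before it is followed, and a non-CSS
// stylesheet is rejected before the downcast rather than asserted on.
static Frame* frameForStyleDecl(const CSSStyleDeclaration& styleDecl) {
    StyleSheet* sheet = styleDecl.stylesheet();
    if (!sheet || !sheet->isCSSStyleSheet())
        return nullptr;
    Document* doc = static_cast<CSSStyleSheet*>(sheet)->doc();
    return doc ? doc->frame() : nullptr;
}

static bool dashboardModeChecked(const CSSStyleDeclaration& styleDecl) {
    Frame* frame = frameForStyleDecl(styleDecl);
    return frame && frame->shouldUseDashboardBackwardCompatibilityMode();
}

// Rule-backed declaration: both forms agree and resolve the owning frame.
static bool ruleBackedDeclarationResolvesFrame() {
    Frame frame(true);
    Document doc(&frame);
    CSSStyleSheet sheet(&doc);
    CSSStyleDeclaration decl(&sheet);
    return frameForStyleDecl(decl) == &frame
        && dashboardModeChecked(decl) && dashboardModeUnchecked(decl);
}

// Computed style (no stylesheet): the checked form yields no frame and does not crash.
static bool computedStyleResolvesNoFrame() {
    CSSStyleDeclaration computed(nullptr);
    return frameForStyleDecl(computed) == nullptr && !dashboardModeChecked(computed);
}

int main() {
    std::printf("rule-backed resolves frame: %d\n", ruleBackedDeclarationResolvesFrame());
    std::printf("computed style is safe:     %d\n", computedStyleResolvesNoFrame());
    return 0;
}
```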
Comment 14 Alexey Proskuryakov 2006-12-21 22:21:31 PST
Beth has just checked in a fix for what looks like a real life cause for these crashes, r18386!
Comment 15 David Kilzer (:ddkilzer) 2006-12-22 01:45:47 PST
Per r18386 and Comment #14, this appears to be in Radar as well:

<rdar://problem/4897162> REGRESSION: Attempting to create a new message in .Mac web mail causes Safari to crash ( KJS::DOMCSSStyleDeclaration::put() + 368 )

Also, buildbot is claiming 2 regressions were found in testjks with this commit:

http://build.webkit.org/post-commit-powerpc-mac-os-x/builds/4803

Comment 16 David Kilzer (:ddkilzer) 2006-12-22 02:01:33 PST
r18386 definitely fixed the crashing for me on attachment 11947 [details] (the webarchive)!

I'm running the JavaScriptCore tests locally, but my guess is that the Date tests failed because they were run during a midnight boundary change.  (Purely a guess, though.)

Comment 17 David Kilzer (:ddkilzer) 2006-12-22 02:07:13 PST
(In reply to comment #16)
> I'm running the JavaScriptCore tests locally, but my guess is that the Date
> tests failed because they were run during a midnight boundary change.  (Purely
> a guess, though.)

0 regressions found.
0 tests fixed.
OK.

W00t!  I'm closing this bug.

Comment 18 David Kilzer (:ddkilzer) 2006-12-22 02:11:27 PST
(In reply to comment #15)
> Per r18386 and Comment #14, this appears to be in Radar as well:
> 
> <rdar://problem/4897162> REGRESSION: Attempting to create a new message in .Mac
> web mail causes Safari to crash ( KJS::DOMCSSStyleDeclaration::put() + 368 )

Per Beth's comments, this was originally broken in r18328.

Comment 19 Alexey Proskuryakov 2006-12-22 03:52:56 PST
> r18386 definitely fixed the crashing for me on attachment 11947 [details] (the
> webarchive)!

  What about http://www.huffingtonpost.com/ (the original URL)? 

> W00t!  I'm closing this bug.

  I'll file a new one for the computed style problem.
Comment 20 David Kilzer (:ddkilzer) 2006-12-22 06:57:03 PST
(In reply to comment #19)
> > r18386 definitely fixed the crashing for me on attachment 11947 [details] (the
> > webarchive)!
> 
>   What about http://www.huffingtonpost.com/ (the original URL)?

This page does not crash in a locally-built debug build of WebKit r18386, nor did it crash with WebKit nightly r18377 (which I would have expected it to).  Either way it seems to work.

Patricia, let us know if you see a similar crash again (by commenting on this bug).

Comment 21 Patricia Warwick 2006-12-22 07:18:47 PST
Today's version (18386) has fixed my problem with Huffingtonpost ... thanks.
Comment 22 Alexey Proskuryakov 2006-12-22 10:40:51 PST
Marking as verified per comment 21

(In reply to comment #19)
>   I'll file a new one for the computed style problem.

Bug 11933.
Comment 23 Beth Dakin 2006-12-22 11:20:40 PST
Oh yay!
Comment 24 Patricia Warwick 2007-01-03 07:21:29 PST
Created attachment 12187 [details]
Crash log
Comment 25 Patricia Warwick 2007-01-03 07:22:21 PST
This crash is occurring regularly today. Once again it will crash about 5 minutes after I open HuffingtonPost.com (I think that 5 minutes is the refresh period.) 
Comment 26 Alexey Proskuryakov 2007-01-03 08:13:02 PST
This new problem is tracked as bug 12089. In most cases, it's better not to re-open old bugs, even if the symptoms are very similar, as this tends to create confusion.
Comment 27 Patricia Warwick 2007-01-03 11:51:39 PST
I still have a lot to learn about reporting Webkit bugs ... I'll open a new bug in future. Thanks