RESOLVED FIXED 13124
REGRESSION: Reproducible crash in Widget::getView
https://bugs.webkit.org/show_bug.cgi?id=13124
Summary REGRESSION: Reproducible crash in Widget::getView
Tom Brown
Reported 2007-03-19 17:08:55 PDT
Within my webapp, a certain interaction *always* causes a crash. It appears as though JavaScript code continues to execute in the context of a GC'd window. As of yet, I have not been able to create a reduction or successfully break before the crash in Drosera.

The interaction involves 3 windows (1 outer window, 1 outer iframe, and 1 nested iframe):
1) The nested iframe initiates an AJAX request in the context of the outer window.
2) When the AJAX request completes, the outer window replaces the outer iframe with another iframe.
3) One of the iframe elements attempts to initiate another AJAX request in the context of the outer window.
4) The iframe has been cleaned up, and crashes attempting to call "Window::retrieveActive(exec)->frame()->document()" because there is no associated frame.
Attachments
Two html files comprising reduction. (840 bytes, application/octet-stream)
2007-03-21 17:41 PDT, Tom Brown
no flags
Fix crash in getView() (375 bytes, patch)
2007-03-23 02:05 PDT, mitz
no flags
Fix crash in getView() (3.87 KB, patch)
2007-03-23 10:21 PDT, mitz
adele: review+
Tom Brown
Comment 1 2007-03-19 17:09:43 PDT
Backtrace from the crash.

Date/Time: 2007-03-19 18:05:20.095 -0600
OS Version: 10.4.8 (Build 8L2127)
Report Version: 4

Command: Safari
Path: /Applications/Safari.app/Contents/MacOS/Safari
Parent: bash [411]

Version: 2.0.4 (419.3)
Build Version: 2
Project Name: WebBrowser
Source Version: 4190300

PID: 13286
Thread: 0

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x0000000c

Thread 0 Crashed:
0 com.apple.WebCore 0x010b5049 WebCore::Frame::document() const + 9 (Frame.cpp:297)
1 com.apple.WebCore 0x0122c3b3 KJS::JSXMLHttpRequestPrototypeFunction::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 789 (JSXMLHttpRequest.cpp:218)
2 com.apple.JavaScriptCore 0x004fa67e KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 210 (object.cpp:97)
3 com.apple.JavaScriptCore 0x004f15cc KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 944 (nodes.cpp:781)
4 com.apple.JavaScriptCore 0x004ee784 KJS::ExprStatementNode::execute(KJS::ExecState*) + 148 (nodes.cpp:1681)
5 com.apple.JavaScriptCore 0x004ec4b2 KJS::SourceElementsNode::execute(KJS::ExecState*) + 566 (nodes.cpp:2464)
6 com.apple.JavaScriptCore 0x004eacb4 KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1657)
7 com.apple.JavaScriptCore 0x004de320 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 50 (function.cpp:362)
8 com.apple.JavaScriptCore 0x004e01f7 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 573 (function.cpp:111)
9 com.apple.JavaScriptCore 0x004fa67e KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 210 (object.cpp:97)
10 com.apple.JavaScriptCore 0x004f15cc KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 944 (nodes.cpp:781)
11 com.apple.JavaScriptCore 0x004ee784 KJS::ExprStatementNode::execute(KJS::ExecState*) + 148 (nodes.cpp:1681)
12 com.apple.JavaScriptCore 0x004ec4b2 KJS::SourceElementsNode::execute(KJS::ExecState*) + 566 (nodes.cpp:2464)
13 com.apple.JavaScriptCore 0x004eacb4 KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1657)
14 com.apple.JavaScriptCore 0x004de320 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 50 (function.cpp:362)
15 com.apple.JavaScriptCore 0x004e01f7 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 573 (function.cpp:111)
16 com.apple.JavaScriptCore 0x004fa67e KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 210 (object.cpp:97)
17 com.apple.JavaScriptCore 0x004f15cc KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 944 (nodes.cpp:781)
18 com.apple.JavaScriptCore 0x004ee784 KJS::ExprStatementNode::execute(KJS::ExecState*) + 148 (nodes.cpp:1681)
19 com.apple.JavaScriptCore 0x004ec37c KJS::SourceElementsNode::execute(KJS::ExecState*) + 256 (nodes.cpp:2458)
20 com.apple.JavaScriptCore 0x004eacb4 KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1657)
21 com.apple.JavaScriptCore 0x004ee678 KJS::IfNode::execute(KJS::ExecState*) + 420 (nodes.cpp:1700)
22 com.apple.JavaScriptCore 0x004ec4b2 KJS::SourceElementsNode::execute(KJS::ExecState*) + 566 (nodes.cpp:2464)
23 com.apple.JavaScriptCore 0x004eacb4 KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1657)
24 com.apple.JavaScriptCore 0x004de320 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 50 (function.cpp:362)
25 com.apple.JavaScriptCore 0x004e01f7 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 573 (function.cpp:111)
26 com.apple.JavaScriptCore 0x004fa67e KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 210 (object.cpp:97)
27 com.apple.JavaScriptCore 0x004f15cc KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 944 (nodes.cpp:781)
28 com.apple.JavaScriptCore 0x004ee784 KJS::ExprStatementNode::execute(KJS::ExecState*) + 148 (nodes.cpp:1681)
29 com.apple.JavaScriptCore 0x004ec37c KJS::SourceElementsNode::execute(KJS::ExecState*) + 256 (nodes.cpp:2458)
30 com.apple.JavaScriptCore 0x004eacb4 KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1657)
31 com.apple.JavaScriptCore 0x004ee6df KJS::IfNode::execute(KJS::ExecState*) + 523 (nodes.cpp:1707)
32 com.apple.JavaScriptCore 0x004ec4b2 KJS::SourceElementsNode::execute(KJS::ExecState*) + 566 (nodes.cpp:2464)
33 com.apple.JavaScriptCore 0x004eacb4 KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1657)
34 com.apple.JavaScriptCore 0x004ee678 KJS::IfNode::execute(KJS::ExecState*) + 420 (nodes.cpp:1700)
35 com.apple.JavaScriptCore 0x004ec4b2 KJS::SourceElementsNode::execute(KJS::ExecState*) + 566 (nodes.cpp:2464)
36 com.apple.JavaScriptCore 0x004eacb4 KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1657)
37 com.apple.JavaScriptCore 0x004ee678 KJS::IfNode::execute(KJS::ExecState*) + 420 (nodes.cpp:1700)
38 com.apple.JavaScriptCore 0x004ec4b2 KJS::SourceElementsNode::execute(KJS::ExecState*) + 566 (nodes.cpp:2464)
39 com.apple.JavaScriptCore 0x004eacb4 KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1657)
40 com.apple.JavaScriptCore 0x004ee678 KJS::IfNode::execute(KJS::ExecState*) + 420 (nodes.cpp:1700)
41 com.apple.JavaScriptCore 0x004ec4b2 KJS::SourceElementsNode::execute(KJS::ExecState*) + 566 (nodes.cpp:2464)
42 com.apple.JavaScriptCore 0x004eacb4 KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1657)
43 com.apple.JavaScriptCore 0x004de320 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 50 (function.cpp:362)
44 com.apple.JavaScriptCore 0x004e01f7 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 573 (function.cpp:111)
45 com.apple.JavaScriptCore 0x004fa67e KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 210 (object.cpp:97)
46 com.apple.WebCore 0x012398c6 KJS::JSAbstractEventListener::handleEvent(WebCore::Event*, bool) + 574 (kjs_events.cpp:123)
47 com.apple.WebCore 0x011954eb WebCore::XMLHttpRequest::callReadyStateChangeListener() + 281 (xmlhttprequest.cpp:305)
48 com.apple.WebCore 0x01195795 WebCore::XMLHttpRequest::changeState(WebCore::XMLHttpRequestState) + 43 (xmlhttprequest.cpp:297)
49 com.apple.WebCore 0x01195b5a WebCore::XMLHttpRequest::didFinishLoading(WebCore::SubresourceLoader*) + 306 (xmlhttprequest.cpp:625)
50 com.apple.WebCore 0x01389aac WebCore::SubresourceLoader::didFinishLoading() + 168 (SubresourceLoader.cpp:192)
51 com.apple.WebCore 0x0138805a WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*) + 24
52 com.apple.WebCore 0x01367343 -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] + 79 (ResourceHandleMac.mm:370)
53 com.apple.Foundation 0x9265be00 -[NSURLConnection(NSURLConnectionInternal) _sendDidFinishLoadingCallback] + 176
54 com.apple.Foundation 0x92659ea5 -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 748
55 com.apple.Foundation 0x92659b41 _sendCallbacks + 201
56 com.apple.CoreFoundation 0x90829379 CFRunLoopRunSpecific + 1213
57 com.apple.CoreFoundation 0x90828eb5 CFRunLoopRunInMode + 61
58 com.apple.HIToolbox 0x92dcdb90 RunCurrentEventLoopInMode + 285
59 com.apple.HIToolbox 0x92dcd1ce ReceiveNextEventCommon + 184
60 com.apple.HIToolbox 0x92dcd0ee BlockUntilNextEventMatchingListInMode + 81
61 com.apple.AppKit 0x9326f465 _DPSNextEvent + 572
62 com.apple.AppKit 0x9326f056 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 137
63 com.apple.Safari 0x00006f96 0x1000 + 24470
64 com.apple.AppKit 0x93268ddb -[NSApplication run] + 512
65 com.apple.AppKit 0x9325cd2f NSApplicationMain + 573
66 com.apple.Safari 0x0005f7de 0x1000 + 387038
67 com.apple.Safari 0x0005f6f9 0x1000 + 386809

Thread 1:
0 libSystem.B.dylib 0x90009857 mach_msg_trap + 7
1 com.apple.CoreFoundation 0x9082969a CFRunLoopRunSpecific + 2014
2 com.apple.CoreFoundation 0x90828eb5 CFRunLoopRunInMode + 61
3 com.apple.Foundation 0x9262aa9b +[NSURLConnection(NSURLConnectionInternal) _resourceLoadLoop:] + 259
4 com.apple.Foundation 0x925f536c forkThreadForFunction + 123
5 libSystem.B.dylib 0x90023d87 _pthread_body + 84

Thread 2:
0 libSystem.B.dylib 0x90009857 mach_msg_trap + 7
1 com.apple.CoreFoundation 0x9082969a CFRunLoopRunSpecific + 2014
2 com.apple.CoreFoundation 0x90828eb5 CFRunLoopRunInMode + 61
3 com.apple.Foundation 0x92651c4e +[NSURLCache _diskCacheSyncLoop:] + 206
4 com.apple.Foundation 0x925f536c forkThreadForFunction + 123
5 libSystem.B.dylib 0x90023d87 _pthread_body + 84

Thread 3:
0 libSystem.B.dylib 0x90019d3c select + 12
1 libSystem.B.dylib 0x90023d87 _pthread_body + 84

Thread 4:
0 libSystem.B.dylib 0x90024427 semaphore_wait_signal_trap + 7
1 com.apple.Foundation 0x9264b2f8 -[NSConditionLock lockWhenCondition:] + 39
2 com.apple.Syndication 0x9a6d6052 -[AsyncDB _run:] + 181
3 com.apple.Foundation 0x925f536c forkThreadForFunction + 123
4 libSystem.B.dylib 0x90023d87 _pthread_body + 84

Thread 0 crashed with X86 Thread State (32-bit):
eax: 0x00000000 ebx: 0x0122c0af ecx: 0x00000000 edx: 0x193a7a00
edi: 0x00000002 esi: 0x004ee6f0 ebp: 0xbfffd8f8 esp: 0xbfffd8d0
ss: 0x0000001f efl: 0x00010282 eip: 0x010b5049 cs: 0x00000017
ds: 0x0000001f es: 0x0000001f fs: 0x00000000 gs: 0x00000037

Binary Images Description:
0x1000 - 0xdefff com.apple.Safari 2.0.4 (419.3) /Applications/Safari.app/Contents/MacOS/Safari
0x305000 - 0x3e2fff com.apple.WebKit 522+ /Users/tom/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit
0x4d1000 - 0x576fff com.apple.JavaScriptCore 522+ /Users/tom/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore
0x1008000 - 0x15e5fff com.apple.WebCore 522+ /Users/tom/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore

Model: Macmini1,1, BootROM MM11.0055.B08, 2 processors, Intel Core Duo, 1.66 GHz, 1 GB
Maciej Stachowiak
Comment 2 2007-03-20 03:18:24 PDT
Since we don't have usable steps to reproduce this yet, lowering to P3.
Tom Brown
Comment 3 2007-03-21 17:41:11 PDT
Created attachment 13754 [details]
Two html files comprising reduction.

Unzip this reduction to a webserver or HD, and point your browser to "outer.html". While the stack trace is different from the stack trace reported earlier, I believe both issues stem from the same cause.
Tom Brown
Comment 4 2007-03-21 17:41:47 PDT
Updated to P1 as a reduction was found.
Alexey Proskuryakov
Comment 5 2007-03-21 22:39:58 PDT
Confirming, since the attached test does cause a crash for me, but I'm not sure whether it's really XHR-related.

Thread 0 Crashed:
0 com.apple.WebCore 0x01280638 WebCore::Widget::getView() const + 28 (WidgetMac.mm:218)
1 com.apple.WebCore 0x01295c18 WebCore::ScrollView::windowToContents(WebCore::IntPoint const&) const + 276 (ScrollViewMac.mm:394)
2 com.apple.WebCore 0x014cf3a4 WebCore::EventHandler::prepareMouseEvent(WebCore::HitTestRequest const&, WebCore::PlatformMouseEvent const&) + 252 (EventHandler.cpp:1067)
3 com.apple.WebCore 0x014cfaa8 WebCore::EventHandler::hoverTimerFired(WebCore::Timer<WebCore::EventHandler>*) + 124 (EventHandler.cpp:1246)
4 com.apple.WebCore 0x017d99f8 WebCore::Timer<WebCore::EventHandler>::fired() + 152 (Timer.h:96)
5 com.apple.WebCore 0x0127b7cc WebCore::TimerBase::fireTimers(double, WTF::Vector<WebCore::TimerBase*, (unsigned long)0> const&) + 236 (Timer.cpp:322)
6 com.apple.WebCore 0x0127b898 WebCore::TimerBase::sharedTimerFired() + 132 (Timer.cpp:355)
7 com.apple.WebCore 0x0127ac44 WebCore::timerFired(__CFRunLoopTimer*, void*) + 60 (SharedTimerMac.cpp:47)
8 com.apple.CoreFoundation 0x907f2578 __CFRunLoopDoTimer + 184
9 com.apple.CoreFoundation 0x907deef8 __CFRunLoopRun + 1680
10 com.apple.CoreFoundation 0x907de4ac CFRunLoopRunSpecific + 268
11 com.apple.HIToolbox 0x93298b20 RunCurrentEventLoopInMode + 264
12 com.apple.HIToolbox 0x932981b4 ReceiveNextEventCommon + 380
13 com.apple.HIToolbox 0x93298020 BlockUntilNextEventMatchingListInMode + 96
14 com.apple.AppKit 0x9379eae4 _DPSNextEvent + 384
15 com.apple.AppKit 0x9379e7a8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
16 com.apple.Safari 0x00006740 0x1000 + 22336
17 com.apple.AppKit 0x9379acec -[NSApplication run] + 472
18 com.apple.AppKit 0x9388b87c NSApplicationMain + 452
19 com.apple.Safari 0x0005c77c 0x1000 + 374652
20 com.apple.Safari 0x0005c624 0x1000 + 374308

Please note that WebKit does not yet store a persistent pointer to the window when creating an XMLHttpRequest object, as required by the draft spec - this may be related to the original issue.
mitz
Comment 6 2007-03-23 02:05:07 PDT
Created attachment 13777 [details]
Fix crash in getView()

This fixes the crash in getView() and seems like a good idea in general, but I doubt that it will fix the original crash reported in this bug.
mitz
Comment 7 2007-03-23 09:09:14 PDT
Comment on attachment 13777 [details]
Fix crash in getView()

Tom confirmed that this patch did not fix the original crash. We agreed to make this bug about the getView() crash and he'll file another bug on the original problem. Having this one fixed should help him make progress on reducing the other one.
mitz
Comment 8 2007-03-23 10:21:38 PDT
Created attachment 13780 [details]
Fix crash in getView()

Added layout test and change log. Going to ask for a review after I run the tests.
Adele Peterson
Comment 9 2007-03-23 21:24:11 PDT
<rdar://problem/5086211> REGRESSION: Reproducible crash in Widget::getView

Committed revision 20458.