Bug 17057 - REGRESSION: Frequent random crashes in WebCore::JSNodeList::indexGetter
Summary: REGRESSION: Frequent random crashes in WebCore::JSNodeList::indexGetter
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore JavaScript
Version: 528+ (Nightly build)
Hardware: Macintosh OS X 10.5
Importance: P1 Normal
Assignee: Nobody
URL:
Keywords: InRadar, NeedsReduction, Regression
Duplicates: 17389 17399
Depends on:
Blocks:
 
Reported: 2008-01-28 20:56 PST by Steven Hollingsworth
Modified: 2008-03-18 18:43 PDT

See Also:


Attachments
WebKit Crash (42.67 KB, text/plain), 2008-01-28 20:57 PST, Steven Hollingsworth
Problem Report for Webkit (58.10 KB, text/plain), 2008-02-06 20:51 PST, Steven Hollingsworth
Problem Report for Webkit (39.38 KB, text/plain), 2008-02-07 14:47 PST, Steven Hollingsworth
Problem Report for WebKit (50.16 KB, text/plain), 2008-02-16 20:04 PST, Steven Hollingsworth
Problem Report for Webkit (47.29 KB, text/plain), 2008-02-17 23:23 PST, Steven Hollingsworth
Problem Report for WebKit (43.13 KB, text/plain), 2008-02-18 12:34 PST, Steven Hollingsworth
Problem Report for WebKit (56.79 KB, text/plain), 2008-02-18 12:59 PST, Steven Hollingsworth

Description Steven Hollingsworth 2008-01-28 20:56:36 PST
WebKit crashes on quit.
Comment 1 Steven Hollingsworth 2008-01-28 20:57:29 PST
Created attachment 18755 [details]
WebKit Crash

Log from WebKit Crash.
Comment 2 Steven Hollingsworth 2008-01-28 20:58:03 PST
WebKit crashed on quit (Cmd + Q).
Comment 3 Alexey Proskuryakov 2008-01-29 00:50:04 PST
Do you remember what Web pages were open at the time? The crash is seemingly caused by something that a page's JavaScript performed.
Comment 4 Steven Hollingsworth 2008-01-29 06:02:15 PST
I cannot remember exactly but it was probably iGoogle, Gmail, Google Calendar, Google Docs, or Google Reader.
Comment 5 Steven Hollingsworth 2008-02-06 20:51:39 PST
Created attachment 18977 [details]
Problem Report for Webkit

Just had this issue appear again while scrolling through Google Reader.
Comment 6 Steven Hollingsworth 2008-02-07 14:47:24 PST
Created attachment 18991 [details]
Problem Report for Webkit

Just had this issue occur again on Google Reader.
Comment 7 Alexey Proskuryakov 2008-02-08 05:37:12 PST
Thanks! The stack traces are different, and they do not really match the "crash on quit" description, but such frequent crashing is worrisome.
Comment 8 Cameron Zwarich (cpst) 2008-02-08 21:02:32 PST
I agree, this is probably not a crash on quit. Google Reader is known for doing some funky things with JS, so it is likely a problem with the ActivationImp tear-off. I will try to find a reliable method of reproduction so that I can figure out exactly what is going wrong.
Comment 9 Cameron Zwarich (cpst) 2008-02-09 13:50:31 PST
I played around with Google Reader for a bit, trying to reproduce the crash, but I couldn't.
Comment 10 Steven Hollingsworth 2008-02-16 17:21:10 PST
*** Bug 17389 has been marked as a duplicate of this bug. ***
Comment 11 Steven Hollingsworth 2008-02-16 17:21:36 PST
Bug continues to occur.
Comment 12 Cameron Zwarich (cpst) 2008-02-16 17:24:49 PST
The third stack trace is probably the same issue as bug 17329, which is now fixed, whereas the first two are likely the same distinct bug.
Comment 13 Steven Hollingsworth 2008-02-16 18:02:18 PST
Comment on attachment 18991 [details]
Problem Report for Webkit

Same as bug 17329, which has been fixed.
Comment 14 Cameron Zwarich (cpst) 2008-02-16 19:12:06 PST
All of the stack traces look the same (I didn't check all the way back) so it is probably the same JS causing the crash each time. It's also sort of strange that the crash is on dereferencing a null pointer rather than something offset from zero. Where would that be happening in JSNodeList::indexGetter()?
Comment 15 Steven Hollingsworth 2008-02-16 20:04:30 PST
Created attachment 19165 [details]
Problem Report for WebKit

Just had this issue again while loading AmpCoder.com in one tab and an already loaded GoDaddy.com in the other.
Comment 16 Alexey Proskuryakov 2008-02-17 00:23:17 PST
(In reply to comment #14)
> It's also sort of strange that the crash is on dereferencing a null pointer
> rather than something offset from zero.

AFAICT, the crash may be happening in a virtual node->nodeType() call in toJS(ExecState*, PassRefPtr<Node> n) in JSNodeCustom.cpp.
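The following C++ sketch is an added illustration of the point raised in comments 14 and 16; it is not WebKit's code, and Node, NodeList, JSValue, toJS, toJSUnchecked and indexGetter are hypothetical stand-ins whose shapes are assumed here. Under the Itanium C++ ABI a class like Node with no non-polymorphic base keeps its vtable pointer at offset 0 of the object, so a virtual call such as n->nodeType() with n == nullptr first loads from address 0 itself, which is consistent with a fault at exactly null rather than at a small offset. The hardened converter and the bounds-checked index getter show the guards a practitioner would expect before that virtual dispatch.

```cpp
#include <cstddef>
#include <memory>
#include <vector>

// Hypothetical stand-ins for WebCore's Node hierarchy (not the real classes).
struct Node {
    virtual ~Node() = default;
    // Virtual: dispatch reads the vtable pointer at offset 0 of *this, so a
    // null 'this' faults at address 0 before any data member is touched.
    virtual int nodeType() const = 0;
};

struct Element : Node {
    int nodeType() const override { return 1; }  // ELEMENT_NODE
};

struct Text : Node {
    int nodeType() const override { return 3; }  // TEXT_NODE
};

// Hypothetical NodeList: item() returns null for an out-of-range index,
// matching the DOM NodeList contract.
struct NodeList {
    std::vector<std::shared_ptr<Node>> nodes;
    std::size_t length() const { return nodes.size(); }
    Node* item(std::size_t i) const { return i < nodes.size() ? nodes[i].get() : nullptr; }
};

// Stand-in for a JS value: either 'undefined' or a wrapper tagged with the node type.
struct JSValue {
    bool isUndefined;
    int wrappedNodeType;
};

// The unsafe shape: dispatches on nodeType() with no null check. Passing a
// null Node* here is exactly the virtual-call-on-null described in comment 16.
// It is defined for comparison only and is never called with null below.
JSValue toJSUnchecked(Node* n) {
    return JSValue{false, n->nodeType()};
}

// Hardened converter: a null node becomes JS 'undefined' instead of a crash.
JSValue toJS(Node* n) {
    if (!n)
        return JSValue{true, 0};
    return JSValue{false, n->nodeType()};
}

// Index getter: bounds-check against the current length, then convert through
// the null-tolerant toJS so a stale index can never reach a virtual call on null.
JSValue indexGetter(const NodeList& list, std::size_t index) {
    if (index >= list.length())
        return JSValue{true, 0};
    return toJS(list.item(index));
}

// Constructed sample list for demonstration: one element, one text node.
NodeList makeSampleList() {
    NodeList list;
    list.nodes.push_back(std::make_shared<Element>());
    list.nodes.push_back(std::make_shared<Text>());
    return list;
}

int main() {
    NodeList list = makeSampleList();
    JSValue first = indexGetter(list, 0);       // wraps the Element (type 1)
    JSValue missing = indexGetter(list, 7);     // out of range: undefined, no crash
    return (first.wrappedNodeType == 1 && missing.isUndefined) ? 0 : 1;
}
```

The double check (bounds in the getter, null in the converter) is deliberate: the getter's length test protects the common path, and the converter's null test protects every other caller that can hand it a pointer obtained from item() or a similar lookup.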
Comment 17 Steven Hollingsworth 2008-02-17 23:23:45 PST
Created attachment 19183 [details]
Problem Report for Webkit

Just had another crash while browsing through Gmail.
Comment 18 Alexey Proskuryakov 2008-02-18 03:10:19 PST
*** Bug 17399 has been marked as a duplicate of this bug. ***
Comment 19 Alexey Proskuryakov 2008-02-18 03:13:01 PST
Marking confirmed since this keeps happening, and we have a duplicate - although I never saw this myself.
Comment 20 Alexey Proskuryakov 2008-02-18 03:13:53 PST
<rdar://problem/5749117>
Comment 21 Steven Hollingsworth 2008-02-18 12:34:04 PST
Created attachment 19194 [details]
Problem Report for WebKit

Just had this issue occur while loading iGoogle in a single window.
Comment 22 Steven Hollingsworth 2008-02-18 12:59:50 PST
Created attachment 19195 [details]
Problem Report for WebKit

Just had this issue after composing a message in Gmail and clicking "Send".
Comment 23 David Kilzer (:ddkilzer) 2008-02-23 19:02:56 PST
The call stack in the crashing thread is awfully deep (180+ frames).  Could this be related to removing the KJS_MEM_LIMIT in r30492?

http://trac.webkit.org/projects/webkit/changeset/30492

Steven, if you use a WebKit nightly build before r30492, do you still see crashes?
Comment 24 David Kilzer (:ddkilzer) 2008-02-23 19:04:02 PST
I think it's fair to say that this is a regression as well.
Comment 25 David Kilzer (:ddkilzer) 2008-02-23 19:08:11 PST
(In reply to comment #23)
> The call stack in the crashing thread is awfully deep (180+ frames).  Could
> this be related to removing the KJS_MEM_LIMIT in r30492?
> 
> http://trac.webkit.org/projects/webkit/changeset/30492

Hmm...that didn't make much sense.  KJS_MAX_STACK was raised from 100 to 500 in r25161, but that was a while ago.

Please ignore Comment #23. :)

Comment 26 Ismail Donmez 2008-02-29 14:01:11 PST
I frequently see this at GMail using latest SVN.
Comment 27 Steven Hollingsworth 2008-03-02 07:41:02 PST
I just had this issue while working on a Spreadsheet in Google Docs.
Comment 28 Maciej Stachowiak 2008-03-13 22:22:03 PDT
We're actively investigating this bug. If anyone can reproduce it running under gdb, please find a WebKit developer (especially weinig, bdash, darin or maciej) on IRC.
Comment 29 Sam Weinig 2008-03-18 18:43:18 PDT
Fix landed in r31144.