Bug 20241 - [retitleme] Safari crashes at JSValueUnprotect() when fontpicker view close
Summary: [retitleme] Safari crashes at JSValueUnprotect() when fontpicker view close
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: PC Windows XP
Importance: P3 Normal
Assignee: Nobody
Keywords: InRadar
Depends on:
Reported: 2008-07-31 04:37 PDT by 808caaa4.8ce9.9cd6c799e9f6
Modified: 2008-10-27 01:48 PDT (History)
Description 808caaa4.8ce9.9cd6c799e9f6 2008-07-31 04:37:14 PDT
Access violation - code c0000005 (!!! second chance !!!)
eax=3ea01c77 ebx=7f53ee38 ecx=0012ef68 edx=0051c0f0 esi=0012ef68 edi=7f194a00
eip=1003078c esp=0012fa70 ebp=0012fa8c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202

WebKit!WTF__ThreadSpecific<WTF__OwnPtr<KJS__Heap__ThreadRegistrar> >__operator WTF__OwnPtr<KJS__Heap__ThreadRegistrar> *+c:
1003078c ff30             push    dword ptr [eax]   ds:0023:3ea01c77=????????

0:000> k
ChildEBP RetAddr
0012fa8c 10022b88 WebKit!WTF__ThreadSpecific<WTF__OwnPtr<KJS__Heap__ThreadRegistrar> >__operator WTF__OwnPtr<KJS__Heap__ThreadRegistrar> *+0xc
0012fac0 1039cd67 WebKit!KJS__Heap__registerThread+0x18
0012fad4 004770f0 WebKit!JSValueUnprotect+0x13
0012fb0c 005085da Safari+0x770f0
00000000 00000000 Safari+0x1085da

// Hmmm... uninitialized m_currentThreadRegistrar?
Comment 1 Adam Roben (:aroben) 2008-07-31 06:50:59 PDT
Can you please tell us the steps to reproduce?
Comment 2 808caaa4.8ce9.9cd6c799e9f6 2008-07-31 07:52:56 PDT
ntsd log above is with:
host: v3.1.2 (525.21)
webkit: WebKit-r35417
OS: XPSP3 home, ja-JP

reproduction summary:
- Open Preferences.
- Go to the Appearance panel and press Select. The FontPicker view appears.
- Close it.
- Dr. Watson is invoked.
Comment 3 Adam Roben (:aroben) 2008-07-31 07:54:15 PDT
Comment 4 Alexey Proskuryakov 2008-08-01 10:46:54 PDT
I could reproduce this with a nightly, but not with a local debug build.
Comment 5 Mihnea Ovidenie 2008-10-09 08:48:10 PDT

I was able to reproduce it using a local debug build and following the steps already mentioned. I currently have revision 37446 on WinXP.

Here is the stack trace, taken from Visual Studio debugger:
1.  WebKit.dll!JSC::Heap::registerThread()  Line 485 + 0x5 bytes  C++
2.  WebKit.dll!JSValueUnprotect(const OpaqueJSContext * ctx=0x051e0170, const OpaqueJSValue * value=0x055f2700)  Line 266  C++
3.  Safari.exe!FontPicker::~FontPicker()  + 0x40 bytes
4.  Safari.exe!FontPicker::`vector deleting destructor'()  + 0x8 bytes
5.  Safari.exe!WindowDeleter::deleteAllWindows()  + 0x67 bytes
6.  Safari.exe!WindowDeleter::ProcessWindowMessage()  + 0x2a bytes
7.  Safari.exe!ATL::CWindowImplBaseT<ATL::CWindow,ATL::CWinTraits<2147483648,524416> >::WindowProc()  + 0x68 bytes
8.  user32.dll!_InternalCallWinProc@20()  + 0x28 bytes
9.  user32.dll!_UserCallWinProcCheckWow@32()  + 0xb7 bytes
10. user32.dll!_DispatchMessageWorker@8()  + 0xdc bytes
11. user32.dll!_DispatchMessageW@4()  + 0xf bytes
12. Safari.exe!RSSPrefsDlg::`vector deleting destructor'()  + 0x20f bytes
13. Safari.exe!run()  + 0x9d bytes
14. Safari.exe!_wWinMain@16()  + 0x34b bytes
15. Safari.exe!_free()  + 0x1a1 bytes
16. kernel32.dll!_BaseProcessStart@4()  + 0x23 bytes

The problem in the function *void Heap::registerThread()* from the file javascriptcore/kjs/collector.cpp appears while calling:
if (pthread_getspecific(m_currentThreadRegistrar))

The problem is an access violation while accessing a memory address. m_currentThreadRegistrar is not defined and cannot be seen in the debugger.
Comment 6 Alexey Proskuryakov 2008-10-14 03:26:52 PDT
Comment 7 Alexey Proskuryakov 2008-10-24 15:19:41 PDT
A provisional fix for this was landed in <http://trac.webkit.org/changeset/37868> - please try a newer nightly!
Comment 8 Alexey Proskuryakov 2008-10-27 01:14:15 PDT
Reportedly, the original bug with crash on close is still present, re-opening.
Comment 9 Alexey Proskuryakov 2008-10-27 01:48:57 PDT
OK, after some more investigation the crash on close turns out to be a Safari bug, now made visible by JSValueUnprotect() actually using the context value passed to it. Closing as INVALID, as a non-WebKit issue. Thank you very much for filing it, and providing additional information!