[retitleme] Safari crashes at JSValueUnprotect() when fontpicker view close
Reported 2008-07-31 04:37:14 PDT
Access violation - code c0000005 (!!! second chance !!!)
eax=3ea01c77 ebx=7f53ee38 ecx=0012ef68 edx=0051c0f0 esi=0012ef68 edi=7f194a00
eip=1003078c esp=0012fa70 ebp=0012fa8c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
WebKit!WTF__ThreadSpecific<WTF__OwnPtr<KJS__Heap__ThreadRegistrar> >__operator WTF__OwnPtr<KJS__Heap__ThreadRegistrar> *+c:
1003078c ff30            push    dword ptr [eax]      ds:0023:3ea01c77=????????
0:000> k
ChildEBP RetAddr
0012fa8c 10022b88 WebKit!WTF__ThreadSpecific<WTF__OwnPtr<KJS__Heap__ThreadRegistrar> >__operator WTF__OwnPtr<KJS__Heap__ThreadRegistrar> *+0xc
0012fac0 1039cd67 WebKit!KJS__Heap__registerThread+0x18
0012fad4 004770f0 WebKit!JSValueUnprotect+0x13
0012fb0c 005085da Safari+0x770f0
00000000 00000000 Safari+0x1085da

// Hmmm... uninitialized m_currentThreadRegistrar?
Adam Roben (:aroben)
Comment 1 2008-07-31 06:50:59 PDT
Can you please tell us the steps to reproduce?
Comment 2 2008-07-31 07:52:56 PDT
ntsdlog above is with:
host: v3.1.2 (525.21)
webkit: WebKit-r35417
OS: XPSP3 home, ja-JP

reproduction summary:
- open Preferences.
- go to the Appearance panel, and press Select. The FontPicker view appears.
- close it.
- drwatson invoked.
Adam Roben (:aroben)
Comment 3 2008-07-31 07:54:15 PDT
Alexey Proskuryakov
Comment 4 2008-08-01 10:46:54 PDT
I could reproduce this with a nightly, but not with a local debug build.
Mihnea Ovidenie
Comment 5 2008-10-09 08:48:10 PDT
Hello,

I was able to reproduce it using a local debug build and following the steps already mentioned. I currently have revision 37446 on WinXP.

Here is the stack trace, taken from the Visual Studio debugger:

1. WebKit.dll!JSC::Heap::registerThread() Line 485 + 0x5 bytes C++
2. WebKit.dll!JSValueUnprotect(const OpaqueJSContext * ctx=0x051e0170, const OpaqueJSValue * value=0x055f2700) Line 266 C++
3. Safari.exe!FontPicker::~FontPicker() + 0x40 bytes
4. Safari.exe!FontPicker::`vector deleting destructor'() + 0x8 bytes
5. Safari.exe!WindowDeleter::deleteAllWindows() + 0x67 bytes
6. Safari.exe!WindowDeleter::ProcessWindowMessage() + 0x2a bytes
7. Safari.exe!ATL::CWindowImplBaseT<ATL::CWindow,ATL::CWinTraits<2147483648,524416> >::WindowProc() + 0x68 bytes
8. user32.dll!_InternalCallWinProc@20() + 0x28 bytes
9. user32.dll!_UserCallWinProcCheckWow@32() + 0xb7 bytes
10. user32.dll!_DispatchMessageWorker@8() + 0xdc bytes
11. user32.dll!_DispatchMessageW@4() + 0xf bytes
12. Safari.exe!RSSPrefsDlg::`vector deleting destructor'() + 0x20f bytes
13. Safari.exe!run() + 0x9d bytes
14. Safari.exe!_wWinMain@16() + 0x34b bytes
15. Safari.exe!_free() + 0x1a1 bytes
16. kernel32.dll!_BaseProcessStart@4() + 0x23 bytes

The problem in the function *void Heap::registerThread()* from the file javascriptcore/kjs/collector.cpp appears while calling:

if (pthread_getspecific(m_currentThreadRegistrar))

The problem is an access violation while accessing a memory address. m_currentThreadRegistrar is not defined and cannot be seen in the debugger.
Alexey Proskuryakov
Comment 6 2008-10-14 03:26:52 PDT
Alexey Proskuryakov
Comment 7 2008-10-24 15:19:41 PDT
A provisional fix for this was landed in <> - please try a newer nightly!
Alexey Proskuryakov
Comment 8 2008-10-27 01:14:15 PDT
Reportedly, the original bug with crash on close is still present, re-opening.
Alexey Proskuryakov
Comment 9 2008-10-27 01:48:57 PDT
OK, after some more investigation the crash on close turns out to be a Safari bug, now made visible by JSValueUnprotect() actually using the context value passed to it. Closing as INVALID, as a non-WebKit issue. Thank you very much for filing it, and providing additional information!
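An added example, not code from this report, WebKit or Safari: a self-contained C model of the lifetime rule behind comment 9. JSValueProtect()/JSValueUnprotect() take the context as an argument and dereference it (here, to reach Heap::registerThread()), so whoever holds a protected value must also hold a live context for as long as the value is protected; in the real C API that means pairing the protect with JSGlobalContextRetain() and the unprotect with JSGlobalContextRelease(). The Context struct, the Holder type and teardown_in_reported_order() are constructed stand-ins, not the real API, and the `alive` flag is model-only: it turns what would be a read through freed memory into a return code so the two teardown orders can be compared. The report says only that the crash on close was a Safari bug exposed once JSValueUnprotect() started using its context argument; which object in Safari held the stale context is not stated here.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a JavaScriptCore global context (model only). The
 * real object is opaque and refcounted via JSGlobalContextRetain/Release; the
 * `alive` flag exists so that a stale-context call becomes a return code
 * instead of a read through freed memory. */
typedef struct Context {
    int refcount;
    bool alive;           /* false once the last reference is released */
    int protected_values; /* GC roots registered via value_protect() */
} Context;

enum { UNPROTECT_OK = 0, UNPROTECT_DEAD_CONTEXT = -1 };

static Context *ctx_create(void)
{
    Context *c = calloc(1, sizeof *c);
    if (!c) abort();
    c->refcount = 1;
    c->alive = true;
    return c;
}

static Context *ctx_retain(Context *c) { c->refcount++; return c; }

/* Like JSGlobalContextRelease: dropping the last reference tears the heap
 * down. The model keeps the struct allocated so it stays inspectable. */
static void ctx_release(Context *c) { if (--c->refcount == 0) c->alive = false; }

/* Like JSValueProtect(ctx, value): registers a GC root in ctx's heap. */
static int value_protect(Context *c)
{
    if (!c->alive) return UNPROTECT_DEAD_CONTEXT;
    c->protected_values++;
    return UNPROTECT_OK;
}

/* Like JSValueUnprotect(ctx, value). The real function dereferences ctx to
 * reach its heap and calls Heap::registerThread(), the frame that faults in
 * this report; with a released context that dereference is the crash. */
static int value_unprotect(Context *c)
{
    if (!c->alive) return UNPROTECT_DEAD_CONTEXT;
    c->protected_values--;
    return UNPROTECT_OK;
}

/* A window-like object that keeps one protected value. With retains_ctx
 * false it stores only a raw context pointer, the shape of a destructor that
 * calls JSValueUnprotect() without owning a context reference. With
 * retains_ctx true it holds a context reference for as long as it holds the
 * protected value, which is the hardened form. */
typedef struct { Context *ctx; bool holds; bool retains_ctx; } Holder;

static int holder_init(Holder *h, Context *c, bool retains_ctx)
{
    h->retains_ctx = retains_ctx;
    h->ctx = retains_ctx ? ctx_retain(c) : c;
    h->holds = (value_protect(h->ctx) == UNPROTECT_OK);
    return h->holds ? 0 : -1;
}

/* Destructor: unprotect first, then (if retaining) drop the context reference. */
static int holder_destroy(Holder *h)
{
    int rc = h->holds ? value_unprotect(h->ctx) : UNPROTECT_OK;
    h->holds = false;
    if (h->retains_ctx) ctx_release(h->ctx);
    return rc;
}

/* Teardown order from the report: the owner releases its context reference
 * first and the window holding the protected value is deleted afterwards.
 * Returns the result of the unprotect that runs inside the destructor. */
static int teardown_in_reported_order(bool retains_ctx)
{
    Context *c = ctx_create();
    Holder h;
    if (holder_init(&h, c, retains_ctx) != 0) abort();
    ctx_release(c);               /* owner's reference goes away */
    int rc = holder_destroy(&h);  /* window deleted afterwards */
    free(c);
    return rc;
}

int main(void)
{
    printf("raw pointer holder: %d\n", teardown_in_reported_order(false));
    printf("retaining holder:   %d\n", teardown_in_reported_order(true));
    return 0;
}
```

The raw-pointer holder reproduces the reported order of events and its unprotect runs against a context whose heap is already gone; the retaining holder gets the same deletion order but still sees a live context because its own reference is the last one released, after the unprotect. The same rule applies to any native object that caches a JSContextRef across a window or document lifetime.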