WebKit Bugzilla
RESOLVED INVALID
48311
[CRASH] While using the Web Inspector on zimbra.com
https://bugs.webkit.org/show_bug.cgi?id=48311
Adam Barth
Reported
2010-10-26 00:10:47 PDT
I was enabling resource tracking and clicking around the inspector tabs. The value of |this| in the top frame is 0x3f00000046.

#0 0x10077eabc in JSC::TypeInfo::type at JSTypeInfo.h:62
#1 0x1007b4f05 in JSC::MarkStack::drain at JSArray.h:247
#2 0x1007aceeb in JSC::Heap::markConservatively at Collector.cpp:688
#3 0x100845405 in JSC::RegisterFile::markGlobals at RegisterFile.h:134
#4 0x1008406d5 in JSC::JSGlobalObject::markChildren at JSGlobalObject.cpp:354
#5 0x101b261b8 in WebCore::JSDOMGlobalObject::markChildren at JSDOMGlobalObject.cpp:52
#6 0x101b59d5d in WebCore::JSDOMWindow::markChildren at JSDOMWindowCustom.cpp:97
#7 0x1007b4cdc in JSC::MarkStack::markChildren at JSArray.h:220
#8 0x1007b4fd7 in JSC::MarkStack::drain at JSArray.h:261
#9 0x1007aceeb in JSC::Heap::markConservatively at Collector.cpp:688
#10 0x1007ad232 in JSC::Heap::markCurrentThreadConservativelyInternal at Collector.cpp:699
#11 0x1007ad26c in JSC::Heap::markCurrentThreadConservatively at Collector.cpp:721
#12 0x1007ad28b in JSC::Heap::markStackObjectsConservatively at Collector.cpp:873
#13 0x1007ad442 in JSC::Heap::markRoots at Collector.cpp:1043
#14 0x1007ae22f in JSC::Heap::reset at Collector.cpp:1179
#15 0x1007ae57c in JSC::Heap::allocate at Collector.cpp:344
#16 0x10078e092 in JSC::JSCell::operator new at JSCell.h:177
#17 0x100813b2a in cti_op_push_activation at JITStubs.cpp:2166
#18 0x10080bb11 in WTF::doubleHash at HashTable.h:447
#19 0x1007ea5c6 in JSC::JITCode::execute at JITCode.h:77
#20 0x1007e5916 in JSC::Interpreter::executeCall at Interpreter.cpp:825
#21 0x10079cdf3 in JSC::call at CallData.cpp:38
#22 0x101ad0df5 in WebCore::JSMainThreadExecState::call at JSMainThreadExecState.h:48
#23 0x101b6d396 in WebCore::JSEventListener::handleEvent at JSEventListener.cpp:124
#24 0x10181fbcc in WebCore::EventTarget::fireEventListeners at EventTarget.cpp:335
#25 0x101820236 in WebCore::EventTarget::fireEventListeners at EventTarget.cpp:304
#26 0x101dc3573 in WebCore::Node::handleLocalEvents at Node.cpp:2484
#27 0x101dc3c1f in WebCore::Node::dispatchGenericEvent at Node.cpp:2602
#28 0x101dc40cd in WebCore::Node::dispatchEvent at Node.cpp:2547
#29 0x101985d9e in WebCore::HTMLScriptElement::dispatchLoadEvent at HTMLScriptElement.cpp:189
#30 0x101fc0842 in WebCore::ScriptElementData::execute at ScriptElement.cpp:223
#31 0x101506ede in WebCore::AsyncScriptRunner::timerFired at AsyncScriptRunner.cpp:87
#32 0x1015075c3 in WebCore::Timer<WebCore::AsyncScriptRunner>::fired at Timer.h:98
#33 0x10212ee56 in WebCore::ThreadTimers::sharedTimerFiredInternal at ThreadTimers.cpp:112
#34 0x10212efe5 in WebCore::ThreadTimers::sharedTimerFired at ThreadTimers.cpp:90
#35 0x10200000b in WebCore::timerFired at SharedTimerMac.mm:166
#36 0x7fff800aa678 in __CFRunLoopRun
#37 0x7fff800a884f in CFRunLoopRunSpecific
#38 0x7fff815ed91a in RunCurrentEventLoopInMode
#39 0x7fff815ed71f in ReceiveNextEventCommon
#40 0x7fff815ed5d8 in BlockUntilNextEventMatchingListInMode
#41 0x7fff869c229e in _DPSNextEvent
#42 0x7fff869c1bed in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:]
#43 0x1000165d8 in ??
#44 0x7fff869878d3 in -[NSApplication run]
#45 0x7fff869805f8 in NSApplicationMain
#46 0x10000a4a4 in ??
Adam Barth
Comment 1
2010-10-26 00:23:54 PDT
Another seemingly related stack. Maybe related to using the debugger? This happened soon after enabling the debugger:

#0 0x100762447 in JSC::CollectorBitmap::getset at Collector.h:235
#1 0x100762481 in JSC::Heap::checkMarkCell at Collector.h:302
#2 0x1007b4ea6 in JSC::MarkStack::drain at JSArray.h:239
#3 0x1007aceeb in JSC::Heap::markConservatively at Collector.cpp:688
#4 0x100845405 in JSC::RegisterFile::markGlobals at RegisterFile.h:134
#5 0x1008406d5 in JSC::JSGlobalObject::markChildren at JSGlobalObject.cpp:354
#6 0x101b261b8 in WebCore::JSDOMGlobalObject::markChildren at JSDOMGlobalObject.cpp:52
#7 0x101b59d5d in WebCore::JSDOMWindow::markChildren at JSDOMWindowCustom.cpp:97
#8 0x1007b4cdc in JSC::MarkStack::markChildren at JSArray.h:220
#9 0x1007b4f67 in JSC::MarkStack::drain at JSArray.h:258
#10 0x1007aceeb in JSC::Heap::markConservatively at Collector.cpp:688
#11 0x1007ad232 in JSC::Heap::markCurrentThreadConservativelyInternal at Collector.cpp:699
#12 0x1007ad26c in JSC::Heap::markCurrentThreadConservatively at Collector.cpp:721
#13 0x1007ad28b in JSC::Heap::markStackObjectsConservatively at Collector.cpp:873
#14 0x1007ad442 in JSC::Heap::markRoots at Collector.cpp:1043
#15 0x1007ae22f in JSC::Heap::reset at Collector.cpp:1179
#16 0x1007ae57c in JSC::Heap::allocate at Collector.cpp:344
#17 0x10078e092 in JSC::JSCell::operator new at JSCell.h:177
#18 0x10087d14e in JSC::jsOwnedString at JSString.h:548
#19 0x100779c9a in JSC::BytecodeGenerator::emitLoad at BytecodeGenerator.cpp:1094
#20 0x1008a06df in JSC::StringNode::emitBytecode at NodesCodegen.cpp:142
#21 0x10079c6e6 in JSC::BytecodeGenerator::emitNode at BytecodeGenerator.h:217
#22 0x10089b689 in JSC::BinaryOpNode::emitStrcat at NodesCodegen.cpp:947
#23 0x10089c7ba in JSC::BinaryOpNode::emitBytecode at NodesCodegen.cpp:979
#24 0x10079c6e6 in JSC::BytecodeGenerator::emitNode at BytecodeGenerator.h:217
#25 0x100899c96 in JSC::AssignBracketNode::emitBytecode at NodesCodegen.cpp:1282
#26 0x10079c6e6 in JSC::BytecodeGenerator::emitNode at BytecodeGenerator.h:217
#27 0x100896edf in JSC::ExprStatementNode::emitBytecode at NodesCodegen.cpp:1414
#28 0x10079c6e6 in JSC::BytecodeGenerator::emitNode at BytecodeGenerator.h:217
#29 0x1008a2df7 in JSC::SourceElements::emitBytecode at NodesCodegen.cpp:1370
#30 0x100896d5c in JSC::BlockNode::emitBytecode at NodesCodegen.cpp:1388
#31 0x10079c6e6 in JSC::BytecodeGenerator::emitNode at BytecodeGenerator.h:217
#32 0x1008a2df7 in JSC::SourceElements::emitBytecode at NodesCodegen.cpp:1370
#33 0x1008a2e5b in JSC::ScopeNode::emitStatementsBytecode at NodesCodegen.cpp:1998
#34 0x1008971cf in JSC::FunctionBodyNode::emitBytecode at NodesCodegen.cpp:2036
#35 0x10077e399 in JSC::BytecodeGenerator::generate at BytecodeGenerator.cpp:144
#36 0x1007d2cb7 in JSC::FunctionExecutable::compileForCallInternal at Executable.cpp:197
#37 0x10076cb22 in JSC::FunctionExecutable::compileForCall at Executable.h:315
#38 0x100814009 in cti_vm_lazyLinkCall at JITStubs.cpp:2106
#39 0x10080bb11 in WTF::doubleHash at HashTable.h:447
#40 0x1007ea5c6 in JSC::JITCode::execute at JITCode.h:77
#41 0x1007e5916 in JSC::Interpreter::executeCall at Interpreter.cpp:825
#42 0x10079cdf3 in JSC::call at CallData.cpp:38
#43 0x101ad0df5 in WebCore::JSMainThreadExecState::call at JSMainThreadExecState.h:48
#44 0x101b6d396 in WebCore::JSEventListener::handleEvent at JSEventListener.cpp:124
#45 0x10181fbcc in WebCore::EventTarget::fireEventListeners at EventTarget.cpp:335
#46 0x101820236 in WebCore::EventTarget::fireEventListeners at EventTarget.cpp:304
#47 0x101dc3573 in WebCore::Node::handleLocalEvents at Node.cpp:2484
#48 0x101dc3d1b in WebCore::Node::dispatchGenericEvent at Node.cpp:2614
#49 0x101dc40cd in WebCore::Node::dispatchEvent at Node.cpp:2547
#50 0x101dc248f in WebCore::Node::dispatchMouseEvent at Node.cpp:2811
#51 0x101dc2973 in WebCore::Node::dispatchMouseEvent at Node.cpp:2720
#52 0x10180e4dc in WebCore::EventHandler::dispatchMouseEvent at EventHandler.cpp:1843
#53 0x101811fa0 in WebCore::EventHandler::handleMouseReleaseEvent at EventHandler.cpp:1569
#54 0x10181a71d in WebCore::EventHandler::mouseUp at EventHandlerMac.mm:545
#55 0x100f6f4f1 in -[WebHTMLView mouseUp:] at WebHTMLView.mm:3761
#56 0x7fff86abb7ed in -[NSWindow sendEvent:]
#57 0x10004261d in ??
#58 0x1000425aa in ??
#59 0x7fff869f0ee2 in -[NSApplication sendEvent:]
#60 0x1000392ee in ??
#61 0x7fff86987922 in -[NSApplication run]
#62 0x7fff869805f8 in NSApplicationMain
#63 0x10000a4a4 in ??
Adam Barth
Comment 2
2010-10-26 00:26:59 PDT
Yeah, repros very quickly on Zimbra by enabling the debugger and then clicking around the page:

#0 0x100762447 in JSC::CollectorBitmap::getset at Collector.h:235
#1 0x100762481 in JSC::Heap::checkMarkCell at Collector.h:302
#2 0x1007b4ea6 in JSC::MarkStack::drain at JSArray.h:239
#3 0x1007aceeb in JSC::Heap::markConservatively at Collector.cpp:688
#4 0x100845405 in JSC::RegisterFile::markGlobals at RegisterFile.h:134
#5 0x1008406d5 in JSC::JSGlobalObject::markChildren at JSGlobalObject.cpp:354
#6 0x101b261b8 in WebCore::JSDOMGlobalObject::markChildren at JSDOMGlobalObject.cpp:52
#7 0x101b59d5d in WebCore::JSDOMWindow::markChildren at JSDOMWindowCustom.cpp:97
#8 0x1007b4cdc in JSC::MarkStack::markChildren at JSArray.h:220
#9 0x1007b4fd7 in JSC::MarkStack::drain at JSArray.h:261
#10 0x1007aceeb in JSC::Heap::markConservatively at Collector.cpp:688
#11 0x1007ad232 in JSC::Heap::markCurrentThreadConservativelyInternal at Collector.cpp:699
#12 0x1007ad26c in JSC::Heap::markCurrentThreadConservatively at Collector.cpp:721
#13 0x1007ad28b in JSC::Heap::markStackObjectsConservatively at Collector.cpp:873
#14 0x1007ad442 in JSC::Heap::markRoots at Collector.cpp:1043
#15 0x1007ae22f in JSC::Heap::reset at Collector.cpp:1179
#16 0x1007ae57c in JSC::Heap::allocate at Collector.cpp:344
#17 0x10078e092 in JSC::JSCell::operator new at JSCell.h:177
#18 0x1008135d4 in cti_op_create_arguments_no_params at JITStubs.cpp:2226
#19 0x10080bb11 in WTF::doubleHash at HashTable.h:447
#20 0x1007ea5c6 in JSC::JITCode::execute at JITCode.h:77
#21 0x1007e5916 in JSC::Interpreter::executeCall at Interpreter.cpp:825
#22 0x10079cdf3 in JSC::call at CallData.cpp:38
#23 0x101ad0df5 in WebCore::JSMainThreadExecState::call at JSMainThreadExecState.h:48
#24 0x101b6d396 in WebCore::JSEventListener::handleEvent at JSEventListener.cpp:124
#25 0x10181fbcc in WebCore::EventTarget::fireEventListeners at EventTarget.cpp:335
#26 0x101820236 in WebCore::EventTarget::fireEventListeners at EventTarget.cpp:304
#27 0x101dc3573 in WebCore::Node::handleLocalEvents at Node.cpp:2484
#28 0x101dc3d1b in WebCore::Node::dispatchGenericEvent at Node.cpp:2614
#29 0x101dc40cd in WebCore::Node::dispatchEvent at Node.cpp:2547
#30 0x101dc248f in WebCore::Node::dispatchMouseEvent at Node.cpp:2811
#31 0x101dc2973 in WebCore::Node::dispatchMouseEvent at Node.cpp:2720
#32 0x10180e3a4 in WebCore::EventHandler::updateMouseEventTargetNode at EventHandler.cpp:1824
#33 0x10180e48e in WebCore::EventHandler::dispatchMouseEvent at EventHandler.cpp:1838
#34 0x10181372c in WebCore::EventHandler::handleMouseMoveEvent at EventHandler.cpp:1514
#35 0x101813813 in WebCore::EventHandler::mouseMoved at EventHandler.cpp:1395
#36 0x10181a5a4 in WebCore::EventHandler::mouseMoved at EventHandlerMac.mm:625
#37 0x100f78d2d in -[WebHTMLView(WebPrivate) _updateMouseoverWithEvent:] at WebHTMLView.mm:1654
#38 0x100f62de5 in -[WebHTMLView mouseMovedNotification:] at WebHTMLView.mm:3770
#39 0x7fff876e984e in _nsnote_callback
#40 0x7fff800b5a90 in __CFXNotificationPost
#41 0x7fff800a2008 in _CFXNotificationPostNotification
#42 0x7fff876e07b8 in -[NSNotificationCenter postNotificationName:object:userInfo:]
#43 0x7fff869ee5ee in forwardMethod
#44 0x7fff869ee5ee in forwardMethod
#45 0x7fff869ee5ee in forwardMethod
#46 0x7fff869ee5ee in forwardMethod
#47 0x7fff869ee5ee in forwardMethod
#48 0x7fff869ee5ee in forwardMethod
#49 0x7fff869ee5ee in forwardMethod
#50 0x7fff869ee5ee in forwardMethod
#51 0x7fff86abc483 in -[NSWindow sendEvent:]
#52 0x10004261d in ??
#53 0x1000425aa in ??
#54 0x7fff869f0cd9 in -[NSApplication sendEvent:]
#55 0x1000392ee in ??
#56 0x7fff86987922 in -[NSApplication run]
#57 0x7fff869805f8 in NSApplicationMain
#58 0x10000a4a4 in ??
Geoffrey Garen
Comment 3
2010-10-28 11:57:16 PDT
<rdar://problem/8606082>
Alexey Proskuryakov
Comment 4
2011-03-14 14:54:34 PDT
Adam, is this still reproducible for you?
Adam Barth
Comment 5
2011-03-14 14:56:47 PDT
I haven't tried since I reported the bug.
Blaze Burg
Comment 6
2016-08-01 11:46:30 PDT
Not reproducible, closing.