Bug 53376 - r76727-r77034: REGRESSION: Crash on page load in JSC::JSValue::toString
Summary: r76727-r77034: REGRESSION: Crash on page load in JSC::JSValue::toString
Status: RESOLVED DUPLICATE of bug 53271
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Mac All
Importance: P1 Critical
Assignee: Michael Saboff
URL: http://safariextensions.tumblr.com/
Keywords: InRadar, Regression
Duplicates: 53403
Reported: 2011-01-29 06:12 PST by Kevin M. Dean
Modified: 2011-01-31 14:42 PST
Description Kevin M. Dean 2011-01-29 06:12:41 PST
Loading the page crashes before display.


Process:         Safari [411]
Path:            /Applications/WebKit.app/Contents/MacOS/WebKit
Identifier:      org.webkit.nightly.WebKit
Version:         r77034 (77034)
Code Type:       PPC (Native)
Parent Process:  launchd [136]

Date/Time:       2011-01-29 09:07:45.263 -0500
OS Version:      Mac OS X 10.5.8 (9L30)
Report Version:  6
Anonymous UUID:  F41C1802-6457-4B49-A738-107FEBA3B7F7

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000000
Crashed Thread:  0

Thread 0 Crashed:
0   com.apple.JavaScriptCore      	0x0074ecdc JSC::JSValue::toString(JSC::ExecState*) const + 1212
1   com.apple.JavaScriptCore      	0x00742474 __ZN3JSCL18arrayProtoFuncJoinEPNS_9ExecStateE + 4820
2   com.apple.JavaScriptCore      	0x007c8f3c JSC::Interpreter::privateExecute(JSC::Interpreter::ExecutionFlag, JSC::RegisterFile*, JSC::ExecState*) + 54684
3   com.apple.JavaScriptCore      	0x007d077c JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*) + 780
4   com.apple.JavaScriptCore      	0x0077a3e0 JSC::evaluate(JSC::ExecState*, JSC::ScopeChain&, JSC::SourceCode const&, JSC::JSValue) + 352
5   com.apple.WebCore             	0x021f08e8 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*, WebCore::ShouldAllowXSS) + 696
6   com.apple.WebCore             	0x021f11a8 WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&, WebCore::ShouldAllowXSS) + 56
7   com.apple.WebCore             	0x021fb844 WebCore::ScriptElement::evaluateScript(WebCore::ScriptSourceCode const&) + 212
8   com.apple.WebCore             	0x021fbb30 WebCore::ScriptElement::execute(WebCore::CachedScript*) + 496
9   com.apple.WebCore             	0x016a1900 WebCore::AsyncScriptRunner::timerFired(WebCore::Timer<WebCore::AsyncScriptRunner>*) + 176
10  com.apple.WebCore             	0x0237c390 WebCore::ThreadTimers::sharedTimerFiredInternal() + 128
11  com.apple.WebCore             	0x02237f98 __ZN7WebCoreL10timerFiredEP16__CFRunLoopTimerPv + 72
12  com.apple.CoreFoundation      	0x97108818 CFRunLoopRunSpecific + 2968
13  com.apple.HIToolbox           	0x904d5b14 RunCurrentEventLoopInMode + 264
14  com.apple.HIToolbox           	0x904d5938 ReceiveNextEventCommon + 412
15  com.apple.HIToolbox           	0x904d5778 BlockUntilNextEventMatchingListInMode + 84
16  com.apple.AppKit              	0x925c0244 _DPSNextEvent + 596
17  com.apple.AppKit              	0x925bfbfc -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 112
18  com.apple.Safari              	0x00018d74 0x1000 + 97652
19  com.apple.AppKit              	0x925b989c -[NSApplication run] + 744
20  com.apple.AppKit              	0x9258a298 NSApplicationMain + 440
21  com.apple.Safari              	0x0000b378 0x1000 + 41848
Comment 1 Kevin M. Dean 2011-01-29 06:19:24 PST
http://www.macworld.com/
http://www.macupdate.com/

Also crashes with the same JavaScript, but after a partial display of the page (macworld).
Comment 2 Kevin M. Dean 2011-01-29 06:20:33 PST
Some of the other link crashes have a little more data in them.

Process:         Safari [466]
Path:            /Applications/WebKit.app/Contents/MacOS/WebKit
Identifier:      org.webkit.nightly.WebKit
Version:         r77034 (77034)
Code Type:       PPC (Native)
Parent Process:  launchd [136]

Date/Time:       2011-01-29 09:15:07.119 -0500
OS Version:      Mac OS X 10.5.8 (9L30)
Report Version:  6
Anonymous UUID:  F41C1802-6457-4B49-A738-107FEBA3B7F7

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000000
Crashed Thread:  0

Thread 0 Crashed:
0   com.apple.JavaScriptCore      	0x0074ecdc JSC::JSValue::toString(JSC::ExecState*) const + 1212
1   com.apple.JavaScriptCore      	0x0079a848 JSC::createNotAnObjectError(JSC::ExecState*, JSC::JSValue) + 56
2   com.apple.JavaScriptCore      	0x008418d8 JSC::JSValue::synthesizePrototype(JSC::ExecState*) const + 136
3   com.apple.JavaScriptCore      	0x007d1f68 JSC::JSValue::get(JSC::ExecState*, JSC::Identifier const&, JSC::PropertySlot&) const + 56
4   com.apple.JavaScriptCore      	0x007c1f74 JSC::Interpreter::privateExecute(JSC::Interpreter::ExecutionFlag, JSC::RegisterFile*, JSC::ExecState*) + 26068
5   com.apple.JavaScriptCore      	0x007d077c JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*) + 780
6   com.apple.JavaScriptCore      	0x0077a3e0 JSC::evaluate(JSC::ExecState*, JSC::ScopeChain&, JSC::SourceCode const&, JSC::JSValue) + 352
7   com.apple.WebCore             	0x021f08e8 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*, WebCore::ShouldAllowXSS) + 696
8   com.apple.WebCore             	0x021f11a8 WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&, WebCore::ShouldAllowXSS) + 56
9   com.apple.WebCore             	0x021f3aac WebCore::ScriptController::executeScript(WebCore::ScriptSourceCode const&, WebCore::ShouldAllowXSS) + 396
10  com.apple.WebCore             	0x021f9d3c WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 108
11  com.apple.WebCore             	0x01a04e44 WebCore::HTMLScriptRunner::executePendingScriptAndDispatchEvent(WebCore::PendingScript&) + 468
12  com.apple.WebCore             	0x01a0571c WebCore::HTMLScriptRunner::executeParsingBlockingScript() + 700
13  com.apple.WebCore             	0x01a05968 WebCore::HTMLScriptRunner::executeParsingBlockingScripts() + 56
14  com.apple.WebCore             	0x019b2220 WebCore::HTMLDocumentParser::notifyFinished(WebCore::CachedResource*) + 96
15  com.apple.WebCore             	0x016d5774 WebCore::CachedScript::checkNotify() + 84
16  com.apple.WebCore             	0x016d47ac WebCore::CachedResourceRequest::didFinishLoading(WebCore::SubresourceLoader*) + 412
17  com.apple.WebCore             	0x02268734 WebCore::SubresourceLoader::didFinishLoading(double) + 84
18  com.apple.Foundation          	0x94467814 _NSURLConnectionDidFinishLoading + 120
19  com.apple.CFNetwork           	0x94b29d8c URLConnectionClient::_clientDidFinishLoading(URLConnectionClient::ClientConnectionEventQueue*) + 236
20  com.apple.CFNetwork           	0x94b2aa08 URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 172
21  com.apple.CFNetwork           	0x94b29500 URLConnectionClient::processEvents() + 132
22  com.apple.CFNetwork           	0x94ad3000 MultiplexerSource::perform() + 168
23  com.apple.CoreFoundation      	0x971080d0 CFRunLoopRunSpecific + 1104
24  com.apple.HIToolbox           	0x904d5b14 RunCurrentEventLoopInMode + 264
25  com.apple.HIToolbox           	0x904d5938 ReceiveNextEventCommon + 412
26  com.apple.HIToolbox           	0x904d5778 BlockUntilNextEventMatchingListInMode + 84
27  com.apple.AppKit              	0x925c0244 _DPSNextEvent + 596
28  com.apple.AppKit              	0x925bfbfc -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 112
29  com.apple.Safari              	0x00018d74 0x1000 + 97652
30  com.apple.AppKit              	0x925b989c -[NSApplication run] + 744
31  com.apple.AppKit              	0x9258a298 NSApplicationMain + 440
32  com.apple.Safari              	0x0000b378 0x1000 + 41848
Comment 3 Patrick R. Gansterer 2011-01-29 09:59:14 PST
I get the following crash with a debug build:

ASSERTION FAILED: m_runtimeObjects.get(object)
(/Users/paroga/WebKit/Source/WebCore/bridge/runtime_root.cpp:189 void JSC::Bindings::RootObject::removeRuntimeObject(JSC::Bindings::RuntimeObject*))


Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x000000010202d3ff JSC::Bindings::RootObject::removeRuntimeObject(JSC::Bindings::RuntimeObject*) + 143 (runtime_root.cpp:189)
1   com.apple.WebCore             	0x00000001015c037e JSC::Bindings::Instance::willDestroyRuntimeObject(JSC::Bindings::RuntimeObject*) + 184 (BridgeJSC.cpp:111)
2   com.apple.WebCore             	0x000000010202cfb9 JSC::Bindings::RuntimeObject::~RuntimeObject() + 75 (runtime_object.cpp:59)
3   com.apple.WebKit              	0x0000000100f5fac7 WebKit::ProxyRuntimeObject::~ProxyRuntimeObject() + 35 (ProxyRuntimeObject.mm:45)
4   com.apple.JavaScriptCore      	0x000000010088f9d8 JSC::MarkedSpace::sweep() + 122 (MarkedSpace.cpp:285)
5   com.apple.JavaScriptCore      	0x00000001007d3f3c JSC::Heap::collectAllGarbage() + 138 (Heap.cpp:403)
6   com.apple.JavaScriptCore      	0x00000001007d19e3 JSC::DefaultGCActivityCallbackPlatformData::trigger(__CFRunLoopTimer*, void*) + 59 (GCActivityCallbackCF.cpp:61)
7   com.apple.CoreFoundation      	0x00007fff80571be8 __CFRunLoopRun + 6488
8   com.apple.CoreFoundation      	0x00007fff8056fdbf CFRunLoopRunSpecific + 575
9   com.apple.HIToolbox           	0x00007fff8736c93a RunCurrentEventLoopInMode + 333
10  com.apple.HIToolbox           	0x00007fff8736c73f ReceiveNextEventCommon + 310
11  com.apple.HIToolbox           	0x00007fff8736c5f8 BlockUntilNextEventMatchingListInMode + 59
12  com.apple.AppKit              	0x00007fff81691e64 _DPSNextEvent + 718
13  com.apple.AppKit              	0x00007fff816917a9 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 155
14  com.apple.Safari              	0x00000001000162f4 0x100000000 + 90868
15  com.apple.AppKit              	0x00007fff8165748b -[NSApplication run] + 395
16  com.apple.AppKit              	0x00007fff816501a8 NSApplicationMain + 364
17  com.apple.Safari              	0x000000010000a1c0 0x100000000 + 41408
Comment 4 Oliver Hunt 2011-01-29 10:01:06 PST
Based on this stack trace I blame r76969 -- Michael, can you have a look?


(In reply to comment #3)
> I get the following crash with a debug build:
> 
> ASSERTION FAILED: m_runtimeObjects.get(object)
> (/Users/paroga/WebKit/Source/WebCore/bridge/runtime_root.cpp:189 void JSC::Bindings::RootObject::removeRuntimeObject(JSC::Bindings::RuntimeObject*))
> 
> 
> Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
> 0   com.apple.WebCore                 0x000000010202d3ff JSC::Bindings::RootObject::removeRuntimeObject(JSC::Bindings::RuntimeObject*) + 143 (runtime_root.cpp:189)
> 1   com.apple.WebCore                 0x00000001015c037e JSC::Bindings::Instance::willDestroyRuntimeObject(JSC::Bindings::RuntimeObject*) + 184 (BridgeJSC.cpp:111)
> 2   com.apple.WebCore                 0x000000010202cfb9 JSC::Bindings::RuntimeObject::~RuntimeObject() + 75 (runtime_object.cpp:59)
> 3   com.apple.WebKit                  0x0000000100f5fac7 WebKit::ProxyRuntimeObject::~ProxyRuntimeObject() + 35 (ProxyRuntimeObject.mm:45)
> 4   com.apple.JavaScriptCore          0x000000010088f9d8 JSC::MarkedSpace::sweep() + 122 (MarkedSpace.cpp:285)
> 5   com.apple.JavaScriptCore          0x00000001007d3f3c JSC::Heap::collectAllGarbage() + 138 (Heap.cpp:403)
> 6   com.apple.JavaScriptCore          0x00000001007d19e3 JSC::DefaultGCActivityCallbackPlatformData::trigger(__CFRunLoopTimer*, void*) + 59 (GCActivityCallbackCF.cpp:61)
> 7   com.apple.CoreFoundation          0x00007fff80571be8 __CFRunLoopRun + 6488
> 8   com.apple.CoreFoundation          0x00007fff8056fdbf CFRunLoopRunSpecific + 575
> 9   com.apple.HIToolbox               0x00007fff8736c93a RunCurrentEventLoopInMode + 333
> 10  com.apple.HIToolbox               0x00007fff8736c73f ReceiveNextEventCommon + 310
> 11  com.apple.HIToolbox               0x00007fff8736c5f8 BlockUntilNextEventMatchingListInMode + 59
> 12  com.apple.AppKit                  0x00007fff81691e64 _DPSNextEvent + 718
> 13  com.apple.AppKit                  0x00007fff816917a9 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 155
> 14  com.apple.Safari                  0x00000001000162f4 0x100000000 + 90868
> 15  com.apple.AppKit                  0x00007fff8165748b -[NSApplication run] + 395
> 16  com.apple.AppKit                  0x00007fff816501a8 NSApplicationMain + 364
> 17  com.apple.Safari                  0x000000010000a1c0 0x100000000 + 41408
Comment 5 Alexey Proskuryakov 2011-01-30 16:27:13 PST
*** Bug 53403 has been marked as a duplicate of this bug. ***
Comment 6 Alexey Proskuryakov 2011-01-30 16:27:44 PST
Per the duplicate, crashes under createNotAnObjectError() also occur on Intel Macs.
Comment 7 Alin S 2011-01-30 16:29:38 PST
(In reply to comment #5)
> *** Bug 53403 has been marked as a duplicate of this bug. ***

calendar.google.com too
Comment 8 Simon Fraser (smfr) 2011-01-30 16:29:59 PST
<rdar://problem/8935837>
Comment 9 Michael Saboff 2011-01-31 14:42:42 PST
Reproduced this crash with ToT plus the changes in r76925 (appropriately modified for other changes).
After applying the changes in r76969, the crash went away. The crash trace of the debug build shows the assertion failure of
    ASSERTION FAILED: m_runtimeObjects.get(object)
This is what was fixed in r76969.  With 76969, the assertion on line 189 is
    ASSERT(m_runtimeObjects.uncheckedGet(object));

*** This bug has been marked as a duplicate of bug 53271 ***