Bug 60854 - REGRESSION (r86482-r86499): Crash in JSC::slowValidateCell
Summary: REGRESSION (r86482-r86499): Crash in JSC::slowValidateCell
Status: RESOLVED WORKSFORME
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Mac (PowerPC) OS X 10.5
: P2 Critical
Assignee: Nobody
URL:
Keywords: Regression
Depends on:
Blocks:
 
Reported: 2011-05-15 08:38 PDT by Kevin M. Dean
Modified: 2011-05-20 12:10 PDT

See Also:


Attachments

Description Kevin M. Dean 2011-05-15 08:38:02 PDT
Having trouble determining a consistent repeatable link, but I've crashed 3 times today with the current nightly. The crash is triggered when I close an existing tab with multiple tabs open.

Here are 2 crash log variations.

Process:         Safari [2373]
Path:            /Applications/WebKit.app/Contents/MacOS/WebKit
Identifier:      org.webkit.nightly.WebKit
Version:         r86499 (86499)
Code Type:       PPC (Native)
Parent Process:  launchd [118]

Date/Time:       2011-05-15 11:11:07.265 -0400
OS Version:      Mac OS X 10.5.8 (9L30)
Report Version:  6
Anonymous UUID:  F41C1802-6457-4B49-A738-107FEBA3B7F7

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x000000001f3443a4
Crashed Thread:  0

Thread 0 Crashed:
0   com.apple.JavaScriptCore      	0x007f4b30 JSC::slowValidateCell(JSC::JSCell*) + 64
1   com.apple.JavaScriptCore      	0x007c7dc0 JSC::Interpreter::tryCacheGetByID(JSC::ExecState*, JSC::CodeBlock*, JSC::Instruction*, JSC::JSValue, JSC::Identifier const&, JSC::PropertySlot const&) + 448
2   com.apple.JavaScriptCore      	0x007d0bd0 JSC::Interpreter::privateExecute(JSC::Interpreter::ExecutionFlag, JSC::RegisterFile*, JSC::ExecState*) + 32128
3   com.apple.JavaScriptCore      	0x007e45f8 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1816
4   com.apple.JavaScriptCore      	0x0077a8b4 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 84
5   com.apple.WebCore             	0x01f77ae0 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 2768
6   com.apple.WebCore             	0x01ba42e8 WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul>&) + 376
7   com.apple.WebCore             	0x01ba43f4 WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 116
8   com.apple.WebCore             	0x01b8c848 WebCore::EventContext::handleLocalEvents(WebCore::Event*) const + 136
9   com.apple.WebCore             	0x01b8d2ec WebCore::EventDispatcher::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) + 956
10  com.apple.WebCore             	0x01b8c708 WebCore::EventDispatchMediator::dispatchEvent(WebCore::EventDispatcher*) const + 56
11  com.apple.WebCore             	0x01b8d61c WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WebCore::EventDispatchMediator const&) + 60
12  com.apple.WebCore             	0x0247935c WebCore::Node::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) + 60
13  com.apple.WebCore             	0x01ba4108 WebCore::EventTarget::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&) + 152
14  com.apple.WebCore             	0x01b92a98 WebCore::EventHandler::keyEvent(WebCore::PlatformKeyboardEvent const&) + 1016
15  com.apple.WebKit              	0x00a15154 -[WebHTMLView flagsChanged:] + 180
16  com.apple.AppKit              	0x96a36e3c -[NSWindow sendEvent:] + 7428
17  com.apple.Safari              	0x00045b9c 0x1000 + 281500
18  com.apple.Safari              	0x00045b28 0x1000 + 281384
19  com.apple.AppKit              	0x96a0967c -[NSApplication sendEvent:] + 3256
20  com.apple.Safari              	0x0003bc88 0x1000 + 240776
21  com.apple.AppKit              	0x969768d4 -[NSApplication run] + 800
22  com.apple.AppKit              	0x96947298 NSApplicationMain + 440
23  com.apple.Safari              	0x0000c068 0x1000 + 45160



Process:         Safari [2393]
Path:            /Applications/WebKit.app/Contents/MacOS/WebKit
Identifier:      org.webkit.nightly.WebKit
Version:         r86499 (86499)
Code Type:       PPC (Native)
Parent Process:  launchd [118]

Date/Time:       2011-05-15 11:23:15.184 -0400
OS Version:      Mac OS X 10.5.8 (9L30)
Report Version:  6
Anonymous UUID:  F41C1802-6457-4B49-A738-107FEBA3B7F7

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000005
Crashed Thread:  0

Thread 0 Crashed:
0   com.apple.JavaScriptCore      	0x007f4b34 JSC::slowValidateCell(JSC::JSCell*) + 68
1   com.apple.JavaScriptCore      	0x007c5334 JSC::Interpreter::tryCachePutByID(JSC::ExecState*, JSC::CodeBlock*, JSC::Instruction*, JSC::JSValue, JSC::PutPropertySlot const&) + 196
2   com.apple.JavaScriptCore      	0x007d285c JSC::Interpreter::privateExecute(JSC::Interpreter::ExecutionFlag, JSC::RegisterFile*, JSC::ExecState*) + 39436
3   com.apple.JavaScriptCore      	0x007e45f8 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1816
4   com.apple.JavaScriptCore      	0x0077a8b4 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 84
5   com.apple.WebCore             	0x01f77ae0 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 2768
6   com.apple.WebCore             	0x01ba42e8 WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul>&) + 376
7   com.apple.WebCore             	0x01ba43f4 WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 116
8   com.apple.WebCore             	0x01b4af74 WebCore::DOMWindow::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, WTF::PassRefPtr<WebCore::EventTarget>) + 340
9   com.apple.WebCore             	0x01bec124 WebCore::FrameLoader::stopLoading(WebCore::UnloadEventPolicy) + 1060
10  com.apple.WebCore             	0x01bec4f4 WebCore::FrameLoader::closeURL() + 68
11  com.apple.WebCore             	0x01bec564 WebCore::FrameLoader::detachFromParent() + 68
12  com.apple.WebKit              	0x00a62bf4 -[WebView(WebPrivate) _close] + 148
13  com.apple.Safari              	0x0008bcb4 0x1000 + 568500
14  com.apple.Safari              	0x0008bc40 0x1000 + 568384
15  com.apple.Safari              	0x0008b1d4 0x1000 + 565716
16  com.apple.Safari              	0x000d44b4 0x1000 + 865460
17  com.apple.Safari              	0x000d5dcc 0x1000 + 871884
18  com.apple.AppKit              	0x96a39354 -[NSApplication sendAction:to:from:] + 104
19  com.apple.Safari              	0x0004e350 0x1000 + 316240
20  com.apple.AppKit              	0x96ad4d14 -[NSMenu performActionForItemAtIndex:] + 408
21  com.apple.AppKit              	0x96ad4a44 -[NSCarbonMenuImpl performActionWithHighlightingForItemAtIndex:] + 228
22  com.apple.AppKit              	0x96ad470c -[NSMenu performKeyEquivalent:] + 744
23  com.apple.AppKit              	0x96ad31f0 -[NSApplication _handleKeyEquivalent:] + 456
24  com.apple.AppKit              	0x96a09820 -[NSApplication sendEvent:] + 3676
25  com.apple.Safari              	0x0003bc88 0x1000 + 240776
26  com.apple.AppKit              	0x969768d4 -[NSApplication run] + 800
27  com.apple.AppKit              	0x96947298 NSApplicationMain + 440
28  com.apple.Safari              	0x0000c068 0x1000 + 45160
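As an added example that is not part of this bug report and not WebKit code: a small Python triage script for Mac OS X crash reports in the format pasted above. It parses the header fields and the crashed thread's frames from the two reports (embedded below as constructed, trimmed copies of the logs in this bug), applies the usual coarse heuristic that separates a near-null fault (the SIGBUS at 0x5) from a wild-pointer fault (the SIGSEGV at 0x1f3443a4), and derives a de-duplication key from the top frames so that variants of one bug can be grouped. The 64 KiB near-null threshold, the bucket labels and the `triage` notes are assumptions of this example, not anything the reporter or WebKit stated.

```python
"""Triage helper for Mac OS X crash reports (added example, not WebKit code).

Parses the header and the crashed thread's frames, classifies the fault
address with a simple heuristic and builds a de-duplication key.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed samples: the two reports from this bug, trimmed to the lines
# the parser reads. Frame symbols keep their argument lists because real
# reports carry them and the regex must cope with the embedded spaces.
REPORT_GET = """Process:         Safari [2373]
Version:         r86499 (86499)
Code Type:       PPC (Native)

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x000000001f3443a4
Crashed Thread:  0

Thread 0 Crashed:
0   com.apple.JavaScriptCore      \t0x007f4b30 JSC::slowValidateCell(JSC::JSCell*) + 64
1   com.apple.JavaScriptCore      \t0x007c7dc0 JSC::Interpreter::tryCacheGetByID(JSC::ExecState*, JSC::CodeBlock*, JSC::Instruction*, JSC::JSValue, JSC::Identifier const&, JSC::PropertySlot const&) + 448
2   com.apple.JavaScriptCore      \t0x007d0bd0 JSC::Interpreter::privateExecute(JSC::Interpreter::ExecutionFlag, JSC::RegisterFile*, JSC::ExecState*) + 32128
3   com.apple.Safari              \t0x00045b9c 0x1000 + 281500

Thread 1:
0   libSystem.B.dylib             \t0x9000a6c0 mach_msg_trap + 12
"""

REPORT_PUT = """Process:         Safari [2393]
Version:         r86499 (86499)
Code Type:       PPC (Native)

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000005
Crashed Thread:  0

Thread 0 Crashed:
0   com.apple.JavaScriptCore      \t0x007f4b34 JSC::slowValidateCell(JSC::JSCell*) + 68
1   com.apple.JavaScriptCore      \t0x007c5334 JSC::Interpreter::tryCachePutByID(JSC::ExecState*, JSC::CodeBlock*, JSC::Instruction*, JSC::JSValue, JSC::PutPropertySlot const&) + 196
2   com.apple.JavaScriptCore      \t0x007d285c JSC::Interpreter::privateExecute(JSC::Interpreter::ExecutionFlag, JSC::RegisterFile*, JSC::ExecState*) + 39436
"""

# Assumption: anything in the first 64 KiB is treated as a NULL-page fault.
NEAR_NULL_LIMIT = 0x10000

FRAME_RE = re.compile(r"^(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(.+?) \+ (\d+)\s*$")


@dataclass
class Frame:
    index: int
    image: str
    address: int
    symbol: str   # function name (with argument list), without "+ offset"
    offset: int


@dataclass
class CrashReport:
    process: str
    version: str
    exception_type: str
    signal: str
    exception_code: str
    fault_address: int
    crashed_thread: int
    frames: List[Frame]


def _field(text: str, pattern: str):
    """Return the match for a required header line or raise a clear error."""
    m = re.search(pattern, text, re.MULTILINE)
    if not m:
        raise ValueError(f"header field not found: {pattern}")
    return m


def parse_report(text: str) -> CrashReport:
    process = _field(text, r"^Process:\s+(.+)$").group(1).strip()
    version = _field(text, r"^Version:\s+(.+)$").group(1).strip()
    m = _field(text, r"^Exception Type:\s+(\S+) \((\w+)\)")
    exc_type, signal = m.group(1), m.group(2)
    m = _field(text, r"^Exception Codes:\s+(\S+) at (0x[0-9a-fA-F]+)")
    exc_code, fault = m.group(1), int(m.group(2), 16)
    crashed = int(_field(text, r"^Crashed Thread:\s+(\d+)").group(1))

    # Collect frames of the crashed thread only; the section ends at a blank line.
    frames: List[Frame] = []
    in_crashed = False
    for line in text.splitlines():
        if re.match(rf"^Thread {crashed} Crashed:", line):
            in_crashed = True
            continue
        if in_crashed:
            if not line.strip():
                break
            fm = FRAME_RE.match(line)
            if fm:
                frames.append(Frame(int(fm.group(1)), fm.group(2), int(fm.group(3), 16),
                                    fm.group(4).strip(), int(fm.group(5))))
    return CrashReport(process, version, exc_type, signal, exc_code, fault, crashed, frames)


def strip_args(symbol: str) -> str:
    """'JSC::foo(JSC::Bar*)' -> 'JSC::foo'; unsymbolicated '0x1000' stays as is."""
    return symbol.split("(", 1)[0]


def classify(report: CrashReport) -> str:
    """Coarse bucket from the fault address (heuristic, not a proof of anything)."""
    return "near-null" if report.fault_address < NEAR_NULL_LIMIT else "wild-pointer"


def bucket_key(report: CrashReport, depth: int = 3) -> str:
    """De-duplication key: top `depth` function names, offsets dropped."""
    return "|".join(strip_args(f.symbol) for f in report.frames[:depth])


def triage(report: CrashReport) -> dict:
    kind = classify(report)
    notes = []
    if kind == "near-null":
        notes.append(f"fault at {report.fault_address:#x}: NULL or small tagged value used as a "
                     f"pointer, the offset is typically a field access")
    else:
        notes.append(f"fault at {report.fault_address:#x}: non-null unmapped address, consistent "
                     f"with a stale or corrupted object pointer (lifetime/GC bug)")
    # The validator only inspects the pointer it was handed, so the suspect value
    # originates in the caller (frame 1), not in frame 0 itself.
    if report.frames and "ValidateCell" in report.frames[0].symbol and len(report.frames) > 1:
        notes.append("top frame is a cell validator; bad pointer came from "
                     + strip_args(report.frames[1].symbol))
    return {"signal": report.signal, "kind": kind, "bucket": bucket_key(report), "notes": notes}


if __name__ == "__main__":
    for text in (REPORT_GET, REPORT_PUT):
        print(triage(parse_report(text)))
```

Run over the two reports, the script places them in different buckets (the caller of slowValidateCell differs: tryCacheGetByID versus tryCachePutByID) but flags both as a bad JSCell pointer handed to the validator. Of the two, the SIGSEGV at an unmapped non-null address is the one worth chasing first: a near-null fault usually means a null or tagged value reached the check, while a wild address points at an object that was freed or overwritten while still referenced.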
Comment 1 Oliver Hunt 2011-05-16 08:48:09 PDT
Interpreter gc bug possibly, or perhaps a null check that is too aggressive.  Need symbols :-/
Comment 2 Kevin M. Dean 2011-05-16 13:55:52 PDT
I've been running r86536 today and I haven't had a recurrence of the crashes like I was the other day. So, possibly resolved by another fix?
Comment 3 Oliver Hunt 2011-05-16 14:11:49 PDT
I suspect it's mostly luck unfortunately.  Still I expect something slightly more reproducible will turn up eventually.
Comment 4 Kevin M. Dean 2011-05-20 12:10:15 PDT
When I was having crashes, it was all within minutes of using webkit. While it wasn't always consistent what triggered it, it would reliably crash.

As I mentioned previously, I'm no longer having the crashes and haven't since Monday the 16th, so I'm marking this as resolved.