> These crashes take down the whole browser and not just causing the tabs to reload.

This is new behavior in Safari 6, not something specific to these crashes (and of consequentially off-topic for the WebKit project).

It's not clear to me if this crash itself is a Safari or a WebKit issue. CC'ing some folks who may know.

I've getting the occassional crash with JSWeakObjectMapGet near the top since at least July 2nd with Lion and Safari 5.1.7 as well. See attachement.

Created attachment 154760 [details]
Lion Safari 5.1.7 crashes

Looks like someone is passing NULL to JSWeakObjectMapGet.

Probably best to file this information at bugreporter.apple.com along with a list of Safari extensions installed. This isn't a WebKit bug.

*** Bug 92581 has been marked as a duplicate of this bug. ***

*** Bug 92809 has been marked as a duplicate of this bug. ***

<rdar://problem/11862553>

> This isn't a WebKit bug.

Isn't this a WebKit regression though? I don't see any crashes happening with shipping Safari/WebKit, they are all with newer WebKits, such as nightlies.

Created attachment 156534 [details]
another crash report

Webkit crashes regularly and often. Safari does not crash at all.

*** Bug 93183 has been marked as a duplicate of this bug. ***

*** Bug 93273 has been marked as a duplicate of this bug. ***

Created attachment 157123 [details]
crashed again and again. once per hour at least.

again, webkit is crashing and safari is not.

This is the most common bug I experience daily too.

Here is a 1-click reduction of the bug:

Using webkit version 6.0 (7536.25, 537+)

In safari->preferences->tabs set the top checkbox so that
 "command-click opens a link in a new tab"

now hold down the command key and click the following link:

   http://mashable.com/2012/08/09/mars-rover-landing-stats/

your browser should crash.

Can you please figure out which Safari extensions needs to be enabled for this to happen? This certainly doesn't happen when extensions are disabled.

Disabled Safari extensions completely. Still crashes always.

Confirmed. Crashes with:
 1. safari->preferences->extensions->off
 2. restart safari.
 3. confirm extensions are still off.
 4. click link with command-key held down

safari still crashes. every time and immediately after clicking link.


(extensions which were disabled are:
   . Ghostery 1.3.0
   . AdBlock 2.5.40
)

Command-clicking that link doesn't crash for me even with all my extension on. This crash bug is just do random at times. I would love to see something repeatable so the devs could track it down.

Here's a repeatable crash I just stumbled on. I don't think it matters which sites you have loaded, but for our purposes load amazon.com in multiple tabs. At least 3 tabs should be used, but I find the more you have (6+) the more likely for it to trigger a crash. Once you have the tabs open, press Command-W repeatedly as fast as you can to close all of the tabs until you likely hear the can't do it anymore beep. If it's like mine you'll crash with:

Process:         WebProcess [16196]
Path:            /Applications/WebKit.app/Contents/Frameworks/10.8/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess
Identifier:      com.apple.WebProcess
Version:         537+ (537.4+)
Code Type:       X86-64 (Native)
Parent Process:  ??? [1]
User ID:         501

Date/Time:       2012-08-09 18:11:37.810 -0400
OS Version:      Mac OS X 10.8 (12A269)
Report Version:  10

Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000001218

VM Regions Near 0x1218:
--> 
    __TEXT                 00000001046ec000-00000001046ed000 [    4K] r-x/rwx SM=COW  /Applications/WebKit.app/Contents/Frameworks/10.8/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess

Application Specific Information:
Bundle controller class:
BrowserBundleController
 

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x0000000104bd7de6 JSWeakObjectMapGet + 38
1   com.apple.Safari.framework    	0x00007fff82ea6055 Safari::JSWrapper::disconnectAllWrappers(Safari::JSWrappable const*) + 85
2   com.apple.Safari.framework    	0x00007fff82dd0f23 Safari::ContentExtension::invalidateContentExtensionPage(Safari::WK::BundlePage const&) + 161
3   com.apple.Safari.framework    	0x00007fff82dd95fa Safari::ContentExtensionsController::invalidateContentWebPages(Safari::WK::BundlePage const&) + 100
4   com.apple.Safari.framework    	0x00007fff82d36885 Safari::BrowserBundleController::willDestroyPage(Safari::WK::Bundle const&, Safari::WK::BundlePage const&) + 87
5   com.apple.Safari.framework    	0x00007fff82dba89d Safari::WK::willDestroyPage(OpaqueWKBundle const*, OpaqueWKBundlePage const*, void const*) + 65
6   com.apple.WebKit2             	0x00000001047d4939 WebKit::WebPage::close() + 69
7   com.apple.WebKit2             	0x000000010479bf55 WebKit::WebConnectionToUIProcess::didReceiveMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::ArgumentDecoder*) + 179
8   com.apple.WebKit2             	0x0000000104738059 CoreIPC::Connection::dispatchMessage(CoreIPC::Connection::Message<CoreIPC::ArgumentDecoder>&) + 175
9   com.apple.WebKit2             	0x0000000104739577 CoreIPC::Connection::dispatchOneMessage() + 139
10  com.apple.WebCore             	0x0000000105880a88 WebCore::RunLoop::performWork() + 312
11  com.apple.WebCore             	0x0000000105881105 WebCore::RunLoop::performWork(void*) + 53
12  com.apple.CoreFoundation      	0x00007fff8d87e841 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
13  com.apple.CoreFoundation      	0x00007fff8d87e165 __CFRunLoopDoSources0 + 245
14  com.apple.CoreFoundation      	0x00007fff8d8a14e5 __CFRunLoopRun + 789
15  com.apple.CoreFoundation      	0x00007fff8d8a0dd2 CFRunLoopRunSpecific + 290
16  com.apple.HIToolbox           	0x00007fff86447774 RunCurrentEventLoopInMode + 209
17  com.apple.HIToolbox           	0x00007fff86447512 ReceiveNextEventCommon + 356
18  com.apple.HIToolbox           	0x00007fff864473a3 BlockUntilNextEventMatchingListInMode + 62
19  com.apple.AppKit              	0x00007fff855d8fa3 _DPSNextEvent + 685
20  com.apple.AppKit              	0x00007fff855d8862 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
21  com.apple.AppKit              	0x00007fff855cfc03 -[NSApplication run] + 517
22  com.apple.WebCore             	0x00000001058816e3 WebCore::RunLoop::run() + 67
23  com.apple.WebKit2             	0x000000010481ba8a WebKit::WebProcessMain(WebKit::CommandLine const&) + 2586
24  com.apple.WebKit2             	0x00000001047ca65b WebKitMain + 285
25  com.apple.WebProcess          	0x00000001046ece7b main + 214
26  libdyld.dylib                 	0x00007fff8883a7e1 start + 1

Doesn't seem to trigger the crash with extensions off or with Safari 6, so I'll see if I can narrow this down.

Bug 93659 may be a duplicate of this.

I am now seeing the backtrace reported in 93659 when I do the click-the-link crash.

In that report, the backtrace shows the segfault in:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebKit2             	0x000000010bd51194 WebKit::PluginProxy::destroy() + 20
1   com.apple.WebKit2             	0x000000010bd448ff WebKit::Plugin::destroyPlugin() + 15
2   com.apple.WebKit2             	0x000000010bd55511 WebKit::PluginView::~PluginView() + 229
3   com.apple.WebKit2             	0x000000010bd553aa WebKit::PluginView::~PluginView() + 14
4   com.apple.WebCore             	0x000000010cdf250b WebCore::RenderWidget::resumeWidgetHierarchyUpdates() + 699
5   com.apple.WebCore             	0x000000010c6c2f2a WebCore::Element::detach() + 458
6   com.apple.WebCore             	0x000000010c7f324b WebCore::HTMLPlugInElement::detach() + 187

Didn't crash with exenstions on but all disabled.

Did crash with Ghostery the only one enabled. Will try other individuals.

Relaunch Webkit then cause an instant crash when it tried to re-open the previous windows before the crash (I closed them real quick to get around this crash since it was now happening every time I launched Webkit.

Here's the new crash:

Process:         WebProcess [16361]
Path:            /Applications/WebKit.app/Contents/Frameworks/10.8/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess
Identifier:      com.apple.WebProcess
Version:         537+ (537.4+)
Code Type:       X86-64 (Native)
Parent Process:  SafariForWebKitDevelopment [16358]
User ID:         501

Date/Time:       2012-08-09 18:23:33.118 -0400
OS Version:      Mac OS X 10.8 (12A269)
Report Version:  10

Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000020

VM Regions Near 0x20:
--> 
    __TEXT                 00000001046db000-00000001046dc000 [    4K] r-x/rwx SM=COW  /Applications/WebKit.app/Contents/Frameworks/10.8/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess

Application Specific Information:
Bundle controller class:
BrowserBundleController
 

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebKit2             	0x000000010476b39a WebKit::PluginProxy::destroy() + 20
1   com.apple.WebKit2             	0x000000010475e71c WebKit::Plugin::destroyPlugin() + 18
2   com.apple.WebKit2             	0x000000010476f749 WebKit::PluginView::~PluginView() + 229
3   com.apple.WebKit2             	0x000000010476f5e1 WebKit::PluginView::~PluginView() + 17
4   com.apple.WebCore             	0x0000000105847f0b WebCore::RenderWidget::resumeWidgetHierarchyUpdates() + 715
5   com.apple.WebCore             	0x000000010510aa8a WebCore::Element::detach() + 458
6   com.apple.WebCore             	0x000000010523cdf2 WebCore::HTMLPlugInElement::detach() + 194
7   com.apple.WebCore             	0x0000000104ef0d70 WebCore::ContainerNode::removeChild(WebCore::Node*, int&) + 624
8   com.apple.WebCore             	0x00000001056bf5e9 WebCore::Node::removeChild(WebCore::Node*, int&) + 25
9   com.apple.WebCore             	0x00000001054fb9ec WebCore::JSNode::removeChild(JSC::ExecState*) + 60
10  com.apple.WebCore             	0x00000001054f98a3 WebCore::jsNodePrototypeFunctionRemoveChild(JSC::ExecState*) + 83
11  ???                           	0x000000010697d265 0 + 4405580389
12  com.apple.JavaScriptCore      	0x0000000104b47731 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 913
13  com.apple.JavaScriptCore      	0x0000000104a9a034 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 52
14  com.apple.WebCore             	0x0000000105870e2c WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue, WebCore::ScriptExecutionContext*) + 508
15  com.apple.WebCore             	0x0000000105870a3c WebCore::ScheduledAction::execute(WebCore::Document*) + 156
16  com.apple.WebCore             	0x00000001050cd7e6 WebCore::DOMTimer::fired() + 342
17  com.apple.WebCore             	0x0000000105a25b04 WebCore::ThreadTimers::sharedTimerFiredInternal() + 148
18  com.apple.WebCore             	0x00000001058b75c3 WebCore::timerFired(__CFRunLoopTimer*, void*) + 51
19  com.apple.CoreFoundation      	0x00007fff8d8bc4b4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
20  com.apple.CoreFoundation      	0x00007fff8d8bbfcd __CFRunLoopDoTimer + 557
21  com.apple.CoreFoundation      	0x00007fff8d8a17b9 __CFRunLoopRun + 1513
22  com.apple.CoreFoundation      	0x00007fff8d8a0dd2 CFRunLoopRunSpecific + 290
23  com.apple.HIToolbox           	0x00007fff86447774 RunCurrentEventLoopInMode + 209
24  com.apple.HIToolbox           	0x00007fff86447512 ReceiveNextEventCommon + 356
25  com.apple.HIToolbox           	0x00007fff864473a3 BlockUntilNextEventMatchingListInMode + 62
26  com.apple.AppKit              	0x00007fff855d8fa3 _DPSNextEvent + 685
27  com.apple.AppKit              	0x00007fff855d8862 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
28  com.apple.AppKit              	0x00007fff855cfc03 -[NSApplication run] + 517
29  com.apple.WebCore             	0x000000010586c6e3 WebCore::RunLoop::run() + 67
30  com.apple.WebKit2             	0x0000000104806a8a WebKit::WebProcessMain(WebKit::CommandLine const&) + 2586
31  com.apple.WebKit2             	0x00000001047b565b WebKitMain + 285
32  com.apple.WebProcess          	0x00000001046dbe7b main + 214
33  libdyld.dylib                 	0x00007fff8883a7e1 start + 1

OK, it's looking like no matter what extension I enable 1 at a  time, it crashes. So it appears to me to be a general extension issue and not extension specific.

As I previously noted, my first crash for this was July 2nd, so I'd check r121678 and earlier for commits that may be the cause.

I cannot reproduce the crash by quickly closing multiple tabs with amazon.com either.

The PluginProxy::destroy crash is entirely different. While it is possible that both have a similar cause (e.g. memory corruption), please don't report crashes other than the original JSWrapper::disconnectAllWrappers/JSWeakObjectMapGet one in this bug.

Can anyone reproduce _this_ crash with extensions off?

I can reproduce the crash by closing many amazon.com tabs with Ghostery plug-in enabled, which is great. I'll let the person working on the bug know.

I reported the other crash because 1 crash led to the other and were possibly related. How are we supposed to know otherwise. It's better to have too much information than too little.

(In reply to comment #26)
> I can reproduce the crash by closing many amazon.com tabs with Ghostery plug-in enabled, which is great. I'll let the person working on the bug know.

Just don't miss my message where I found it didn't matter which extension I enabled, any one of them seem to create the environment for a crash.

(In reply to comment #25)
> Can anyone reproduce _this_ crash with extensions off?

Yes, I can.

Extensions don't seem to matter, but I turned off plugins:
safari->preferences->security->enable plugins (unchecked)

Now I cannot cause webkit to crash at all.

The disabled plugins are:

 .  DivX Web Player version 2.0.2.39 — from file “DivXBrowserPlugin.plugin”.
 .  Google Talk NPAPI Plugin Version 3.4.2.8800 — from file “googletalkbrowserplugin.plugin”.
 . The Google Earth Plugin— from file “Google Earth Web Plug-in.plugin”.
 . Google Talk Plugin Video Accelerator version:0.1.44.16 — from file “npgtpo3dautoplugin.plugin”.
 . iPhoto6 — from file “iPhotoPhotocast.plugin”.
 . Java Applet Plug-in Displays Java applet content, or a placeholder if Java is not installed. — from file “JavaAppletPlugin.plugin”.
 . The QuickTime Plugin  — from file “QuickTime Plugin.plugin”.
 . Microsoft Office for Mac SharePoint Browser Plug-in — from file “SharePointBrowserPlugin.plugin”.
 . Shockwave Flash 11.3 r300 — from file “Flash Player.plugin”.
 . WebKit built-in PDF

I will begin sorting through them to see which one might be responsible.

*** Bug 94503 has been marked as a duplicate of this bug. ***

This doesn't just happen in 10.7, I'm seeing it in 10.6

> This doesn't just happen in 10.7, I'm seeing it in 10.6

Safari 6 does not exist on Snow Leopard. We do not put any effort into maintaining compatibility with old Safari releases.

(In reply to comment #33)
> > This doesn't just happen in 10.7, I'm seeing it in 10.6
> 
> Safari 6 does not exist on Snow Leopard. We do not put any effort into maintaining compatibility with old Safari releases.

Then my bug is not a duplicate. Safari 5.1.7 is what's crashing in my bug (with the same trace apparently).

(In reply to comment #34)
>
> Then my bug is not a duplicate. Safari 5.1.7 is what's crashing in my bug (with the same trace apparently).

Yes, we already mention above that this was happening in Safari 5.1 before Mountain Lion/Safari 6 was released.

This has been found to be a bug outside WebKit that just got more prominent due to WebKit changes.

Fixed in Safari 6.0.1.