RESOLVED INVALID 92397
Crash in JSWeakObjectMapGet called from Safari::JSWrapper::disconnectAllWrappers
https://bugs.webkit.org/show_bug.cgi?id=92397
Kevin M. Dean
Reported 2012-07-26 10:39:36 PDT
First, 10.8 needs to be added to the OS list.

Running 10.8/Safari 6 with the latest nightly. I've received a few crashes today, sometimes when closing a window, sometimes clicking the back button. It's unclear on exact cause and the crash report isn't always exactly the same. These crashes take down the whole browser and not just causing the tabs to reload.

Here's 3 excerpts:

1:

Process: WebProcess [929]
Path: /Applications/WebKit.app/Contents/Frameworks/10.8/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess
Identifier: com.apple.WebProcess
Version: 537+ (537.3+)
Code Type: X86-64 (Native)
Parent Process: ??? [1]
User ID: 501

Date/Time: 2012-07-26 10:19:33.193 -0400
OS Version: Mac OS X 10.8 (12A269)
Report Version: 10

Crashed Thread: 0 Dispatch queue: com.apple.main-thread

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000000

VM Regions Near 0:
--> __TEXT 0000000104ad2000-0000000104ad3000 [ 4K] r-x/rwx SM=COW /Applications/WebKit.app/Contents/Frameworks/10.8/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess

Application Specific Information:
Bundle controller class: BrowserBundleController

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.JavaScriptCore 0x0000000104fb5046 JSWeakObjectMapGet + 86
1 com.apple.Safari.framework 0x00007fff8f18b055 Safari::JSWrapper::disconnectAllWrappers(Safari::JSWrappable const*) + 85
2 com.apple.Safari.framework 0x00007fff8f0b634f Safari::ContentExtension::willDestroyGlobalObjectForDOMWindowExtension(Safari::WK::BundlePage const&, Safari::WK::BundleDOMWindowExtension const&) + 103
3 com.apple.Safari.framework 0x00007fff8f0be586 Safari::ContentExtensionsController::willDestroyGlobalObjectForDOMWindowExtension(Safari::WK::BundlePage const&, Safari::WK::BundleDOMWindowExtension const&) + 120
4 com.apple.Safari.framework 0x00007fff8f0a2df8 Safari::WK::willDestroyGlobalObjectForDOMWindowExtension(OpaqueWKBundlePage const*, OpaqueWKBundleDOMWindowExtension const*, void const*) + 74
5 com.apple.WebKit2 0x0000000104b33b0f WebKit::InjectedBundlePageLoaderClient::willDestroyGlobalObjectForDOMWindowExtension(WebKit::WebPage*, WebCore::DOMWindowExtension*) + 111
6 com.apple.WebCore 0x00000001054c1fa5 WebCore::DOMWindowExtension::willDetachGlobalObjectFromFrame() + 37
7 com.apple.WebCore 0x00000001054bc34b WebCore::DOMWindow::willDetachDocumentFromFrame() + 267
8 com.apple.WebCore 0x00000001053b2a58 WebCore::Document::prepareForDestruction() + 56
9 com.apple.WebCore 0x0000000105550064 WebCore::Frame::setView(WTF::PassRefPtr<WebCore::FrameView>) + 68
10 com.apple.WebCore 0x0000000105551691 WebCore::Frame::createView(WebCore::IntSize const&, WebCore::Color const&, bool, WebCore::IntSize const&, bool, WebCore::ScrollbarMode, bool, WebCore::ScrollbarMode, bool) + 97
11 com.apple.WebKit2 0x0000000104b9d17c WebKit::WebFrameLoaderClient::transitionToCommittedForNewPage() + 198
12 com.apple.WebCore 0x000000010555c96c WebCore::FrameLoader::transitionToCommitted(WTF::PassRefPtr<WebCore::CachedPage>) + 668
13 com.apple.WebCore 0x000000010555c21e WebCore::FrameLoader::commitProvisionalLoad() + 350
14 com.apple.WebCore 0x00000001053c60cc WebCore::DocumentLoader::commitLoad(char const*, int) + 76
15 com.apple.WebCore 0x0000000105c23ad5 WebCore::ResourceLoader::didReceiveData(char const*, int, long long, bool) + 53
16 com.apple.WebCore 0x0000000105a4ac66 WebCore::MainResourceLoader::didReceiveData(char const*, int, long long, bool) + 694
17 com.apple.WebCore 0x0000000105c24118 WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle*, char const*, int, int) + 136
18 com.apple.Foundation 0x00007fff910691e8 __65-[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:]_block_invoke_0 + 28
19 com.apple.Foundation 0x00007fff9106912c -[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:] + 227
20 com.apple.Foundation 0x00007fff91069028 -[NSURLConnectionInternal _withActiveConnectionAndDelegate:] + 63
21 com.apple.Foundation 0x00007fff9106bb4b _NSURLConnectionDidReceiveData_LengthReceived + 86
22 com.apple.CFNetwork 0x00007fff9658b944 ___delegate_didReceiveDataArray_block_invoke_0 + 132
23 com.apple.CFNetwork 0x00007fff9657e6fa ___withDelegateAsync_block_invoke_0 + 90
24 com.apple.CFNetwork 0x00007fff9660e5ca __block_global_1 + 28
25 com.apple.CoreFoundation 0x00007fff99b81e44 CFArrayApplyFunction + 68
26 com.apple.CFNetwork 0x00007fff9656f894 RunloopBlockContext::perform() + 124
27 com.apple.CFNetwork 0x00007fff9656f76b MultiplexerSource::perform() + 221
28 com.apple.CoreFoundation 0x00007fff99b63841 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
29 com.apple.CoreFoundation 0x00007fff99b6322d __CFRunLoopDoSources0 + 445
30 com.apple.CoreFoundation 0x00007fff99b864e5 __CFRunLoopRun + 789
31 com.apple.CoreFoundation 0x00007fff99b85dd2 CFRunLoopRunSpecific + 290
32 com.apple.HIToolbox 0x00007fff9272c774 RunCurrentEventLoopInMode + 209
33 com.apple.HIToolbox 0x00007fff9272c512 ReceiveNextEventCommon + 356
34 com.apple.HIToolbox 0x00007fff9272c3a3 BlockUntilNextEventMatchingListInMode + 62
35 com.apple.AppKit 0x00007fff918bdfa3 _DPSNextEvent + 685
36 com.apple.AppKit 0x00007fff918bd862 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
37 com.apple.AppKit 0x00007fff918b4c03 -[NSApplication run] + 517
38 com.apple.WebCore 0x0000000105c35c13 WebCore::RunLoop::run() + 67
39 com.apple.WebKit2 0x0000000104bfb78c WebKit::WebProcessMain(WebKit::CommandLine const&) + 2586
40 com.apple.WebKit2 0x0000000104baac7b WebKitMain + 285
41 com.apple.WebProcess 0x0000000104ad2e7b main + 214
42 libdyld.dylib 0x00007fff94b1f7e1 start + 1

2:

Process: WebProcess [1888]
Path: /Applications/WebKit.app/Contents/Frameworks/10.8/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess
Identifier: com.apple.WebProcess
Version: 537+ (537.3+)
Code Type: X86-64 (Native)
Parent Process: ??? [1]
User ID: 501

Date/Time: 2012-07-26 12:21:38.638 -0400
OS Version: Mac OS X 10.8 (12A269)
Report Version: 10

Crashed Thread: 0 Dispatch queue: com.apple.main-thread

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000000010c8

VM Regions Near 0x10c8:
--> __TEXT 000000010126b000-000000010126c000 [ 4K] r-x/rwx SM=COW /Applications/WebKit.app/Contents/Frameworks/10.8/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess

Application Specific Information:
Bundle controller class: BrowserBundleController

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.JavaScriptCore 0x000000010174e016 JSWeakObjectMapGet + 38
1 com.apple.Safari.framework 0x00007fff8f18b055 Safari::JSWrapper::disconnectAllWrappers(Safari::JSWrappable const*) + 85
2 com.apple.Safari.framework 0x00007fff8f0b634f Safari::ContentExtension::willDestroyGlobalObjectForDOMWindowExtension(Safari::WK::BundlePage const&, Safari::WK::BundleDOMWindowExtension const&) + 103
3 com.apple.Safari.framework 0x00007fff8f0be586 Safari::ContentExtensionsController::willDestroyGlobalObjectForDOMWindowExtension(Safari::WK::BundlePage const&, Safari::WK::BundleDOMWindowExtension const&) + 120
4 com.apple.Safari.framework 0x00007fff8f0a2df8 Safari::WK::willDestroyGlobalObjectForDOMWindowExtension(OpaqueWKBundlePage const*, OpaqueWKBundleDOMWindowExtension const*, void const*) + 74
5 com.apple.WebKit2 0x00000001012ccb0f WebKit::InjectedBundlePageLoaderClient::willDestroyGlobalObjectForDOMWindowExtension(WebKit::WebPage*, WebCore::DOMWindowExtension*) + 111
6 com.apple.WebCore 0x0000000101c5aea6 WebCore::DOMWindowExtension::willDestroyGlobalObjectInCachedFrame() + 38
7 com.apple.WebCore 0x0000000101c5489b WebCore::DOMWindow::willDestroyCachedFrame() + 267
8 com.apple.WebCore 0x0000000101a34aa1 WebCore::CachedFrame::destroy() + 33
9 com.apple.WebCore 0x0000000101a36312 WebCore::CachedPage::destroy() + 34
10 com.apple.WebCore 0x0000000102242d88 WebCore::PageCache::releaseAutoreleasedPagesNow() + 168
11 com.apple.WebCore 0x0000000102586064 WebCore::ThreadTimers::sharedTimerFiredInternal() + 148
12 com.apple.WebCore 0x0000000102418183 WebCore::timerFired(__CFRunLoopTimer*, void*) + 51
13 com.apple.CoreFoundation 0x00007fff99ba14b4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
14 com.apple.CoreFoundation 0x00007fff99ba0fcd __CFRunLoopDoTimer + 557
15 com.apple.CoreFoundation 0x00007fff99b867b9 __CFRunLoopRun + 1513
16 com.apple.CoreFoundation 0x00007fff99b85dd2 CFRunLoopRunSpecific + 290
17 com.apple.HIToolbox 0x00007fff9272c774 RunCurrentEventLoopInMode + 209
18 com.apple.HIToolbox 0x00007fff9272c512 ReceiveNextEventCommon + 356
19 com.apple.HIToolbox 0x00007fff9272c3a3 BlockUntilNextEventMatchingListInMode + 62
20 com.apple.AppKit 0x00007fff918bdfa3 _DPSNextEvent + 685
21 com.apple.AppKit 0x00007fff918bd862 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
22 com.apple.AppKit 0x00007fff918b4c03 -[NSApplication run] + 517
23 com.apple.WebCore 0x00000001023cec13 WebCore::RunLoop::run() + 67
24 com.apple.WebKit2 0x000000010139478c WebKit::WebProcessMain(WebKit::CommandLine const&) + 2586
25 com.apple.WebKit2 0x0000000101343c7b WebKitMain + 285
26 com.apple.WebProcess 0x000000010126be7b main + 214
27 libdyld.dylib 0x00007fff94b1f7e1 start + 1

3:

Process: WebProcess [2306]
Path: /Applications/WebKit.app/Contents/Frameworks/10.8/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess
Identifier: com.apple.WebProcess
Version: 537+ (537.3+)
Code Type: X86-64 (Native)
Parent Process: ??? [1]
User ID: 501

Date/Time: 2012-07-26 13:32:44.755 -0400
OS Version: Mac OS X 10.8 (12A269)
Report Version: 10

Crashed Thread: 0 Dispatch queue: com.apple.main-thread

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000000010c8

VM Regions Near 0x10c8:
--> __TEXT 000000010df40000-000000010df41000 [ 4K] r-x/rwx SM=COW /Applications/WebKit.app/Contents/Frameworks/10.8/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess

Application Specific Information:
Bundle controller class: BrowserBundleController

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.JavaScriptCore 0x000000010e423016 JSWeakObjectMapGet + 38
1 com.apple.Safari.framework 0x00007fff8f18b055 Safari::JSWrapper::disconnectAllWrappers(Safari::JSWrappable const*) + 85
2 com.apple.Safari.framework 0x00007fff8f0b5f23 Safari::ContentExtension::invalidateContentExtensionPage(Safari::WK::BundlePage const&) + 161
3 com.apple.Safari.framework 0x00007fff8f0be5fa Safari::ContentExtensionsController::invalidateContentWebPages(Safari::WK::BundlePage const&) + 100
4 com.apple.Safari.framework 0x00007fff8f01b885 Safari::BrowserBundleController::willDestroyPage(Safari::WK::Bundle const&, Safari::WK::BundlePage const&) + 87
5 com.apple.Safari.framework 0x00007fff8f09f89d Safari::WK::willDestroyPage(OpaqueWKBundle const*, OpaqueWKBundlePage const*, void const*) + 65
6 com.apple.WebKit2 0x000000010e022e9b WebKit::WebPage::close() + 69
7 com.apple.WebKit2 0x000000010dfea0b1 WebKit::WebConnectionToUIProcess::didReceiveMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::ArgumentDecoder*) + 179
8 com.apple.WebKit2 0x000000010df877bb CoreIPC::Connection::dispatchMessage(CoreIPC::Connection::Message<CoreIPC::ArgumentDecoder>&) + 175
9 com.apple.WebKit2 0x000000010df88cd9 CoreIPC::Connection::dispatchOneMessage() + 139
10 com.apple.WebCore 0x000000010f0a2fb8 WebCore::RunLoop::performWork() + 312
11 com.apple.WebCore 0x000000010f0a3635 WebCore::RunLoop::performWork(void*) + 53
12 com.apple.CoreFoundation 0x00007fff99b63841 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
13 com.apple.CoreFoundation 0x00007fff99b63165 __CFRunLoopDoSources0 + 245
14 com.apple.CoreFoundation 0x00007fff99b864e5 __CFRunLoopRun + 789
15 com.apple.CoreFoundation 0x00007fff99b85dd2 CFRunLoopRunSpecific + 290
16 com.apple.HIToolbox 0x00007fff9272c774 RunCurrentEventLoopInMode + 209
17 com.apple.HIToolbox 0x00007fff9272c512 ReceiveNextEventCommon + 356
18 com.apple.HIToolbox 0x00007fff9272c3a3 BlockUntilNextEventMatchingListInMode + 62
19 com.apple.AppKit 0x00007fff918bdfa3 _DPSNextEvent + 685
20 com.apple.AppKit 0x00007fff918bd862 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
21 com.apple.AppKit 0x00007fff918b4c03 -[NSApplication run] + 517
22 com.apple.WebCore 0x000000010f0a3c13 WebCore::RunLoop::run() + 67
23 com.apple.WebKit2 0x000000010e06978c WebKit::WebProcessMain(WebKit::CommandLine const&) + 2586
24 com.apple.WebKit2 0x000000010e018c7b WebKitMain + 285
25 com.apple.WebProcess 0x000000010df40e7b main + 214
26 libdyld.dylib 0x00007fff94b1f7e1 start + 1
Attachments
Lion Safari 5.1.7 crashes (28.16 KB, text/plain)
2012-07-26 15:07 PDT, Kevin M. Dean
no flags
another crash report (53.94 KB, text/plain)
2012-08-04 10:41 PDT, Fabian Mailinator
no flags
crashed again and again. once per hour at least. (58.78 KB, text/plain)
2012-08-07 22:56 PDT, Fabian Mailinator
no flags
Alexey Proskuryakov
Comment 1 2012-07-26 14:43:31 PDT
> These crashes take down the whole browser and not just causing the tabs to reload.

This is new behavior in Safari 6, not something specific to these crashes (and consequentially off-topic for the WebKit project).

It's not clear to me if this crash itself is a Safari or a WebKit issue. CC'ing some folks who may know.
Kevin M. Dean
Comment 2 2012-07-26 15:07:13 PDT
I've been getting the occasional crash with JSWeakObjectMapGet near the top since at least July 2nd with Lion and Safari 5.1.7 as well. See attachment.
Kevin M. Dean
Comment 3 2012-07-26 15:07:45 PDT
Created attachment 154760
Lion Safari 5.1.7 crashes
Geoffrey Garen
Comment 4 2012-07-26 15:32:43 PDT
Looks like someone is passing NULL to JSWeakObjectMapGet. Probably best to file this information at bugreporter.apple.com along with a list of Safari extensions installed. This isn't a WebKit bug.
Alexey Proskuryakov
Comment 5 2012-07-30 10:24:54 PDT
*** Bug 92581 has been marked as a duplicate of this bug. ***
Alexey Proskuryakov
Comment 6 2012-08-01 12:31:04 PDT
*** Bug 92809 has been marked as a duplicate of this bug. ***
Alexey Proskuryakov
Comment 7 2012-08-01 12:33:33 PDT
Alexey Proskuryakov
Comment 8 2012-08-01 12:35:56 PDT
> This isn't a WebKit bug.

Isn't this a WebKit regression though? I don't see any crashes happening with shipping Safari/WebKit, they are all with newer WebKits, such as nightlies.
Fabian Mailinator
Comment 9 2012-08-04 10:41:22 PDT
Created attachment 156534
another crash report

Webkit crashes regularly and often. Safari does not crash at all.
Alexey Proskuryakov
Comment 10 2012-08-06 10:40:09 PDT
*** Bug 93183 has been marked as a duplicate of this bug. ***
Alexey Proskuryakov
Comment 11 2012-08-06 11:40:38 PDT
*** Bug 93273 has been marked as a duplicate of this bug. ***
Fabian Mailinator
Comment 12 2012-08-07 22:56:06 PDT
Created attachment 157123
crashed again and again. once per hour at least.

again, webkit is crashing and safari is not.
Dimitris Apostolou
Comment 13 2012-08-08 05:55:12 PDT
This is the most common bug I experience daily too.
Fabian Mailinator
Comment 14 2012-08-09 13:55:46 PDT
Here is a 1-click reduction of the bug:

Using webkit version 6.0 (7536.25, 537+)

In safari->preferences->tabs set the top checkbox so that "command-click opens a link in a new tab"

now hold down the command key and click the following link:
http://mashable.com/2012/08/09/mars-rover-landing-stats/

your browser should crash.
Alexey Proskuryakov
Comment 15 2012-08-09 14:01:51 PDT
Can you please figure out which Safari extensions need to be enabled for this to happen? This certainly doesn't happen when extensions are disabled.
Dimitris Apostolou
Comment 16 2012-08-09 14:11:14 PDT
Disabled Safari extensions completely. Still crashes always.
Fabian Mailinator
Comment 17 2012-08-09 14:48:35 PDT
Confirmed. Crashes with:
1. safari->preferences->extensions->off
2. restart safari.
3. confirm extensions are still off.
4. click link with command-key held down

safari still crashes. every time and immediately after clicking link.

(extensions which were disabled are:
. Ghostery 1.3.0
. AdBlock 2.5.40
)
Kevin M. Dean
Comment 18 2012-08-09 15:04:55 PDT
Command-clicking that link doesn't crash for me even with all my extensions on. This crash bug is just so random at times. I would love to see something repeatable so the devs could track it down.
Kevin M. Dean
Comment 19 2012-08-09 15:15:38 PDT
Here's a repeatable crash I just stumbled on. I don't think it matters which sites you have loaded, but for our purposes load amazon.com in multiple tabs. At least 3 tabs should be used, but I find the more you have (6+) the more likely for it to trigger a crash. Once you have the tabs open, press Command-W repeatedly as fast as you can to close all of the tabs until you likely hear the can't do it anymore beep.

If it's like mine you'll crash with:

Process: WebProcess [16196]
Path: /Applications/WebKit.app/Contents/Frameworks/10.8/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess
Identifier: com.apple.WebProcess
Version: 537+ (537.4+)
Code Type: X86-64 (Native)
Parent Process: ??? [1]
User ID: 501

Date/Time: 2012-08-09 18:11:37.810 -0400
OS Version: Mac OS X 10.8 (12A269)
Report Version: 10

Crashed Thread: 0 Dispatch queue: com.apple.main-thread

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000001218

VM Regions Near 0x1218:
--> __TEXT 00000001046ec000-00000001046ed000 [ 4K] r-x/rwx SM=COW /Applications/WebKit.app/Contents/Frameworks/10.8/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess

Application Specific Information:
Bundle controller class: BrowserBundleController

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.JavaScriptCore 0x0000000104bd7de6 JSWeakObjectMapGet + 38
1 com.apple.Safari.framework 0x00007fff82ea6055 Safari::JSWrapper::disconnectAllWrappers(Safari::JSWrappable const*) + 85
2 com.apple.Safari.framework 0x00007fff82dd0f23 Safari::ContentExtension::invalidateContentExtensionPage(Safari::WK::BundlePage const&) + 161
3 com.apple.Safari.framework 0x00007fff82dd95fa Safari::ContentExtensionsController::invalidateContentWebPages(Safari::WK::BundlePage const&) + 100
4 com.apple.Safari.framework 0x00007fff82d36885 Safari::BrowserBundleController::willDestroyPage(Safari::WK::Bundle const&, Safari::WK::BundlePage const&) + 87
5 com.apple.Safari.framework 0x00007fff82dba89d Safari::WK::willDestroyPage(OpaqueWKBundle const*, OpaqueWKBundlePage const*, void const*) + 65
6 com.apple.WebKit2 0x00000001047d4939 WebKit::WebPage::close() + 69
7 com.apple.WebKit2 0x000000010479bf55 WebKit::WebConnectionToUIProcess::didReceiveMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::ArgumentDecoder*) + 179
8 com.apple.WebKit2 0x0000000104738059 CoreIPC::Connection::dispatchMessage(CoreIPC::Connection::Message<CoreIPC::ArgumentDecoder>&) + 175
9 com.apple.WebKit2 0x0000000104739577 CoreIPC::Connection::dispatchOneMessage() + 139
10 com.apple.WebCore 0x0000000105880a88 WebCore::RunLoop::performWork() + 312
11 com.apple.WebCore 0x0000000105881105 WebCore::RunLoop::performWork(void*) + 53
12 com.apple.CoreFoundation 0x00007fff8d87e841 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
13 com.apple.CoreFoundation 0x00007fff8d87e165 __CFRunLoopDoSources0 + 245
14 com.apple.CoreFoundation 0x00007fff8d8a14e5 __CFRunLoopRun + 789
15 com.apple.CoreFoundation 0x00007fff8d8a0dd2 CFRunLoopRunSpecific + 290
16 com.apple.HIToolbox 0x00007fff86447774 RunCurrentEventLoopInMode + 209
17 com.apple.HIToolbox 0x00007fff86447512 ReceiveNextEventCommon + 356
18 com.apple.HIToolbox 0x00007fff864473a3 BlockUntilNextEventMatchingListInMode + 62
19 com.apple.AppKit 0x00007fff855d8fa3 _DPSNextEvent + 685
20 com.apple.AppKit 0x00007fff855d8862 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
21 com.apple.AppKit 0x00007fff855cfc03 -[NSApplication run] + 517
22 com.apple.WebCore 0x00000001058816e3 WebCore::RunLoop::run() + 67
23 com.apple.WebKit2 0x000000010481ba8a WebKit::WebProcessMain(WebKit::CommandLine const&) + 2586
24 com.apple.WebKit2 0x00000001047ca65b WebKitMain + 285
25 com.apple.WebProcess 0x00000001046ece7b main + 214
26 libdyld.dylib 0x00007fff8883a7e1 start + 1
Kevin M. Dean
Comment 20 2012-08-09 15:18:56 PDT
Doesn't seem to trigger the crash with extensions off or with Safari 6, so I'll see if I can narrow this down.
Fabian Mailinator
Comment 21 2012-08-09 15:25:58 PDT
Bug 93659 may be a duplicate of this. I am now seeing the backtrace reported in 93659 when I do the click-the-link crash.

In that report, the backtrace shows the segfault in:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.WebKit2 0x000000010bd51194 WebKit::PluginProxy::destroy() + 20
1 com.apple.WebKit2 0x000000010bd448ff WebKit::Plugin::destroyPlugin() + 15
2 com.apple.WebKit2 0x000000010bd55511 WebKit::PluginView::~PluginView() + 229
3 com.apple.WebKit2 0x000000010bd553aa WebKit::PluginView::~PluginView() + 14
4 com.apple.WebCore 0x000000010cdf250b WebCore::RenderWidget::resumeWidgetHierarchyUpdates() + 699
5 com.apple.WebCore 0x000000010c6c2f2a WebCore::Element::detach() + 458
6 com.apple.WebCore 0x000000010c7f324b WebCore::HTMLPlugInElement::detach() + 187
Kevin M. Dean
Comment 22 2012-08-09 15:27:51 PDT
Didn't crash with extensions on but all disabled. Did crash with Ghostery the only one enabled. Will try other individuals.

Relaunching Webkit then caused an instant crash when it tried to re-open the previous windows before the crash (I closed them real quick to get around this crash since it was now happening every time I launched Webkit).

Here's the new crash:

Process: WebProcess [16361]
Path: /Applications/WebKit.app/Contents/Frameworks/10.8/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess
Identifier: com.apple.WebProcess
Version: 537+ (537.4+)
Code Type: X86-64 (Native)
Parent Process: SafariForWebKitDevelopment [16358]
User ID: 501

Date/Time: 2012-08-09 18:23:33.118 -0400
OS Version: Mac OS X 10.8 (12A269)
Report Version: 10

Crashed Thread: 0 Dispatch queue: com.apple.main-thread

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000020

VM Regions Near 0x20:
--> __TEXT 00000001046db000-00000001046dc000 [ 4K] r-x/rwx SM=COW /Applications/WebKit.app/Contents/Frameworks/10.8/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess

Application Specific Information:
Bundle controller class: BrowserBundleController

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.WebKit2 0x000000010476b39a WebKit::PluginProxy::destroy() + 20
1 com.apple.WebKit2 0x000000010475e71c WebKit::Plugin::destroyPlugin() + 18
2 com.apple.WebKit2 0x000000010476f749 WebKit::PluginView::~PluginView() + 229
3 com.apple.WebKit2 0x000000010476f5e1 WebKit::PluginView::~PluginView() + 17
4 com.apple.WebCore 0x0000000105847f0b WebCore::RenderWidget::resumeWidgetHierarchyUpdates() + 715
5 com.apple.WebCore 0x000000010510aa8a WebCore::Element::detach() + 458
6 com.apple.WebCore 0x000000010523cdf2 WebCore::HTMLPlugInElement::detach() + 194
7 com.apple.WebCore 0x0000000104ef0d70 WebCore::ContainerNode::removeChild(WebCore::Node*, int&) + 624
8 com.apple.WebCore 0x00000001056bf5e9 WebCore::Node::removeChild(WebCore::Node*, int&) + 25
9 com.apple.WebCore 0x00000001054fb9ec WebCore::JSNode::removeChild(JSC::ExecState*) + 60
10 com.apple.WebCore 0x00000001054f98a3 WebCore::jsNodePrototypeFunctionRemoveChild(JSC::ExecState*) + 83
11 ??? 0x000000010697d265 0 + 4405580389
12 com.apple.JavaScriptCore 0x0000000104b47731 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 913
13 com.apple.JavaScriptCore 0x0000000104a9a034 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 52
14 com.apple.WebCore 0x0000000105870e2c WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue, WebCore::ScriptExecutionContext*) + 508
15 com.apple.WebCore 0x0000000105870a3c WebCore::ScheduledAction::execute(WebCore::Document*) + 156
16 com.apple.WebCore 0x00000001050cd7e6 WebCore::DOMTimer::fired() + 342
17 com.apple.WebCore 0x0000000105a25b04 WebCore::ThreadTimers::sharedTimerFiredInternal() + 148
18 com.apple.WebCore 0x00000001058b75c3 WebCore::timerFired(__CFRunLoopTimer*, void*) + 51
19 com.apple.CoreFoundation 0x00007fff8d8bc4b4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
20 com.apple.CoreFoundation 0x00007fff8d8bbfcd __CFRunLoopDoTimer + 557
21 com.apple.CoreFoundation 0x00007fff8d8a17b9 __CFRunLoopRun + 1513
22 com.apple.CoreFoundation 0x00007fff8d8a0dd2 CFRunLoopRunSpecific + 290
23 com.apple.HIToolbox 0x00007fff86447774 RunCurrentEventLoopInMode + 209
24 com.apple.HIToolbox 0x00007fff86447512 ReceiveNextEventCommon + 356
25 com.apple.HIToolbox 0x00007fff864473a3 BlockUntilNextEventMatchingListInMode + 62
26 com.apple.AppKit 0x00007fff855d8fa3 _DPSNextEvent + 685
27 com.apple.AppKit 0x00007fff855d8862 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
28 com.apple.AppKit 0x00007fff855cfc03 -[NSApplication run] + 517
29 com.apple.WebCore 0x000000010586c6e3 WebCore::RunLoop::run() + 67
30 com.apple.WebKit2 0x0000000104806a8a WebKit::WebProcessMain(WebKit::CommandLine const&) + 2586
31 com.apple.WebKit2 0x00000001047b565b WebKitMain + 285
32 com.apple.WebProcess 0x00000001046dbe7b main + 214
33 libdyld.dylib 0x00007fff8883a7e1 start + 1
Kevin M. Dean
Comment 23 2012-08-09 15:34:52 PDT
OK, it's looking like no matter what extension I enable 1 at a time, it crashes. So it appears to me to be a general extension issue and not extension specific.
Kevin M. Dean
Comment 24 2012-08-09 15:46:21 PDT
As I previously noted, my first crash for this was July 2nd, so I'd check r121678 and earlier for commits that may be the cause.
Alexey Proskuryakov
Comment 25 2012-08-09 15:49:58 PDT
I cannot reproduce the crash by quickly closing multiple tabs with amazon.com either. The PluginProxy::destroy crash is entirely different. While it is possible that both have a similar cause (e.g. memory corruption), please don't report crashes other than the original JSWrapper::disconnectAllWrappers/JSWeakObjectMapGet one in this bug. Can anyone reproduce _this_ crash with extensions off?
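
The triage the thread does by eye in comments 4 and 25 (reading the fault address as a NULL pointer, and treating the PluginProxy::destroy trace as a separate crash), shown here as an added example that is not part of the original bug thread. The sample reports are abridged from excerpts quoted on this page; the function names, the 64 KiB near-NULL limit and the two-frame signature depth are assumptions of this example.

```python
import re
from collections import defaultdict

# Assumption (triage heuristic, not from the thread): a fault address below
# 64 KiB is read as a NULL base pointer plus a small member offset.
NEAR_NULL_LIMIT = 0x10000

FAULT_RE = re.compile(r"KERN_INVALID_ADDRESS at (0x[0-9a-fA-F]+)")
# One backtrace frame: index, image, load address, symbol, "+ offset".
FRAME_RE = re.compile(
    r"^[ \t]*(\d+)[ \t]+(\S+)[ \t]+0x[0-9a-fA-F]+[ \t]+(.+?) \+ \d+[ \t]*$",
    re.MULTILINE,
)

# Sample input: abridged from the crash excerpts quoted in this thread
# (first post excerpts 1 and 3, comment 19, comment 22); top frames only.
SAMPLES = {
    "post-1": """\
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000000
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.JavaScriptCore 0x0000000104fb5046 JSWeakObjectMapGet + 86
1 com.apple.Safari.framework 0x00007fff8f18b055 Safari::JSWrapper::disconnectAllWrappers(Safari::JSWrappable const*) + 85
""",
    "post-3": """\
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000000010c8
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.JavaScriptCore 0x000000010e423016 JSWeakObjectMapGet + 38
1 com.apple.Safari.framework 0x00007fff8f18b055 Safari::JSWrapper::disconnectAllWrappers(Safari::JSWrappable const*) + 85
""",
    "comment-19": """\
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000001218
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.JavaScriptCore 0x0000000104bd7de6 JSWeakObjectMapGet + 38
1 com.apple.Safari.framework 0x00007fff82ea6055 Safari::JSWrapper::disconnectAllWrappers(Safari::JSWrappable const*) + 85
""",
    "comment-22": """\
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000020
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.WebKit2 0x000000010476b39a WebKit::PluginProxy::destroy() + 20
1 com.apple.WebKit2 0x000000010475e71c WebKit::Plugin::destroyPlugin() + 18
""",
}


def symbol_name(symbol):
    """Drop the C++ argument list; keep Objective-C selectors whole."""
    if symbol[:2] in ("-[", "+["):
        return symbol
    return symbol.split("(", 1)[0]


def parse_crash(text):
    """Extract the fault address and ordered (image, symbol) frames."""
    match = FAULT_RE.search(text)
    frames = sorted(
        (int(idx), image, symbol_name(sym))
        for idx, image, sym in FRAME_RE.findall(text)
    )
    return {
        "fault_addr": int(match.group(1), 16) if match else None,
        "frames": [(image, sym) for _, image, sym in frames],
    }


def is_near_null(addr):
    return addr is not None and addr < NEAR_NULL_LIMIT


def signature(crash, depth=2):
    """Bucket key: the top `depth` symbols, ignoring per-process load addresses."""
    return tuple(sym for _, sym in crash["frames"][:depth])


def triage(samples, depth=2):
    """Group reports by signature and record each bucket's fault addresses."""
    buckets = defaultdict(lambda: {"reports": [], "fault_addrs": []})
    for label, text in samples.items():
        crash = parse_crash(text)
        bucket = buckets[signature(crash, depth)]
        bucket["reports"].append(label)
        bucket["fault_addrs"].append(crash["fault_addr"])
    for bucket in buckets.values():
        bucket["all_near_null"] = all(map(is_near_null, bucket["fault_addrs"]))
    return dict(buckets)


if __name__ == "__main__":
    for sig, info in triage(SAMPLES).items():
        addrs = ", ".join(hex(a) for a in info["fault_addrs"])
        print(" <- ".join(sig), info["reports"], addrs, info["all_near_null"])
```

Matching on symbol names rather than addresses is what lets the first-post excerpts and the comment 19 report land in one bucket even though the frame addresses differ between processes.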
Alexey Proskuryakov
Comment 26 2012-08-09 15:53:34 PDT
I can reproduce the crash by closing many amazon.com tabs with Ghostery plug-in enabled, which is great. I'll let the person working on the bug know.
Kevin M. Dean
Comment 27 2012-08-09 15:54:04 PDT
I reported the other crash because 1 crash led to the other and were possibly related. How are we supposed to know otherwise? It's better to have too much information than too little.
Kevin M. Dean
Comment 28 2012-08-09 15:55:28 PDT
(In reply to comment #26)
> I can reproduce the crash by closing many amazon.com tabs with Ghostery plug-in enabled, which is great. I'll let the person working on the bug know.

Just don't miss my message where I found it didn't matter which extension I enabled, any one of them seems to create the environment for a crash.
Dimitris Apostolou
Comment 29 2012-08-09 22:29:04 PDT
(In reply to comment #25)
> Can anyone reproduce _this_ crash with extensions off?

Yes, I can.
Fabian Mailinator
Comment 30 2012-08-09 22:36:24 PDT
Extensions don't seem to matter, but I turned off plugins:
safari->preferences->security->enable plugins (unchecked)

Now I cannot cause webkit to crash at all.

The disabled plugins are:
. DivX Web Player version 2.0.2.39 — from file “DivXBrowserPlugin.plugin”.
. Google Talk NPAPI Plugin Version 3.4.2.8800 — from file “googletalkbrowserplugin.plugin”.
. The Google Earth Plugin — from file “Google Earth Web Plug-in.plugin”.
. Google Talk Plugin Video Accelerator version:0.1.44.16 — from file “npgtpo3dautoplugin.plugin”.
. iPhoto6 — from file “iPhotoPhotocast.plugin”.
. Java Applet Plug-in Displays Java applet content, or a placeholder if Java is not installed. — from file “JavaAppletPlugin.plugin”.
. The QuickTime Plugin — from file “QuickTime Plugin.plugin”.
. Microsoft Office for Mac SharePoint Browser Plug-in — from file “SharePointBrowserPlugin.plugin”.
. Shockwave Flash 11.3 r300 — from file “Flash Player.plugin”.
. WebKit built-in PDF

I will begin sorting through them to see which one might be responsible.
Alexey Proskuryakov
Comment 31 2012-08-21 12:03:58 PDT
*** Bug 94503 has been marked as a duplicate of this bug. ***
Elliott Sprehn
Comment 32 2012-08-21 13:28:04 PDT
This doesn't just happen in 10.7, I'm seeing it in 10.6
Alexey Proskuryakov
Comment 33 2012-08-21 13:36:39 PDT
> This doesn't just happen in 10.7, I'm seeing it in 10.6

Safari 6 does not exist on Snow Leopard. We do not put any effort into maintaining compatibility with old Safari releases.
Elliott Sprehn
Comment 34 2012-08-21 13:38:55 PDT
(In reply to comment #33)
> > This doesn't just happen in 10.7, I'm seeing it in 10.6
>
> Safari 6 does not exist on Snow Leopard. We do not put any effort into maintaining compatibility with old Safari releases.

Then my bug is not a duplicate. Safari 5.1.7 is what's crashing in my bug (with the same trace apparently).
Kevin M. Dean
Comment 35 2012-08-21 14:13:10 PDT
(In reply to comment #34)
>
> Then my bug is not a duplicate. Safari 5.1.7 is what's crashing in my bug (with the same trace apparently).

Yes, we already mention above that this was happening in Safari 5.1 before Mountain Lion/Safari 6 was released.
Alexey Proskuryakov
Comment 36 2012-09-21 10:54:59 PDT
This has been found to be a bug outside WebKit that just got more prominent due to WebKit changes. Fixed in Safari 6.0.1.