apple report info pasted below: Date/Time: 2007-04-01 09:57:23.419 +0100 OS Version: 10.4.9 (Build 8P135) Report Version: 4 Command: Safari Path: /Applications/browsers/Safari.app/Contents/MacOS/Safari Parent: WindowServer [22026] Version: ??? (20648) PID: 23566 Thread: 0 Exception: EXC_BAD_ACCESS (0x0001) Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000020 Thread 0 Crashed: 0 com.apple.JavaScriptCore 0x00131ea0 KJS::ForInNode::execute(KJS::ExecState*) + 336 1 com.apple.JavaScriptCore 0x00134020 KJS::SourceElementsNode::execute(KJS::ExecState*) + 432 2 com.apple.JavaScriptCore 0x00130a3c KJS::BlockNode::execute(KJS::ExecState*) + 156 3 com.apple.JavaScriptCore 0x0011df08 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 56 4 com.apple.JavaScriptCore 0x0011d870 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 464 5 com.apple.JavaScriptCore 0x00139514 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 116 6 com.apple.JavaScriptCore 0x0012c968 KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 600 7 com.apple.JavaScriptCore 0x00130b28 KJS::ExprStatementNode::execute(KJS::ExecState*) + 104 8 com.apple.JavaScriptCore 0x00133f4c KJS::SourceElementsNode::execute(KJS::ExecState*) + 220 9 com.apple.JavaScriptCore 0x00130a3c KJS::BlockNode::execute(KJS::ExecState*) + 156 10 com.apple.JavaScriptCore 0x0011e90c KJS::GlobalFuncImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 828 11 com.apple.JavaScriptCore 0x00139514 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 116 12 com.apple.JavaScriptCore 0x0012c968 KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 600 13 com.apple.JavaScriptCore 0x00130b28 KJS::ExprStatementNode::execute(KJS::ExecState*) + 104 14 com.apple.JavaScriptCore 0x00134020 KJS::SourceElementsNode::execute(KJS::ExecState*) + 432 15 com.apple.JavaScriptCore 0x00130a3c KJS::BlockNode::execute(KJS::ExecState*) + 156 16 
com.apple.JavaScriptCore 0x0011df08 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 56 17 com.apple.JavaScriptCore 0x0011d870 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 464 18 com.apple.JavaScriptCore 0x00139514 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 116 19 com.apple.WebCore 0x013151a0 -[WebScriptObject callWebScriptMethod:withArguments:] + 528 20 com.apple.WebKit 0x0036b594 -[WebInspector setFocusedDOMNode:] + 324 21 com.apple.WebKit 0x0036e114 -[WebInspector(WebInspectorPrivate) inspectedWebViewProgressFinished:] + 132 22 com.apple.Foundation 0x92be2ae4 _nsnote_callback + 180 23 com.apple.CoreFoundation 0x90806078 __CFXNotificationPost + 368 24 com.apple.CoreFoundation 0x907fe114 _CFXNotificationPostNotification + 684 25 com.apple.Foundation 0x92bcceec -[NSNotificationCenter postNotificationName:object:userInfo:] + 92 26 com.apple.WebCore 0x01439a6c WebCore::ProgressTracker::finalProgressComplete() + 172 27 com.apple.WebCore 0x01439b58 WebCore::ProgressTracker::progressCompleted(WebCore::Frame*) + 120 28 com.apple.WebCore 0x013e0400 WebCore::FrameLoader::checkLoadCompleteForThisFrame() + 896 29 com.apple.WebCore 0x013e07bc WebCore::FrameLoader::opened() + 876 30 com.apple.WebCore 0x013e912c WebCore::FrameLoader::commitProvisionalLoad(WTF::PassRefPtr<WebCore::PageCache>) + 796 31 com.apple.WebCore 0x013eef44 WebCore::DocumentLoader::loadFromPageCache(WTF::PassRefPtr<WebCore::PageCache>) + 84 32 com.apple.WebCore 0x013d63ac WebCore::FrameLoader::loadProvisionalItemFromPageCache() + 140 33 com.apple.WebCore 0x013dfcec WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) + 220 34 com.apple.WebCore 0x013dff1c WebCore::FrameLoader::callContinueLoadAfterNavigationPolicy(void*, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) + 44 35 com.apple.WebCore 0x013db63c 
WebCore::FrameLoader::checkNavigationPolicy(WebCore::ResourceRequest const&, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, void (*)(void*, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool), void*) + 620 36 com.apple.WebCore 0x013e0d5c WebCore::FrameLoader::load(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>) + 220 37 com.apple.WebCore 0x013e66dc WebCore::FrameLoader::loadItem(WebCore::HistoryItem*, WebCore::FrameLoadType) + 668 38 com.apple.WebCore 0x013e7280 WebCore::FrameLoader::recursiveGoToItem(WebCore::HistoryItem*, WebCore::HistoryItem*, WebCore::FrameLoadType) + 336 39 com.apple.WebCore 0x011872bc WebCore::Page::goBack() + 60 40 com.apple.AppKit 0x93869c4c -[NSApplication sendAction:to:from:] + 108 41 com.apple.Safari 0x0002956c 0x1000 + 165228 42 com.apple.AppKit 0x93869b80 -[NSControl sendAction:to:] + 96 43 com.apple.AppKit 0x93869a60 -[NSCell _sendActionFrom:] + 156 44 com.apple.AppKit 0x93883a88 -[NSCell trackMouse:inRect:ofView:untilMouseUp:] + 1020 45 com.apple.AppKit 0x93883670 -[NSButtonCell trackMouse:inRect:ofView:untilMouseUp:] + 564 46 com.apple.AppKit 0x93883094 -[NSControl mouseDown:] + 536 47 com.apple.Safari 0x00054614 0x1000 + 341524 48 com.apple.AppKit 0x93824890 -[NSWindow sendEvent:] + 4616 49 com.apple.Safari 0x00021734 0x1000 + 132916 50 com.apple.AppKit 0x937cd8d4 -[NSApplication sendEvent:] + 4172 51 com.apple.Safari 0x00021238 0x1000 + 131640 52 com.apple.AppKit 0x937c4d10 -[NSApplication run] + 508 53 com.apple.AppKit 0x938b587c NSApplicationMain + 452 54 com.apple.Safari 0x0005c77c 0x1000 + 374652 55 com.apple.Safari 0x0005c624 0x1000 + 374308 Thread 1: 0 libSystem.B.dylib 0x9000b4c8 mach_msg_trap + 8 1 libSystem.B.dylib 0x9000b41c mach_msg + 60 2 com.apple.CoreFoundation 0x907deba8 __CFRunLoopRun + 832 3 com.apple.CoreFoundation 0x907de4ac CFRunLoopRunSpecific + 268 4 com.apple.Foundation 0x92c0a6a8 +[NSURLConnection(NSURLConnectionInternal) 
_resourceLoadLoop:] + 264 5 com.apple.Foundation 0x92be31a0 forkThreadForFunction + 108 6 libSystem.B.dylib 0x9002be88 _pthread_body + 96 Thread 2: 0 libSystem.B.dylib 0x9000b4c8 mach_msg_trap + 8 1 libSystem.B.dylib 0x9000b41c mach_msg + 60 2 com.apple.CoreFoundation 0x907deba8 __CFRunLoopRun + 832 3 com.apple.CoreFoundation 0x907de4ac CFRunLoopRunSpecific + 268 4 com.apple.Foundation 0x92c0b7e8 +[NSURLCache _diskCacheSyncLoop:] + 152 5 com.apple.Foundation 0x92be31a0 forkThreadForFunction + 108 6 libSystem.B.dylib 0x9002be88 _pthread_body + 96 Thread 3: 0 libSystem.B.dylib 0x9001fa0c select + 12 1 com.apple.CoreFoundation 0x907f1434 __CFSocketManager + 472 2 libSystem.B.dylib 0x9002be88 _pthread_body + 96 Thread 4: 0 libSystem.B.dylib 0x9002c548 semaphore_wait_signal_trap + 8 1 libSystem.B.dylib 0x9003102c pthread_cond_wait + 480 2 com.apple.Foundation 0x92bea30c -[NSConditionLock lockWhenCondition:] + 68 3 com.apple.Syndication 0x9b29442c -[AsyncDB _run:] + 192 4 com.apple.Foundation 0x92be31a0 forkThreadForFunction + 108 5 libSystem.B.dylib 0x9002be88 _pthread_body + 96 Thread 5: 0 libSystem.B.dylib 0x9002c548 semaphore_wait_signal_trap + 8 1 libSystem.B.dylib 0x9003102c pthread_cond_wait + 480 2 com.apple.Foundation 0x92bea30c -[NSConditionLock lockWhenCondition:] + 68 3 com.apple.AppKit 0x93865708 -[NSUIHeartBeat _heartBeatThread:] + 324 4 com.apple.Foundation 0x92be31a0 forkThreadForFunction + 108 5 libSystem.B.dylib 0x9002be88 _pthread_body + 96 Thread 0 crashed with PPC Thread State 64: srr0: 0x0000000000131ea0 srr1: 0x000000000200f030 vrsave: 0x0000000000000000 cr: 0x44444222 xer: 0x0000000000000004 lr: 0x0000000000131e2c ctr: 0x000000000011c910 r0: 0x0000000000000000 r1: 0x00000000bfffc1b0 r2: 0x0000000000000000 r3: 0x00000000063f8c10 r4: 0x00000000bfffc444 r5: 0x0000000006331b98 r6: 0x00000000bfffc178 r7: 0x00000000bf254c4a r8: 0x000000000000000f r9: 0x0000000000000000 r10: 0x000000000637ba34 r11: 0x0000000000000001 r12: 0x000000000011c910 r13: 
0x0000000001540460 r14: 0x00000000bfffd62c r15: 0x00000000014e0460 r16: 0x00000000001b1d64 r17: 0x0000000000000000 r18: 0x00000000006188c0 r19: 0x0000000000616350 r20: 0x00000000bfffcc5c r21: 0x00000000018526c0 r22: 0x00000000bfffc454 r23: 0x00000000bfffc2f4 r24: 0x000000000635bc58 r25: 0x00000000bfffc794 r26: 0x000000000019f048 r27: 0x0000000000000000 r28: 0x00000000bfffc444 r29: 0x0000000006958030 r30: 0x0000000000000000 r31: 0x0000000000131d64 Binary Images Description: 0x1000 - 0xdcfff com.apple.Safari 2.0.4 (419.3) /Applications/browsers/Safari.app/Contents/MacOS/Safari 0x109000 - 0x10afff WebKitNightlyEnabler.dylib /Applications/browsers/WebKit.app/Contents/Resources/WebKitNightlyEnabler.dylib 0x10e000 - 0x19efff com.apple.JavaScriptCore 522+ /Applications/browsers/WebKit.app/Contents/Resources/JavaScriptCore.framework/Versions/A/JavaScriptCore 0x305000 - 0x3b7fff com.apple.WebKit 522+ /Applications/browsers/WebKit.app/Contents/Resources/WebKit.framework/Versions/A/WebKit 0x1008000 - 0x154cfff com.apple.WebCore 522+ /Applications/browsers/WebKit.app/Contents/Resources/WebCore.framework/Versions/A/WebCore 0x1a6d000 - 0x1a6dfff com.apple.SpotLightCM 1.0 (121.20.2) /System/Library/Contextual Menu Items/SpotlightCM.plugin/Contents/MacOS/SpotlightCM 0x1af6000 - 0x1af8fff com.apple.AutomatorCMM 1.0.1 (54) /System/Library/Contextual Menu Items/AutomatorCMM.plugin/Contents/MacOS/AutomatorCMM 0x1b0d000 - 0x1b11fff com.apple.FolderActionsMenu 1.3 /System/Library/Contextual Menu Items/FolderActionsMenu.plugin/Contents/MacOS/FolderActionsMenu 0x8fe00000 - 0x8fe52fff dyld 46.12 /usr/lib/dyld 0x90000000 - 0x901bdfff libSystem.B.dylib /usr/lib/libSystem.B.dylib 0x90215000 - 0x9021afff libmathCommon.A.dylib /usr/lib/system/libmathCommon.A.dylib 0x9021c000 - 0x90269fff com.apple.CoreText 1.0.3 (???) 
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreText.framework/Versions/A/CoreText 0x90294000 - 0x90345fff ATS /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/ATS 0x90374000 - 0x9072ffff com.apple.CoreGraphics 1.258.61 (???) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics 0x907bc000 - 0x90895fff com.apple.CoreFoundation 6.4.7 (368.28) /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation 0x908de000 - 0x908defff com.apple.CoreServices 10.4 (???) /System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices 0x908e0000 - 0x909e2fff libicucore.A.dylib /usr/lib/libicucore.A.dylib 0x90a3c000 - 0x90ac0fff libobjc.A.dylib /usr/lib/libobjc.A.dylib 0x90aea000 - 0x90b5afff com.apple.framework.IOKit 1.4.1 (???) /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit 0x90b70000 - 0x90b82fff libauto.dylib /usr/lib/libauto.dylib 0x90b89000 - 0x90e60fff com.apple.CoreServices.CarbonCore 681.9 /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CarbonCore.framework/Versions/A/CarbonCore 0x90ec6000 - 0x90f46fff com.apple.CoreServices.OSServices 4.1 /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/OSServices.framework/Versions/A/OSServices 0x90f90000 - 0x90fd1fff com.apple.CFNetwork 129.20 /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CFNetwork.framework/Versions/A/CFNetwork 0x90fe6000 - 0x90ffefff com.apple.WebServices 1.1.2 (1.1.0) /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/WebServicesCore.framework/Versions/A/WebServicesCore 0x9100e000 - 0x9108ffff com.apple.SearchKit 1.0.5 /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/SearchKit.framework/Versions/A/SearchKit 0x910d5000 - 0x910fffff com.apple.Metadata 10.4.4 (121.36) 
/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Metadata 0x91110000 - 0x9111efff libz.1.dylib /usr/lib/libz.1.dylib 0x91121000 - 0x912dcfff com.apple.security 4.6 (29770) /System/Library/Frameworks/Security.framework/Versions/A/Security 0x913db000 - 0x913e4fff com.apple.DiskArbitration 2.1 /System/Library/Frameworks/DiskArbitration.framework/Versions/A/DiskArbitration 0x913eb000 - 0x91413fff com.apple.SystemConfiguration 1.8.3 /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration 0x91426000 - 0x91431fff libgcc_s.1.dylib /usr/lib/libgcc_s.1.dylib 0x91436000 - 0x9143efff libbsm.dylib /usr/lib/libbsm.dylib 0x91442000 - 0x914bdfff com.apple.audio.CoreAudio 3.0.4 /System/Library/Frameworks/CoreAudio.framework/Versions/A/CoreAudio 0x914fa000 - 0x914fafff com.apple.ApplicationServices 10.4 (???) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices 0x914fc000 - 0x91534fff com.apple.AE 1.5 (297) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/AE.framework/Versions/A/AE 0x9154f000 - 0x91621fff com.apple.ColorSync 4.4.9 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ColorSync.framework/Versions/A/ColorSync 0x91674000 - 0x91705fff com.apple.print.framework.PrintCore 4.6 (177.13) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/PrintCore.framework/Versions/A/PrintCore 0x9174c000 - 0x91803fff com.apple.QD 3.10.24 (???) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/QD.framework/Versions/A/QD 0x91840000 - 0x9189efff com.apple.HIServices 1.5.3 (???) 
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/HIServices.framework/Versions/A/HIServices 0x918cd000 - 0x918f1fff com.apple.LangAnalysis 1.6.1 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/LangAnalysis.framework/Versions/A/LangAnalysis 0x91905000 - 0x9192afff com.apple.FindByContent 1.5 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/FindByContent.framework/Versions/A/FindByContent 0x9193d000 - 0x9197ffff com.apple.LaunchServices 182 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/LaunchServices 0x9199b000 - 0x919affff com.apple.speech.synthesis.framework 3.3 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/SpeechSynthesis.framework/Versions/A/SpeechSynthesis 0x919bd000 - 0x91a03fff com.apple.ImageIO.framework 1.5.4 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/ImageIO 0x91a1a000 - 0x91ae1fff libcrypto.0.9.7.dylib /usr/lib/libcrypto.0.9.7.dylib 0x91b2f000 - 0x91b44fff libcups.2.dylib /usr/lib/libcups.2.dylib 0x91b49000 - 0x91b67fff libJPEG.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libJPEG.dylib 0x91b6d000 - 0x91c24fff libJP2.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libJP2.dylib 0x91c73000 - 0x91c77fff libGIF.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libGIF.dylib 0x91c79000 - 0x91ce1fff libRaw.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libRaw.dylib 0x91ce6000 - 0x91d23fff libTIFF.dylib 
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libTIFF.dylib 0x91d2a000 - 0x91d43fff libPng.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libPng.dylib 0x91d48000 - 0x91d4bfff libRadiance.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libRadiance.dylib 0x91d4d000 - 0x91e2bfff libxml2.2.dylib /usr/lib/libxml2.2.dylib 0x91e4b000 - 0x91e4bfff com.apple.Accelerate 1.2.2 (Accelerate 1.2.2) /System/Library/Frameworks/Accelerate.framework/Versions/A/Accelerate 0x91e4d000 - 0x91f32fff com.apple.vImage 2.4 /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vImage.framework/Versions/A/vImage 0x91f3a000 - 0x91f59fff com.apple.Accelerate.vecLib 3.2.2 (vecLib 3.2.2) /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/vecLib 0x91fc5000 - 0x92033fff libvMisc.dylib /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libvMisc.dylib 0x9203e000 - 0x920d3fff libvDSP.dylib /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libvDSP.dylib 0x920ed000 - 0x92675fff libBLAS.dylib /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libBLAS.dylib 0x926a8000 - 0x929d3fff libLAPACK.dylib /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libLAPACK.dylib 0x92a03000 - 0x92af1fff libiconv.2.dylib /usr/lib/libiconv.2.dylib 0x92af4000 - 0x92b7cfff com.apple.DesktopServices 1.3.6 /System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/DesktopServicesPriv 0x92bbd000 - 0x92de8fff com.apple.Foundation 6.4.8 (567.29) /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation 0x92f15000 - 0x92f33fff 
libGL.dylib /System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGL.dylib 0x92f3e000 - 0x92f98fff libGLU.dylib /System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGLU.dylib 0x92fb6000 - 0x92fb6fff com.apple.Carbon 10.4 (???) /System/Library/Frameworks/Carbon.framework/Versions/A/Carbon 0x92fb8000 - 0x92fccfff com.apple.ImageCapture 3.0 /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/ImageCapture.framework/Versions/A/ImageCapture 0x92fe4000 - 0x92ff4fff com.apple.speech.recognition.framework 3.4 /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/SpeechRecognition.framework/Versions/A/SpeechRecognition 0x93000000 - 0x93015fff com.apple.securityhi 2.0 (203) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/SecurityHI.framework/Versions/A/SecurityHI 0x93027000 - 0x930aefff com.apple.ink.framework 101.2 (69) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Ink.framework/Versions/A/Ink 0x930c2000 - 0x930cdfff com.apple.help 1.0.3 (32) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Help.framework/Versions/A/Help 0x930d7000 - 0x93104fff com.apple.openscripting 1.2.5 (???) 
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/OpenScripting.framework/Versions/A/OpenScripting 0x9311e000 - 0x9312efff com.apple.print.framework.Print 5.0 (190.1) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Print.framework/Versions/A/Print 0x9313a000 - 0x931a0fff com.apple.htmlrendering 1.1.2 /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HTMLRendering.framework/Versions/A/HTMLRendering 0x931d1000 - 0x93220fff com.apple.NavigationServices 3.4.4 (3.4.3) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/NavigationServices.framework/Versions/A/NavigationServices 0x9324e000 - 0x9326bfff com.apple.audio.SoundManager 3.9 /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/CarbonSound.framework/Versions/A/CarbonSound 0x9327d000 - 0x9328afff com.apple.CommonPanels 1.2.2 (73) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/CommonPanels.framework/Versions/A/CommonPanels 0x93293000 - 0x935a1fff com.apple.HIToolbox 1.4.9 (???) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox 0x936f1000 - 0x936fdfff com.apple.opengl 1.4.7 /System/Library/Frameworks/OpenGL.framework/Versions/A/OpenGL 0x93702000 - 0x93722fff com.apple.DirectoryService.Framework 3.1 /System/Library/Frameworks/DirectoryService.framework/Versions/A/DirectoryService 0x937be000 - 0x937befff com.apple.Cocoa 6.4 (???) 
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa 0x937c0000 - 0x93df3fff com.apple.AppKit 6.4.7 (824.41) /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit 0x94180000 - 0x941f2fff com.apple.CoreData 91 (92.1) /System/Library/Frameworks/CoreData.framework/Versions/A/CoreData 0x9422b000 - 0x942effff com.apple.audio.toolbox.AudioToolbox 1.4.5 /System/Library/Frameworks/AudioToolbox.framework/Versions/A/AudioToolbox 0x94341000 - 0x94341fff com.apple.audio.units.AudioUnit 1.4 /System/Library/Frameworks/AudioUnit.framework/Versions/A/AudioUnit 0x94343000 - 0x94503fff com.apple.QuartzCore 1.4.12 /System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore 0x9454d000 - 0x9458afff libsqlite3.0.dylib /usr/lib/libsqlite3.0.dylib 0x94592000 - 0x945e2fff libGLImage.dylib /System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGLImage.dylib 0x945eb000 - 0x945fffff com.apple.CoreVideo 1.4 /System/Library/Frameworks/CoreVideo.framework/Versions/A/CoreVideo 0x94695000 - 0x946cdfff com.apple.vmutils 4.0.0 (85) /System/Library/PrivateFrameworks/vmutils.framework/Versions/A/vmutils 0x94710000 - 0x9472cfff com.apple.securityfoundation 2.2 (27710) /System/Library/Frameworks/SecurityFoundation.framework/Versions/A/SecurityFoundation 0x94740000 - 0x94784fff com.apple.securityinterface 2.2 (27692) /System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface 0x947a8000 - 0x947b7fff libCGATS.A.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libCGATS.A.dylib 0x947bf000 - 0x947cbfff libCSync.A.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libCSync.A.dylib 0x94811000 - 0x94829fff libRIP.A.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libRIP.A.dylib 0x94bc9000 - 0x94c3afff 
libstdc++.6.dylib /usr/lib/libstdc++.6.dylib 0x94daf000 - 0x94edffff com.apple.AddressBook.framework 4.0.4 (485.1) /System/Library/Frameworks/AddressBook.framework/Versions/A/AddressBook 0x94f71000 - 0x94f80fff com.apple.DSObjCWrappers.Framework 1.1 /System/Library/PrivateFrameworks/DSObjCWrappers.framework/Versions/A/DSObjCWrappers 0x94f88000 - 0x94fb5fff com.apple.LDAPFramework 1.4.1 (69.0.1) /System/Library/Frameworks/LDAP.framework/Versions/A/LDAP 0x94fbc000 - 0x94fccfff libsasl2.2.dylib /usr/lib/libsasl2.2.dylib 0x94fd0000 - 0x94ffffff libssl.0.9.7.dylib /usr/lib/libssl.0.9.7.dylib 0x9500f000 - 0x9502cfff libresolv.9.dylib /usr/lib/libresolv.9.dylib 0x9620e000 - 0x96237fff libxslt.1.dylib /usr/lib/libxslt.1.dylib 0x97aa7000 - 0x97ab4fff com.apple.agl 2.5.6 (AGL-2.5.6) /System/Library/Frameworks/AGL.framework/Versions/A/AGL 0x9b291000 - 0x9b2c7fff com.apple.Syndication 1.0.6 (54) /System/Library/PrivateFrameworks/Syndication.framework/Versions/A/Syndication 0x9b2e4000 - 0x9b2f6fff com.apple.SyndicationUI 1.0.6 (54) /System/Library/PrivateFrameworks/SyndicationUI.framework/Versions/A/SyndicationUI Model: PowerBook5,8, BootROM 4.9.6f0, 1 processors, PowerPC G4 (1.5), 1.67 GHz, 1.5 GB Graphics: ATI Mobility Radeon 9700, ATY,RV360M11, AGP, 128 MB Memory Module: SODIMM0/J20STANDARD, 512 MB, DDR2 SDRAM, PC2-4200S-444 Memory Module: SODIMM1/J23REVERSED, 1 GB, DDR2 SDRAM, PC2-4200S-444 AirPort: AirPort Extreme, 405.1 (3.90.34.0.p18) Modem: Jump, V.92, Version 1.0 Bluetooth: Version 1.7.14f14, 2 service, 0 devices, 1 incoming serial ports Network Service: Built-in Ethernet, Ethernet, en0 Network Service: AirPort, AirPort, en1 PCI Card: pci106b,4318, sppci_othernetwork, SLOT-A PCI Card: TXN,PCIXXXX-00, cardbus, PC Card PCI Card: usb, usb, USB20 PCI Card: usb, usb, USB20 PCI Card: usb, ehci, USB20 Parallel ATA Device: ST9808211A, 74.53 GB Parallel ATA Device: MATSHITADVD-R UJ-846 USB Device: Bluetooth HCI, Up to 12 Mb/sec, 500 mA USB Device: Apple Internal Keyboard / 
Trackpad, Apple Computer, Up to 12 Mb/sec, 500 mA
I had the Web Inspector window open at the time, and can recreate this successfully.
Reproducible by doing some b/f navigation while the inspector is open.
Using gdb I found out that the crash happens in inspector.js:469. At the time of the crash, focusedNode, which was a JSHTMLDocument, had already been deleted (during an earlier GC), despite the fact that the Obj-C wrapper (_private->focusedNode) was still alive.
The Document's JS wrapper gets unprotected when the bindings root is invalidated when the Frame is cleared. However, the ObjC wrapper sticks around and therefore also the entry in the ObjC wrapper cache mapping the Document to it. Thus the inspector is able to retrieve the ObjC wrapper which now points to a destroyed JS wrapper.
Created attachment 13915 [details] Demo app (source) To reproduce the bug with this application, build it and run it linked to TOT WebKit. Do the following: 1) Press Return to load the "a" document. 2) Click the Store button to make and retain an Obj-C wrapper for the document. 3) Choose the "about:blank" document from the combo box, to load that into the view. This destroys the JS wrapper for the document. 4) Click the Back button to go back to the "a" document. 5) Click the Use button to pass the document to JavaScript and try to use it. This will trigger the crash.
Created attachment 13916 [details] Proposed patch
Comment on attachment 13916 [details] Proposed patch I don't see any reason to use the rootObject protect/unprotect if we're also going to directly protect/unprotect.
I'm not sure this qualifies as a regression -- it requires use of the inspector so won't affect most users. I'm a little worried about storage leaks. It might be better to guard use of the JS implementation pointer in the WebScriptObject implementation so the object "goes dead" if the root object is gone. I'd like to hear Geoff's comment on that.
I agree with Darin. The alternative would enable careless plug-ins to leak the whole window. (Ultimately, I'm on the fence about whether the browser should try to guard against plug-in leaks -- what about direct malloc leaks? or mmap leaks? -- but WebKit has always guarded against this kind of leak, so I think it needs to keep doing so.)
(In reply to comment #8) > I'm not sure this qualifies as a regression -- it requires use of the inspector > so won't affect most users. It is a regression: linked against shipping WebKit, the demo app doesn't crash, while linked against TOT it does. > I'm a little worried about storage leaks. It might be better to guard use of > the JS implementation pointer in the WebScriptObject implementation so the > object "goes dead" if the root object is gone. I'd like to hear Geoff's comment > on that. I also realized that the proposed patch didn't solve the problem of calling -callWebScriptMethod... on an object with an invalidated root and hitting the ASSERT in RootObject::interpreter() (or crashing).
(In reply to comment #10) > calling > -callWebScriptMethod... on an object with invalidated root and hitting the > ASSERT in RootObject::interpreter() (or crashing). Wrong again (this cannot happen because -[WebScriptObject _root] is nil when the root is invalid).
Created attachment 13926 [details] Check JS wrapper validity and recreate if needed I don't think it's possible or desirable to "kill" the object as suggested in comment #8 (the way I understood it). This patch just fetches a new JS wrapper for the DOM node if the old one is gone (it is also possible that the root is invalid but the old wrapper is still alive thanks to some other JS object pointing to it or any part of the DOM, in which case I believe the same old wrapper will be refetched and subsequently reprotected by a different, valid root object).
Comment on attachment 13926 [details] Check JS wrapper validity and recreate if needed This looks like a safer approach to me, but I'd like Geoff and perhaps Maciej to evaluate it too.
In the WebScriptObject API, once a RootObject becomes invalid, any WebScriptObject created with it goes "inert" with respect to JavaScript. This means, for example, that if you call -valueForKey: on such an object, you'll unconditionally get back nil. I don't think that's a great API, but we probably shouldn't change it now. This patch would poke a small hole in that API, allowing you to pass an inert WebScriptObject as an argument to a JavaScript function, even though you couldn't use the WebScriptObject in any other JavaScript context. I see three problems with that: 1. It's inconsistent, and therefore confusing. 2. It doesn't fix the crash in all cases. A WebScriptObject will fail to regenerate its JS counterpart if its document is not in a frame, in which case it will still vend a stale pointer. 3. Because it resets the WebScriptObject's RootObject, it breaks the (admittedly not very strong) cross-frame scripting security model. I think it's possible to make the object's inert-ness apply when it's used as an argument to a function, too. The -_imp method can just return nil if rootObject->isValid() returns false. The tricky part will be finding all the callers of _imp and getting them to respect a nil return value, but I think that's definitely do-able.
Comment on attachment 13926 [details] Check JS wrapper validity and recreate if needed r- for the issues I mentioned above (sorry, mitz!)
<rdar://problem/5126394>
Given Geoff's comments, I know how to fix this, but I can't seem to reproduce the bug. I have a patch sitting on one of my machines that I can attach. I tried using the inspector and then doing back/forward. I immediately hit another crash, so I fixed those first. Once I fixed the crashes I saw, I couldn't reproduce this using the inspector and back/forward.
Created attachment 15392 [details] patch to fix, not this bug, but other problems seen testing inspector with back/forward I wanted to put this patch up here. I probably should file a new bug report about these other problems I saw and attach the patch to that for review, but for the moment, I'll just do this.
(In reply to comment #17) > Given Geoff's comments, I know how to fix this, but I can't seem to reproduce > the bug. I have a patch sitting on one of my machines that I can attach. Does this bug no longer reproduce with the demo app? (In reply to comment #18) > patch to fix, not this bug, but other problems seen testing inspector with > back/forward Perhaps your patch belongs in bug 14337.
(In reply to comment #19) > Does this bug no longer reproduce with the demo app? Oh, I never tried the demo app!
<http://trac.webkit.org/projects/webkit/changeset/24493> has made the crash a little harder to reproduce with the demo app (by coalescing two garbage collections). To reproduce the bug with r24493 or later, build the demo app and run it linked to TOT WebKit. Do the following: 1) Press Return to load the "a" document. 2) Click the Store button to make and retain an Obj-C wrapper for the document. 3) Choose the "about:blank" document from the combo box, to load that into the view. This destroys the JS wrapper for the document. 4) Enter "data:text/html,b" in the combo box and press Return to load a "b" document. 5) Click the Back button to go back to about:blank. 6) Click the Back button to go back to the "a" document. 7) Click the Use button to pass the document to JavaScript and try to use it. This will trigger the crash.
Created attachment 15630 [details] check root object for validity whenever using the ObjC wrapper
Comment on attachment 15630 [details] check root object for validity whenever using the ObjC wrapper Kevin Decker reviewed this.
Committed revision 24524.