[webkit-dev] Stability problems involving Javascript GC

Geoffrey Garen ggaren at apple.com
Mon Dec 6 11:24:33 PST 2010 

Hi Chris.

> (function () { 
> 		var app = document.getElementById(\"RemoteApplication\");
> 		var ReturnMe = Number(app.getListenPort());
> 		app = null;
> 		return ReturnMe;
> 		})()

FYI, from a GC perspective, there's no need to set "app" to null in the snippet above.

> And here is a common sort of stack trace I'm getting (this one from 10.6)
> Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
> 0   com.apple.JavaScriptCore      	0x9489f766 WTF::fastFree(void*) + 134
> 1   com.apple.WebCore             	0x929be825 WebCore::CSSSelectorList::deleteSelectors() + 389
> 2   com.apple.WebCore             	0x92a38269 WebCore::CSSStyleRule::~CSSStyleRule() + 57
> 3   com.apple.WebCore             	0x929c3a04 WTF::Vector<WTF::RefPtr<WebCore::StyleBase>, 0ul>::shrink(unsigned long) + 84
> 4   com.apple.WebCore             	0x92a38193 WebCore::StyleSheet::~StyleSheet() + 179
> 5   com.apple.WebCore             	0x92a38066 WebCore::CSSStyleSheet::~CSSStyleSheet() + 102
> 6   com.apple.WebCore             	0x92a91074 WTF::Vector<WTF::RefPtr<WebCore::StyleSheet>, 0ul>::shrink(unsigned long) + 84
> 7   com.apple.WebCore             	0x92a29243 WebCore::StyleSheetList::~StyleSheetList() + 67
> 8   com.apple.WebCore             	0x92a28cd9 WebCore::Document::~Document() + 3529
> 9   com.apple.WebCore             	0x92a27f01 WebCore::HTMLDocument::~HTMLDocument() + 129
> 10  com.apple.WebCore             	0x92a27def WebCore::Node::~Node() + 431
> 11  com.apple.WebCore             	0x92c05a21 WebCore::HTMLIFrameElement::~HTMLIFrameElement() + 129
> 12  com.apple.WebCore             	0x92b356fe WebCore::JSNode::~JSNode() + 382
> 13  com.apple.JavaScriptCore      	0x9495a0d2 JSC::Heap::sweep() + 274
> 
> I find it odd that main isn't seen in the stack, but it never is.

> The crash nearly ALWAYS occurs in WTF::fastFree(), very occasionally occurring instead in some other memory management function.

In the backtrace you've pasted, there's no direct link to JavaScript GC. GC only appears in the backtrace because a JavaScript object held the last reference to the DOM document object. 

There's a small chance that you've run into this bug, or one of its relations: https://bugs.webkit.org/show_bug.cgi?id=50165.

The best way to diagnose this is to provide a sample application that demonstrates the crash in Bugzilla.

Thanks,
Geoff
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-dev/attachments/20101206/c797a13f/attachment.html>

More information about the webkit-dev mailing list