[Webkit-unassigned] [Bug 59793] New: ASSERT/crash when dispatching an event

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Apr 29 06:02:04 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=59793

           Summary: ASSERT/crash when dispatching an event
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Macintosh
        OS/Version: Mac OS X 10.5
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Event Handling
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: dino at apple.com


I'm triggering an ASSERT, and sometimes a crash, when dispatching an event (e.g. in LayoutTests/animations/animation-drt-api-multiple-keyframes.html, but really anything that attaches an event listener).

In JSEventListener::jsFunction I'm hitting this:
ASSERT(!m_jsFunction || static_cast<JSC::JSCell*>(m_jsFunction.get())->isObject());

or crashing here:

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   com.apple.WebCore                 0x00000001010ab209 JSC::asObject(JSC::JSCell*) + 69 (JSObject.h:396)
1   com.apple.WebCore                 0x000000010164878f JSC::JSCell::fastGetOwnPropertySlot(JSC::ExecState*, JSC::Identifier const&, JSC::PropertySlot&) + 65 (JSObject.h:511)
2   com.apple.WebCore                 0x000000010164880d JSC::JSObject::getPropertySlot(JSC::ExecState*, JSC::Identifier const&, JSC::PropertySlot&) + 53 (JSObject.h:521)
3   com.apple.WebCore                 0x0000000101648897 JSC::JSObject::get(JSC::ExecState*, JSC::Identifier const&) const + 67 (JSObject.h:546)
4   com.apple.WebCore                 0x0000000101702289 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 517 (JSEventListener.cpp:97)
5   com.apple.WebCore                 0x00000001013bc55e WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul>&) + 296 (EventTarget.cpp:345)
6   com.apple.WebCore                 0x00000001013bcb8d WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 333 (EventTarget.cpp:330)
7   com.apple.WebCore                 0x000000010198de47 WebCore::Node::handleLocalEvents(WebCore::Event*) + 159 (Node.cpp:2729)
8   com.apple.WebCore                 0x00000001013a1cbd WebCore::EventDispatcher::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) + 1103 (EventDispatcher.cpp:315)
9   com.apple.WebCore                 0x00000001013a054d WebCore::EventDispatchMediator::dispatchEvent(WebCore::EventDispatcher*) const + 55 (Event.cpp:313)
10  com.apple.WebCore                 0x00000001013a138b WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WebCore::EventDispatchMediator const&) + 117 (EventDispatcher.cpp:59)
11  com.apple.WebCore                 0x000000010198dd54 WebCore::Node::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) + 56 (Node.cpp:2738)
12  com.apple.WebCore                 0x0000000101034369 WebCore::AnimationControllerPrivate::fireEventsAndUpdateStyle() + 415 (AnimationController.cpp:155)
13  com.apple.WebCore                 0x000000010103448c WebCore::AnimationControllerPrivate::animationTimerFired(WebCore::Timer<WebCore::AnimationControllerPrivate>*) + 56 (AnimationController.cpp:210)
14  com.apple.WebCore                 0x0000000101035401 WebCore::Timer<WebCore::AnimationControllerPrivate>::fired() + 113 (Timer.h:100)
15  com.apple.WebCore                 0x0000000101d707d2 WebCore::ThreadTimers::sharedTimerFiredInternal() + 204 (ThreadTimers.cpp:115)
16  com.apple.WebCore                 0x0000000101d709e5 WebCore::ThreadTimers::sharedTimerFired() + 25 (ThreadTimers.cpp:91)

When I debug, it seems the Node is fine. I'm not sure what caused the function to disappear.

Here's another one, from fast/events/before-unload-adopt-subframe-to-outside.html:

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000bbadbeef
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   com.apple.WebCore                 0x00000001010ab209 JSC::asObject(JSC::JSCell*) + 69 (JSObject.h:396)
1   com.apple.WebCore                 0x000000010164878f JSC::JSCell::fastGetOwnPropertySlot(JSC::ExecState*, JSC::Identifier const&, JSC::PropertySlot&) + 65 (JSObject.h:511)
2   com.apple.WebCore                 0x000000010164880d JSC::JSObject::getPropertySlot(JSC::ExecState*, JSC::Identifier const&, JSC::PropertySlot&) + 53 (JSObject.h:521)
3   com.apple.WebCore                 0x0000000101648897 JSC::JSObject::get(JSC::ExecState*, JSC::Identifier const&) const + 67 (JSObject.h:546)
4   com.apple.WebCore                 0x0000000101702289 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 517 (JSEventListener.cpp:97)
5   com.apple.WebCore                 0x00000001013bc55e WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul>&) + 296 (EventTarget.cpp:345)
6   com.apple.WebCore                 0x00000001013bcb8d WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 333 (EventTarget.cpp:330)
7   com.apple.WebCore                 0x0000000101358b6b WebCore::DOMWindow::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, WTF::PassRefPtr<WebCore::EventTarget>) + 245 (DOMWindow.cpp:1592)
8   com.apple.WebCore                 0x000000010141e720 WebCore::FrameLoader::fireBeforeUnloadEvent(WebCore::Chrome*) + 242 (FrameLoader.cpp:2964)
9   com.apple.WebCore                 0x000000010141e99f WebCore::FrameLoader::shouldClose() + 339 (FrameLoader.cpp:2941)
10  com.apple.WebCore                 0x0000000101427f5a WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) + 240 (FrameLoader.cpp:2989)
11  com.apple.WebCore                 0x000000010142825e WebCore::FrameLoader::callContinueLoadAfterNavigationPolicy(void*, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) + 68 (FrameLoader.cpp:2917)
12  com.apple.WebCore                 0x00000001019f4d89 WebCore::PolicyCallback::call(bool) + 107 (PolicyCallback.cpp:103)
13  com.apple.WebCore                 0x00000001019f5967 WebCore::PolicyChecker::continueAfterNavigationPolicy(WebCore::PolicyAction) + 445 (PolicyChecker.cpp:160)
14  com.apple.WebKit                  0x0000000100a64193 WebFrameLoaderClient::receivedPolicyDecison(WebCore::PolicyAction) + 323 (WebFrameLoaderClient.mm:1340)
15  com.apple.WebKit                  0x0000000100a64228 -[WebFramePolicyListener receivedPolicyDecision:] + 147 (WebFrameLoaderClient.mm:2077)
16  com.apple.WebKit                  0x0000000100a60590 -[WebFramePolicyListener use] + 37 (WebFrameLoaderClient.mm:2093)
17  com.apple.WebKit                  0x0000000100a41db2 -[WebDefaultPolicyDelegate webView:decidePolicyForNavigationAction:request:frame:decisionListener:] + 162 (WebDefaultPolicyDelegate.m:87)
18  com.apple.CoreFoundation          0x00007fff835d196c __invoking___ + 140
19  com.apple.CoreFoundation          0x00007fff835d183d -[NSInvocation invoke] + 141
