STR: 1. load http://www.japantimes.co.jp 2. click on any link to an article results: crash. Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x000000010f0389e3 WebCore::Node::insertedInto(WebCore::ContainerNode*) + 51 1 com.apple.WebCore 0x000000010ea4b2c4 WebCore::Element::insertedInto(WebCore::ContainerNode*) + 36 2 com.apple.WebCore 0x000000010ea4b375 WebCore::Element::insertedInto(WebCore::ContainerNode*) + 213 3 com.apple.WebCore 0x000000010e8587a7 WebCore::ChildNodeInsertionNotifier::notifyNodeInsertedIntoDocument(WebCore::Node*) + 39 4 com.apple.WebCore 0x000000010e858a36 WebCore::ChildNodeInsertionNotifier::notifyDescendantInsertedIntoDocument(WebCore::ContainerNode*) + 166 5 com.apple.WebCore 0x000000010e858820 WebCore::ChildNodeInsertionNotifier::notifyNodeInsertedIntoDocument(WebCore::Node*) + 160 6 com.apple.WebCore 0x000000010e858a36 WebCore::ChildNodeInsertionNotifier::notifyDescendantInsertedIntoDocument(WebCore::ContainerNode*) + 166 7 com.apple.WebCore 0x000000010e858820 WebCore::ChildNodeInsertionNotifier::notifyNodeInsertedIntoDocument(WebCore::Node*) + 160 8 com.apple.WebCore 0x000000010e857f26 WebCore::ChildNodeInsertionNotifier::notify(WebCore::Node*) + 118 9 com.apple.WebCore 0x000000010e855889 WebCore::updateTreeAfterInsertion(WebCore::ContainerNode*, WebCore::Node*, WebCore::AttachBehavior) + 233 10 com.apple.WebCore 0x000000010e855516 WebCore::ContainerNode::appendChild(WTF::PassRefPtr<WebCore::Node>, int&, WebCore::AttachBehavior) + 310 11 com.apple.WebCore 0x000000010f03727d WebCore::Node::appendChild(WTF::PassRefPtr<WebCore::Node>, int&, WebCore::AttachBehavior) + 45 12 com.apple.WebCore 0x000000010ee59dce WebCore::JSNode::appendChild(JSC::ExecState*) + 78 13 ??? 
0x00004ce168c01045 0 + 84531008770117 14 com.apple.JavaScriptCore 0x000000010e432421 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::VM*) + 49 15 com.apple.JavaScriptCore 0x000000010e4183c5 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) + 4005 16 com.apple.JavaScriptCore 0x000000010e319329 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) + 569 17 com.apple.WebCore 0x000000010f21f6f1 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*) + 385 18 com.apple.WebCore 0x000000010f21f859 WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) + 41 19 com.apple.WebCore 0x000000010f2286e7 WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 455 20 com.apple.WebCore 0x000000010f22881d WebCore::ScriptElement::execute(WebCore::CachedScript*) + 93 21 com.apple.WebCore 0x000000010f22db78 WebCore::ScriptRunner::timerFired(WebCore::Timer<WebCore::ScriptRunner>*) + 536 22 com.apple.WebCore 0x000000010f3b554f WebCore::ThreadTimers::sharedTimerFiredInternal() + 175 23 com.apple.WebCore 0x000000010f26aa33 WebCore::timerFired(__CFRunLoopTimer*, void*) + 51 24 com.apple.CoreFoundation 0x00007fff8f58c804 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20 25 com.apple.CoreFoundation 0x00007fff8f58c31d __CFRunLoopDoTimer + 557 26 com.apple.CoreFoundation 0x00007fff8f571ad9 __CFRunLoopRun + 1529 27 com.apple.CoreFoundation 0x00007fff8f5710e2 CFRunLoopRunSpecific + 290 28 com.apple.HIToolbox 0x00007fff8ed2aeb4 RunCurrentEventLoopInMode + 209 29 com.apple.HIToolbox 0x00007fff8ed2ac52 ReceiveNextEventCommon + 356 30 com.apple.HIToolbox 0x00007fff8ed2aae3 BlockUntilNextEventMatchingListInMode + 62 31 com.apple.AppKit 0x00007fff8ca6c533 _DPSNextEvent + 685 32 com.apple.AppKit 0x00007fff8ca6bdf2 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128 33 com.apple.AppKit 0x00007fff8ca631a3 -[NSApplication 
run] + 517 34 com.apple.WebCore 0x000000010f215a92 WebCore::RunLoop::run() + 82 35 com.apple.WebKit2 0x000000010df20cda int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebContentProcessMainDelegate>(int, char**) + 614 36 com.apple.WebProcess 0x000000010de38e23 main + 337 37 libdyld.dylib 0x00007fff854b57e1 start + 1 Thread 1:: Dispatch queue: com.apple.libdispatch-manager 0 libsystem_kernel.dylib 0x00007fff89d9ad16 kevent + 10 1 libdispatch.dylib 0x00007fff8f000dea _dispatch_mgr_invoke + 883 2 libdispatch.dylib 0x00007fff8f0009ee _dispatch_mgr_thread + 54 Thread 2:: JavaScriptCore::BlockFree 0 libsystem_kernel.dylib 0x00007fff89d9a0fa __psynch_cvwait + 10 1 libsystem_c.dylib 0x00007fff87605fe9 _pthread_cond_wait + 869 2 com.apple.JavaScriptCore 0x000000010e5f12a6 WTF::ThreadCondition::timedWait(WTF::Mutex&, double) + 118 3 com.apple.JavaScriptCore 0x000000010e2dd06b JSC::BlockAllocator::blockFreeingThreadMain() + 123 4 com.apple.JavaScriptCore 0x000000010e5f05bf WTF::wtfThreadEntryPoint(void*) + 15 5 libsystem_c.dylib 0x00007fff876017a2 _pthread_start + 327 6 libsystem_c.dylib 0x00007fff875ee1e1 thread_start + 13 Thread 3:: JavaScriptCore::Marking 0 libsystem_kernel.dylib 0x00007fff89d9a0fa __psynch_cvwait + 10 1 libsystem_c.dylib 0x00007fff87605fe9 _pthread_cond_wait + 869 2 com.apple.JavaScriptCore 0x000000010e40981b JSC::GCThread::waitForNextPhase() + 123 3 com.apple.JavaScriptCore 0x000000010e4098df JSC::GCThread::gcThreadMain() + 143 4 com.apple.JavaScriptCore 0x000000010e5f05bf WTF::wtfThreadEntryPoint(void*) + 15 5 libsystem_c.dylib 0x00007fff876017a2 _pthread_start + 327 6 libsystem_c.dylib 0x00007fff875ee1e1 thread_start + 13 Thread 4:: WebCore: Scrolling 0 libsystem_kernel.dylib 0x00007fff89d98686 mach_msg_trap + 10 1 libsystem_kernel.dylib 0x00007fff89d97c42 mach_msg + 70 2 com.apple.CoreFoundation 0x00007fff8f56c233 __CFRunLoopServiceMachPort + 195 3 com.apple.CoreFoundation 0x00007fff8f571916 __CFRunLoopRun + 1078 4 com.apple.CoreFoundation 
0x00007fff8f5710e2 CFRunLoopRunSpecific + 290 5 com.apple.CoreFoundation 0x00007fff8f57fdd1 CFRunLoopRun + 97 6 com.apple.WebCore 0x000000010f240dce WebCore::ScrollingThread::initializeRunLoop() + 254 7 com.apple.JavaScriptCore 0x000000010e5f05bf WTF::wtfThreadEntryPoint(void*) + 15 8 libsystem_c.dylib 0x00007fff876017a2 _pthread_start + 327 9 libsystem_c.dylib 0x00007fff875ee1e1 thread_start + 13 Thread 5:: com.apple.NSURLConnectionLoader 0 libsystem_kernel.dylib 0x00007fff89d98686 mach_msg_trap + 10 1 libsystem_kernel.dylib 0x00007fff89d97c42 mach_msg + 70 2 com.apple.CoreFoundation 0x00007fff8f56c233 __CFRunLoopServiceMachPort + 195 3 com.apple.CoreFoundation 0x00007fff8f571916 __CFRunLoopRun + 1078 4 com.apple.CoreFoundation 0x00007fff8f5710e2 CFRunLoopRunSpecific + 290 5 com.apple.Foundation 0x00007fff87b16546 +[NSURLConnection(Loader) _resourceLoadLoop:] + 356 6 com.apple.Foundation 0x00007fff87b74562 __NSThread__main__ + 1345 7 libsystem_c.dylib 0x00007fff876017a2 _pthread_start + 327 8 libsystem_c.dylib 0x00007fff875ee1e1 thread_start + 13 Thread 6:: com.apple.CFSocket.private 0 libsystem_kernel.dylib 0x00007fff89d9a322 __select + 10 1 com.apple.CoreFoundation 0x00007fff8f5b0f46 __CFSocketManager + 1302 2 libsystem_c.dylib 0x00007fff876017a2 _pthread_start + 327 3 libsystem_c.dylib 0x00007fff875ee1e1 thread_start + 13 Thread 7:: JSC Compilation Thread 0 libsystem_kernel.dylib 0x00007fff89d9a0fa __psynch_cvwait + 10 1 libsystem_c.dylib 0x00007fff87605fe9 _pthread_cond_wait + 869 2 com.apple.JavaScriptCore 0x000000010e3fbd8b JSC::DFG::Worklist::runThread() + 747 3 com.apple.JavaScriptCore 0x000000010e5f05bf WTF::wtfThreadEntryPoint(void*) + 15 4 libsystem_c.dylib 0x00007fff876017a2 _pthread_start + 327 5 libsystem_c.dylib 0x00007fff875ee1e1 thread_start + 13 Thread 8: 0 libsystem_kernel.dylib 0x00007fff89d9a6d6 __workq_kernreturn + 10 1 libsystem_c.dylib 0x00007fff87603f4c _pthread_workq_return + 25 2 libsystem_c.dylib 0x00007fff87603d13 _pthread_wqthread + 
412 3 libsystem_c.dylib 0x00007fff875ee1d1 start_wqthread + 13 Thread 9: 0 libsystem_kernel.dylib 0x00007fff89d9a6d6 __workq_kernreturn + 10 1 libsystem_c.dylib 0x00007fff87603f4c _pthread_workq_return + 25 2 libsystem_c.dylib 0x00007fff87603d13 _pthread_wqthread + 412 3 libsystem_c.dylib 0x00007fff875ee1d1 start_wqthread + 13 Thread 10: 0 libsystem_kernel.dylib 0x00007fff89d9a6d6 __workq_kernreturn + 10 1 libsystem_c.dylib 0x00007fff87603f4c _pthread_workq_return + 25 2 libsystem_c.dylib 0x00007fff87603d13 _pthread_wqthread + 412 3 libsystem_c.dylib 0x00007fff875ee1d1 start_wqthread + 13 Thread 11: 0 libsystem_kernel.dylib 0x00007fff89d9a6d6 __workq_kernreturn + 10 1 libsystem_c.dylib 0x00007fff87603f4c _pthread_workq_return + 25 2 libsystem_c.dylib 0x00007fff87603d13 _pthread_wqthread + 412 3 libsystem_c.dylib 0x00007fff875ee1d1 start_wqthread + 13 Thread 12: 0 libsystem_kernel.dylib 0x00007fff89d9a6d6 __workq_kernreturn + 10 1 libsystem_c.dylib 0x00007fff87603f4c _pthread_workq_return + 25 2 libsystem_c.dylib 0x00007fff87603d13 _pthread_wqthread + 412 3 libsystem_c.dylib 0x00007fff875ee1d1 start_wqthread + 13 Thread 13: 0 libsystem_kernel.dylib 0x00007fff89d9a6d6 __workq_kernreturn + 10 1 libsystem_c.dylib 0x00007fff87603f4c _pthread_workq_return + 25 2 libsystem_c.dylib 0x00007fff87603d13 _pthread_wqthread + 412 3 libsystem_c.dylib 0x00007fff875ee1d1 start_wqthread + 13 Thread 14: 0 libsystem_kernel.dylib 0x00007fff89d9a6d6 __workq_kernreturn + 10 1 libsystem_c.dylib 0x00007fff87603f4c _pthread_workq_return + 25 2 libsystem_c.dylib 0x00007fff87603d13 _pthread_wqthread + 412 3 libsystem_c.dylib 0x00007fff875ee1d1 start_wqthread + 13 Thread 15: 0 libsystem_kernel.dylib 0x00007fff89d9a6d6 __workq_kernreturn + 10 1 libsystem_c.dylib 0x00007fff87603f4c _pthread_workq_return + 25 2 libsystem_c.dylib 0x00007fff87603d13 _pthread_wqthread + 412 3 libsystem_c.dylib 0x00007fff875ee1d1 start_wqthread + 13 Thread 16: 0 libsystem_kernel.dylib 0x00007fff89d9a6d6 
__workq_kernreturn + 10 1 libsystem_c.dylib 0x00007fff87603f4c _pthread_workq_return + 25 2 libsystem_c.dylib 0x00007fff87603d13 _pthread_wqthread + 412 3 libsystem_c.dylib 0x00007fff875ee1d1 start_wqthread + 13 Thread 17: 0 libsystem_kernel.dylib 0x00007fff89d9a6d6 __workq_kernreturn + 10 1 libsystem_c.dylib 0x00007fff87603f4c _pthread_workq_return + 25 2 libsystem_c.dylib 0x00007fff87603d13 _pthread_wqthread + 412 3 libsystem_c.dylib 0x00007fff875ee1d1 start_wqthread + 13 Thread 18: 0 libsystem_kernel.dylib 0x00007fff89d9a6d6 __workq_kernreturn + 10 1 libsystem_c.dylib 0x00007fff87603f4c _pthread_workq_return + 25 2 libsystem_c.dylib 0x00007fff87603d13 _pthread_wqthread + 412 3 libsystem_c.dylib 0x00007fff875ee1d1 start_wqthread + 13 Thread 0 crashed with X86 Thread State (64-bit): rax: 0x0000000002202146 rbx: 0x00000001176b94e0 rcx: 0x0000000000000000 rdx: 0x000000010f9cfe48 rdi: 0x00000001175de540 rsi: 0x00000001156b9e40 rbp: 0x00007fff51dc47c0 rsp: 0x00007fff51dc47c0 r8: 0x0000000000000002 r9: 0x0000000000000001 r10: 0x000000005acc6715 r11: 0x000000005acc62b9 r12: 0x00000001175de540 r13: 0x0000000002202146 r14: 0x00000001156b9e40 r15: 0x00007fff51dc4880 rip: 0x000000010f0389e3 rfl: 0x0000000000010246 cr2: 0x0000000000000017 Logical CPU: 1
Reproducible on the GTK port as well. The gdb backtrace on the crashing thread (below) shows `WebCore::Node::isInShadowTree` being called on a null `Node*` (`this=0x0`) from `Node::insertedInto` at Node.cpp:1050, i.e. a null-pointer dereference of `m_nodeFlags`; this matches the Mac report, whose fault address is `cr2: 0x17` (a small offset from null). The path is reached from page script via `JSNode::appendChild`, so web content can trigger it; nothing in either trace suggests an attacker-controlled pointer, so as far as these reports show the impact is a WebProcess crash (denial of service) rather than memory corruption: Program received signal SIGSEGV, Segmentation fault. 0x00007ffff42d969b in WebCore::Node::getFlag (this=0x0, mask=WebCore::Node::IsInShadowTreeFlag) at ../Source/WebCore/dom/Node.h:649 649 bool getFlag(NodeFlags mask) const { return m_nodeFlags & mask; } #0 0x00007ffff42d969b in WebCore::Node::getFlag (this=0x0, mask=WebCore::Node::IsInShadowTreeFlag) at ../Source/WebCore/dom/Node.h:649 #1 0x00007ffff45ba469 in WebCore::Node::isInShadowTree (this=0x0) at ../Source/WebCore/dom/Node.h:423 #2 0x00007ffff47e9e8f in WebCore::Node::insertedInto (this=0xb70040, insertionPoint=0x168c730) at ../Source/WebCore/dom/Node.cpp:1050 #3 0x00007ffff47a6210 in WebCore::Element::insertedInto (this=0xb70040, insertionPoint=0x168c730) at ../Source/WebCore/dom/Element.cpp:1279 #4 0x00007ffff47a62e6 in WebCore::Element::insertedInto (this=0x1ace620, insertionPoint=0x168c730) at ../Source/WebCore/dom/Element.cpp:1288 #5 0x00007ffff47399d0 in WebCore::ChildNodeInsertionNotifier::notifyNodeInsertedIntoDocument (this=0x7fffffffbbf0, node=0x1ace620) at ../Source/WebCore/dom/ContainerNodeAlgorithms.h:199 #6 0x00007ffff47390b8 in WebCore::ChildNodeInsertionNotifier::notifyDescendantInsertedIntoDocument (this=0x7fffffffbbf0, node=0x2321b40) at ../Source/WebCore/dom/ContainerNodeAlgorithms.cpp:42 #7 0x00007ffff4739a1f in WebCore::ChildNodeInsertionNotifier::notifyNodeInsertedIntoDocument (this=0x7fffffffbbf0, node=0x2321b40) at ../Source/WebCore/dom/ContainerNodeAlgorithms.h:202 #8 0x00007ffff47390b8 in WebCore::ChildNodeInsertionNotifier::notifyDescendantInsertedIntoDocument (this=0x7fffffffbbf0, node=0x110c260) at ../Source/WebCore/dom/ContainerNodeAlgorithms.cpp:42 #9 0x00007ffff4739a1f in WebCore::ChildNodeInsertionNotifier::notifyNodeInsertedIntoDocument (this=0x7fffffffbbf0, node=0x110c260) at ../Source/WebCore/dom/ContainerNodeAlgorithms.h:202 #10 0x00007ffff473ee2b in 
WebCore::ChildNodeInsertionNotifier::notify (this=0x7fffffffbbf0, node=0x110c260) at ../Source/WebCore/dom/ContainerNodeAlgorithms.h:227 #11 0x00007ffff473e41a in WebCore::updateTreeAfterInsertion (parent=0x168c730, child=0x110c260, attachBehavior=WebCore::AttachLazily) at ../Source/WebCore/dom/ContainerNode.cpp:1049 #12 0x00007ffff473c7f2 in WebCore::ContainerNode::appendChild (this=0x168c730, newChild=..., ec=@0x7fffffffbd7c: 0, attachBehavior=WebCore::AttachLazily) at ../Source/WebCore/dom/ContainerNode.cpp:699 #13 0x00007ffff47e84cc in WebCore::Node::appendChild (this=0x168c730, newChild=..., ec=@0x7fffffffbd7c: 0, attachBehavior=WebCore::AttachLazily) at ../Source/WebCore/dom/Node.cpp:506 #14 0x00007ffff451da31 in WebCore::JSNode::appendChild (this=0x7fffa007edb0, exec=0x7fff833ff2c0) at ../Source/WebCore/bindings/js/JSNodeCustom.cpp:179 #15 0x00007ffff5205a71 in WebCore::jsNodePrototypeFunctionAppendChild (exec=0x7fff833ff2c0) at DerivedSources/WebCore/JSNode.cpp:492 #16 0x00007ffff367d636 in JSC::LLInt::CLoop::execute (callFrame=0x7fff833ff260, bootstrapOpcodeId=JSC::llint_program_prologue, isInitializationPass=false) at ./DerivedSources/JavaScriptCore/LLIntAssembly.h:5599 #17 0x00007ffff364da6b in JSC::Interpreter::execute (this=0x783a10, program=0x7fff829efc70, callFrame=0x7fffa015cce0, thisObj=0x7fffa019ffd8) at ../Source/JavaScriptCore/interpreter/Interpreter.cpp:850 #18 0x00007ffff3712700 in JSC::evaluate (exec=0x7fffa015cce0, source=..., thisValue=..., returnedException=0x7fffffffd830) at ../Source/JavaScriptCore/runtime/Completion.cpp:83 #19 0x00007ffff4515a20 in WebCore::JSMainThreadExecState::evaluate (exec=0x7fffa015cce0, source=..., thisValue=..., exception=0x7fffffffd830) at ../Source/WebCore/bindings/js/JSMainThreadExecState.h:74 #20 0x00007ffff4540eaf in WebCore::ScriptController::evaluateInWorld (this=0x6b5220, sourceCode=..., world=0x787810) at ../Source/WebCore/bindings/js/ScriptController.cpp:142 #21 0x00007ffff4540fb8 in 
WebCore::ScriptController::evaluate (this=0x6b5220, sourceCode=...) at ../Source/WebCore/bindings/js/ScriptController.cpp:158 #22 0x00007ffff4815f92 in WebCore::ScriptElement::executeScript (this=0x1ca5d18, sourceCode=...) at ../Source/WebCore/dom/ScriptElement.cpp:317 #23 0x00007ffff481611a in WebCore::ScriptElement::execute (this=0x1ca5d18, cachedScript=0x1a2dad0) at ../Source/WebCore/dom/ScriptElement.cpp:338 #24 0x00007ffff48202d4 in WebCore::ScriptRunner::timerFired (this=0x267d880, timer=0x267d8d0) at ../Source/WebCore/dom/ScriptRunner.cpp:121 #25 0x00007ffff48233b5 in WebCore::Timer<WebCore::ScriptRunner>::fired (this=0x267d8d0) at ../Source/WebCore/platform/Timer.h:114 #26 0x00007ffff444cc7b in WebCore::ThreadTimers::sharedTimerFiredInternal (this=0x6c4750) at ../Source/WebCore/platform/ThreadTimers.cpp:129 #27 0x00007ffff444cb6b in WebCore::ThreadTimers::sharedTimerFired () at ../Source/WebCore/platform/ThreadTimers.cpp:105 #28 0x00007ffff44696d5 in WebCore::timeout_cb () at ../Source/WebCore/platform/gtk/SharedTimerGtk.cpp:49 #29 0x00007fffeef30a03 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 #30 0x00007fffeef2fea6 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 #31 0x00007fffeef301f8 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 #32 0x00007fffeef305fa in g_main_loop_run () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 #33 0x00007ffff27e5257 in gtk_main () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0 #34 0x0000000000405b02 in main (argc=1, argv=0x7fffffffde98) at ../Tools/GtkLauncher/main.c:557
<rdar://problem/14773678>
*** Bug 119985 has been marked as a duplicate of this bug. ***
Created attachment 209177 [details] patch
Comment on attachment 209177 [details] patch: r=me (reviewed by me; approved to land). Sent from my iPhone
https://trac.webkit.org/r154320