RESOLVED FIXED 13401
Reproducible crash calling myArray.sort(compareFn) from within a sort comparison function
https://bugs.webkit.org/show_bug.cgi?id=13401
Mark Rowe (bdash)
Reported 2007-04-19 04:37:40 PDT
The following code leads to a crash:

function compareFn1(a, b) { return b - a; }
function compareFn2(a, b) { numbers1.sort(compareFn1); return b - a; }
numbers2.sort(compareFn2);

The crash log is below.

The root cause of this crash is the use of a static variable compareWithCompareFunctionArguments to keep track of the comparison function to be used by the sort operation. The nested sort operations result in the static variable being overwritten and both attempt to clean up the same data structure upon completion of the comparisons.

Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000008
Crashed Thread: 0

Thread 0 Crashed:
0 com.apple.JavaScriptCore 0x002fc296 KJS::List::clear() + 6
1 com.apple.JavaScriptCore 0x002c25ce compareWithCompareFunctionForQSort(void const*, void const*) + 110
2 libSystem.B.dylib 0x90c4347e qsort + 1123
3 com.apple.JavaScriptCore 0x002c28eb KJS::ArrayInstance::sort(KJS::ExecState*, KJS::JSObject*) + 155
4 com.apple.JavaScriptCore 0x002c5d6c KJS::ArrayProtoFunc::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 8684
5 com.apple.JavaScriptCore 0x002e9b27 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 135
6 com.apple.JavaScriptCore 0x002dd209 KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 745
7 com.apple.JavaScriptCore 0x002e172d KJS::ExprStatementNode::execute(KJS::ExecState*) + 77
8 com.apple.JavaScriptCore 0x002e487d KJS::SourceElementsNode::execute(KJS::ExecState*) + 461
9 com.apple.JavaScriptCore 0x002e1661 KJS::BlockNode::execute(KJS::ExecState*) + 65
10 com.apple.JavaScriptCore 0x002cf687 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 39
11 com.apple.JavaScriptCore 0x002cf157 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 359
12 com.apple.JavaScriptCore 0x002e9b27 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 135
13 com.apple.JavaScriptCore 0x002dd8dc KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 620
14 com.apple.JavaScriptCore 0x002e172d KJS::ExprStatementNode::execute(KJS::ExecState*) + 77
15 com.apple.JavaScriptCore 0x002e4761 KJS::SourceElementsNode::execute(KJS::ExecState*) + 177
16 com.apple.JavaScriptCore 0x002e1661 KJS::BlockNode::execute(KJS::ExecState*) + 65
17 com.apple.JavaScriptCore 0x002d2ee6 KJS::Interpreter::evaluate(KJS::UString const&, int, KJS::UChar const*, int, KJS::JSValue*) + 1110
18 com.apple.WebCore 0x00a0cf11 WebCore::KJSProxy::evaluate(WebCore::String const&, int, WebCore::String const&, WebCore::Node*) + 193
19 com.apple.WebCore 0x00b70572 WebCore::FrameLoader::executeScript(WebCore::String const&, int, WebCore::Node*, WebCore::String const&) + 82
20 com.apple.WebCore 0x00b705f1 WebCore::FrameLoader::executeScript(WebCore::Node*, WebCore::String const&, bool) + 65
21 com.apple.WebCore 0x00b70c25 WebCore::FrameLoader::urlSelected(WebCore::ResourceRequest const&, WebCore::String const&, WebCore::Event*, bool) + 1093
22 com.apple.WebCore 0x00a4816d WebCore::HTMLAnchorElement::defaultEventHandler(WebCore::Event*) + 1757
23 com.apple.WebCore 0x009ca0c3 WebCore::EventTargetNode::dispatchGenericEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 739
24 com.apple.WebCore 0x009ca530 WebCore::EventTargetNode::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool, WebCore::EventTarget*) + 160
25 com.apple.WebCore 0x009ca5fd WebCore::EventTargetNode::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 61
26 com.apple.WebCore 0x009cabdc WebCore::EventTargetNode::dispatchMouseEvent(WebCore::AtomicString const&, int, int, int, int, int, int, bool, bool, bool, bool, bool, WebCore::Node*, WTF::PassRefPtr<WebCore::Event>) + 508
27 com.apple.WebCore 0x009cb271 WebCore::EventTargetNode::dispatchMouseEvent(WebCore::PlatformMouseEvent const&, WebCore::AtomicString const&, int, WebCore::Node*) + 193
28 com.apple.WebCore 0x00b99459 WebCore::EventHandler::dispatchMouseEvent(WebCore::AtomicString const&, WebCore::Node*, bool, int, WebCore::PlatformMouseEvent const&, bool) + 425
29 com.apple.WebCore 0x00b9e08d WebCore::EventHandler::handleMouseReleaseEvent(WebCore::PlatformMouseEvent const&) + 685
30 com.apple.WebCore 0x00b96b19 WebCore::EventHandler::mouseUp(NSEvent*) + 233
31 com.apple.WebKit 0x0019a77c -[WebHTMLView mouseUp:] + 220
32 com.apple.AppKit 0x9237df7d -[NSWindow sendEvent:] + 5523
33 com.apple.Safari 0x000a71d3 0x1000 + 680403
34 com.apple.AppKit 0x9236f6fc -[NSApplication sendEvent:] + 2759
35 com.apple.Safari 0x00016d98 0x1000 + 89496
36 com.apple.AppKit 0x922a1b4e -[NSApplication run] + 847
37 com.apple.AppKit 0x92294f16 NSApplicationMain + 663
38 com.apple.Safari 0x00002daf 0x1000 + 7599
39 com.apple.Safari 0x0004e329 0x1000 + 316201
40 ??? 0x00000002 0 + 2
Attachments
Test. Click "Do it!" to crash. (396 bytes, text/html)
2007-04-19 04:44 PDT, Mark Rowe (bdash)
no flags
Patch (5.68 KB, patch)
2007-04-19 06:40 PDT, Mark Rowe (bdash)
darin: review+
Mark Rowe (bdash)
Comment 1 2007-04-19 04:44:35 PDT
Created attachment 14087 [details] Test. Click "Do it!" to crash.
Mark Rowe (bdash)
Comment 2 2007-04-19 04:45:59 PDT
One solution may be to use qsort_r rather than a static variable with qsort.
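The reentrancy hazard the report describes (a static context pointer shared by nested qsort() calls) and one fix for it, as an added C example that is neither the bug's attachments nor the WebKit patch that landed. All names here (SortContext, array_sort, g_ctx, g_pool) are hypothetical stand-ins for the engine's types; the pool of contexts with a "live" flag is a device that lets the stale pointer be counted instead of dereferenced as dead stack memory, which is what crashes the real engine in List::clear(). The fix shown saves the enclosing sort's context around qsort() and restores it afterwards; it is an alternative to the qsort_r suggestion above, and no claim is made that it matches what r20949 did.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the engine's types; not WebKit code. */
typedef int (*user_compare_fn)(int a, int b);

/* Per-sort state the qsort comparator needs: the script-level compare
 * function plus an arguments slot that is filled before each call and
 * cleared afterwards (the "data structure" both sorts end up cleaning up). */
typedef struct {
    user_compare_fn compare;
    int args[2];
    int live;               /* 1 while the owning array_sort() is running */
} SortContext;

/* Contexts come from a pool indexed by nesting depth instead of the stack,
 * so a pointer to a finished sort's context can be recognised and counted
 * rather than dereferenced as dead memory. */
#define MAX_DEPTH 8
static SortContext g_pool[MAX_DEPTH];
static int g_depth;

/* The static that qsort()'s context-free comparator signature forces:
 * the pattern the report names as the root cause. */
static SortContext *g_ctx;

/* Comparator calls that found the static pointing at a completed sort. */
static int g_stale_uses;

static int compare_via_static(const void *pa, const void *pb)
{
    int a = *(const int *)pa, b = *(const int *)pb;
    SortContext *ctx = g_ctx;
    /* Demo choice: on a stale context, count it and keep a consistent
     * descending order so qsort() itself stays within defined behaviour. */
    if (!ctx->live) { g_stale_uses++; return (a < b) - (a > b); }

    ctx->args[0] = a;
    ctx->args[1] = b;
    int r = ctx->compare(a, b);   /* may re-enter array_sort() on another array */

    /* Clear the arguments through the static, as the original code did.
     * After a nested sort that did not restore it, this is the inner
     * sort's context, not ours. */
    ctx = g_ctx;
    if (!ctx->live) { g_stale_uses++; return r; }
    ctx->args[0] = ctx->args[1] = 0;
    return r;
}

/* restore_static == 0 reproduces the bug; == 1 saves the enclosing sort's
 * context around qsort() and puts it back afterwards. */
static int array_sort(int *arr, size_t n, user_compare_fn compare, int restore_static)
{
    if (g_depth >= MAX_DEPTH)
        return -1;
    SortContext *ctx = &g_pool[g_depth++];
    ctx->compare = compare;
    ctx->live = 1;

    SortContext *saved = g_ctx;
    g_ctx = ctx;
    qsort(arr, n, sizeof *arr, compare_via_static);
    if (restore_static)
        g_ctx = saved;
    ctx->live = 0;
    g_depth--;
    return 0;
}

/* The report's test case, with the arrays as globals as in the script. */
static int numbers1[3];
static int numbers2[4];
static int g_restore_static;

static int compareFn1(int a, int b) { return b - a; }

static int compareFn2(int a, int b)
{
    array_sort(numbers1, 3, compareFn1, g_restore_static);   /* nested sort */
    return b - a;
}

static int is_descending(const int *a, size_t n)
{
    for (size_t i = 1; i < n; i++)
        if (a[i - 1] < a[i])
            return 0;
    return 1;
}

/* Runs numbers2.sort(compareFn2) on constructed input and returns how many
 * comparator calls hit a stale context. */
int run_scenario(int restore_static)
{
    static const int init1[3] = {3, 1, 2};     /* constructed sample input */
    static const int init2[4] = {5, 4, 6, 2};
    memcpy(numbers1, init1, sizeof numbers1);
    memcpy(numbers2, init2, sizeof numbers2);
    g_restore_static = restore_static;
    g_stale_uses = 0;
    g_ctx = NULL;
    g_depth = 0;
    array_sort(numbers2, 4, compareFn2, restore_static);
    return g_stale_uses;
}

int scenario_sorted(void)
{
    return is_descending(numbers1, 3) && is_descending(numbers2, 4);
}

int main(void)
{
    printf("static only : %d stale context uses\n", run_scenario(0));
    printf("save/restore: %d stale context uses, both sorted: %d\n",
           run_scenario(1), scenario_sorted());
    return 0;
}
```

With the static left as the nested sort set it, the very first outer comparison already touches the inner sort's finished context on its clean-up step, which is the frame the crash log shows (List::clear() called from the qsort comparator). Passing the context to qsort_r instead removes the static entirely, but its comparator signature differs between glibc (context as the third argument) and the BSD/macOS libc (context as the first), so a cross-platform engine needs a wrapper or the save-and-restore pattern above.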
Mark Rowe (bdash)
Comment 3 2007-04-19 04:46:41 PDT
Mark Rowe (bdash)
Comment 4 2007-04-19 06:06:33 PDT
I have a patch ready, and just need to package up a test case.
Mark Rowe (bdash)
Comment 5 2007-04-19 06:40:51 PDT
Darin Adler
Comment 6 2007-04-19 07:14:33 PDT
Comment on attachment 14088 [details] Patch r=me
Mark Rowe (bdash)
Comment 7 2007-04-19 07:21:36 PDT
Landed in r20949.