Bug 15718 - ASSERTION FAILED: _hash in KJS::UString::Rep::computedHash()
Summary: ASSERTION FAILED: _hash in KJS::UString::Rep::computedHash()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 523.x (Safari 3)
Hardware: Mac OS X 10.5
Importance: P1 Normal
Assignee: Maciej Stachowiak
URL:
Keywords: NeedsReduction, Regression
Depends on:
Blocks:
Reported: 2007-10-26 18:48 PDT by Matt Lilek
Modified: 2011-01-25 19:12 PST (History)

See Also:


Attachments
fix (1.12 KB, patch)
2007-10-27 03:31 PDT, Maciej Stachowiak
mrowe: review+
fix 2 (1.60 KB, patch)
2007-10-27 12:16 PDT, Geoffrey Garen
darin: review-

Description Matt Lilek 2007-10-26 18:48:05 PDT
Hit this assert that was just added in r27127 on either <http://developer.apple.com/> or <http://apple.com/> (both were loading at the time).  Couldn't reproduce when I went back and tried though, but I figured I'd file a bug due to the newness anyway.

ASSERTION FAILED: _hash
(/Users/matt/Code/WebKit/JavaScriptCore/kjs/ustring.h:150 unsigned int KJS::UString::Rep::computedHash() const)

Thread 0 Crashed:
0   com.apple.JavaScriptCore      	0x0048b4cc KJS::UString::Rep::computedHash() const + 70 (ustring.h:150)
1   com.apple.JavaScriptCore      	0x00452b7c KJS::PropertyMap::insert(KJS::UString::Rep*, KJS::JSValue*, int, int) + 88 (property_map.cpp:402)
2   com.apple.JavaScriptCore      	0x004539c8 KJS::PropertyMap::createTable() + 220 (property_map.cpp:464)
3   com.apple.JavaScriptCore      	0x00453a08 KJS::PropertyMap::expand() + 36 (property_map.cpp:430)
4   com.apple.JavaScriptCore      	0x00453b80 KJS::PropertyMap::put(KJS::Identifier const&, KJS::JSValue*, int, bool) + 346 (property_map.cpp:348)
5   com.apple.JavaScriptCore      	0x004627d8 KJS::JSObject::put(KJS::ExecState*, KJS::Identifier const&, KJS::JSValue*, int) + 640 (object.cpp:280)
6   com.apple.JavaScriptCore      	0x004831ae KJS::AssignBracketNode::evaluate(KJS::ExecState*) + 914 (nodes.cpp:1732)
7   com.apple.JavaScriptCore      	0x0046a237 KJS::ExprStatementNode::execute(KJS::ExecState*) + 133 (nodes.cpp:1937)
8   com.apple.JavaScriptCore      	0x00451f94 KJS::SourceElementsNode::execute(KJS::ExecState*) + 60 (nodes.cpp:2821)
9   com.apple.JavaScriptCore      	0x00451d90 KJS::BlockNode::execute(KJS::ExecState*) + 94 (nodes.cpp:1919)
10  com.apple.JavaScriptCore      	0x00466e3d KJS::FunctionBodyNode::execute(KJS::ExecState*) + 47 (nodes.cpp:2719)
11  com.apple.JavaScriptCore      	0x00447452 KJS::FunctionImp::execute(KJS::ExecState*) + 38 (function.cpp:250)
12  com.apple.JavaScriptCore      	0x0046ff00 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 384 (function.cpp:91)
13  com.apple.JavaScriptCore      	0x004622a2 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:95)
14  com.apple.JavaScriptCore      	0x00479257 KJS::FunctionCallBracketNode::evaluate(KJS::ExecState*) + 959 (nodes.cpp:743)
15  com.apple.JavaScriptCore      	0x0046a8fc KJS::ConditionalNode::evaluate(KJS::ExecState*) + 142 (nodes.cpp:1535)
16  com.apple.JavaScriptCore      	0x004834b7 KJS::AssignResolveNode::evaluate(KJS::ExecState*) + 303 (nodes.cpp:1637)
17  com.apple.JavaScriptCore      	0x0046a237 KJS::ExprStatementNode::execute(KJS::ExecState*) + 133 (nodes.cpp:1937)
18  com.apple.JavaScriptCore      	0x00451f94 KJS::SourceElementsNode::execute(KJS::ExecState*) + 60 (nodes.cpp:2821)
19  com.apple.JavaScriptCore      	0x00451d90 KJS::BlockNode::execute(KJS::ExecState*) + 94 (nodes.cpp:1919)
20  com.apple.JavaScriptCore      	0x00469c26 KJS::WhileNode::execute(KJS::ExecState*) + 344 (nodes.cpp:2036)
21  com.apple.JavaScriptCore      	0x00451f94 KJS::SourceElementsNode::execute(KJS::ExecState*) + 60 (nodes.cpp:2821)
22  com.apple.JavaScriptCore      	0x00451d90 KJS::BlockNode::execute(KJS::ExecState*) + 94 (nodes.cpp:1919)
23  com.apple.JavaScriptCore      	0x00466e3d KJS::FunctionBodyNode::execute(KJS::ExecState*) + 47 (nodes.cpp:2719)
24  com.apple.JavaScriptCore      	0x00447452 KJS::FunctionImp::execute(KJS::ExecState*) + 38 (function.cpp:250)
25  com.apple.JavaScriptCore      	0x0046ff00 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 384 (function.cpp:91)
26  com.apple.JavaScriptCore      	0x004622a2 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:95)
27  com.apple.JavaScriptCore      	0x00478d90 KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 772 (nodes.cpp:785)
28  com.apple.JavaScriptCore      	0x0046a237 KJS::ExprStatementNode::execute(KJS::ExecState*) + 133 (nodes.cpp:1937)
29  com.apple.JavaScriptCore      	0x00451f94 KJS::SourceElementsNode::execute(KJS::ExecState*) + 60 (nodes.cpp:2821)
30  com.apple.JavaScriptCore      	0x00451d90 KJS::BlockNode::execute(KJS::ExecState*) + 94 (nodes.cpp:1919)
31  com.apple.JavaScriptCore      	0x00466e3d KJS::FunctionBodyNode::execute(KJS::ExecState*) + 47 (nodes.cpp:2719)
32  com.apple.JavaScriptCore      	0x00447452 KJS::FunctionImp::execute(KJS::ExecState*) + 38 (function.cpp:250)
33  com.apple.JavaScriptCore      	0x0046ff00 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 384 (function.cpp:91)
34  com.apple.JavaScriptCore      	0x004622a2 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:95)
35  com.apple.JavaScriptCore      	0x00478d90 KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 772 (nodes.cpp:785)
36  com.apple.JavaScriptCore      	0x0046a237 KJS::ExprStatementNode::execute(KJS::ExecState*) + 133 (nodes.cpp:1937)
37  com.apple.JavaScriptCore      	0x00451f94 KJS::SourceElementsNode::execute(KJS::ExecState*) + 60 (nodes.cpp:2821)
38  com.apple.JavaScriptCore      	0x00451d90 KJS::BlockNode::execute(KJS::ExecState*) + 94 (nodes.cpp:1919)
39  com.apple.JavaScriptCore      	0x00466e3d KJS::FunctionBodyNode::execute(KJS::ExecState*) + 47 (nodes.cpp:2719)
40  com.apple.JavaScriptCore      	0x00447452 KJS::FunctionImp::execute(KJS::ExecState*) + 38 (function.cpp:250)
41  com.apple.JavaScriptCore      	0x0046ff00 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 384 (function.cpp:91)
42  com.apple.JavaScriptCore      	0x004622a2 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:95)
43  com.apple.JavaScriptCore      	0x00478d90 KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 772 (nodes.cpp:785)
44  com.apple.JavaScriptCore      	0x00451d2b KJS::AssignExprNode::evaluate(KJS::ExecState*) + 43 (nodes.cpp:1754)
45  com.apple.JavaScriptCore      	0x0046a5af KJS::VarDeclNode::evaluate(KJS::ExecState*) + 299 (nodes.cpp:1815)
46  com.apple.JavaScriptCore      	0x0046a437 KJS::VarDeclListNode::evaluate(KJS::ExecState*) + 51 (nodes.cpp:1855)
47  com.apple.JavaScriptCore      	0x0046a31d KJS::VarStatementNode::execute(KJS::ExecState*) + 133 (nodes.cpp:1882)
48  com.apple.JavaScriptCore      	0x00451f94 KJS::SourceElementsNode::execute(KJS::ExecState*) + 60 (nodes.cpp:2821)
49  com.apple.JavaScriptCore      	0x00451d90 KJS::BlockNode::execute(KJS::ExecState*) + 94 (nodes.cpp:1919)
50  com.apple.JavaScriptCore      	0x00466e3d KJS::FunctionBodyNode::execute(KJS::ExecState*) + 47 (nodes.cpp:2719)
51  com.apple.JavaScriptCore      	0x004885ad KJS::Interpreter::evaluate(KJS::UString const&, int, KJS::UChar const*, int, KJS::JSValue*) + 823 (interpreter.cpp:366)
52  com.apple.WebCore             	0x01e9338d WebCore::KJSProxy::evaluate(WebCore::String const&, int, WebCore::String const&) + 235 (kjs_proxy.cpp:87)
53  com.apple.WebCore             	0x020925ba WebCore::FrameLoader::executeScript(WebCore::String const&, int, WebCore::String const&) + 92 (FrameLoader.cpp:761)
54  com.apple.WebCore             	0x01ba9770 WebCore::HTMLTokenizer::scriptExecution(WebCore::DeprecatedString const&, WebCore::HTMLTokenizer::State, WebCore::DeprecatedString, int) + 308 (HTMLTokenizer.cpp:520)
55  com.apple.WebCore             	0x01bab2bc WebCore::HTMLTokenizer::scriptHandler(WebCore::HTMLTokenizer::State) + 1466 (HTMLTokenizer.cpp:470)
56  com.apple.WebCore             	0x01bab7c6 WebCore::HTMLTokenizer::parseSpecial(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 932 (HTMLTokenizer.cpp:319)
57  com.apple.WebCore             	0x01bad563 WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 6235 (HTMLTokenizer.cpp:1231)
58  com.apple.WebCore             	0x01badd67 WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 1243 (HTMLTokenizer.cpp:1449)
59  com.apple.WebCore             	0x01baa172 WebCore::HTMLTokenizer::notifyFinished(WebCore::CachedResource*) + 1048 (HTMLTokenizer.cpp:1762)
60  com.apple.WebCore             	0x01d0611e WebCore::CachedScript::checkNotify() + 68 (CachedScript.cpp:92)
61  com.apple.WebCore             	0x01d0627f WebCore::CachedScript::data(WTF::PassRefPtr<WebCore::SharedBuffer>, bool) + 279 (CachedScript.cpp:84)
62  com.apple.WebCore             	0x01d08884 WebCore::Loader::didFinishLoading(WebCore::SubresourceLoader*) + 340 (loader.cpp:116)
63  com.apple.WebCore             	0x0209e11f WebCore::SubresourceLoader::didFinishLoading() + 169 (SubresourceLoader.cpp:195)
64  com.apple.WebCore             	0x0209c62c WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*) + 24 (ResourceLoader.cpp:362)
65  com.apple.WebCore             	0x0206bbfe -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] + 116 (ResourceHandleMac.mm:456)
66  com.apple.Foundation          	0x91496357 -[NSURLConnection(NSURLConnectionReallyInternal) sendDidFinishLoading] + 87
67  com.apple.Foundation          	0x914962e4 _NSURLConnectionDidFinishLoading + 68
68  com.apple.CFNetwork           	0x92c17adb sendDidFinishLoadingCallback + 148
69  com.apple.CFNetwork           	0x92c149ce _CFURLConnectionSendCallbacks + 1908
70  com.apple.CFNetwork           	0x92c141df muxerSourcePerform + 283
71  com.apple.CoreFoundation      	0x9281f64e CFRunLoopRunSpecific + 3166
72  com.apple.CoreFoundation      	0x9281fd38 CFRunLoopRunInMode + 88
73  com.apple.HIToolbox           	0x90c0e8a4 RunCurrentEventLoopInMode + 283
74  com.apple.HIToolbox           	0x90c0e6bd ReceiveNextEventCommon + 374
75  com.apple.HIToolbox           	0x90c0e531 BlockUntilNextEventMatchingListInMode + 106
76  com.apple.AppKit              	0x91fa4d5b _DPSNextEvent + 657
77  com.apple.AppKit              	0x91fa46a0 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
78  com.apple.Safari              	0x00009d4e 0x1000 + 36174
79  com.apple.AppKit              	0x91f9d6d1 -[NSApplication run] + 795
80  com.apple.AppKit              	0x91f6a9ba NSApplicationMain + 574
81  com.apple.Safari              	0x00002876 0x1000 + 6262
Comment 1 Matt Lilek 2007-10-26 21:15:21 PDT
Actually, Google ads trip this, so it's reproducible on any site that uses them (i.e. <http://digg.com/>).
Comment 2 Mark Rowe (bdash) 2007-10-27 01:01:17 PDT
I can reproduce this easily at http://webkit.org/blog/wp-admin/.  I'll see if I can't cook up a reduction later this evening.
Comment 3 Maciej Stachowiak 2007-10-27 03:31:57 PDT
Created attachment 16900 [details]
fix
Comment 4 Mark Rowe (bdash) 2007-10-27 03:33:43 PDT
Comment on attachment 16900 [details]
fix

r=me
Comment 6 Geoffrey Garen 2007-10-27 12:16:46 PDT
Created attachment 16902 [details]
fix 2

I'm in the middle of testing, but I'm pretty sure this is right.
Comment 7 Darin Adler 2007-10-27 12:20:08 PDT
Comment on attachment 16902 [details]
fix 2

+    if (!strlen(c)) {

Need the O(1) check of c[0] instead of the O(string-length) check of strlen.

I think it would be even better to do this in UString -- guarantee that null and empty both have a precomputed hash. It's annoying to have extra overhead in Identifier::add for 1-time setup.
Comment 8 Geoffrey Garen 2007-10-27 12:25:51 PDT
Darin suggested on IRC that we could write the hash value directly into Rep::null and Rep::empty, and ASSERT in the UString constructor that it's correct.

To save time, I haven't done that, but it seems like a prudent change to make later.
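The pattern under discussion in comments 7 and 8, as an added illustration that is not JavaScriptCore's code: a string representation caches its hash lazily with 0 meaning "not computed yet", a fast accessor asserts that the cache is already filled (the assertion this bug trips when a property table inserts a null or empty string), and the shared null/empty sentinels carry a precomputed hash that a consistency check verifies against the hash function. The `Rep` type, the FNV-1a stand-in hash and the function names are assumptions made for the example; the O(1) `c[0]` test for an empty C string is the one Darin asks for in place of `strlen`.

```cpp
// Added example (not WebKit code): lazily cached string hash with
// precomputed sentinels, modelled on the design discussed in this bug.
#include <cassert>
#include <cstddef>
#include <cstdint>

// Stand-in hash over 16-bit code units (FNV-1a, an assumption for the example).
// The cache uses 0 for "not computed", so a genuine result of 0 is remapped
// to 1 and can never be confused with the empty cache.
static uint32_t computeHash(const uint16_t* data, size_t len)
{
    uint32_t h = 2166136261u;            // FNV-1a offset basis
    for (size_t i = 0; i < len; ++i) {
        h ^= data[i];
        h *= 16777619u;                  // FNV-1a prime
    }
    return h ? h : 1;
}

struct Rep {
    const uint16_t* data;
    size_t len;
    uint32_t hash;                       // 0 means not computed yet

    // Fast path for callers (such as a property table) that require the hash
    // to be cached already; this is the assertion the bug report hits.
    uint32_t computedHash() const
    {
        assert(hash && "ensureHash() must run before computedHash()");
        return hash;
    }

    // Slow path: compute on first use and cache the result.
    uint32_t ensureHash()
    {
        if (!hash)
            hash = computeHash(data, len);
        return hash;
    }

    static Rep null;
    static Rep empty;
};

static const uint16_t emptyChars[1] = { 0 };

// Both sentinels are zero-length, so their hash is the hash of no code units,
// i.e. the FNV-1a offset basis. Writing it in directly makes computedHash()
// safe on them even when nobody has called ensureHash() first.
Rep Rep::null  = { nullptr,    0, 2166136261u };
Rep Rep::empty = { emptyChars, 0, 2166136261u };

// The check comment 8 proposes for the constructor: the hard-coded value must
// agree with what the hash function actually produces for zero-length input.
bool sentinelHashesConsistent()
{
    return Rep::null.hash  == computeHash(Rep::null.data,  Rep::null.len)
        && Rep::empty.hash == computeHash(Rep::empty.data, Rep::empty.len);
}

// Comment 7's point: emptiness of a C string is an O(1) test of the first
// byte; strlen() walks the whole string to answer the same question.
bool isEmptyCString(const char* c)
{
    return !c[0];
}

// Models what a property-map insert does: it only ever reads the cached hash.
uint32_t lookupHash(const Rep& rep)
{
    return rep.computedHash();
}

int main()
{
    assert(sentinelHashesConsistent());
    assert(lookupHash(Rep::empty) == 2166136261u);
    assert(isEmptyCString("") && !isEmptyCString("a"));

    uint16_t chars[] = { 'a', 'b' };
    Rep ab = { chars, 2, 0 };
    ab.ensureHash();                     // without this, lookupHash() would assert
    assert(lookupHash(ab) == computeHash(chars, 2));
    return 0;
}
```

The sentinel check costs nothing at runtime in release builds and catches the one way the precomputed constant can go stale: someone changing the hash function without updating the literal in the static initialisers.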
Comment 9 Geoffrey Garen 2007-10-27 12:31:59 PDT
Committed revision 27153, with the O(n) -> O(1) change.