Bug 16284 - REGRESSION (r28129-r28233): "object was probably modified after being freed" error under jsRegExpCompile
Status: RESOLVED DUPLICATE of bug 16220
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Mac OS X 10.4
Importance: P1 Normal
Assignee: Nobody
URL: http://www.mouse.co.il/CM.articles_it...
Keywords: InRadar, NeedsReduction, Regression
Depends on:
Blocks:
Reported: 2007-12-03 22:23 PST by mitz
Modified: 2007-12-04 00:08 PST
Description mitz 2007-12-03 22:23:13 PST
Opening the URL or reloading it several times (NOTE: due to another regression, you need to disable plug-ins before loading the URL) crashes WebKit after it prints several messages like

Safari(6659,0xa0055f60) malloc: *** error for object 0x16f4fc40: incorrect checksum for freed object - object was probably modified after being freed.
*** set a breakpoint in malloc_error_break to debug

Setting a breakpoint reveals that this first occurs with the following call stack:

#0  0x9027f9f1 in malloc_error_break ()
#1  0x9027a9df in szone_error ()
#2  0x901a011e in szone_free ()
#3  0x9019f9ed in free ()
#4  0x0057a2fe in WTF::fastFree (p=0x16f4fb30) at FastMalloc.cpp:171
#5  0x00615e73 in jsRegExpCompile (pattern=0x16f4fa90, patternLength=77, ignoreCase=JSRegExpDoNotIgnoreCase, multiline=JSRegExpSingleLine, numSubpatterns=0x18fcc2dc, errorptr=0x18fcc2d8) at /WebKit/OpenSource/JavaScriptCore/pcre/pcre_compile.cpp:2855
#6  0x00582cc1 in KJS::RegExp::RegExp (this=0x18fcc2c0, pattern=@0x16fe7358, flags=@0x16fe735c) at regexp.cpp:70
#7  0x00582cef in KJS::RegExp::RegExp (this=0x18fcc2c0, pattern=@0x16fe7358, flags=@0x16fe735c) at regexp.cpp:71
#8  0x005e49fb in KJS::RegExpNode::RegExpNode (this=0x18fcc2b0, pattern=@0x16fe7358, flags=@0x16fe735c) at nodes.h:281
#9  0x005e4a31 in KJS::RegExpNode::RegExpNode (this=0x18fcc2b0, pattern=@0x16fe7358, flags=@0x16fe735c) at nodes.h:283
#10 0x005b2f9b in kjsyyparse () at grammar.y:227
#11 0x005b6f1e in KJS::Parser::parse (this=0x64cc88, sourceURL=@0xbfffdf54, startingLineNumber=0, code=0x19376000, length=9147, sourceId=0xbfffde98, errLine=0xbfffde94, errMsg=0xbfffde90) at Parser.cpp:76
#12 0x005b7066 in KJS::Parser::parseProgram (this=0x64cc88, sourceURL=@0xbfffdf54, startingLineNumber=0, code=0x19376000, length=9147, sourceId=0xbfffde98, errLine=0xbfffde94, errMsg=0xbfffde90) at Parser.cpp:46
#13 0x005b7139 in KJS::Interpreter::evaluate (this=0x16fe3280, sourceURL=@0xbfffdf54, startingLineNumber=0, code=0x19376000, codeLength=9147, thisV=0x19340000) at interpreter.cpp:345
#14 0x022fcf4f in WebCore::KJSProxy::evaluate (this=0x18b8cbd0, filename=@0xbfffe058, baseLine=0, str=@0xbfffe054) at /WebKit/OpenSource/WebCore/bindings/js/kjs_proxy.cpp:90
#15 0x01f4440c in WebCore::FrameLoader::executeScript (this=0x40d5200, URL=@0xbfffe058, baseLine=0, script=@0xbfffe054) at /WebKit/OpenSource/WebCore/loader/FrameLoader.cpp:759
#16 0x01fc06e2 in WebCore::HTMLTokenizer::scriptExecution (this=0x45fcc00, str=@0xbfffe154, state={static EntityShift = <optimized out>, m_bits = 4194304}, scriptURL=@0xbfffe124, baseLine=0) at /WebKit/OpenSource/WebCore/html/HTMLTokenizer.cpp:520
#17 0x01fc0ba4 in WebCore::HTMLTokenizer::notifyFinished (this=0x45fcc00) at /WebKit/OpenSource/WebCore/html/HTMLTokenizer.cpp:1737
#18 0x01e2b52e in WebCore::CachedScript::checkNotify (this=0x18fca8b0) at /WebKit/OpenSource/WebCore/loader/CachedScript.cpp:98
#19 0x01e2b68f in WebCore::CachedScript::data (this=0x18fca8b0, data=@0xbfffe28c, allDataReceived=true) at /WebKit/OpenSource/WebCore/loader/CachedScript.cpp:88
#20 0x0230bae6 in WebCore::Loader::didFinishLoading (this=0x152ccf38, loader=0x45f2000) at /WebKit/OpenSource/WebCore/loader/loader.cpp:116
#21 0x022896c7 in WebCore::SubresourceLoader::didFinishLoading (this=0x45f2000) at /WebKit/OpenSource/WebCore/loader/SubresourceLoader.cpp:193
#22 0x02245cec in WebCore::ResourceLoader::didFinishLoading (this=0x45f2000) at /WebKit/OpenSource/WebCore/loader/ResourceLoader.cpp:361
#23 0x0224372c in -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] (self=0x195f0160, _cmd=0x9692d5c4, con=0x18f97e80) at /WebKit/OpenSource/WebCore/platform/network/mac/ResourceHandleMac.mm:455
Comment 1 mitz 2007-12-03 22:31:25 PST
<rdar://problem/5627448>
Comment 2 mitz 2007-12-04 00:08:39 PST

*** This bug has been marked as a duplicate of 16220 ***