Bug 17511 - REGRESSION: Reproducible crash in SegmentedSubstring::SegmentedSubstring(SegmentedSubstring const&)
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 528+ (Nightly build)
Hardware: Mac OS X 10.5
Importance: P1 Major
Assignee: mitz
URL: http://www.bankofamerica.com/
Keywords: Regression
Duplicates: 17514 17518 17520 17521 17522
Depends on:
Blocks:
Reported: 2008-02-24 01:53 PST by mitz
Modified: 2008-02-24 13:28 PST
CC List: 6 users

See Also:


Attachments
Fix Deque::expandCapacityIfNeeded() (1.78 KB, patch)
2008-02-24 10:12 PST, mitz
darin: review+

Description mitz 2008-02-24 01:53:29 PST
WebKit crashes after I log in to bankofamerica.com. Backtrace:

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000451021e0
Crashed Thread:  0

Thread 0 Crashed:
0   com.apple.WebCore             	0x020790aa WebCore::SegmentedSubstring::SegmentedSubstring(WebCore::SegmentedSubstring const&) + 14 (SegmentedString.h:30)
1   com.apple.WebCore             	0x020790f8 WebCore::SegmentedSubstring::SegmentedSubstring(WebCore::SegmentedSubstring const&) + 24 (SegmentedString.h:30)
2   com.apple.WebCore             	0x0207a273 void WTF::Deque<WebCore::SegmentedSubstring>::prepend<WebCore::SegmentedSubstring>(WebCore::SegmentedSubstring const&) + 133 (Deque.h:420)
3   com.apple.WebCore             	0x02078a4f WebCore::SegmentedString::prepend(WebCore::SegmentedSubstring const&) + 147 (SegmentedString.cpp:112)
4   com.apple.WebCore             	0x02078b62 WebCore::SegmentedString::prepend(WebCore::SegmentedString const&) + 240 (SegmentedString.cpp:138)
5   com.apple.WebCore             	0x01d57aaa WebCore::HTMLTokenizer::scriptHandler(WebCore::HTMLTokenizer::State) + 1350 (HTMLTokenizer.cpp:472)
6   com.apple.WebCore             	0x01d58075 WebCore::HTMLTokenizer::parseSpecial(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 991 (HTMLTokenizer.cpp:326)
7   com.apple.WebCore             	0x01d5a0ea WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 6828 (HTMLTokenizer.cpp:1472)
8   com.apple.WebCore             	0x01d5a9b5 WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 1295 (HTMLTokenizer.cpp:1697)
9   com.apple.WebCore             	0x01d569b2 WebCore::HTMLTokenizer::notifyFinished(WebCore::CachedResource*) + 886 (HTMLTokenizer.cpp:1976)
10  com.apple.WebCore             	0x01bb7b02 WebCore::CachedScript::checkNotify() + 68 (CachedScript.cpp:97)
11  com.apple.WebCore             	0x01bb7c63 WebCore::CachedScript::data(WTF::PassRefPtr<WebCore::SharedBuffer>, bool) + 279 (CachedScript.cpp:89)
12  com.apple.WebCore             	0x0211851c WebCore::Loader::didFinishLoading(WebCore::SubresourceLoader*) + 308 (loader.cpp:113)
13  com.apple.WebCore             	0x02094639 WebCore::SubresourceLoader::didFinishLoading() + 169 (SubresourceLoader.cpp:195)
14  com.apple.WebCore             	0x01f96f5a WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*) + 24 (ResourceLoader.cpp:373)
15  com.apple.WebCore             	0x01f94935 -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] + 101 (ResourceHandleMac.mm:469)
16  com.apple.Foundation          	0x9239c8b7 -[NSURLConnection(NSURLConnectionReallyInternal) sendDidFinishLoading] + 87
17  com.apple.Foundation          	0x9239c844 _NSURLConnectionDidFinishLoading + 68
18  com.apple.CFNetwork           	0x922c47f3 sendDidFinishLoadingCallback + 148
19  com.apple.CFNetwork           	0x922c1920 _CFURLConnectionSendCallbacks + 1994
20  com.apple.CFNetwork           	0x922c10d9 muxerSourcePerform + 283
21  com.apple.CoreFoundation      	0x92b7b62e CFRunLoopRunSpecific + 3166
22  com.apple.CoreFoundation      	0x92b7bd18 CFRunLoopRunInMode + 88
23  com.apple.HIToolbox           	0x938916a0 RunCurrentEventLoopInMode + 283
24  com.apple.HIToolbox           	0x938914b9 ReceiveNextEventCommon + 374
25  com.apple.HIToolbox           	0x9389132d BlockUntilNextEventMatchingListInMode + 106
26  com.apple.AppKit              	0x92d487d9 _DPSNextEvent + 657
27  com.apple.AppKit              	0x92d4808e -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
28  com.apple.Safari              	0x000247e1 -[BrowserApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 171 (BrowserApplication.m:189)
29  com.apple.AppKit              	0x92d410c5 -[NSApplication run] + 795
30  com.apple.AppKit              	0x92d0e30a NSApplicationMain + 574
31  com.apple.Safari              	0x000ac6ed main + 24 (main.m:14)
32  com.apple.Safari              	0x00002ff6 start + 54
Comment 1 mitz 2008-02-24 01:57:59 PST
Prior to the crash I see this message:
Safari(25857,0xa08d5fa0) malloc: *** mmap(size=1158688768) failed (error code=12)
*** error: can't allocate region
*** set a breakpoint in malloc_error_break to debug

I am going to do what it says.
Comment 2 mitz 2008-02-24 02:07:49 PST
(In reply to comment #1)
> *** set a breakpoint in malloc_error_break to debug
> 
> I am going to do what it says.

It's Deque::expandCapacity that is failing to do a huge malloc() when trying to increase an already-huge capacity by one quarter and a byte. I need to find out how the capacity gets that big in the first place.
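The failure mode described in comment 2, as an added example that is not WebKit's code: a minimal ring-buffer deque with the same m_start/m_end shape as WTF::Deque and the same growth rule (capacity + capacity/4 + 1, the "one quarter and a byte"). The wrong full-check selected by kBuggyFullCheck is hypothetical, since the page does not show the actual defect in Deque::expandCapacityIfNeeded(); it only illustrates how an "is the buffer full?" test that misjudges a wrapped deque makes every prepend grow the buffer by 25% until the allocation fails. The class RingDeque, prependMany, stepsToExceed and the 32-byte element size used in main are assumptions made for this example.

```cpp
// Added example, not WebKit's code: a ring-buffer deque modelled on the shape of
// WTF::Deque. The growth rule capacity + capacity/4 + 1 matches comment 2; the
// full-check defect behind kBuggyFullCheck is hypothetical (the real one is not
// shown on this page).
#include <cstddef>
#include <cstdio>
#include <vector>

template <typename T, bool kBuggyFullCheck>
class RingDeque {
public:
    size_t capacity() const { return m_buffer.size(); }
    size_t expansions() const { return m_expansions; }

    // Live elements occupy [m_start, m_end) modulo capacity; one slot is always
    // left empty so that m_start == m_end means "empty".
    size_t size() const {
        if (m_end >= m_start)
            return m_end - m_start;
        return capacity() - m_start + m_end;   // wrapped around the end
    }

    void prepend(const T& value) {
        expandCapacityIfNeeded();
        m_start = m_start ? m_start - 1 : capacity() - 1;
        m_buffer[m_start] = value;
    }

    T first() const { return size() ? m_buffer[m_start] : T(); }

private:
    bool isFull() const {
        if (capacity() == 0)
            return true;
        if (kBuggyFullCheck) {
            // Hypothetical defect: a wrapped deque (start index behind the end
            // index) is mistaken for a full one, so every prepend expands.
            return m_start > m_end;
        }
        return (m_end + 1) % capacity() == m_start;   // correct check
    }

    void expandCapacityIfNeeded() {
        if (isFull())
            expandCapacity();
    }

    void expandCapacity() {
        size_t oldCapacity = capacity();
        size_t newCapacity = oldCapacity ? oldCapacity + oldCapacity / 4 + 1 : 16;
        std::vector<T> newBuffer(newCapacity);
        size_t n = size();
        for (size_t i = 0; i < n; ++i)              // unwrap into the new buffer
            newBuffer[i] = m_buffer[(m_start + i) % oldCapacity];
        m_buffer.swap(newBuffer);
        m_start = 0;
        m_end = n;
        ++m_expansions;
    }

    std::vector<T> m_buffer;
    size_t m_start = 0;
    size_t m_end = 0;
    size_t m_expansions = 0;
};

struct Outcome { size_t capacity; size_t expansions; size_t size; int front; };

// Prepend count integers and report how the buffer behaved.
template <bool kBuggyFullCheck>
Outcome prependMany(size_t count) {
    RingDeque<int, kBuggyFullCheck> deque;
    for (size_t i = 0; i < count; ++i)
        deque.prepend(static_cast<int>(i));
    return {deque.capacity(), deque.expansions(), deque.size(), deque.first()};
}

// Number of +25%+1 growth steps (from the initial 16 slots) before the element
// buffer alone exceeds byteLimit bytes.
size_t stepsToExceed(size_t elementSize, size_t byteLimit) {
    size_t cap = 16, steps = 0;
    while (cap * elementSize <= byteLimit) {
        cap = cap + cap / 4 + 1;
        ++steps;
    }
    return steps;
}

int main() {
    Outcome ok = prependMany<false>(100);
    Outcome bad = prependMany<true>(30);
    std::printf("correct check: %zu prepends -> capacity %zu, %zu expansions\n",
                ok.size, ok.capacity, ok.expansions);
    std::printf("buggy check:   %zu prepends -> capacity %zu, %zu expansions\n",
                bad.size, bad.capacity, bad.expansions);
    // Assumed 32-byte elements; 1158688768 is the mmap size from comment 1.
    std::printf("growth steps to exceed the failed mmap size: %zu\n",
                stepsToExceed(32, 1158688768));
    return 0;
}
```

With the correct check, 100 prepends cost 9 expansions and end at 108 slots; with the broken check every prepend expands, so 30 prepends already end at 12031 slots, and the buffer keeps growing by a quarter per prepend until a single allocation is too large for the process, which is the malloc failure in comment 1. The practical check on any ring buffer is this: the full/empty predicate must be exercised in the wrapped state, not only when m_start is 0.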
Comment 3 Matt Lilek 2008-02-24 09:30:21 PST
*** Bug 17518 has been marked as a duplicate of this bug. ***
Comment 4 Robert Blaut 2008-02-24 10:02:02 PST
*** Bug 17514 has been marked as a duplicate of this bug. ***
Comment 5 mitz 2008-02-24 10:04:20 PST
I think I have a fix.
Comment 6 mitz 2008-02-24 10:12:20 PST
Created attachment 19323
Fix Deque::expandCapacityIfNeeded()
Comment 7 Darin Adler 2008-02-24 10:39:58 PST
Comment on attachment 19323
Fix Deque::expandCapacityIfNeeded()

r=me
Comment 8 mitz 2008-02-24 10:45:46 PST
Fixed in <http://trac.webkit.org/projects/webkit/changeset/30550>.
Comment 9 Matt Lilek 2008-02-24 12:02:00 PST
*** Bug 17520 has been marked as a duplicate of this bug. ***
Comment 10 Matt Lilek 2008-02-24 12:04:20 PST
*** Bug 17521 has been marked as a duplicate of this bug. ***
Comment 11 Matt Lilek 2008-02-24 13:28:34 PST
*** Bug 17522 has been marked as a duplicate of this bug. ***