RESOLVED FIXED 17511
REGRESSION: Reproducible crash in SegmentedSubstring::SegmentedSubstring(SegmentedSubstring const&)
https://bugs.webkit.org/show_bug.cgi?id=17511
mitz
Reported 2008-02-24 01:53:29 PST
WebKit crashes after I log in to bankofamerica.com. Backtrace:
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000451021e0
Crashed Thread: 0
Thread 0 Crashed:
0 com.apple.WebCore 0x020790aa WebCore::SegmentedSubstring::SegmentedSubstring(WebCore::SegmentedSubstring const&) + 14 (SegmentedString.h:30)
1 com.apple.WebCore 0x020790f8 WebCore::SegmentedSubstring::SegmentedSubstring(WebCore::SegmentedSubstring const&) + 24 (SegmentedString.h:30)
2 com.apple.WebCore 0x0207a273 void WTF::Deque<WebCore::SegmentedSubstring>::prepend<WebCore::SegmentedSubstring>(WebCore::SegmentedSubstring const&) + 133 (Deque.h:420)
3 com.apple.WebCore 0x02078a4f WebCore::SegmentedString::prepend(WebCore::SegmentedSubstring const&) + 147 (SegmentedString.cpp:112)
4 com.apple.WebCore 0x02078b62 WebCore::SegmentedString::prepend(WebCore::SegmentedString const&) + 240 (SegmentedString.cpp:138)
5 com.apple.WebCore 0x01d57aaa WebCore::HTMLTokenizer::scriptHandler(WebCore::HTMLTokenizer::State) + 1350 (HTMLTokenizer.cpp:472)
6 com.apple.WebCore 0x01d58075 WebCore::HTMLTokenizer::parseSpecial(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 991 (HTMLTokenizer.cpp:326)
7 com.apple.WebCore 0x01d5a0ea WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 6828 (HTMLTokenizer.cpp:1472)
8 com.apple.WebCore 0x01d5a9b5 WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 1295 (HTMLTokenizer.cpp:1697)
9 com.apple.WebCore 0x01d569b2 WebCore::HTMLTokenizer::notifyFinished(WebCore::CachedResource*) + 886 (HTMLTokenizer.cpp:1976)
10 com.apple.WebCore 0x01bb7b02 WebCore::CachedScript::checkNotify() + 68 (CachedScript.cpp:97)
11 com.apple.WebCore 0x01bb7c63 WebCore::CachedScript::data(WTF::PassRefPtr<WebCore::SharedBuffer>, bool) + 279 (CachedScript.cpp:89)
12 com.apple.WebCore 0x0211851c WebCore::Loader::didFinishLoading(WebCore::SubresourceLoader*) + 308 (loader.cpp:113)
13 com.apple.WebCore 0x02094639 WebCore::SubresourceLoader::didFinishLoading() + 169 (SubresourceLoader.cpp:195)
14 com.apple.WebCore 0x01f96f5a WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*) + 24 (ResourceLoader.cpp:373)
15 com.apple.WebCore 0x01f94935 -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] + 101 (ResourceHandleMac.mm:469)
16 com.apple.Foundation 0x9239c8b7 -[NSURLConnection(NSURLConnectionReallyInternal) sendDidFinishLoading] + 87
17 com.apple.Foundation 0x9239c844 _NSURLConnectionDidFinishLoading + 68
18 com.apple.CFNetwork 0x922c47f3 sendDidFinishLoadingCallback + 148
19 com.apple.CFNetwork 0x922c1920 _CFURLConnectionSendCallbacks + 1994
20 com.apple.CFNetwork 0x922c10d9 muxerSourcePerform + 283
21 com.apple.CoreFoundation 0x92b7b62e CFRunLoopRunSpecific + 3166
22 com.apple.CoreFoundation 0x92b7bd18 CFRunLoopRunInMode + 88
23 com.apple.HIToolbox 0x938916a0 RunCurrentEventLoopInMode + 283
24 com.apple.HIToolbox 0x938914b9 ReceiveNextEventCommon + 374
25 com.apple.HIToolbox 0x9389132d BlockUntilNextEventMatchingListInMode + 106
26 com.apple.AppKit 0x92d487d9 _DPSNextEvent + 657
27 com.apple.AppKit 0x92d4808e -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
28 com.apple.Safari 0x000247e1 -[BrowserApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 171 (BrowserApplication.m:189)
29 com.apple.AppKit 0x92d410c5 -[NSApplication run] + 795
30 com.apple.AppKit 0x92d0e30a NSApplicationMain + 574
31 com.apple.Safari 0x000ac6ed main + 24 (main.m:14)
32 com.apple.Safari 0x00002ff6 start + 54
Attachments
Fix Deque::expandCapacityIfNeeded() (1.78 KB, patch)
2008-02-24 10:12 PST, mitz
darin: review+
mitz
Comment 1 2008-02-24 01:57:59 PST
Prior to the crash I see this message:
Safari(25857,0xa08d5fa0) malloc: *** mmap(size=1158688768) failed (error code=12)
*** error: can't allocate region
*** set a breakpoint in malloc_error_break to debug
I am going to do what it says.
mitz
Comment 2 2008-02-24 02:07:49 PST
(In reply to comment #1)
> *** set a breakpoint in malloc_error_break to debug
>
> I am going to do what it says.
It's Deque::expandCapacity that is failing to do a huge malloc() when trying to increase an already-huge capacity by one quarter and a byte. I need to find out how the capacity gets that big in the first place.
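The following is an added illustration of the defect class described in comment 2 (a deque whose capacity keeps growing by a quarter plus one until the allocation fails). It is constructed example code, not WebCore's WTF::Deque and not the fix in attachment 19323: a ring-buffer deque whose expandCapacityIfNeeded() grows only when the buffer is genuinely full, plus an alwaysGrow switch that reproduces runaway growth when the "needs capacity" check answers yes on every insertion. The class name, the helper functions and the initial capacity of 16 are assumptions of this example.

```cpp
#include <cassert>
#include <cstddef>
#include <vector>

// Constructed ring-buffer deque (not WebCore's WTF::Deque). One slot is kept
// unused so that empty (m_start == m_end) and full
// ((m_end + 1) % capacity == m_start) can be told apart.
class RingDeque {
public:
    // alwaysGrow == true models the defect class from comment 2: the capacity
    // check answers "grow" on every insertion, so capacity compounds.
    explicit RingDeque(bool alwaysGrow = false)
        : m_start(0), m_end(0), m_alwaysGrow(alwaysGrow) {}

    size_t capacity() const { return m_slots.size(); }

    size_t size() const {
        size_t cap = m_slots.size();
        return cap ? (m_end + cap - m_start) % cap : 0;
    }

    void prepend(int value) {
        expandCapacityIfNeeded();
        size_t cap = m_slots.size();
        m_start = (m_start + cap - 1) % cap;   // step back, wrapping around
        m_slots[m_start] = value;
    }

    void append(int value) {
        expandCapacityIfNeeded();
        m_slots[m_end] = value;
        m_end = (m_end + 1) % m_slots.size();
    }

    int takeFirst() {
        assert(size() > 0);
        int value = m_slots[m_start];
        m_start = (m_start + 1) % m_slots.size();
        return value;
    }

private:
    bool isFull() const {
        size_t cap = m_slots.size();
        return cap == 0 || (m_end + 1) % cap == m_start;
    }

    // Correct behaviour: grow only when the next insertion would collide.
    void expandCapacityIfNeeded() {
        if (!m_alwaysGrow && !isFull())
            return;
        expandCapacity();
    }

    // Growth policy as described in the report: old capacity plus a quarter
    // plus one. The initial capacity of 16 is an assumption of this example.
    void expandCapacity() {
        size_t oldCap = m_slots.size();
        size_t newCap = oldCap ? oldCap + oldCap / 4 + 1 : 16;
        size_t n = size();
        std::vector<int> fresh(newCap);
        for (size_t i = 0; i < n; ++i)           // relocate in logical order
            fresh[i] = m_slots[(m_start + i) % oldCap];
        m_slots.swap(fresh);
        m_start = 0;
        m_end = n;
    }

    std::vector<int> m_slots;
    size_t m_start;   // index of the first element
    size_t m_end;     // index one past the last element
    bool m_alwaysGrow;
};

// Capacity after n prepend/takeFirst cycles, so at most one element is live
// at any time. With a correct check the capacity stays at the initial 16;
// with the defective check it compounds on every call.
size_t capacityAfterCycles(size_t n, bool alwaysGrow) {
    RingDeque d(alwaysGrow);
    for (size_t i = 0; i < n; ++i) {
        d.prepend(static_cast<int>(i));
        d.takeFirst();
    }
    return d.capacity();
}

// Prepend 0..n-1, then drain with takeFirst(), checking newest-first order and
// that elements survived relocation across growths. Returns the final
// capacity, or 0 if any element came back out of order.
size_t prependThenDrain(size_t n) {
    RingDeque d;
    for (size_t i = 0; i < n; ++i)
        d.prepend(static_cast<int>(i));
    size_t cap = d.capacity();
    for (size_t i = 0; i < n; ++i)
        if (d.takeFirst() != static_cast<int>(n - 1 - i))
            return 0;
    return d.size() == 0 ? cap : 0;
}

int main() {
    assert(capacityAfterCycles(100, false) == 16);   // bounded
    assert(capacityAfterCycles(20, true) == 1289);   // 19 compounding growths from 16
    assert(prependThenDrain(30) == 34);              // 16 -> 21 -> 27 -> 34
    return 0;
}
```

The useful check when reviewing a growth path like this is the invariant in isFull(): an expansion must be reachable only from a state in which an insertion cannot proceed. With the defective variant, twenty one-element round trips already request a 1289-slot buffer; the quarter-plus-one policy is harmless on its own and only becomes a memory exhaustion problem when the guard in front of it is wrong.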
Matt Lilek
Comment 3 2008-02-24 09:30:21 PST
*** Bug 17518 has been marked as a duplicate of this bug. ***
Robert Blaut
Comment 4 2008-02-24 10:02:02 PST
*** Bug 17514 has been marked as a duplicate of this bug. ***
mitz
Comment 5 2008-02-24 10:04:20 PST
I think I have a fix.
mitz
Comment 6 2008-02-24 10:12:20 PST
Created attachment 19323: Fix Deque::expandCapacityIfNeeded()
Darin Adler
Comment 7 2008-02-24 10:39:58 PST
Comment on attachment 19323: Fix Deque::expandCapacityIfNeeded()
r=me
mitz
Comment 8 2008-02-24 10:45:46 PST
Matt Lilek
Comment 9 2008-02-24 12:02:00 PST
*** Bug 17520 has been marked as a duplicate of this bug. ***
Matt Lilek
Comment 10 2008-02-24 12:04:20 PST
*** Bug 17521 has been marked as a duplicate of this bug. ***
Matt Lilek
Comment 11 2008-02-24 13:28:34 PST
*** Bug 17522 has been marked as a duplicate of this bug. ***