Bug 4474: REGRESSION: Crash when using in-place operator on uninitialized array element
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=4474
Jon
Reported 2005-08-17 01:47:02 PDT
I was able to reproduce this crash every time. Just try to log in to the MacNN forums using the login form on any of the forum or thread indexes. Once the button is clicked or return is hit, Safari will crash with this report (x6):

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0x7eaba778

Thread 0 Crashed:
0 <<00000000>> 0x7eaba778 0 + 2125178744
1 com.apple.JavaScriptCore 0x00437be8 KJS::AssignBracketNode::evaluate(KJS::ExecState*) + 780 (icplusplus.c:28)
2 com.apple.JavaScriptCore 0x00432720 KJS::ExprStatementNode::execute(KJS::ExecState*) + 104 (icplusplus.c:28)
3 com.apple.JavaScriptCore 0x00436708 KJS::ForNode::execute(KJS::ExecState*) + 416 (icplusplus.c:28)
4 com.apple.JavaScriptCore 0x00432174 KJS::SourceElementsNode::execute(KJS::ExecState*) + 356 (icplusplus.c:28)
5 com.apple.JavaScriptCore 0x0042cc54 KJS::BlockNode::execute(KJS::ExecState*) + 128 (icplusplus.c:28)
6 com.apple.JavaScriptCore 0x00423fa0 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 48 (icplusplus.c:28)
7 com.apple.JavaScriptCore 0x004242bc KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::ObjectImp*, KJS::List const&) + 424 (icplusplus.c:28)
8 com.apple.JavaScriptCore 0x0043b948 KJS::ObjectImp::call(KJS::ExecState*, KJS::ObjectImp*, KJS::List const&) + 108 (icplusplus.c:28)
9 com.apple.JavaScriptCore 0x004370f8 KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 500 (icplusplus.c:28)
10 com.apple.JavaScriptCore 0x00433c40 KJS::ArgumentListNode::evaluateList(KJS::ExecState*) + 80 (icplusplus.c:28)
11 com.apple.JavaScriptCore 0x00433cec KJS::ArgumentsNode::evaluateList(KJS::ExecState*) + 44 (icplusplus.c:28)
12 com.apple.JavaScriptCore 0x00437080 KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 380 (icplusplus.c:28)
13 com.apple.JavaScriptCore 0x00433c40 KJS::ArgumentListNode::evaluateList(KJS::ExecState*) + 80 (icplusplus.c:28)
14 com.apple.JavaScriptCore 0x00433cec KJS::ArgumentsNode::evaluateList(KJS::ExecState*) + 44 (icplusplus.c:28)
15 com.apple.JavaScriptCore 0x00437080 KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 380 (icplusplus.c:28)
16 com.apple.JavaScriptCore 0x004358f0 KJS::ReturnNode::execute(KJS::ExecState*) + 252 (icplusplus.c:28)
17 com.apple.JavaScriptCore 0x004320cc KJS::SourceElementsNode::execute(KJS::ExecState*) + 188 (icplusplus.c:28)
18 com.apple.JavaScriptCore 0x0042cc54 KJS::BlockNode::execute(KJS::ExecState*) + 128 (icplusplus.c:28)
19 com.apple.JavaScriptCore 0x00423fa0 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 48 (icplusplus.c:28)
20 com.apple.JavaScriptCore 0x004242bc KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::ObjectImp*, KJS::List const&) + 424 (icplusplus.c:28)
21 com.apple.JavaScriptCore 0x0043b948 KJS::ObjectImp::call(KJS::ExecState*, KJS::ObjectImp*, KJS::List const&) + 108 (icplusplus.c:28)
22 com.apple.JavaScriptCore 0x004370f8 KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 500 (icplusplus.c:28)
23 com.apple.JavaScriptCore 0x004359f0 KJS::VarDeclNode::evaluate(KJS::ExecState*) + 84 (icplusplus.c:28)
24 com.apple.JavaScriptCore 0x0043293c KJS::VarDeclListNode::evaluate(KJS::ExecState*) + 68 (icplusplus.c:28)
25 com.apple.JavaScriptCore 0x00432850 KJS::VarStatementNode::execute(KJS::ExecState*) + 104 (icplusplus.c:28)
26 com.apple.JavaScriptCore 0x004320cc KJS::SourceElementsNode::execute(KJS::ExecState*) + 188 (icplusplus.c:28)
27 com.apple.JavaScriptCore 0x0042cc54 KJS::BlockNode::execute(KJS::ExecState*) + 128 (icplusplus.c:28)
28 com.apple.JavaScriptCore 0x004326a0 KJS::IfNode::execute(KJS::ExecState*) + 332 (icplusplus.c:28)
29 com.apple.JavaScriptCore 0x004320cc KJS::SourceElementsNode::execute(KJS::ExecState*) + 188 (icplusplus.c:28)
30 com.apple.JavaScriptCore 0x0042cc54 KJS::BlockNode::execute(KJS::ExecState*) + 128 (icplusplus.c:28)
31 com.apple.JavaScriptCore 0x00423fa0 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 48 (icplusplus.c:28)
32 com.apple.JavaScriptCore 0x004242bc KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::ObjectImp*, KJS::List const&) + 424 (icplusplus.c:28)
33 com.apple.JavaScriptCore 0x0043b948 KJS::ObjectImp::call(KJS::ExecState*, KJS::ObjectImp*, KJS::List const&) + 108 (icplusplus.c:28)
34 com.apple.JavaScriptCore 0x004370f8 KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 500 (icplusplus.c:28)
35 com.apple.JavaScriptCore 0x00432720 KJS::ExprStatementNode::execute(KJS::ExecState*) + 104 (icplusplus.c:28)
36 com.apple.JavaScriptCore 0x004320cc KJS::SourceElementsNode::execute(KJS::ExecState*) + 188 (icplusplus.c:28)
37 com.apple.JavaScriptCore 0x0042cc54 KJS::BlockNode::execute(KJS::ExecState*) + 128 (icplusplus.c:28)
38 com.apple.JavaScriptCore 0x00423fa0 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 48 (icplusplus.c:28)
39 com.apple.JavaScriptCore 0x004242bc KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::ObjectImp*, KJS::List const&) + 424 (icplusplus.c:28)
40 com.apple.JavaScriptCore 0x0043b948 KJS::ObjectImp::call(KJS::ExecState*, KJS::ObjectImp*, KJS::List const&) + 108 (icplusplus.c:28)
41 com.apple.WebCore 0x0108a278 KJS::JSAbstractEventListener::handleEvent(DOM::EventImpl*, bool) + 488 (icplusplus.c:28)
42 com.apple.WebCore 0x0111fd8c DOM::NodeImpl::handleLocalEvents(DOM::EventImpl*, bool) + 200 (icplusplus.c:28)
43 com.apple.WebCore 0x01122b48 DOM::NodeImpl::dispatchGenericEvent(DOM::EventImpl*, int&) + 360 (icplusplus.c:28)
44 com.apple.WebCore 0x01122f70 DOM::NodeImpl::dispatchEvent(DOM::EventImpl*, int&, bool) + 208 (icplusplus.c:28)
45 com.apple.WebCore 0x01123ed8 DOM::NodeImpl::dispatchHTMLEvent(int, bool, bool) + 88 (icplusplus.c:28)
46 com.apple.WebCore 0x010bf06c DOM::HTMLFormElementImpl::prepareSubmit() + 172 (icplusplus.c:28)
47 com.apple.WebCore 0x010bf3fc DOM::HTMLInputElementImpl::defaultEventHandler(DOM::EventImpl*) + 292 (icplusplus.c:28)
48 com.apple.WebCore 0x01122c4c DOM::NodeImpl::dispatchGenericEvent(DOM::EventImpl*, int&) + 620 (icplusplus.c:28)
49 com.apple.WebCore 0x01122f70 DOM::NodeImpl::dispatchEvent(DOM::EventImpl*, int&, bool) + 208 (icplusplus.c:28)
50 com.apple.WebCore 0x01123e6c DOM::NodeImpl::dispatchUIEvent(int, int) + 132 (icplusplus.c:28)
51 com.apple.WebCore 0x01124734 DOM::NodeImpl::dispatchMouseEvent(QMouseEvent*, int, int) + 1028 (icplusplus.c:28)
52 com.apple.WebCore 0x010f1720 khtml::RenderFormElement::slotClicked() + 64 (icplusplus.c:28)
53 com.apple.WebCore 0x01135378 KWQSignal::call() const + 116 (icplusplus.c:28)
54 com.apple.WebCore 0x0100db54 QButton::clicked() + 112 (icplusplus.c:28)
55 com.apple.AppKit 0x936fd6d4 -[NSApplication sendAction:to:from:] + 108
56 com.apple.Safari 0x0001e0f0 0x1000 + 119024
57 com.apple.AppKit 0x936fd608 -[NSControl sendAction:to:] + 96
58 com.apple.AppKit 0x936fd4e8 -[NSCell _sendActionFrom:] + 156
59 com.apple.AppKit 0x936fcfc8 -[NSButtonCell performClick:] + 472
60 com.apple.WebCore 0x0100dbc8 QButton::click(bool) + 76 (icplusplus.c:28)
61 com.apple.WebCore 0x010bf778 DOM::HTMLInputElementImpl::defaultEventHandler(DOM::EventImpl*) + 1184 (icplusplus.c:28)
62 com.apple.WebCore 0x01122c4c DOM::NodeImpl::dispatchGenericEvent(DOM::EventImpl*, int&) + 620 (icplusplus.c:28)
63 com.apple.WebCore 0x01122f70 DOM::NodeImpl::dispatchEvent(DOM::EventImpl*, int&, bool) + 208 (icplusplus.c:28)
64 com.apple.WebCore 0x011233b0 DOM::NodeImpl::dispatchKeyEvent(QKeyEvent*) + 100 (icplusplus.c:28)
65 com.apple.WebCore 0x0101d2f4 KWQKHTMLPart::keyEvent(NSEvent*) + 276 (icplusplus.c:28)
66 com.apple.WebCore 0x01031840 -[KWQTextFieldController textView:shouldHandleEvent:] + 220 (icplusplus.c:28)
67 com.apple.WebCore 0x01032be0 -[KWQSecureTextField textView:shouldHandleEvent:] + 40 (icplusplus.c:28)
68 com.apple.AppKit 0x9373cf44 -[NSTextView keyDown:] + 316
69 com.apple.AppKit 0x936b8a34 -[NSWindow sendEvent:] + 6424
70 com.apple.Safari 0x0001d2c4 0x1000 + 115396
71 com.apple.AppKit 0x936614f4 -[NSApplication sendEvent:] + 4172
72 com.apple.Safari 0x0001a2a4 0x1000 + 103076
73 com.apple.AppKit 0x93658930 -[NSApplication run] + 508
74 com.apple.AppKit 0x93749284 NSApplicationMain + 452
75 com.apple.Safari 0x000021e4 0x1000 + 4580
76 com.apple.Safari 0x00056e14 0x1000 + 351764
Attachments
testcase (277 bytes, text/html)
2005-08-17 14:33 PDT, mitz
no flags
proposed patch (900 bytes, patch)
2005-08-17 15:32 PDT, mitz
darin: review+
proposed patch (1.46 KB, patch)
2005-08-17 15:43 PDT, mitz
mjs: review+
mitz
Comment 1 2005-08-17 13:57:36 PDT
This looks similar to bug 4460.
mitz
Comment 2 2005-08-17 14:33:48 PDT
Created attachment 3441: testcase
This crashes TOT by using the in-place operator |= (although += would also work) on an uninitialized array element.
mitz
Comment 3 2005-08-17 15:32:28 PDT
Created attachment 3442: proposed patch
Check if getPropertySlot succeeded before trying to use the slot.
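The testcase in Comment 2 and the fix in Comment 3 describe one pattern: a compound assignment (|=, +=) reads the current value of an array element through a property slot, and when the element was never assigned, the lookup fails and the slot is never filled in, so using it reads through an invalid pointer. The following is an added example, not code from this bug's patch or from JavaScriptCore; the types Value, PropertySlot and ArrayObject and the two compoundAssign* functions are simplified stand-ins assumed here to model that path, with the unchecked shape beside the checked one the patch describes.

```cpp
// Added example (not WebKit/JavaScriptCore code): a small model of the
// "compound assignment on a missing array element" path from this bug.
// getPropertySlot, PropertySlot and ArrayObject are assumed stand-ins for
// the real engine types and are simplified here.
#include <cmath>
#include <cstdint>
#include <map>

// Minimal JS value: either undefined or a number.
struct Value {
    bool isUndefined = true;
    double number = 0.0;
    static Value undefined() { return Value{}; }
    static Value num(double d) { Value v; v.isUndefined = false; v.number = d; return v; }
    // ToInt32 as used by bitwise operators: undefined converts to 0.
    // (Simplified: no modular wrap for out-of-range doubles.)
    int32_t toInt32() const { return isUndefined ? 0 : static_cast<int32_t>(number); }
    // ToNumber as used by +: undefined converts to NaN.
    double toNumber() const { return isUndefined ? std::nan("") : number; }
};

// Slot filled in by a successful lookup; left untouched on failure.
struct PropertySlot {
    const Value* storage = nullptr;
    Value getValue() const { return *storage; }   // no null check, by design
};

// Sparse array: only elements that were assigned exist.
struct ArrayObject {
    std::map<unsigned, Value> elements;
    // Returns false and leaves the slot untouched when the index is absent.
    bool getPropertySlot(unsigned index, PropertySlot& slot) const {
        auto it = elements.find(index);
        if (it == elements.end())
            return false;
        slot.storage = &it->second;
        return true;
    }
    void put(unsigned index, Value v) { elements[index] = v; }
};

enum class Op { BitOr, Add };

static Value apply(Op op, Value lhs, Value rhs) {
    switch (op) {
    case Op::BitOr: return Value::num(lhs.toInt32() | rhs.toInt32());
    case Op::Add:   return Value::num(lhs.toNumber() + rhs.toNumber());
    }
    return Value::undefined();
}

// Buggy shape: ignores the bool and reads through the slot regardless.
// For an element that was never assigned, storage is still null and the
// read is the invalid access seen in the crash log above. This version is
// only safe to call when the element exists.
Value compoundAssignUnchecked(ArrayObject& a, unsigned i, Op op, Value rhs) {
    PropertySlot slot;
    a.getPropertySlot(i, slot);                  // result ignored
    Value result = apply(op, slot.getValue(), rhs);
    a.put(i, result);
    return result;
}

// Fixed shape: test the lookup result first; a missing element reads as
// undefined, so `a[i] |= 1` yields 1 and `a[i] += 1` yields NaN.
Value compoundAssignChecked(ArrayObject& a, unsigned i, Op op, Value rhs) {
    PropertySlot slot;
    Value current = a.getPropertySlot(i, slot) ? slot.getValue() : Value::undefined();
    Value result = apply(op, current, rhs);
    a.put(i, result);
    return result;
}
```

The checked version is the only one that can be run against an absent index; it also creates the element afterwards, matching what `a[i] |= 1` does to a sparse array in JavaScript. The general lesson is that any lookup API returning a success flag plus an out-parameter must have the flag tested before the out-parameter is dereferenced, since a failed lookup often leaves the out-parameter in whatever state the caller initialized it to.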
Darin Adler
Comment 4 2005-08-17 15:41:25 PDT
Comment on attachment 3442: proposed patch
r=me
mitz
Comment 5 2005-08-17 15:43:03 PDT
Created attachment 3443: proposed patch
Added this check at another place to take care of bug 4460 as well.
Oliver Hunt
Comment 6 2005-08-17 22:37:29 PDT
*** Bug 4460 has been marked as a duplicate of this bug. ***
Maciej Stachowiak
Comment 7 2005-08-17 22:59:17 PDT
Comment on attachment 3443: proposed patch
r=me