15618 2007-10-22 07:41:57 -0700 REGRESSION: Stack overflow/crash in KJS::equal 2007-12-03 14:58:39 -0800 1 1 1 Unclassified WebKit JavaScriptCore 523.x (Safari 3) Mac OS X 10.4 RESOLVED FIXED http://a88.narod.ru/ars0003.htm HasReduction, InRadar, Regression P1 Normal --- 1 ap darin oldest_to_newest 59147 0 ap 2007-10-22 07:41:57 -0700 r26843 crashes when opening this page. 0 com.apple.JavaScriptCore 0x004923f4 KJS::Collector::allocate(unsigned long) + 20 1 com.apple.JavaScriptCore 0x00493578 KJS::jsString(KJS::UString const&) + 216 2 com.apple.JavaScriptCore 0x00494058 KJS::NativeErrorImp::construct(KJS::ExecState*, KJS::List const&) + 168 3 com.apple.JavaScriptCore 0x004958d8 KJS::Error::create(KJS::ExecState*, KJS::ErrorType, KJS::UString const&, int, int, KJS::UString const&) + 968 4 com.apple.JavaScriptCore 0x00495c80 KJS::throwError(KJS::ExecState*, KJS::ErrorType, char const*) + 80 5 com.apple.JavaScriptCore 0x004aca28 KJS::JSObject::defaultValue(KJS::ExecState*, KJS::JSType) const + 1160 6 com.apple.JavaScriptCore 0x004a5ec4 KJS::equal(KJS::ExecState*, KJS::JSValue*, KJS::JSValue*) + 532 7 com.apple.JavaScriptCore 0x004a5ed4 KJS::equal(KJS::ExecState*, KJS::JSValue*, KJS::JSValue*) + 548 8 com.apple.JavaScriptCore 0x004a5ed4 KJS::equal(KJS::ExecState*, KJS::JSValue*, KJS::JSValue*) + 548 9 com.apple.JavaScriptCore 0x004a5ed4 KJS::equal(KJS::ExecState*, KJS::JSValue*, KJS::JSValue*) + 548 10 com.apple.JavaScriptCore 0x004a5ed4 KJS::equal(KJS::ExecState*, KJS::JSValue*, KJS::JSValue*) + 548 59152 1 16800 ap 2007-10-22 08:31:59 -0700 Created attachment 16800 test case (will crash) Looks like the new limit for JS stack set in <http://trac.webkit.org/projects/webkit/changeset/25161> is too large indeed. The problem in the original page is caused by a script that accurately preserves window.onload while setting it to its own function. This script is included twice, which causes infinite recursion - must be a pretty common situation. function onLoad() { ... if (savedOnload) savedOnload(); } savedOnload = window.onload; window.onload = onLoad; 59153 2 ap 2007-10-22 08:48:37 -0700 Hmm, changing KJS_MAX_STACK back to 100 doesn't fix the problem for me. 59154 3 ap 2007-10-22 09:04:45 -0700 This doesn't have anything to do with JS stack - the infinite recursion is in native code. 62654 4 ddkilzer 2007-11-28 22:53:08 -0800 Crashes on the earliest known WebKit nightly (r11976) with Safari 2.0.4 (419.3) on Mac OS X 10.4.11 (8S165). Does NOT crash with Safari 2.0.4 (419.3) with original WebKit on 10.4.11. 62655 5 ddkilzer 2007-11-28 22:53:27 -0800 <rdar://problem/5619353> 63081 6 darin 2007-12-02 21:45:50 -0800 Got a fix. 63084 7 17664 darin 2007-12-02 22:09:40 -0800 Created attachment 17664 patch 63168 8 17664 ggaren 2007-12-03 11:57:48 -0800 Comment on attachment 17664 patch r=me 63183 9 darin 2007-12-03 14:58:39 -0800 Committed revision 28370. 16800 2007-10-22 08:31:59 -0700 2007-10-22 08:31:59 -0700 test case (will crash) main.html text/html 175 ap PGh0bWw+Cjxib2R5Pgo8c2NyaXB0PgpjaD0wOwoKZnVuY3Rpb24gZG9PbmxvYWQoKQp7CiBpZiAo Y2g9PTApCiAJY2g9ZG9jdW1lbnQuZ2V0RWxlbWVudHNCeVRhZ05hbWUoJ2h0bWwnKTsKICBkb09u bG9hZCgpOwp9Cgp3aW5kb3cub25sb2FkPWRvT25sb2FkOwo8L3NjcmlwdD4KPC9ib2R5Pgo8L2h0 bWw+Cg== 17664 2007-12-02 22:09:40 -0800 2007-12-03 11:57:48 -0800 patch EqualStackOverflowPatch.txt text/plain 5187 darin SW5kZXg6IEphdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBKYXZhU2NyaXB0 Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDI4MzI3KQorKysgSmF2YVNjcmlwdENvcmUvQ2hhbmdl TG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTQgQEAKKzIwMDctMTItMDIgIERhcmluIEFk bGVyICA8ZGFyaW5AYXBwbGUuY29tPgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09Q UyEpLgorCisgICAgICAgIC0gZml4IGh0dHA6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dp P2lkPTE1NjE4CisgICAgICAgICAgPHJkYXI6Ly9wcm9ibGVtLzU2MTkzNTM+IFJFR1JFU1NJT046 IFN0YWNrIG92ZXJmbG93L2NyYXNoIGluIEtKUzo6ZXF1YWwgKDE1NjE4KQorCisgICAgICAgIFRl c3Q6IGZhc3QvanMvcmVjdXJzaW9uLWxpbWl0LWVxdWFsLmh0bWwKKworICAgICAgICAqIGtqcy9v cGVyYXRpb25zLmNwcDogKEtKUzo6ZXF1YWwpOiBDaGVjayB0aGUgZXhjZXB0aW9uIGZyb20gdG9Q cmltaXRpdmUuCisKIDIwMDctMTItMDEgIEFscCBUb2tlciAgPGFscEBhdG9rZXIuY29tPgogCiAg ICAgICAgIFJldmlld2VkIGJ5IEFkYW0gUm9iZW4uCkluZGV4OiBKYXZhU2NyaXB0Q29yZS9ranMv b3BlcmF0aW9ucy5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gSmF2YVNjcmlwdENvcmUva2pzL29wZXJhdGlv bnMuY3BwCShyZXZpc2lvbiAyODMyNikKKysrIEphdmFTY3JpcHRDb3JlL2tqcy9vcGVyYXRpb25z LmNwcAkod29ya2luZyBjb3B5KQpAQCAtNTgsMTIgKzU4LDIwIEBAIGJvb2wgZXF1YWwoRXhlY1N0 YXRlICpleGVjLCBKU1ZhbHVlICp2MSwKICAgICAgICAgICAgIHQxID0gTnVtYmVyVHlwZTsKICAg ICAgICAgICAgIC8vIHVzZSB0b051bWJlcgogICAgICAgICBlbHNlIHsKLSAgICAgICAgICAgIGlm ICgodDEgPT0gU3RyaW5nVHlwZSB8fCB0MSA9PSBOdW1iZXJUeXBlKSAmJiB0MiA+PSBPYmplY3RU eXBlKQotICAgICAgICAgICAgICAgIHJldHVybiBlcXVhbChleGVjLCB2MSwgdjItPnRvUHJpbWl0 aXZlKGV4ZWMpKTsKKyAgICAgICAgICAgIGlmICgodDEgPT0gU3RyaW5nVHlwZSB8fCB0MSA9PSBO dW1iZXJUeXBlKSAmJiB0MiA9PSBPYmplY3RUeXBlKSB7CisgICAgICAgICAgICAgICAgdjIgPSB2 Mi0+dG9QcmltaXRpdmUoZXhlYyk7CisgICAgICAgICAgICAgICAgaWYgKGV4ZWMtPmhhZEV4Y2Vw dGlvbigpKQorICAgICAgICAgICAgICAgICAgICByZXR1cm4gZmFsc2U7CisgICAgICAgICAgICAg ICAgcmV0dXJuIGVxdWFsKGV4ZWMsIHYxLCB2Mik7CisgICAgICAgICAgICB9CiAgICAgICAgICAg ICBpZiAodDEgPT0gTnVsbFR5cGUgJiYgdDIgPT0gT2JqZWN0VHlwZSkKICAgICAgICAgICAgICAg ICByZXR1cm4gc3RhdGljX2Nhc3Q8SlNPYmplY3QgKj4odjIpLT5tYXNxdWVyYWRlQXNVbmRlZmlu ZWQoKTsKLSAgICAgICAgICAgIGlmICh0MSA+PSBPYmplY3RUeXBlICYmICh0MiA9PSBTdHJpbmdU eXBlIHx8IHQyID09IE51bWJlclR5cGUpKQotICAgICAgICAgICAgICAgIHJldHVybiBlcXVhbChl eGVjLCB2MS0+dG9QcmltaXRpdmUoZXhlYyksIHYyKTsKKyAgICAgICAgICAgIGlmICh0MSA9PSBP YmplY3RUeXBlICYmICh0MiA9PSBTdHJpbmdUeXBlIHx8IHQyID09IE51bWJlclR5cGUpKSB7Cisg ICAgICAgICAgICAgICAgdjEgPSB2MS0+dG9QcmltaXRpdmUoZXhlYyk7CisgICAgICAgICAgICAg ICAgaWYgKGV4ZWMtPmhhZEV4Y2VwdGlvbigpKQorICAgICAgICAgICAgICAgICAgICByZXR1cm4g ZmFsc2U7CisgICAgICAgICAgICAgICAgcmV0dXJuIGVxdWFsKGV4ZWMsIHYxLCB2Mik7CisgICAg ICAgICAgICB9CiAgICAgICAgICAgICBpZiAodDEgPT0gT2JqZWN0VHlwZSAmJiB0MiA9PSBOdWxs VHlwZSkKICAgICAgICAgICAgICAgICByZXR1cm4gc3RhdGljX2Nhc3Q8SlNPYmplY3QgKj4odjEp LT5tYXNxdWVyYWRlQXNVbmRlZmluZWQoKTsKICAgICAgICAgICAgIGlmICh0MSAhPSB0MikKSW5k ZXg6IExheW91dFRlc3RzL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9DaGFu Z2VMb2cJKHJldmlzaW9uIDI4MzI3KQorKysgTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCSh3b3JraW5n IGNvcHkpCkBAIC0xLDMgKzEsMTQgQEAKKzIwMDctMTItMDIgIERhcmluIEFkbGVyICA8ZGFyaW5A YXBwbGUuY29tPgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAg ICAgIC0gdGVzdCBmb3IgaHR0cDovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTU2 MTgKKyAgICAgICAgICA8cmRhcjovL3Byb2JsZW0vNTYxOTM1Mz4gUkVHUkVTU0lPTjogU3RhY2sg b3ZlcmZsb3cvY3Jhc2ggaW4gS0pTOjplcXVhbCAoMTU2MTgpCisKKyAgICAgICAgKiBmYXN0L2pz L3JlY3Vyc2lvbi1saW1pdC1lcXVhbC1leHBlY3RlZC50eHQ6IEFkZGVkLgorICAgICAgICAqIGZh c3QvanMvcmVjdXJzaW9uLWxpbWl0LWVxdWFsLmh0bWw6IEFkZGVkLgorICAgICAgICAqIGZhc3Qv anMvcmVzb3VyY2VzL3JlY3Vyc2lvbi1saW1pdC1lcXVhbC5qczogQWRkZWQuCisKIDIwMDctMTIt MDIgIERhcmluIEFkbGVyICA8ZGFyaW5AYXBwbGUuY29tPgogCiAgICAgICAgIFJldmlld2VkIGJ5 IE1pdHouCkluZGV4OiBMYXlvdXRUZXN0cy9mYXN0L2pzL3JlY3Vyc2lvbi1saW1pdC1lcXVhbC1l eHBlY3RlZC50eHQKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PQotLS0gTGF5b3V0VGVzdHMvZmFzdC9qcy9yZWN1cnNpb24t bGltaXQtZXF1YWwtZXhwZWN0ZWQudHh0CShyZXZpc2lvbiAwKQorKysgTGF5b3V0VGVzdHMvZmFz dC9qcy9yZWN1cnNpb24tbGltaXQtZXF1YWwtZXhwZWN0ZWQudHh0CShyZXZpc2lvbiAwKQpAQCAt MCwwICsxLDEyIEBACitDT05TT0xFIE1FU1NBR0U6IGxpbmUgOTogUmFuZ2VFcnJvcjogTWF4aW11 bSBjYWxsIHN0YWNrIHNpemUgZXhjZWVkZWQuCitUZXN0cyBoaXR0aW5nIHRoZSByZWN1cnNpb24g bGltaXQgd2l0aCBlcXVhbGl0eSBjb21wYXJpc29ucy4gQXQgb25lIHBvaW50IHRoaXMgY3Jhc2hl ZCBkdWUgdG8gbGFjayBvZiBleGNlcHRpb24gY2hlY2tpbmcgaW5zaWRlIHRoZSBlbmdpbmUuCisK K09uIHN1Y2Nlc3MsIHlvdSB3aWxsIHNlZSBhIHNlcmllcyBvZiAiUEFTUyIgbWVzc2FnZXMsIGZv bGxvd2VkIGJ5ICJURVNUIENPTVBMRVRFIi4KKworCitJZiB0aGUgdGVzdCBkaWQgbm90IGNyYXNo LCBpdCBoYXMgcGFzc2VkLgorCitQQVNTIHN1Y2Nlc3NmdWxseVBhcnNlZCBpcyB0cnVlCisKK1RF U1QgQ09NUExFVEUKKwoKUHJvcGVydHkgY2hhbmdlcyBvbjogTGF5b3V0VGVzdHMvZmFzdC9qcy9y ZWN1cnNpb24tbGltaXQtZXF1YWwtZXhwZWN0ZWQudHh0Cl9fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KTmFtZTogc3ZuOmVv bC1zdHlsZQogICArIG5hdGl2ZQoKSW5kZXg6IExheW91dFRlc3RzL2Zhc3QvanMvcmVjdXJzaW9u LWxpbWl0LWVxdWFsLmh0bWwKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gTGF5b3V0VGVzdHMvZmFzdC9qcy9yZWN1 cnNpb24tbGltaXQtZXF1YWwuaHRtbAkocmV2aXNpb24gMCkKKysrIExheW91dFRlc3RzL2Zhc3Qv anMvcmVjdXJzaW9uLWxpbWl0LWVxdWFsLmh0bWwJKHJldmlzaW9uIDApCkBAIC0wLDAgKzEsMTMg QEAKKzwhRE9DVFlQRSBIVE1MIFBVQkxJQyAiLS8vSUVURi8vRFREIEhUTUwvL0VOIj4KKzxodG1s PgorPGhlYWQ+Cis8bGluayByZWw9InN0eWxlc2hlZXQiIGhyZWY9InJlc291cmNlcy9qcy10ZXN0 LXN0eWxlLmNzcyI+Cis8c2NyaXB0IHNyYz0icmVzb3VyY2VzL2pzLXRlc3QtcHJlLmpzIj48L3Nj cmlwdD4KKzwvaGVhZD4KKzxib2R5PgorPHAgaWQ9ImRlc2NyaXB0aW9uIj48L3A+Cis8ZGl2IGlk PSJjb25zb2xlIj48L2Rpdj4KKzxzY3JpcHQgc3JjPSJyZXNvdXJjZXMvcmVjdXJzaW9uLWxpbWl0 LWVxdWFsLmpzIj48L3NjcmlwdD4KKzxzY3JpcHQgc3JjPSJyZXNvdXJjZXMvanMtdGVzdC1wb3N0 LmpzIj48L3NjcmlwdD4KKzwvYm9keT4KKzwvaHRtbD4KClByb3BlcnR5IGNoYW5nZXMgb246IExh eW91dFRlc3RzL2Zhc3QvanMvcmVjdXJzaW9uLWxpbWl0LWVxdWFsLmh0bWwKX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXwpO YW1lOiBzdm46bWltZS10eXBlCiAgICsgdGV4dC9odG1sCk5hbWU6IHN2bjplb2wtc3R5bGUKICAg KyBuYXRpdmUKCkluZGV4OiBMYXlvdXRUZXN0cy9mYXN0L2pzL3Jlc291cmNlcy9yZWN1cnNpb24t bGltaXQtZXF1YWwuanMKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gTGF5b3V0VGVzdHMvZmFzdC9qcy9yZXNvdXJj ZXMvcmVjdXJzaW9uLWxpbWl0LWVxdWFsLmpzCShyZXZpc2lvbiAwKQorKysgTGF5b3V0VGVzdHMv ZmFzdC9qcy9yZXNvdXJjZXMvcmVjdXJzaW9uLWxpbWl0LWVxdWFsLmpzCShyZXZpc2lvbiAwKQpA QCAtMCwwICsxLDE3IEBACitkZXNjcmlwdGlvbignVGVzdHMgaGl0dGluZyB0aGUgcmVjdXJzaW9u IGxpbWl0IHdpdGggZXF1YWxpdHkgY29tcGFyaXNvbnMuIEF0IG9uZSBwb2ludCB0aGlzIGNyYXNo ZWQgZHVlIHRvIGxhY2sgb2YgZXhjZXB0aW9uIGNoZWNraW5nIGluc2lkZSB0aGUgZW5naW5lLicp OworCitjaCA9IDA7CisKK3ZhciBzdWNjZXNzZnVsbHlQYXJzZWQgPSB0cnVlOworCitmdW5jdGlv biB0ZXN0KCkKK3sKKyAgICBpZiAoY2ggPT0gMCkKKyAJY2ggPSBkb2N1bWVudC5nZXRFbGVtZW50 c0J5VGFnTmFtZSgnaHRtbCcpOworICAgIHRlc3QoKTsKK30KKworZGVidWcoJ0lmIHRoZSB0ZXN0 IGRpZCBub3QgY3Jhc2gsIGl0IGhhcyBwYXNzZWQuJyk7CitkZWJ1ZygnJyk7CisKK3Rlc3QoKTsK