17511 2008-02-24 01:53:29 -0800 REGRESSION: Reproducible crash in SegmentedSubstring::SegmentedSubstring(SegmentedSubstring const&) 2008-02-24 13:28:34 -0800 1 1 1 Unclassified WebKit New Bugs 528+ (Nightly build) Mac OS X 10.5 RESOLVED FIXED http://www.bankofamerica.com/ Regression P1 Major --- 1 mitz mitz blueangelstudio darin etn1234 gzieman jimoase nvdtech oldest_to_newest 71710 0 mitz 2008-02-24 01:53:29 -0800 WebKit crashes after I log in to bankofamerica.com. Backtrace: Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x00000000451021e0 Crashed Thread: 0 Thread 0 Crashed: 0 com.apple.WebCore 0x020790aa WebCore::SegmentedSubstring::SegmentedSubstring(WebCore::SegmentedSubstring const&) + 14 (SegmentedString.h:30) 1 com.apple.WebCore 0x020790f8 WebCore::SegmentedSubstring::SegmentedSubstring(WebCore::SegmentedSubstring const&) + 24 (SegmentedString.h:30) 2 com.apple.WebCore 0x0207a273 void WTF::Deque<WebCore::SegmentedSubstring>::prepend<WebCore::SegmentedSubstring>(WebCore::SegmentedSubstring const&) + 133 (Deque.h:420) 3 com.apple.WebCore 0x02078a4f WebCore::SegmentedString::prepend(WebCore::SegmentedSubstring const&) + 147 (SegmentedString.cpp:112) 4 com.apple.WebCore 0x02078b62 WebCore::SegmentedString::prepend(WebCore::SegmentedString const&) + 240 (SegmentedString.cpp:138) 5 com.apple.WebCore 0x01d57aaa WebCore::HTMLTokenizer::scriptHandler(WebCore::HTMLTokenizer::State) + 1350 (HTMLTokenizer.cpp:472) 6 com.apple.WebCore 0x01d58075 WebCore::HTMLTokenizer::parseSpecial(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 991 (HTMLTokenizer.cpp:326) 7 com.apple.WebCore 0x01d5a0ea WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 6828 (HTMLTokenizer.cpp:1472) 8 com.apple.WebCore 0x01d5a9b5 WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 1295 (HTMLTokenizer.cpp:1697) 9 com.apple.WebCore 0x01d569b2 WebCore::HTMLTokenizer::notifyFinished(WebCore::CachedResource*) + 886 (HTMLTokenizer.cpp:1976) 10 com.apple.WebCore 0x01bb7b02 WebCore::CachedScript::checkNotify() + 68 (CachedScript.cpp:97) 11 com.apple.WebCore 0x01bb7c63 WebCore::CachedScript::data(WTF::PassRefPtr<WebCore::SharedBuffer>, bool) + 279 (CachedScript.cpp:89) 12 com.apple.WebCore 0x0211851c WebCore::Loader::didFinishLoading(WebCore::SubresourceLoader*) + 308 (loader.cpp:113) 13 com.apple.WebCore 0x02094639 WebCore::SubresourceLoader::didFinishLoading() + 169 (SubresourceLoader.cpp:195) 14 com.apple.WebCore 0x01f96f5a WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*) + 24 (ResourceLoader.cpp:373) 15 com.apple.WebCore 0x01f94935 -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] + 101 (ResourceHandleMac.mm:469) 16 com.apple.Foundation 0x9239c8b7 -[NSURLConnection(NSURLConnectionReallyInternal) sendDidFinishLoading] + 87 17 com.apple.Foundation 0x9239c844 _NSURLConnectionDidFinishLoading + 68 18 com.apple.CFNetwork 0x922c47f3 sendDidFinishLoadingCallback + 148 19 com.apple.CFNetwork 0x922c1920 _CFURLConnectionSendCallbacks + 1994 20 com.apple.CFNetwork 0x922c10d9 muxerSourcePerform + 283 21 com.apple.CoreFoundation 0x92b7b62e CFRunLoopRunSpecific + 3166 22 com.apple.CoreFoundation 0x92b7bd18 CFRunLoopRunInMode + 88 23 com.apple.HIToolbox 0x938916a0 RunCurrentEventLoopInMode + 283 24 com.apple.HIToolbox 0x938914b9 ReceiveNextEventCommon + 374 25 com.apple.HIToolbox 0x9389132d BlockUntilNextEventMatchingListInMode + 106 26 com.apple.AppKit 0x92d487d9 _DPSNextEvent + 657 27 com.apple.AppKit 0x92d4808e -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128 28 com.apple.Safari 0x000247e1 -[BrowserApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 171 (BrowserApplication.m:189) 29 com.apple.AppKit 0x92d410c5 -[NSApplication run] + 795 30 com.apple.AppKit 0x92d0e30a NSApplicationMain + 574 31 com.apple.Safari 0x000ac6ed main + 24 (main.m:14) 32 com.apple.Safari 0x00002ff6 start + 54 71711 1 mitz 2008-02-24 01:57:59 -0800 Prior to the crash I see this message: Safari(25857,0xa08d5fa0) malloc: *** mmap(size=1158688768) failed (error code=12) *** error: can't allocate region *** set a breakpoint in malloc_error_break to debug I am going to do what it says. 71712 2 mitz 2008-02-24 02:07:49 -0800 (In reply to comment #1) > *** set a breakpoint in malloc_error_break to debug > > I am going to do what it says. It's Deque::expandCapacity that is failing to do a huge malloc() when trying to increase an already-huge capacity by one quarter and a byte. I need to find out how the capacity gets that big in the first place. 71741 3 dev+webkit 2008-02-24 09:30:21 -0800 *** Bug 17518 has been marked as a duplicate of this bug. *** 71747 4 webkit 2008-02-24 10:02:02 -0800 *** Bug 17514 has been marked as a duplicate of this bug. *** 71748 5 mitz 2008-02-24 10:04:20 -0800 I think have a fix. 71749 6 19323 mitz 2008-02-24 10:12:20 -0800 Created attachment 19323 Fix Deque::expandCapacityIfNeeded() 71755 7 19323 darin 2008-02-24 10:39:58 -0800 Comment on attachment 19323 Fix Deque::expandCapacityIfNeeded() r=me 71757 8 mitz 2008-02-24 10:45:46 -0800 Fixed in <http://trac.webkit.org/projects/webkit/changeset/30550>. 71762 9 dev+webkit 2008-02-24 12:02:00 -0800 *** Bug 17520 has been marked as a duplicate of this bug. *** 71764 10 dev+webkit 2008-02-24 12:04:20 -0800 *** Bug 17521 has been marked as a duplicate of this bug. *** 71777 11 dev+webkit 2008-02-24 13:28:34 -0800 *** Bug 17522 has been marked as a duplicate of this bug. *** 19323 2008-02-24 10:12:20 -0800 2008-02-24 10:39:58 -0800 Fix Deque::expandCapacityIfNeeded() 17511_r1.diff text/plain 1822 mitz SW5kZXg6IEphdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBKYXZhU2NyaXB0 Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDMwNTQ5KQorKysgSmF2YVNjcmlwdENvcmUvQ2hhbmdl TG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTUgQEAKKzIwMDgtMDItMjQgIERhbiBCZXJu c3RlaW4gIDxtaXR6QGFwcGxlLmNvbT4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9P UFMhKS4KKworICAgICAgICAtIGZpeCBodHRwOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNn aT9pZD0xNzUxMQorICAgICAgICAgIFJFR1JFU1NJT046IFJlcHJvZHVjaWJsZSBjcmFzaCBpbiBT ZWdtZW50ZWRTdWJzdHJpbmc6OlNlZ21lbnRlZFN1YnN0cmluZyhTZWdtZW50ZWRTdWJzdHJpbmcg Y29uc3QmKQorCisgICAgICAgICogd3RmL0RlcXVlLmg6CisgICAgICAgIChXVEY6Ojo6ZXhwYW5k Q2FwYWNpdHlJZk5lZWRlZCk6IEZpeGVkIHRoZSBjYXNlIHdoZXJlIG1fc3RhcnQgYW5kIG1fZW5k CisgICAgICAgIGFyZSBib3RoIHplcm8gYnV0IHRoZSBidWZmZXIgY2FwYWNpdHkgaXMgbm9uLXpl cm8uCisgICAgICAgIChXVEY6Ojo6cHJlcGVuZCk6IEFkZGVkIHZhbGlkaXR5IGNoZWNrcy4KKwog MjAwOC0wMi0yMyAgSmFuIE1pY2hhZWwgQWxvbnpvICA8am1hbG9uem9AdW5wbHVnZ2FibGUuY29t PgogCiAgICAgICAgIFJ1YmJlciBzdGFtcGVkIGJ5IERhcmluLgpJbmRleDogSmF2YVNjcmlwdENv cmUvd3RmL0RlcXVlLmgKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gSmF2YVNjcmlwdENvcmUvd3RmL0RlcXVlLmgJ KHJldmlzaW9uIDMwNTQ3KQorKysgSmF2YVNjcmlwdENvcmUvd3RmL0RlcXVlLmgJKHdvcmtpbmcg Y29weSkKQEAgLTM2OSwxMCArMzY5LDEyIEBAIG5hbWVzcGFjZSBXVEYgewogICAgICAgICBpZiAo bV9zdGFydCkgewogICAgICAgICAgICAgaWYgKG1fZW5kICsgMSAhPSBtX3N0YXJ0KQogICAgICAg ICAgICAgICAgIHJldHVybjsKLSAgICAgICAgfSBlbHNlIHsKLSAgICAgICAgICAgIGlmIChtX2Vu ZCAmJiBtX2VuZCAhPSBtX2J1ZmZlci5jYXBhY2l0eSgpIC0gMSkKKyAgICAgICAgfSBlbHNlIGlm IChtX2VuZCkgeworICAgICAgICAgICAgaWYgKG1fZW5kICE9IG1fYnVmZmVyLmNhcGFjaXR5KCkg LSAxKQogICAgICAgICAgICAgICAgIHJldHVybjsKLSAgICAgICAgfQorICAgICAgICB9IGVsc2Ug aWYgKG1fYnVmZmVyLmNhcGFjaXR5KCkpCisgICAgICAgICAgICByZXR1cm47CisKICAgICAgICAg ZXhwYW5kQ2FwYWNpdHkoKTsKICAgICB9CiAKQEAgLTQxMiwxMiArNDE0LDE0IEBAIG5hbWVzcGFj ZSBXVEYgewogICAgIHRlbXBsYXRlPHR5cGVuYW1lIFQ+IHRlbXBsYXRlPHR5cGVuYW1lIFU+CiAg ICAgaW5saW5lIHZvaWQgRGVxdWU8VD46OnByZXBlbmQoY29uc3QgVSYgdmFsdWUpCiAgICAgewor ICAgICAgICBjaGVja1ZhbGlkaXR5KCk7CiAgICAgICAgIGV4cGFuZENhcGFjaXR5SWZOZWVkZWQo KTsKICAgICAgICAgaWYgKCFtX3N0YXJ0KQogICAgICAgICAgICAgbV9zdGFydCA9IG1fYnVmZmVy LmNhcGFjaXR5KCkgLSAxOwogICAgICAgICBlbHNlCiAgICAgICAgICAgICAtLW1fc3RhcnQ7CiAg ICAgICAgIG5ldyAoJm1fYnVmZmVyLmJ1ZmZlcigpW21fc3RhcnRdKSBUKHZhbHVlKTsKKyAgICAg ICAgY2hlY2tWYWxpZGl0eSgpOwogICAgIH0KIAogICAgIHRlbXBsYXRlPHR5cGVuYW1lIFQ+Cg==