20330 2008-08-08 07:58:57 -0700 JSCore crash loading any filehurricane media page 2008-08-08 20:57:10 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Mac OS X 10.5 RESOLVED FIXED http://www.filehurricane.com/ HasReduction, Regression P1 Normal --- 1 dev+webkit zwarich oliver zwarich oldest_to_newest 88101 0 dev+webkit 2008-08-08 07:58:57 -0700 Loading any media page on <http://www.filehurricane.com/> (load the URL and click any item on the homepage) hits an ASSERT coming from <http://trac.webkit.org/browser/trunk/JavaScriptCore/VM/Machine.cpp?rev=35640#L2781> ASSERTION FAILED: i < size() (./wtf/Vector.h:439 T& WTF::Vector<T, inlineCapacity>::at(size_t) [with T = KJS::JSValue*, long unsigned int inlineCapacity = 0ul]) Thread 0 Crashed: 0 com.apple.JavaScriptCore 0x004fe4bf WTF::Vector<KJS::JSValue*, 0ul>::at(unsigned long) + 81 (Vector.h:439) 1 com.apple.JavaScriptCore 0x004fe4fc WTF::Vector<KJS::JSValue*, 0ul>::operator[](unsigned long) + 24 (Vector.h:448) 2 com.apple.JavaScriptCore 0x004faab2 KJS::Machine::privateExecute(KJS::Machine::ExecutionFlag, KJS::ExecState*, KJS::RegisterFile*, KJS::Register*, KJS::ScopeChainNode*, KJS::CodeBlock*, KJS::JSValue**) + 34414 (Machine.cpp:2781) 3 com.apple.JavaScriptCore 0x004fbf22 KJS::Machine::execute(KJS::ProgramNode*, KJS::ExecState*, KJS::ScopeChainNode*, KJS::JSObject*, KJS::JSValue**) + 698 (Machine.cpp:785) 4 com.apple.JavaScriptCore 0x00494bd9 KJS::Interpreter::evaluate(KJS::ExecState*, KJS::ScopeChain&, KJS::UString const&, int, WTF::PassRefPtr<KJS::SourceProvider>, KJS::JSValue*) + 409 (interpreter.cpp:78) 5 com.apple.WebCore 0x037f22a7 WebCore::ScriptController::evaluate(WebCore::String const&, int, WebCore::String const&) + 249 (ScriptController.cpp:112) 6 com.apple.WebCore 0x03383903 WebCore::FrameLoader::executeScript(WebCore::String const&, int, WebCore::String const&) + 153 (FrameLoader.cpp:787) 7 com.apple.WebCore 0x03415476 WebCore::HTMLTokenizer::scriptExecution(WebCore::String const&, WebCore::HTMLTokenizer::State, WebCore::String const&, int) + 300 (HTMLTokenizer.cpp:547) 8 com.apple.WebCore 0x034158c4 WebCore::HTMLTokenizer::notifyFinished(WebCore::CachedResource*) + 600 (HTMLTokenizer.cpp:1994) 9 com.apple.WebCore 0x031c7088 WebCore::CachedScript::checkNotify() + 68 (CachedScript.cpp:92) 10 com.apple.WebCore 0x031c71e9 WebCore::CachedScript::data(WTF::PassRefPtr<WebCore::SharedBuffer>, bool) + 279 (CachedScript.cpp:84) 88105 1 zwarich 2008-08-08 08:54:48 -0700 That's not good. I'll assign this to myself. 88136 2 dev+webkit 2008-08-08 16:01:44 -0700 1) This doesn't actually crash in a release build (r35641 nightly). 2) I've narrowed it down to the file <http://filehurricane.com/ScriptResource.axd?d=Jk6eFL2oyqXuZsKToyn_TnFngeTB5WBWbchvVHNKADewHLoypStd1H_VInlzL52wsLdiUZDyfvhggbm_oCgaqtGEuqd422VOX7p4jbTGbYo1&amp;t=633449716710937500> - though it's 7500 lines entangled fun. 88145 3 22717 zwarich 2008-08-08 19:56:32 -0700 Created attachment 22717 Reduction Here's a reduction. I'll try to make one that crashes on the console as well, but this is good for a start. 88146 4 22718 zwarich 2008-08-08 20:21:17 -0700 Created attachment 22718 Further reduction This one also works with the JS shell. 88147 5 22719 zwarich 2008-08-08 20:38:36 -0700 Created attachment 22719 Proposed patch 88148 6 22719 oliver 2008-08-08 20:40:09 -0700 Comment on attachment 22719 Proposed patch r=me, assuming you include the testcase as a layout test 88151 7 zwarich 2008-08-08 20:57:10 -0700 Landed in r35651. 22717 2008-08-08 19:56:32 -0700 2008-08-08 20:21:17 -0700 Reduction reduction.html text/html 2459 zwarich PGh0bWw+CjxoZWFkPgo8c2NyaXB0IHR5cGU9InRleHQvamF2YXNjcmlwdCI+Cm5hdmlnYXRvci51 c2VyQWdlbnQubWF0Y2goLyBTYWZhcmlcLyhcZCsoXC5cZCspPykvKTsKCnZhciBzID0gJ3sibmFt ZSI6ImVuLVVTIiwibnVtYmVyRm9ybWF0Ijp7IkN1cnJlbmN5RGVjaW1hbERpZ2l0cyI6MiwiQ3Vy cmVuY3lEZWNpbWFsU2VwYXJhdG9yIjoiLiIsIklzUmVhZE9ubHkiOmZhbHNlLCJDdXJyZW5jeUdy b3VwU2l6ZXMiOlszXSwiTnVtYmVyR3JvdXBTaXplcyI6WzNdLCJQZXJjZW50R3JvdXBTaXplcyI6 WzNdLCJDdXJyZW5jeUdyb3VwU2VwYXJhdG9yIjoiLCIsIkN1cnJlbmN5U3ltYm9sIjoiJCIsIk5h TlN5bWJvbCI6Ik5hTiIsIkN1cnJlbmN5TmVnYXRpdmVQYXR0ZXJuIjowLCJOdW1iZXJOZWdhdGl2 ZVBhdHRlcm4iOjEsIlBlcmNlbnRQb3NpdGl2ZVBhdHRlcm4iOjAsIlBlcmNlbnROZWdhdGl2ZVBh dHRlcm4iOjAsIk5lZ2F0aXZlSW5maW5pdHlTeW1ib2wiOiItSW5maW5pdHkiLCJOZWdhdGl2ZVNp Z24iOiItIiwiTnVtYmVyRGVjaW1hbERpZ2l0cyI6MiwiTnVtYmVyRGVjaW1hbFNlcGFyYXRvciI6 Ii4iLCJOdW1iZXJHcm91cFNlcGFyYXRvciI6IiwiLCJDdXJyZW5jeVBvc2l0aXZlUGF0dGVybiI6 MCwiUG9zaXRpdmVJbmZpbml0eVN5bWJvbCI6IkluZmluaXR5IiwiUG9zaXRpdmVTaWduIjoiKyIs IlBlcmNlbnREZWNpbWFsRGlnaXRzIjoyLCJQZXJjZW50RGVjaW1hbFNlcGFyYXRvciI6Ii4iLCJQ ZXJjZW50R3JvdXBTZXBhcmF0b3IiOiIsIiwiUGVyY2VudFN5bWJvbCI6IiUiLCJQZXJNaWxsZVN5 bWJvbCI6Ilx1MjAzMCIsIk5hdGl2ZURpZ2l0cyI6WyIwIiwiMSIsIjIiLCIzIiwiNCIsIjUiLCI2 IiwiNyIsIjgiLCI5Il0sIkRpZ2l0U3Vic3RpdHV0aW9uIjoxfSwiZGF0ZVRpbWVGb3JtYXQiOnsi QU1EZXNpZ25hdG9yIjoiQU0iLCJDYWxlbmRhciI6eyJNaW5TdXBwb3J0ZWREYXRlVGltZSI6IkAt NjIxMzU1NjgwMDAwMDBAIiwiTWF4U3VwcG9ydGVkRGF0ZVRpbWUiOiJAMjUzNDAyMzAwNzk5OTk5 QCIsIkFsZ29yaXRobVR5cGUiOjEsIkNhbGVuZGFyVHlwZSI6MSwiRXJhcyI6WzFdLCJUd29EaWdp dFllYXJNYXgiOjIwMjksIklzUmVhZE9ubHkiOmZhbHNlfSwiRGF0ZVNlcGFyYXRvciI6Ii8iLCJG aXJzdERheU9mV2VlayI6MCwiQ2FsZW5kYXJXZWVrUnVsZSI6MCwiRnVsbERhdGVUaW1lUGF0dGVy biI6ImRkZGQsIE1NTU0gZGQsIHl5eXkgaDptbTpzcyB0dCIsIkxvbmdEYXRlUGF0dGVybiI6ImRk ZGQsIE1NTU0gZGQsIHl5eXkiLCJMb25nVGltZVBhdHRlcm4iOiJoOm1tOnNzIHR0IiwiTW9udGhE YXlQYXR0ZXJuIjoiTU1NTSBkZCIsIlBNRGVzaWduYXRvciI6IlBNIiwiUkZDMTEyM1BhdHRlcm4i OiJkZGQsIGRkIE1NTSB5eXl5IEhIXCc6XCdtbVwnOlwnc3MgXCdHTVRcJyIsIlNob3J0RGF0ZVBh dHRlcm4iOiJNL2QveXl5eSIsIlNob3J0VGltZVBhdHRlcm4iOiJoOm1tIHR0IiwiU29ydGFibGVE YXRlVGltZVBhdHRlcm4iOiJ5eXl5XCctXCdNTVwnLVwnZGRcJ1RcJ0hIXCc6XCdtbVwnOlwnc3Mi LCJUaW1lU2VwYXJhdG9yIjoiOiIsIlVuaXZlcnNhbFNvcnRhYmxlRGF0ZVRpbWVQYXR0ZXJuIjoi eXl5eVwnLVwnTU1cJy1cJ2RkIEhIXCc6XCdtbVwnOlwnc3NcJ1pcJyIsIlllYXJNb250aFBhdHRl cm4iOiJNTU1NLCB5eXl5IiwiQWJicmV2aWF0ZWREYXlOYW1lcyI6WyJTdW4iLCJNb24iLCJUdWUi LCJXZWQiLCJUaHUiLCJGcmkiLCJTYXQiXSwiU2hvcnRlc3REYXlOYW1lcyI6WyJTdSIsIk1vIiwi VHUiLCJXZSIsIlRoIiwiRnIiLCJTYSJdLCJEYXlOYW1lcyI6WyJTdW5kYXkiLCJNb25kYXkiLCJU dWVzZGF5IiwiV2VkbmVzZGF5IiwiVGh1cnNkYXkiLCJGcmlkYXkiLCJTYXR1cmRheSJdLCJBYmJy ZXZpYXRlZE1vbnRoTmFtZXMiOlsiSmFuIiwiRmViIiwiTWFyIiwiQXByIiwiTWF5IiwiSnVuIiwi SnVsIiwiQXVnIiwiU2VwIiwiT2N0IiwiTm92IiwiRGVjIiwiIl0sIk1vbnRoTmFtZXMiOlsiSmFu dWFyeSIsIkZlYnJ1YXJ5IiwiTWFyY2giLCJBcHJpbCIsIk1heSIsIkp1bmUiLCJKdWx5IiwiQXVn dXN0IiwiU2VwdGVtYmVyIiwiT2N0b2JlciIsIk5vdmVtYmVyIiwiRGVjZW1iZXIiLCIiXSwiSXNS ZWFkT25seSI6ZmFsc2UsIk5hdGl2ZUNhbGVuZGFyTmFtZSI6IkdyZWdvcmlhbiBDYWxlbmRhciIs IkFiYnJldmlhdGVkTW9udGhHZW5pdGl2ZU5hbWVzIjpbIkphbiIsIkZlYiIsIk1hciIsIkFwciIs Ik1heSIsIkp1biIsIkp1bCIsIkF1ZyIsIlNlcCIsIk9jdCIsIk5vdiIsIkRlYyIsIiJdLCJNb250 aEdlbml0aXZlTmFtZXMiOlsiSmFudWFyeSIsIkZlYnJ1YXJ5IiwiTWFyY2giLCJBcHJpbCIsIk1h eSIsIkp1bmUiLCJKdWx5IiwiQXVndXN0IiwiU2VwdGVtYmVyIiwiT2N0b2JlciIsIk5vdmVtYmVy IiwiRGVjZW1iZXIiLCIiXX19JzsKCmRlbGV0ZSBzOwo8L3NjcmlwdD4KPGJvZHk+CjwvYm9keT4K PC9odG1sPgo= 22718 2008-08-08 20:21:17 -0700 2008-08-08 20:21:17 -0700 Further reduction reduction.html text/html 259 zwarich PGh0bWw+CjxoZWFkPgo8c2NyaXB0IHR5cGU9InRleHQvamF2YXNjcmlwdCI+CiJNb3ppbGxhLzUu MCAoTWFjaW50b3NoOyBVOyBJbnRlbCBNYWMgT1MgWCAxMF81XzQ7IGVuLXVzKSBBcHBsZVdlYktp dC81MjguMSsgKEtIVE1MLCBsaWtlIEdlY2tvKSBWZXJzaW9uLzQuMGRwMSBTYWZhcmkvNTI2LjEx LjIiLm1hdGNoKC8gU2FmYXJpXC8oXGQrKFwuXGQrKT8pLyk7Cgp2YXIgczsKZGVsZXRlIHM7Cjwv c2NyaXB0Pgo8Ym9keT4KPC9ib2R5Pgo8L2h0bWw+Cg== 22719 2008-08-08 20:38:36 -0700 2008-08-08 20:40:09 -0700 Proposed patch mistake.diff text/plain 2001 zwarich SW5kZXg6IENoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBDaGFuZ2VMb2cJKHJldmlzaW9uIDM1NjQ5 KQorKysgQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTggQEAKKzIwMDgtMDgt MDggIENhbWVyb24gWndhcmljaCAgPGN3endhcmljaEB1d2F0ZXJsb28uY2E+CisKKyAgICAgICAg UmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgQnVnIDIwMzMwOiBKU0NvcmUg Y3Jhc2ggbG9hZGluZyBhbnkgZmlsZWh1cnJpY2FuZSBtZWRpYSBwYWdlCisgICAgICAgIDxodHRw czovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MjAzMzA+CisKKyAgICAgICAgRml4 IGEgdHlwbyBpbiB0aGUgY29uc3RhbnQgbG9hZGluZyBwYXRjaC4gQWxzbywgYWRkIGEgY2FzZSBm b3IKKyAgICAgICAgb3BfdW5leHBlY3RlZF9sb2FkIHRvIENvZGVCbG9jazo6ZHVtcCgpLgorCisg ICAgICAgICogVk0vQ29kZUJsb2NrLmNwcDoKKyAgICAgICAgKEtKUzo6Q29kZUJsb2NrOjpkdW1w KToKKyAgICAgICAgKiBWTS9Db2RlR2VuZXJhdG9yLmNwcDoKKyAgICAgICAgKEtKUzo6Q29kZUdl bmVyYXRvcjo6YWRkVW5leHBlY3RlZENvbnN0YW50KToKKwogMjAwOC0wOC0wOCAgTWF0dCBMaWxl ayAgPHdlYmtpdEBtYXR0bGlsZWsuY29tPgogCiAgICAgICAgIE5vdCByZXZpZXdlZCwgYnVpbGQg Zml4LgpJbmRleDogVk0vQ29kZUJsb2NrLmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBWTS9Db2RlQmxvY2su Y3BwCShyZXZpc2lvbiAzNTYzOSkKKysrIFZNL0NvZGVCbG9jay5jcHAJKHdvcmtpbmcgY29weSkK QEAgLTI1OSw2ICsyNTksMTIgQEAgdm9pZCBDb2RlQmxvY2s6OmR1bXAoRXhlY1N0YXRlKiBleGVj LCBjbwogewogICAgIGludCBsb2NhdGlvbiA9IGl0IC0gYmVnaW47CiAgICAgc3dpdGNoIChleGVj LT5tYWNoaW5lKCktPmdldE9wY29kZUlEKGl0LT51Lm9wY29kZSkpIHsKKyAgICAgICAgY2FzZSBv cF91bmV4cGVjdGVkX2xvYWQ6IHsKKyAgICAgICAgICAgIGludCByMCA9ICgrK2l0KS0+dS5vcGVy YW5kOworICAgICAgICAgICAgaW50IGswID0gKCsraXQpLT51Lm9wZXJhbmQ7CisgICAgICAgICAg ICBwcmludGYoIlslNGRdIHVuZXhwZWN0ZWRfbG9hZFx0ICVzLCAlc1xuIiwgbG9jYXRpb24sIHJl Z2lzdGVyTmFtZShyMCkuY19zdHIoKSwgY29uc3RhbnROYW1lKGV4ZWMsIGswLCB1bmV4cGVjdGVk Q29uc3RhbnRzW2swXSkuY19zdHIoKSk7CisgICAgICAgICAgICBicmVhazsKKyAgICAgICAgfQog ICAgICAgICBjYXNlIG9wX25ld19vYmplY3Q6IHsKICAgICAgICAgICAgIGludCByMCA9ICgrK2l0 KS0+dS5vcGVyYW5kOwogICAgICAgICAgICAgcHJpbnRmKCJbJTRkXSBuZXdfb2JqZWN0XHQgJXNc biIsIGxvY2F0aW9uLCByZWdpc3Rlck5hbWUocjApLmNfc3RyKCkpOwpJbmRleDogVk0vQ29kZUdl bmVyYXRvci5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PQotLS0gVk0vQ29kZUdlbmVyYXRvci5jcHAJKHJldmlzaW9u IDM1NjM5KQorKysgVk0vQ29kZUdlbmVyYXRvci5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTU0MCw3 ICs1NDAsNyBAQCBSZWdpc3RlcklEKiBDb2RlR2VuZXJhdG9yOjphZGRDb25zdGFudChKCiAKIHVu c2lnbmVkIENvZGVHZW5lcmF0b3I6OmFkZFVuZXhwZWN0ZWRDb25zdGFudChKU1ZhbHVlKiB2KQog ewotICAgIGludCBpbmRleCA9IG1fY29kZUJsb2NrLT5yZWdleHBzLnNpemUoKTsKKyAgICBpbnQg aW5kZXggPSBtX2NvZGVCbG9jay0+dW5leHBlY3RlZENvbnN0YW50cy5zaXplKCk7CiAgICAgbV9j b2RlQmxvY2stPnVuZXhwZWN0ZWRDb25zdGFudHMuYXBwZW5kKHYpOwogICAgIHJldHVybiBpbmRl eDsKIH0K