22537 2008-11-27 22:28:27 -0800 REGRESSION (r38745): Assertion failure in jsSubstring() at ge.com 2008-12-02 20:53:23 -0800 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Mac OS X 10.5 RESOLVED FIXED http://www.ge.com/ HasReduction, Regression P1 Normal --- 1 mitz ggaren ggaren oldest_to_newest 100575 0 mitz 2008-11-27 22:28:27 -0800 Visiting http://www.ge.com/ causes an assertion failure: Exception Codes: KERN_INVALID_ADDRESS at 0x00000000bbadbeef Crashed Thread: 0 Thread 0 Crashed: 0 com.apple.JavaScriptCore 0x00a9e181 JSC::jsSubstring(JSC::JSGlobalData*, JSC::UString const&, unsigned int, unsigned int) + 83 (JSString.cpp:126) 1 com.apple.JavaScriptCore 0x00b182de JSC::jsSubstring(JSC::ExecState*, JSC::UString const&, unsigned int, unsigned int) + 48 (JSString.h:173) 2 com.apple.JavaScriptCore 0x00ac9ac4 __ZN3JSCL20stringProtoFuncMatchEPNS_9ExecStateEPNS_8JSObjectEPNS_7JSValueERKNS_7ArgListE + 502 (StringPrototype.cpp:432) 3 com.apple.JavaScriptCore 0x00b6078f JSC::Interpreter::cti_op_call_NotJSFunction(void*, ...) + 461 (Interpreter.cpp:4969) 4 com.apple.JavaScriptCore 0x00b5b2de jscGeneratedNativeCode + 0 (Interpreter.cpp:4244) 5 com.apple.JavaScriptCore 0x00b623de JSC::Interpreter::execute(JSC::FunctionBodyNode*, JSC::ExecState*, JSC::JSFunction*, JSC::JSObject*, JSC::ArgList const&, JSC::ScopeChainNode*, JSC::JSValue**) + 796 (Interpreter.cpp:1003) 6 com.apple.JavaScriptCore 0x00a85b51 JSC::JSFunction::call(JSC::ExecState*, JSC::JSValue*, JSC::ArgList const&) + 139 (JSFunction.cpp:83) 7 com.apple.JavaScriptCore 0x00a85c09 JSC::call(JSC::ExecState*, JSC::JSValue*, JSC::CallType, JSC::CallData const&, JSC::JSValue*, JSC::ArgList const&) + 177 (CallData.cpp:39) 8 com.apple.WebCore 0x03a12044 WebCore::JSAbstractEventListener::handleEvent(WebCore::Event*, bool) + 786 (JSEventListener.cpp:109) 9 com.apple.WebCore 0x034db77d WebCore::Document::handleWindowEvent(WebCore::Event*, bool) + 281 (Document.cpp:2699) 10 com.apple.WebCore 0x0354250e WebCore::EventTargetNode::dispatchWindowEvent(WTF::PassRefPtr<WebCore::Event>) + 272 (EventTargetNode.cpp:409) 11 com.apple.WebCore 0x035455e3 WebCore::EventTargetNode::dispatchWindowEvent(WebCore::AtomicString const&, bool, bool) + 175 (EventTargetNode.cpp:416) 12 com.apple.WebCore 0x034e79e4 WebCore::Document::implicitClose() + 736 (Document.cpp:1562) 100576 1 zwarich 2008-11-27 22:32:03 -0800 I can reproduce this with a local debug build of r38826, and I am assigning this to myself. 100577 2 25565 zwarich 2008-11-27 23:01:54 -0800 Created attachment 25565 Partial reduction Here is a partial reduction. It still loads 2 JS files from GE's site, as well as whatever files they dynamically load. For some reason, it goes wonky but doesn't crash if I just copy the source of those files. I should be able to make a reduction by making local copies of these files and chopping them apart. 100578 3 zwarich 2008-11-27 23:03:07 -0800 It seems that GE does some referrer checking, so you need to download a local copy of that. 100581 4 zwarich 2008-11-28 00:22:49 -0800 I have a reduction: "splash_content".match(/[\s#.:>+~()@]|[^\s#.:>+~()@]+/g); I suspect that this is a recent regression due to changes in WREC. 100583 5 zwarich 2008-11-28 00:50:22 -0800 I didn't have to look far for this one. This regressed in r38745: http://trac.webkit.org/changeset/38745 100584 6 zwarich 2008-11-28 00:54:24 -0800 I am unassigning this. Geoff, you are probably a better person to fix this than me. 101123 7 ggaren 2008-12-02 17:06:37 -0800 New reduction: "a".match(/b|[^b]/g) 101143 8 25699 ggaren 2008-12-02 20:38:07 -0800 Created attachment 25699 patch 101144 9 25699 zwarich 2008-12-02 20:43:17 -0800 Comment on attachment 25699 patch The test should be in the "new style" with the .html file in fast/js and the .js file in fast/js/resources. Other than that, r=me. 101145 10 ggaren 2008-12-02 20:53:23 -0800 Committed revision 38929. 25565 2008-11-27 23:01:54 -0800 2008-11-27 23:01:54 -0800 Partial reduction reduction.html text/html 340 zwarich PGh0bWw+CjxoZWFkPgo8c2NyaXB0IHR5cGU9InRleHQvamF2YXNjcmlwdCI+CnZhciBHRV9iYXNl bGluayA9ICcnOwp2YXIgR0VfY3VycmVudFBhdGggPSAnL2luZGV4Lmh0bWwnOwo8L3NjcmlwdD4K PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiIHNyYz0iaHR0cDovL3d3dy5nZS5jb20vaHRt bF92aWV3L3NjcmlwdHNfdjIvbGliL3NpZnIuanMiPjwvc2NyaXB0Pgo8c2NyaXB0IHR5cGU9InRl eHQvamF2YXNjcmlwdCIgc3JjPSJodHRwOi8vd3d3LmdlLmNvbS9odG1sX3ZpZXcvc2NyaXB0c192 Mi9nZV9pbml0LmpzIj48L3NjcmlwdD4KPC9oZWFkPgo8Ym9keT4KPC9ib2R5Pgo8L2h0bWw+Cg== 25699 2008-12-02 20:38:07 -0800 2008-12-02 20:43:17 -0800 patch patch-regexp-crash.txt text/plain 4483 ggaren SW5kZXg6IEphdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBKYXZhU2NyaXB0 Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDM4OTI4KQorKysgSmF2YVNjcmlwdENvcmUvQ2hhbmdl TG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMjQgQEAKKzIwMDgtMTItMDIgIEdlb2ZmcmV5 IEdhcmVuICA8Z2dhcmVuQGFwcGxlLmNvbT4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkg KE9PUFMhKS4KKyAgICAgICAgCisgICAgICAgIEZpeGVkIGh0dHBzOi8vYnVncy53ZWJraXQub3Jn L3Nob3dfYnVnLmNnaT9pZD0yMjUzNworICAgICAgICBSRUdSRVNTSU9OIChyMzg3NDUpOiBBc3Nl cnRpb24gZmFpbHVyZSBpbiBqc1N1YnN0cmluZygpIGF0IGdlLmNvbQorCisgICAgICAgIFRoZSBi dWcgd2FzIHRoYXQgaW5kZXggd291bGQgYmVjb21lIGdyZWF0ZXIgdGhhbiBsZW5ndGgsIHNvIG91 cgorICAgICAgICAiZW5kIG9mIGlucHV0IiBjaGVja3MsIHdoaWNoIGFsbCBjaGVjayAiaW5kZXgg PT0gbGVuZ3RoIiwgd291bGQgZmFpbC4KKyAgICAgICAgCisgICAgICAgIFRoZSBzb2x1dGlvbiBp cyB0byBjaGVjayBmb3IgZW5kIG9mIGlucHV0IGJlZm9yZSBpbmNyZW1lbnRpbmcgaW5kZXgsCisg ICAgICAgIHRvIGVuc3VyZSB0aGF0IGluZGV4IGlzIGFsd2F5cyA8PSBsZW5ndGguCisgICAgICAg IAorICAgICAgICBBcyBhIHNpZGUgYmVuZWZpdCwgZ2VuZXJhdGVKdW1wSWZFbmRPZklucHV0IGNh biBub3cgdXNlIGplIGluc3RlYWQgb2YKKyAgICAgICAgamcsIHdoaWNoIHNob3VsZCBiZSBzbGln aHRseSBmYXN0ZXIuCisKKyAgICAgICAgKiB3cmVjL1dSRUMuY3BwOgorICAgICAgICAoSlNDOjpX UkVDOjpHZW5lcmF0b3I6OmNvbXBpbGVSZWdFeHApOgorICAgICAgICAqIHdyZWMvV1JFQ0dlbmVy YXRvci5jcHA6CisgICAgICAgIChKU0M6OldSRUM6OkdlbmVyYXRvcjo6Z2VuZXJhdGVKdW1wSWZF bmRPZklucHV0KToKKwogMjAwOC0xMi0wMiAgR2F2aW4gQmFycmFjbG91Z2ggIDxiYXJyYWNsb3Vn aEBhcHBsZS5jb20+CiAKICAgICAgICAgUmV2aWV3ZWQgYnkgR2VvZmZyZXkgR2FyZW4uCkluZGV4 OiBKYXZhU2NyaXB0Q29yZS93cmVjL1dSRUMuY3BwCj09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIEphdmFTY3JpcHRD b3JlL3dyZWMvV1JFQy5jcHAJKHJldmlzaW9uIDM4OTI3KQorKysgSmF2YVNjcmlwdENvcmUvd3Jl Yy9XUkVDLmNwcAkod29ya2luZyBjb3B5KQpAQCAtNjAsOCArNjAsOCBAQCBDb21waWxlZFJlZ0V4 cCBHZW5lcmF0b3I6OmNvbXBpbGVSZWdFeHAoCiAgICAgZ2VuZXJhdG9yLmdlbmVyYXRlUmV0dXJu U3VjY2VzcygpOwogCiAgICAgZmFpbHVyZXMubGluaygpOwotICAgIGdlbmVyYXRvci5nZW5lcmF0 ZUluY3JlbWVudEluZGV4KCk7CiAgICAgZ2VuZXJhdG9yLmdlbmVyYXRlSnVtcElmRW5kT2ZJbnB1 dChmYWlsdXJlcyk7CisgICAgZ2VuZXJhdG9yLmdlbmVyYXRlSW5jcmVtZW50SW5kZXgoKTsKICAg ICBwYXJzZXIucGFyc2VQYXR0ZXJuKGZhaWx1cmVzKTsKICAgICBnZW5lcmF0b3IuZ2VuZXJhdGVS ZXR1cm5TdWNjZXNzKCk7CiAKSW5kZXg6IEphdmFTY3JpcHRDb3JlL3dyZWMvV1JFQ0dlbmVyYXRv ci5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PQotLS0gSmF2YVNjcmlwdENvcmUvd3JlYy9XUkVDR2VuZXJhdG9yLmNw cAkocmV2aXNpb24gMzg5MjcpCisrKyBKYXZhU2NyaXB0Q29yZS93cmVjL1dSRUNHZW5lcmF0b3Iu Y3BwCSh3b3JraW5nIGNvcHkpCkBAIC0xMTMsNyArMTEzLDcgQEAgdm9pZCBHZW5lcmF0b3I6Omdl bmVyYXRlTG9hZENoYXJhY3RlcihKdQogLy8gd2VyZSBwYXJ0IG9mIHRoZSBpbnB1dCBzdHJpbmcu CiB2b2lkIEdlbmVyYXRvcjo6Z2VuZXJhdGVKdW1wSWZFbmRPZklucHV0KEp1bXBMaXN0JiBmYWls dXJlcykKIHsKLSAgICBmYWlsdXJlcy5hcHBlbmQoamczMihpbmRleCwgbGVuZ3RoKSk7CisgICAg ZmFpbHVyZXMuYXBwZW5kKGplMzIobGVuZ3RoLCBpbmRleCkpOwogfQogCiAvLyBGb3IgdGhlIHNh a2Ugb2YgZW5kLW9mLWxpbmUgYXNzZXJ0aW9ucywgd2UgdHJlYXQgb25lLXBhc3QtdGhlLWVuZCBh cyBpZiBpdApJbmRleDogTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIExheW91 dFRlc3RzL0NoYW5nZUxvZwkocmV2aXNpb24gMzg5MjgpCisrKyBMYXlvdXRUZXN0cy9DaGFuZ2VM b2cJKHdvcmtpbmcgY29weSkKQEAgLTEsMyArMSwxMyBAQAorMjAwOC0xMi0wMiAgR2VvZmZyZXkg R2FyZW4gIDxnZ2FyZW5AYXBwbGUuY29tPgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAo T09QUyEpLgorICAgICAgICAKKyAgICAgICAgVGVzdCBmb3IgaHR0cHM6Ly9idWdzLndlYmtpdC5v cmcvc2hvd19idWcuY2dpP2lkPTIyNTM3CisgICAgICAgIFJFR1JFU1NJT04gKHIzODc0NSk6IEFz c2VydGlvbiBmYWlsdXJlIGluIGpzU3Vic3RyaW5nKCkgYXQgZ2UuY29tCisKKyAgICAgICAgKiBm YXN0L3JlZ2V4L2FsdGVybmF0aXZlLWxlbmd0aC1taXNjYWxjdWxhdGlvbi1leHBlY3RlZC50eHQ6 IEFkZGVkLgorICAgICAgICAqIGZhc3QvcmVnZXgvYWx0ZXJuYXRpdmUtbGVuZ3RoLW1pc2NhbGN1 bGF0aW9uLmh0bWw6IEFkZGVkLgorCiAyMDA4LTEyLTAyICBTaW1vbiBGcmFzZXIgIDxzaW1vbi5m cmFzZXJAYXBwbGUuY29tPgogCiAgICAgICAgIFJldmlld2VkIGJ5IERhdmUgSHlhdHQKSW5kZXg6 IExheW91dFRlc3RzL2Zhc3QvcmVnZXgvYWx0ZXJuYXRpdmUtbGVuZ3RoLW1pc2NhbGN1bGF0aW9u LWV4cGVjdGVkLnR4dAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9mYXN0L3JlZ2V4L2FsdGVy bmF0aXZlLWxlbmd0aC1taXNjYWxjdWxhdGlvbi1leHBlY3RlZC50eHQJKHJldmlzaW9uIDApCisr KyBMYXlvdXRUZXN0cy9mYXN0L3JlZ2V4L2FsdGVybmF0aXZlLWxlbmd0aC1taXNjYWxjdWxhdGlv bi1leHBlY3RlZC50eHQJKHJldmlzaW9uIDApCkBAIC0wLDAgKzEsNCBAQAorVGhpcyBwYWdlIHRl c3RzIGZvciBhIGxlbmd0aCBtaXNjYWxjdWxhdGlvbiBpbiByZWd1bGFyIGV4cHJlc3Npb24gcHJv Y2Vzc2luZy4gSWYgdGhlIHRlc3QgcGFzc2VzLCB5b3UnbGwgc2VlIGEgUEFTUyBtZXNzYWdlIGJl bG93LgorCitQQVNTOiByZS5leGVjKCJhIikgc2hvdWxkIGJlICdudWxsJyBhbmQgaXMuCisKSW5k ZXg6IExheW91dFRlc3RzL2Zhc3QvcmVnZXgvYWx0ZXJuYXRpdmUtbGVuZ3RoLW1pc2NhbGN1bGF0 aW9uLmh0bWwKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PQotLS0gTGF5b3V0VGVzdHMvZmFzdC9yZWdleC9hbHRlcm5hdGl2 ZS1sZW5ndGgtbWlzY2FsY3VsYXRpb24uaHRtbAkocmV2aXNpb24gMCkKKysrIExheW91dFRlc3Rz L2Zhc3QvcmVnZXgvYWx0ZXJuYXRpdmUtbGVuZ3RoLW1pc2NhbGN1bGF0aW9uLmh0bWwJKHJldmlz aW9uIDApCkBAIC0wLDAgKzEsMjkgQEAKKzxwPgorVGhpcyBwYWdlIHRlc3RzIGZvciBhIGxlbmd0 aCBtaXNjYWxjdWxhdGlvbiBpbiByZWd1bGFyIGV4cHJlc3Npb24gcHJvY2Vzc2luZy4KK0lmIHRo ZSB0ZXN0IHBhc3NlcywgeW91J2xsIHNlZSBhIFBBU1MgbWVzc2FnZSBiZWxvdy4KKzwvcD4KKzxw cmUgaWQ9ImNvbnNvbGUiPjwvcHJlPgorCis8c2NyaXB0PgorZnVuY3Rpb24gbG9nKHMpCit7Cisg ICAgZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoImNvbnNvbGUiKS5hcHBlbmRDaGlsZChkb2N1bWVu dC5jcmVhdGVUZXh0Tm9kZShzICsgIlxuIikpOworfQorCitmdW5jdGlvbiBzaG91bGRCZShhLCBh RGVzY3JpcHRpb24sIGIpCit7CisgICAgaWYgKGEgPT0gYikgeworICAgICAgICBsb2coIlBBU1M6 ICIgKyBhRGVzY3JpcHRpb24gKyAiIHNob3VsZCBiZSAnIiArIFN0cmluZyhiKSArICInIGFuZCBp cy4iKTsKKyAgICAgICAgcmV0dXJuOworICAgIH0KKyAgICAKKyAgICBsb2cgKCJGQUlMOiAiICsg YURlc2NyaXB0aW9uICsgIiBzaG91bGQgYmUgJyIgKyBTdHJpbmcoYikgKyAiJyBidXQgaW5zdGVh ZCBpcyAnIiArIFN0cmluZyhhKSArICInLiIpOworfQorCitpZiAod2luZG93LmxheW91dFRlc3RD b250cm9sbGVyKQorICAgIGxheW91dFRlc3RDb250cm9sbGVyLmR1bXBBc1RleHQoKTsKKwordmFy IHJlID0gL2J8W15iXS9nOworcmUubGFzdEluZGV4ID0gMTsKK3Nob3VsZEJlKHJlLmV4ZWMoImEi KSwgJ3JlLmV4ZWMoImEiKScsIG51bGwpOworPC9zY3JpcHQ+Cg==