4474 2005-08-17 01:47:02 -0700 REGRESSION: Crash when using in-place operator on uninitialized array element 2005-08-19 08:59:47 -0700 1 1 1 Unclassified WebKit JavaScriptCore 420+ Mac OS X 10.4 RESOLVED FIXED http://forums.macnn.com P1 Normal --- 1 jon mjs oliver oldest_to_newest 16833 0 jon 2005-08-17 01:47:02 -0700 I was able to reproduce this crash every time. Just try to login into the MacNN forums using the login form on any of the forum or thread indexes. Once the button is clicked or return is hit, Safari will crash with this report (x6): Exception: EXC_BAD_ACCESS (0x0001) Codes: KERN_INVALID_ADDRESS (0x0001) at 0x7eaba778 Thread 0 Crashed: 0 <<00000000>> 0x7eaba778 0 + 2125178744 1 com.apple.JavaScriptCore 0x00437be8 KJS::AssignBracketNode::evaluate(KJS::ExecState*) + 780 (icplusplus.c:28) 2 com.apple.JavaScriptCore 0x00432720 KJS::ExprStatementNode::execute(KJS::ExecState*) + 104 (icplusplus.c:28) 3 com.apple.JavaScriptCore 0x00436708 KJS::ForNode::execute(KJS::ExecState*) + 416 (icplusplus.c: 28) 4 com.apple.JavaScriptCore 0x00432174 KJS::SourceElementsNode::execute(KJS::ExecState*) + 356 (icplusplus.c:28) 5 com.apple.JavaScriptCore 0x0042cc54 KJS::BlockNode::execute(KJS::ExecState*) + 128 (icplusplus.c:28) 6 com.apple.JavaScriptCore 0x00423fa0 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 48 (icplusplus.c:28) 7 com.apple.JavaScriptCore 0x004242bc KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::ObjectImp*, KJS::List const&) + 424 (icplusplus.c:28) 8 com.apple.JavaScriptCore 0x0043b948 KJS::ObjectImp::call(KJS::ExecState*, KJS::ObjectImp*, KJS::List const&) + 108 (icplusplus.c:28) 9 com.apple.JavaScriptCore 0x004370f8 KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 500 (icplusplus.c:28) 10 com.apple.JavaScriptCore 0x00433c40 KJS::ArgumentListNode::evaluateList(KJS::ExecState*) + 80 (icplusplus.c:28) 11 com.apple.JavaScriptCore 0x00433cec KJS::ArgumentsNode::evaluateList(KJS::ExecState*) + 44 (icplusplus.c:28) 12 com.apple.JavaScriptCore 0x00437080 KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 380 (icplusplus.c:28) 13 com.apple.JavaScriptCore 0x00433c40 KJS::ArgumentListNode::evaluateList(KJS::ExecState*) + 80 (icplusplus.c:28) 14 com.apple.JavaScriptCore 0x00433cec KJS::ArgumentsNode::evaluateList(KJS::ExecState*) + 44 (icplusplus.c:28) 15 com.apple.JavaScriptCore 0x00437080 KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 380 (icplusplus.c:28) 16 com.apple.JavaScriptCore 0x004358f0 KJS::ReturnNode::execute(KJS::ExecState*) + 252 (icplusplus.c:28) 17 com.apple.JavaScriptCore 0x004320cc KJS::SourceElementsNode::execute(KJS::ExecState*) + 188 (icplusplus.c:28) 18 com.apple.JavaScriptCore 0x0042cc54 KJS::BlockNode::execute(KJS::ExecState*) + 128 (icplusplus.c:28) 19 com.apple.JavaScriptCore 0x00423fa0 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 48 (icplusplus.c:28) 20 com.apple.JavaScriptCore 0x004242bc KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::ObjectImp*, KJS::List const&) + 424 (icplusplus.c:28) 21 com.apple.JavaScriptCore 0x0043b948 KJS::ObjectImp::call(KJS::ExecState*, KJS::ObjectImp*, KJS::List const&) + 108 (icplusplus.c:28) 22 com.apple.JavaScriptCore 0x004370f8 KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 500 (icplusplus.c:28) 23 com.apple.JavaScriptCore 0x004359f0 KJS::VarDeclNode::evaluate(KJS::ExecState*) + 84 (icplusplus.c:28) 24 com.apple.JavaScriptCore 0x0043293c KJS::VarDeclListNode::evaluate(KJS::ExecState*) + 68 (icplusplus.c:28) 25 com.apple.JavaScriptCore 0x00432850 KJS::VarStatementNode::execute(KJS::ExecState*) + 104 (icplusplus.c:28) 26 com.apple.JavaScriptCore 0x004320cc KJS::SourceElementsNode::execute(KJS::ExecState*) + 188 (icplusplus.c:28) 27 com.apple.JavaScriptCore 0x0042cc54 KJS::BlockNode::execute(KJS::ExecState*) + 128 (icplusplus.c:28) 28 com.apple.JavaScriptCore 0x004326a0 KJS::IfNode::execute(KJS::ExecState*) + 332 (icplusplus.c: 28) 29 com.apple.JavaScriptCore 0x004320cc KJS::SourceElementsNode::execute(KJS::ExecState*) + 188 (icplusplus.c:28) 30 com.apple.JavaScriptCore 0x0042cc54 KJS::BlockNode::execute(KJS::ExecState*) + 128 (icplusplus.c:28) 31 com.apple.JavaScriptCore 0x00423fa0 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 48 (icplusplus.c:28) 32 com.apple.JavaScriptCore 0x004242bc KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::ObjectImp*, KJS::List const&) + 424 (icplusplus.c:28) 33 com.apple.JavaScriptCore 0x0043b948 KJS::ObjectImp::call(KJS::ExecState*, KJS::ObjectImp*, KJS::List const&) + 108 (icplusplus.c:28) 34 com.apple.JavaScriptCore 0x004370f8 KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 500 (icplusplus.c:28) 35 com.apple.JavaScriptCore 0x00432720 KJS::ExprStatementNode::execute(KJS::ExecState*) + 104 (icplusplus.c:28) 36 com.apple.JavaScriptCore 0x004320cc KJS::SourceElementsNode::execute(KJS::ExecState*) + 188 (icplusplus.c:28) 37 com.apple.JavaScriptCore 0x0042cc54 KJS::BlockNode::execute(KJS::ExecState*) + 128 (icplusplus.c:28) 38 com.apple.JavaScriptCore 0x00423fa0 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 48 (icplusplus.c:28) 39 com.apple.JavaScriptCore 0x004242bc KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::ObjectImp*, KJS::List const&) + 424 (icplusplus.c:28) 40 com.apple.JavaScriptCore 0x0043b948 KJS::ObjectImp::call(KJS::ExecState*, KJS::ObjectImp*, KJS::List const&) + 108 (icplusplus.c:28) 41 com.apple.WebCore 0x0108a278 KJS::JSAbstractEventListener::handleEvent (DOM::EventImpl*, bool) + 488 (icplusplus.c:28) 42 com.apple.WebCore 0x0111fd8c DOM::NodeImpl::handleLocalEvents(DOM::EventImpl*, bool) + 200 (icplusplus.c:28) 43 com.apple.WebCore 0x01122b48 DOM::NodeImpl::dispatchGenericEvent(DOM::EventImpl*, int&) + 360 (icplusplus.c:28) 44 com.apple.WebCore 0x01122f70 DOM::NodeImpl::dispatchEvent(DOM::EventImpl*, int&, bool) + 208 (icplusplus.c:28) 45 com.apple.WebCore 0x01123ed8 DOM::NodeImpl::dispatchHTMLEvent(int, bool, bool) + 88 (icplusplus.c:28) 46 com.apple.WebCore 0x010bf06c DOM::HTMLFormElementImpl::prepareSubmit() + 172 (icplusplus.c:28) 47 com.apple.WebCore 0x010bf3fc DOM::HTMLInputElementImpl::defaultEventHandler (DOM::EventImpl*) + 292 (icplusplus.c:28) 48 com.apple.WebCore 0x01122c4c DOM::NodeImpl::dispatchGenericEvent(DOM::EventImpl*, int&) + 620 (icplusplus.c:28) 49 com.apple.WebCore 0x01122f70 DOM::NodeImpl::dispatchEvent(DOM::EventImpl*, int&, bool) + 208 (icplusplus.c:28) 50 com.apple.WebCore 0x01123e6c DOM::NodeImpl::dispatchUIEvent(int, int) + 132 (icplusplus.c:28) 51 com.apple.WebCore 0x01124734 DOM::NodeImpl::dispatchMouseEvent(QMouseEvent*, int, int) + 1028 (icplusplus.c:28) 52 com.apple.WebCore 0x010f1720 khtml::RenderFormElement::slotClicked() + 64 (icplusplus.c:28) 53 com.apple.WebCore 0x01135378 KWQSignal::call() const + 116 (icplusplus.c:28) 54 com.apple.WebCore 0x0100db54 QButton::clicked() + 112 (icplusplus.c:28) 55 com.apple.AppKit 0x936fd6d4 -[NSApplication sendAction:to:from:] + 108 56 com.apple.Safari 0x0001e0f0 0x1000 + 119024 57 com.apple.AppKit 0x936fd608 -[NSControl sendAction:to:] + 96 58 com.apple.AppKit 0x936fd4e8 -[NSCell _sendActionFrom:] + 156 59 com.apple.AppKit 0x936fcfc8 -[NSButtonCell performClick:] + 472 60 com.apple.WebCore 0x0100dbc8 QButton::click(bool) + 76 (icplusplus.c:28) 61 com.apple.WebCore 0x010bf778 DOM::HTMLInputElementImpl::defaultEventHandler (DOM::EventImpl*) + 1184 (icplusplus.c:28) 62 com.apple.WebCore 0x01122c4c DOM::NodeImpl::dispatchGenericEvent(DOM::EventImpl*, int&) + 620 (icplusplus.c:28) 63 com.apple.WebCore 0x01122f70 DOM::NodeImpl::dispatchEvent(DOM::EventImpl*, int&, bool) + 208 (icplusplus.c:28) 64 com.apple.WebCore 0x011233b0 DOM::NodeImpl::dispatchKeyEvent(QKeyEvent*) + 100 (icplusplus.c:28) 65 com.apple.WebCore 0x0101d2f4 KWQKHTMLPart::keyEvent(NSEvent*) + 276 (icplusplus.c: 28) 66 com.apple.WebCore 0x01031840 -[KWQTextFieldController textView:shouldHandleEvent:] + 220 (icplusplus.c:28) 67 com.apple.WebCore 0x01032be0 -[KWQSecureTextField textView:shouldHandleEvent:] + 40 (icplusplus.c:28) 68 com.apple.AppKit 0x9373cf44 -[NSTextView keyDown:] + 316 69 com.apple.AppKit 0x936b8a34 -[NSWindow sendEvent:] + 6424 70 com.apple.Safari 0x0001d2c4 0x1000 + 115396 71 com.apple.AppKit 0x936614f4 -[NSApplication sendEvent:] + 4172 72 com.apple.Safari 0x0001a2a4 0x1000 + 103076 73 com.apple.AppKit 0x93658930 -[NSApplication run] + 508 74 com.apple.AppKit 0x93749284 NSApplicationMain + 452 75 com.apple.Safari 0x000021e4 0x1000 + 4580 76 com.apple.Safari 0x00056e14 0x1000 + 351764 16886 1 mitz 2005-08-17 13:57:36 -0700 This looks similar to bug 4460 16888 2 3441 mitz 2005-08-17 14:33:48 -0700 Created attachment 3441 testcase This crashes TOT by using the in-place operator |= (although += would also work) on an uninitialized array element. 16894 3 3442 mitz 2005-08-17 15:32:28 -0700 Created attachment 3442 proposed patch Check if getPropertySlot succeeded before trying to use the slot. 16896 4 3442 darin 2005-08-17 15:41:25 -0700 Comment on attachment 3442 proposed patch r=me 16897 5 3443 mitz 2005-08-17 15:43:03 -0700 Created attachment 3443 proposed patch Added this check at another place to take care of bug 4460 as well 16914 6 oliver 2005-08-17 22:37:29 -0700 *** Bug 4460 has been marked as a duplicate of this bug. *** 16915 7 3443 mjs 2005-08-17 22:59:17 -0700 Comment on attachment 3443 proposed patch r=me 3441 2005-08-17 14:33:48 -0700 2005-08-17 14:33:48 -0700 testcase 4474_testcase.html text/html 277 mitz PCFET0NUWVBFIGh0bWwgUFVCTElDICItLy9XM0MvL0RURCBYSFRNTCAxLjAgVHJhbnNpdGlvbmFs Ly9FTiIgImh0dHA6Ly93d3cudzMub3JnL1RSL3hodG1sMS9EVEQveGh0bWwxLXRyYW5zaXRpb25h bC5kdGQiPgo8aHRtbD4NCjxoZWFkPgo8dGl0bGU+SlMgY3Jhc2g8L3RpdGxlPgo8L2hlYWQ+DQo8 Ym9keT4NCjxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0Ij4KICAgIHZhciBhID0gbmV3IEFy cmF5KCk7CiAgICBhWzBdIHw9IDA7Cjwvc2NyaXB0Pg0KPC9ib2R5Pg0KPC9odG1sPg== 3442 2005-08-17 15:32:28 -0700 2005-08-17 15:43:03 -0700 proposed patch 4474_patch_r1.txt text/plain 900 mitz SW5kZXg6IG5vZGVzLmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09ClJDUyBmaWxlOiAvY3ZzL3Jvb3QvSmF2YVNjcmlw dENvcmUva2pzL25vZGVzLmNwcCx2CnJldHJpZXZpbmcgcmV2aXNpb24gMS43NQpkaWZmIC1wIC11 IC1yMS43NSBub2Rlcy5jcHAKLS0tIG5vZGVzLmNwcAkxNyBBdWcgMjAwNSAwMTowMDowMCAtMDAw MAkxLjc1CisrKyBub2Rlcy5jcHAJMTcgQXVnIDIwMDUgMjI6MzE6NTYgLTAwMDAKQEAgLTE3NzMs OCArMTc3MywxMSBAQCBWYWx1ZUltcCAqQXNzaWduQnJhY2tldE5vZGU6OmV2YWx1YXRlKEV4CiAg ICAgICB2ID0gbV9yaWdodC0+ZXZhbHVhdGUoZXhlYyk7CiAgICAgfSBlbHNlIHsKICAgICAgIFBy b3BlcnR5U2xvdCBzbG90OwotICAgICAgYmFzZS0+Z2V0UHJvcGVydHlTbG90KGV4ZWMsIHByb3Bl cnR5SW5kZXgsIHNsb3QpOyAgICAKLSAgICAgIFZhbHVlSW1wICp2MSA9IHNsb3QuaXNTZXQoKSA/ IHNsb3QuZ2V0VmFsdWUoZXhlYywgcHJvcGVydHlJbmRleCkgOiBVbmRlZmluZWQoKTsKKyAgICAg IFZhbHVlSW1wICp2MTsKKyAgICAgIGlmIChiYXNlLT5nZXRQcm9wZXJ0eVNsb3QoZXhlYywgcHJv cGVydHlJbmRleCwgc2xvdCkgJiYgc2xvdC5pc1NldCgpKSAgICAKKyAgICAgICAgICB2MSA9IHNs b3QuZ2V0VmFsdWUoZXhlYywgcHJvcGVydHlJbmRleCk7CisgICAgICBlbHNlCisgICAgICAgICAg djEgPSBVbmRlZmluZWQoKTsKICAgICAgIEtKU19DSEVDS0VYQ0VQVElPTlZBTFVFCiAgICAgICBW YWx1ZUltcCAqdjIgPSBtX3JpZ2h0LT5ldmFsdWF0ZShleGVjKTsKICAgICAgIHYgPSB2YWx1ZUZv clJlYWRNb2RpZnlBc3NpZ25tZW50KGV4ZWMsIHYxLCB2MiwgbV9vcGVyKTsK 3443 2005-08-17 15:43:03 -0700 2005-08-17 22:59:17 -0700 proposed patch 4474_patch_r2.txt text/plain 1494 mitz SW5kZXg6IG5vZGVzLmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09ClJDUyBmaWxlOiAvY3ZzL3Jvb3QvSmF2YVNjcmlw dENvcmUva2pzL25vZGVzLmNwcCx2CnJldHJpZXZpbmcgcmV2aXNpb24gMS43NQpkaWZmIC1wIC11 IC1yMS43NSBub2Rlcy5jcHAKLS0tIG5vZGVzLmNwcAkxNyBBdWcgMjAwNSAwMTowMDowMCAtMDAw MAkxLjc1CisrKyBub2Rlcy5jcHAJMTcgQXVnIDIwMDUgMjI6NDI6MzggLTAwMDAKQEAgLTE3NzMs OCArMTc3MywxMSBAQCBWYWx1ZUltcCAqQXNzaWduQnJhY2tldE5vZGU6OmV2YWx1YXRlKEV4CiAg ICAgICB2ID0gbV9yaWdodC0+ZXZhbHVhdGUoZXhlYyk7CiAgICAgfSBlbHNlIHsKICAgICAgIFBy b3BlcnR5U2xvdCBzbG90OwotICAgICAgYmFzZS0+Z2V0UHJvcGVydHlTbG90KGV4ZWMsIHByb3Bl cnR5SW5kZXgsIHNsb3QpOyAgICAKLSAgICAgIFZhbHVlSW1wICp2MSA9IHNsb3QuaXNTZXQoKSA/ IHNsb3QuZ2V0VmFsdWUoZXhlYywgcHJvcGVydHlJbmRleCkgOiBVbmRlZmluZWQoKTsKKyAgICAg IFZhbHVlSW1wICp2MTsKKyAgICAgIGlmIChiYXNlLT5nZXRQcm9wZXJ0eVNsb3QoZXhlYywgcHJv cGVydHlJbmRleCwgc2xvdCkgJiYgc2xvdC5pc1NldCgpKSAgICAKKyAgICAgICAgICB2MSA9IHNs b3QuZ2V0VmFsdWUoZXhlYywgcHJvcGVydHlJbmRleCk7CisgICAgICBlbHNlCisgICAgICAgICAg djEgPSBVbmRlZmluZWQoKTsKICAgICAgIEtKU19DSEVDS0VYQ0VQVElPTlZBTFVFCiAgICAgICBW YWx1ZUltcCAqdjIgPSBtX3JpZ2h0LT5ldmFsdWF0ZShleGVjKTsKICAgICAgIHYgPSB2YWx1ZUZv clJlYWRNb2RpZnlBc3NpZ25tZW50KGV4ZWMsIHYxLCB2MiwgbV9vcGVyKTsKQEAgLTE3OTMsOCAr MTc5NiwxMSBAQCBWYWx1ZUltcCAqQXNzaWduQnJhY2tldE5vZGU6OmV2YWx1YXRlKEV4CiAgICAg diA9IG1fcmlnaHQtPmV2YWx1YXRlKGV4ZWMpOwogICB9IGVsc2UgewogICAgIFByb3BlcnR5U2xv dCBzbG90OwotICAgIGJhc2UtPmdldFByb3BlcnR5U2xvdChleGVjLCBwcm9wZXJ0eU5hbWUsIHNs b3QpOyAgICAKLSAgICBWYWx1ZUltcCAqdjEgPSBzbG90LmlzU2V0KCkgPyBzbG90LmdldFZhbHVl KGV4ZWMsIHByb3BlcnR5TmFtZSkgOiBVbmRlZmluZWQoKTsKKyAgICBWYWx1ZUltcCAqdjE7Cisg ICAgaWYgKGJhc2UtPmdldFByb3BlcnR5U2xvdChleGVjLCBwcm9wZXJ0eU5hbWUsIHNsb3QpICYm IHNsb3QuaXNTZXQoKSkgICAgCisgICAgICAgIHYxID0gc2xvdC5nZXRWYWx1ZShleGVjLCBwcm9w ZXJ0eU5hbWUpOworICAgIGVsc2UKKyAgICAgICAgdjEgPSBVbmRlZmluZWQoKTsKICAgICBLSlNf Q0hFQ0tFWENFUFRJT05WQUxVRQogICAgIFZhbHVlSW1wICp2MiA9IG1fcmlnaHQtPmV2YWx1YXRl KGV4ZWMpOwogICAgIHYgPSB2YWx1ZUZvclJlYWRNb2RpZnlBc3NpZ25tZW50KGV4ZWMsIHYxLCB2 MiwgbV9vcGVyKTsK