Bug 140579

Summary: Crash in JSScope::resolve() on tools.ups.com
Product: WebKit
Reporter: Michael Saboff <msaboff>
Component: JavaScriptCore
Assignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All
URL: https://tools.usps.com/go/POLocatorAction.action
Attachments:
Description    Flags
Patch          ggaren: review+

Description Michael Saboff 2015-01-16 17:09:17 PST
Go to https://tools.usps.com/go/POLocatorAction.action and wait a few seconds; WebKit will crash with a stack trace similar to:
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x00007fff986419c0 JSC::JSScope::resolve(JSC::ExecState*, JSC::JSScope*, JSC::Identifier const&) + 32
1   ???                           	0x00002b82e56548d6 0 + 47841194363094
2   ???                           	0x00002b82e565a9b2 0 + 47841194387890
3   com.apple.JavaScriptCore      	0x00007fff986783fe llint_entry + 22198
4   com.apple.JavaScriptCore      	0x00007fff986783fe llint_entry + 22198
5   com.apple.JavaScriptCore      	0x00007fff986783fe llint_entry + 22198
6   ???                           	0x00002b82e56596d6 0 + 47841194383062
7   ???                           	0x00002b82e5601a20 0 + 47841194023456
8   com.apple.JavaScriptCore      	0x00007fff986783fe llint_entry + 22198
9   ???                           	0x00002b82e56596d6 0 + 47841194383062
10  ???                           	0x00002b82e5601a20 0 + 47841194023456
11  ???                           	0x00002b82e5656d68 0 + 47841194372456
12  ???                           	0x00002b82e5601a20 0 + 47841194023456
13  com.apple.JavaScriptCore      	0x00007fff986783fe llint_entry + 22198
14  com.apple.JavaScriptCore      	0x00007fff98678633 llint_entry + 22763
15  com.apple.JavaScriptCore      	0x00007fff98678506 llint_entry + 22462
16  com.apple.JavaScriptCore      	0x00007fff986783fe llint_entry + 22198
17  ???                           	0x00002b82e56019fa 0 + 47841194023418
18  com.apple.JavaScriptCore      	0x00007fff98678633 llint_entry + 22763
19  com.apple.JavaScriptCore      	0x00007fff98678571 llint_entry + 22569
20  com.apple.JavaScriptCore      	0x00007fff98672b38 vmEntryToJavaScript + 326
21  com.apple.JavaScriptCore      	0x00007fff985e4e29 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 169
22  com.apple.JavaScriptCore      	0x00007fff9821cd71 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) + 9105
23  com.apple.JavaScriptCore      	0x00007fff9821a8e4 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) + 484
24  com.apple.WebCore             	0x00007fff994186f9 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&) + 313
25  com.apple.WebCore             	0x00007fff98871719 WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) + 41
26  com.apple.WebCore             	0x00007fff9887162a WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 298
27  com.apple.WebCore             	0x00007fff98870b52 WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) + 946
28  com.apple.WebCore             	0x00007fff9886fc15 WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition const&) + 357
29  com.apple.WebCore             	0x00007fff9886fa40 WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition const&) + 48
30  com.apple.WebCore             	0x00007fff9886f994 WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() + 84
31  com.apple.WebCore             	0x00007fff987da6cd WebCore::HTMLDocumentParser::canTakeNextToken(WebCore::HTMLDocumentParser::SynchronousMode, WebCore::PumpSession&) + 93
32  com.apple.WebCore             	0x00007fff987d97ee WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 478
33  com.apple.WebCore             	0x00007fff988f87b3 WebCore::HTMLDocumentParser::resumeParsingAfterYield() + 19
34  com.apple.WebCore             	0x00007fff987b7dbd WebCore::ThreadTimers::sharedTimerFiredInternal() + 157
35  com.apple.WebCore             	0x00007fff987b7ce4 WebCore::timerFired(__CFRunLoopTimer*, void*) + 20
36  com.apple.CoreFoundation      	0x00007fff92ea8a34 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
37  com.apple.CoreFoundation      	0x00007fff92ea86c3 __CFRunLoopDoTimer + 1059
38  com.apple.CoreFoundation      	0x00007fff92f1bc8d __CFRunLoopDoTimers + 301
39  com.apple.CoreFoundation      	0x00007fff92e65158 __CFRunLoopRun + 2024
40  com.apple.CoreFoundation      	0x00007fff92e64728 CFRunLoopRunSpecific + 296
41  com.apple.HIToolbox           	0x00007fff9b46cddf RunCurrentEventLoopInMode + 235
42  com.apple.HIToolbox           	0x00007fff9b46cb5a ReceiveNextEventCommon + 431
43  com.apple.HIToolbox           	0x00007fff9b46c99b _BlockUntilNextEventMatchingListInModeWithFilter + 71
44  com.apple.AppKit              	0x00007fff8d4826bd _DPSNextEvent + 964
45  com.apple.AppKit              	0x00007fff8d481cc0 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 194
46  com.apple.AppKit              	0x00007fff8d4779c3 -[NSApplication run] + 594
47  com.apple.AppKit              	0x00007fff8d3f24c4 NSApplicationMain + 1832
48  libxpc.dylib                  	0x00007fff9bd7e958 _xpc_objc_main + 793
49  libxpc.dylib                  	0x00007fff9bd80060 xpc_main + 490
50  com.apple.WebKit.WebContent   	0x10d423b30 main + 16 (/SourceCache/WebKit2/WebKit2-7601.1.12/Shared/EntryPointUtilities/mac/XPCService/XPCServiceMain.mm:80)
51  libdyld.dylib                 	0x00007fff8f2065c9 start + 1
Comment 1 Michael Saboff 2015-01-16 22:29:40 PST
Created attachment 244837 [details]
Patch
Comment 2 Geoffrey Garen 2015-01-17 13:50:33 PST
Comment on attachment 244837 [details]
Patch

r=me
Comment 3 Michael Saboff 2015-01-17 16:20:44 PST
Committed r178629: <http://trac.webkit.org/changeset/178629>