Bug 140579

Summary: Crash in JSScope::resolve() on tools.ups.com
Product: WebKit Reporter: Michael Saboff <msaboff>
Component: JavaScriptCoreAssignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED    
Severity: Normal    
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
URL: https://tools.usps.com/go/POLocatorAction.action
Attachments:
Description Flags
Patch ggaren: review+

Michael Saboff
Reported 2015-01-16 17:09:17 PST
Go to https://tools.usps.com/go/POLocatorAction.action and wait a few seconds and WebKit will crash similar to: Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x00007fff986419c0 JSC::JSScope::resolve(JSC::ExecState*, JSC::JSScope*, JSC::Identifier const&) + 32 1 ??? 0x00002b82e56548d6 0 + 47841194363094 2 ??? 0x00002b82e565a9b2 0 + 47841194387890 3 com.apple.JavaScriptCore 0x00007fff986783fe llint_entry + 22198 4 com.apple.JavaScriptCore 0x00007fff986783fe llint_entry + 22198 5 com.apple.JavaScriptCore 0x00007fff986783fe llint_entry + 22198 6 ??? 0x00002b82e56596d6 0 + 47841194383062 7 ??? 0x00002b82e5601a20 0 + 47841194023456 8 com.apple.JavaScriptCore 0x00007fff986783fe llint_entry + 22198 9 ??? 0x00002b82e56596d6 0 + 47841194383062 10 ??? 0x00002b82e5601a20 0 + 47841194023456 11 ??? 0x00002b82e5656d68 0 + 47841194372456 12 ??? 0x00002b82e5601a20 0 + 47841194023456 13 com.apple.JavaScriptCore 0x00007fff986783fe llint_entry + 22198 14 com.apple.JavaScriptCore 0x00007fff98678633 llint_entry + 22763 15 com.apple.JavaScriptCore 0x00007fff98678506 llint_entry + 22462 16 com.apple.JavaScriptCore 0x00007fff986783fe llint_entry + 22198 17 ??? 0x00002b82e56019fa 0 + 47841194023418 18 com.apple.JavaScriptCore 0x00007fff98678633 llint_entry + 22763 19 com.apple.JavaScriptCore 0x00007fff98678571 llint_entry + 22569 20 com.apple.JavaScriptCore 0x00007fff98672b38 vmEntryToJavaScript + 326 21 com.apple.JavaScriptCore 0x00007fff985e4e29 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 169 22 com.apple.JavaScriptCore 0x00007fff9821cd71 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) + 9105 23 com.apple.JavaScriptCore 0x00007fff9821a8e4 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) + 484 24 com.apple.WebCore 0x00007fff994186f9 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&) + 313 25 com.apple.WebCore 0x00007fff98871719 WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) + 41 26 com.apple.WebCore 0x00007fff9887162a WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 298 27 com.apple.WebCore 0x00007fff98870b52 WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) + 946 28 com.apple.WebCore 0x00007fff9886fc15 WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition const&) + 357 29 com.apple.WebCore 0x00007fff9886fa40 WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition const&) + 48 30 com.apple.WebCore 0x00007fff9886f994 WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() + 84 31 com.apple.WebCore 0x00007fff987da6cd WebCore::HTMLDocumentParser::canTakeNextToken(WebCore::HTMLDocumentParser::SynchronousMode, WebCore::PumpSession&) + 93 32 com.apple.WebCore 0x00007fff987d97ee WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 478 33 com.apple.WebCore 0x00007fff988f87b3 WebCore::HTMLDocumentParser::resumeParsingAfterYield() + 19 34 com.apple.WebCore 0x00007fff987b7dbd WebCore::ThreadTimers::sharedTimerFiredInternal() + 157 35 com.apple.WebCore 0x00007fff987b7ce4 WebCore::timerFired(__CFRunLoopTimer*, void*) + 20 36 com.apple.CoreFoundation 0x00007fff92ea8a34 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20 37 com.apple.CoreFoundation 0x00007fff92ea86c3 __CFRunLoopDoTimer + 1059 38 com.apple.CoreFoundation 0x00007fff92f1bc8d __CFRunLoopDoTimers + 301 39 com.apple.CoreFoundation 0x00007fff92e65158 __CFRunLoopRun + 2024 40 com.apple.CoreFoundation 0x00007fff92e64728 CFRunLoopRunSpecific + 296 41 com.apple.HIToolbox 0x00007fff9b46cddf RunCurrentEventLoopInMode + 235 42 com.apple.HIToolbox 0x00007fff9b46cb5a ReceiveNextEventCommon + 431 43 com.apple.HIToolbox 0x00007fff9b46c99b _BlockUntilNextEventMatchingListInModeWithFilter + 71 44 com.apple.AppKit 0x00007fff8d4826bd _DPSNextEvent + 964 45 com.apple.AppKit 0x00007fff8d481cc0 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 194 46 com.apple.AppKit 0x00007fff8d4779c3 -[NSApplication run] + 594 47 com.apple.AppKit 0x00007fff8d3f24c4 NSApplicationMain + 1832 48 libxpc.dylib 0x00007fff9bd7e958 _xpc_objc_main + 793 49 libxpc.dylib 0x00007fff9bd80060 xpc_main + 490 50 com.apple.WebKit.WebContent 0x10d423b30 main + 16 (/SourceCache/WebKit2/WebKit2-7601.1.12/Shared/EntryPointUtilities/mac/XPCService/XPCServiceMain.mm:80) 51 libdyld.dylib 0x00007fff8f2065c9 start + 1
Attachments
Patch (4.54 KB, patch)
2015-01-16 22:29 PST, Michael Saboff 		ggaren: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Michael Saboff
Comment 1 2015-01-16 22:29:40 PST
Created attachment 244837 [details] Patch
Geoffrey Garen
Comment 2 2015-01-17 13:50:33 PST
Comment on attachment 244837 [details] Patch r=me
Michael Saboff
Comment 3 2015-01-17 16:20:44 PST
Committed r178629: <http://trac.webkit.org/changeset/178629>
Note You need to log in before you can comment on or make changes to this bug.