| Summary: | Regression(r26847): Crash when sorting an empty array from JavaScript | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | John Moe <john> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | darin, dev+webkit, ggaren, mjs, mrowe |
| Priority: | P1 | Keywords: | HasReduction, Regression |
| Version: | 523.x (Safari 3) | | |
| Hardware: | Mac | | |
| OS: | OS X 10.4 | | |
| URL: | http://slashdot.org/firehose.pl | | |
| Attachments: | Patch (attachment 16783) | | |
Description
John Moe
2007-10-21 18:47:38 PDT
I don't see a crash, but this is printed to the console:

```text
Safari(27527,0xa000d000) malloc: *** Deallocation of a pointer not malloced: 0xfffffff8; This could be a double free(), or free() called with the middle of an allocated block; Try setting environment variable MallocHelp to see tools to help debug
Safari(27527,0xa000d000) malloc: *** Deallocation of a pointer not malloced: 0xfffffff8; This could be a double free(), or free() called with the middle of an allocated block; Try setting environment variable MallocHelp to see tools to help debug
Safari(27527,0xa000d000) malloc: *** Deallocation of a pointer not malloced: 0xfffffff8; This could be a double free(), or free() called with the middle of an allocated block; Try setting environment variable MallocHelp to see tools to help debug
Safari(27527,0xa000d000) malloc: *** Deallocation of a pointer not malloced: 0xfffffff8; This could be a double free(), or free() called with the middle of an allocated block; Try setting environment variable MallocHelp to see tools to help debug
```

Sounds like Matt was using a debug build. FastMalloc is a lot less forgiving on double-frees and the like than the system allocator used in release builds.

I don't see a crash with a recent release build, but I do get the following errors that indicate something bad is happening in malloc-land:

```text
22/10/07 13:48:28 Safari[62662] ERROR: free is not supported
22/10/07 13:48:28 Safari[62662] (JavaScriptCore/kjs/CollectorHeapIntrospector.h:56 static void KJS::CollectorHeapIntrospector::zoneFree(malloc_zone_t*, void*))
```

Reduction is simple: `[].sort()`

This looks to have been introduced by Darin's change to arrays yesterday.

Simple reduction, simple fix (array_object.cpp line 66):

```cpp
static inline void freeStorage(JSValue** storage)
{
    // An empty array has no storage; without the check, fastFree(0 - 2)
    // is the bogus 0xfffffff8 free seen in the console output above.
    if (storage) // <-- add this check
        fastFree(storage - 2);
}
```

That looks like a correct fix, as the null check in freeStorage was removed in r26847. Care to attach a patch with a ChangeLog entry, John?
And a test case, of course :)

No thanks. I am happy to just complain about bugs and leave patch/test case creation to the pros.

Created attachment 16783 [details]
Patch

Comment on attachment 16783 [details]
Patch

r=me

Landed in r26862.
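The bug thread above explains the failure only in outline: the element pointer an array hands around points two slots past the real allocation, so `freeStorage` steps back by two before calling `fastFree`, and for an empty array (which owns no storage) that turns a null pointer into `0 - 2 * sizeof(JSValue*)`, which on the 32-bit Safari 3 build is exactly the `0xfffffff8` the console reported. The model below is an added example, not JavaScriptCore code: `JSValue` is left opaque, the two-slot header and the names `allocateStorage`, `fastMalloc`, `fastFree`, `headerAddress` and `runScenario` are assumptions chosen to mirror the report, and the toy allocator only records a bad free instead of aborting so both the pre-fix and post-fix behaviour can be exercised in one process. Pointer arithmetic on a null pointer is undefined behaviour in C++, so the unguarded path computes the address in integer arithmetic rather than with `storage - 2`.

```cpp
// Added example modelling the r26847 regression, not JavaScriptCore code.
#include <cstdint>
#include <cstdlib>
#include <set>

struct JSValue;                                 // opaque element type, as in KJS
static const std::size_t kHeaderSlots = 2;      // assumption: two header words precede the elements

// Toy stand-in for FastMalloc: remembers every block it issued so a free of a
// pointer it never handed out is detected instead of corrupting the heap.
static std::set<void*> g_liveBlocks;
static int g_badFrees = 0;                      // count of "Deallocation of a pointer not malloced"

static void* fastMalloc(std::size_t bytes) {
    void* p = std::malloc(bytes);
    g_liveBlocks.insert(p);
    return p;
}

static void fastFree(void* p) {
    std::set<void*>::iterator it = g_liveBlocks.find(p);
    if (it == g_liveBlocks.end()) {
        ++g_badFrees;                           // a real allocator would abort or corrupt metadata here
        return;
    }
    g_liveBlocks.erase(it);
    std::free(p);
}

// Allocates header + elements and returns a pointer to the first element,
// which is why freeing must step back kHeaderSlots (the "storage - 2" in the report).
static JSValue** allocateStorage(std::size_t length) {
    if (length == 0)
        return nullptr;                         // an empty array owns no storage: the [].sort() case
    void* block = fastMalloc((length + kHeaderSlots) * sizeof(JSValue*));
    return static_cast<JSValue**>(block) + kHeaderSlots;
}

// Address the unguarded free passes to the allocator. For nullptr this wraps to
// 0xfffffff8 on a 32-bit build, matching the console output in the report.
static std::uintptr_t headerAddress(JSValue** storage) {
    return reinterpret_cast<std::uintptr_t>(storage) - kHeaderSlots * sizeof(JSValue*);
}

// Behaviour after r26847 as described in the thread: no null check.
static void freeStorageUnguarded(JSValue** storage) {
    fastFree(reinterpret_cast<void*>(headerAddress(storage)));
}

// The fix proposed in the thread: skip the free when there is no storage.
static void freeStorage(JSValue** storage) {
    if (storage)
        fastFree(storage - kHeaderSlots);
}

// Frees an empty and a three-element array with one of the two versions;
// returns how many bogus frees the allocator saw.
static int runScenario(bool guarded) {
    g_badFrees = 0;
    JSValue** empty = allocateStorage(0);
    JSValue** three = allocateStorage(3);
    if (guarded) {
        freeStorage(empty);
        freeStorage(three);
    } else {
        freeStorageUnguarded(empty);
        freeStorageUnguarded(three);
    }
    return g_badFrees;
}
```

The unguarded run reports one bad free (the empty array) and the guarded run none; the non-empty array is freed correctly by both, which is why the regression only surfaced on `[].sort()`. The release-build system allocator tolerated the bogus free and merely logged it, while debug FastMalloc did not, so a missing null check before pointer arithmetic plus free is a memory-safety bug even when the default build appears to survive it.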