Bug 15603

Summary: Regression(r26847): Crash when sorting an empty array from JavaScript
Product: WebKit Reporter: John Moe <john>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: darin, dev+webkit, ggaren, mjs, mrowe
Priority: P1 Keywords: HasReduction, Regression
Version: 523.x (Safari 3)   
Hardware: Mac   
OS: OS X 10.4   
URL: http://slashdot.org/firehose.pl
Attachments:
Description Flags
Patch mitz: review+

John Moe
Reported 2007-10-21 18:47:38 PDT
revision 26855 going to the url Exception: EXC_BAD_ACCESS (0x0001) Codes: KERN_INVALID_ADDRESS (0x0001) at 0x8bd8459d Thread 0 Crashed: 0 com.apple.JavaScriptCore 0x004a6e59 WTF::fastFree(void*) + 69 (FastMalloc.cpp:2083) 1 com.apple.JavaScriptCore 0x004cc2d9 KJS::ArrayInstance::sort(KJS::ExecState*, KJS::JSObject*) + 319 (array_object.cpp:462) 2 com.apple.JavaScriptCore 0x004d85a2 KJS::ArrayProtoFunc::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 14572 (array_object.cpp:787) 3 com.apple.JavaScriptCore 0x004ed4ba KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 864 (object.cpp:95) 4 com.apple.JavaScriptCore 0x004ead53 KJS::ExprStatementNode::execute(KJS::ExecState*) + 89 (nodes.cpp:1772) 5 com.apple.JavaScriptCore 0x004e8c3f KJS::SourceElementsNode::execute(KJS::ExecState*) + 115 (nodes.cpp:2595) 6 com.apple.JavaScriptCore 0x004feb99 KJS::FunctionBodyNode::execute(KJS::ExecState*) + 367 (nodes.cpp:1753) 7 com.apple.JavaScriptCore 0x004a32e0 KJS::FunctionImp::execute(KJS::ExecState*) + 28 (function.cpp:266) 8 com.apple.JavaScriptCore 0x004f6b19 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 483 (function.cpp:94) 9 com.apple.JavaScriptCore 0x004ed4ba KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 864 (object.cpp:95) 10 com.apple.JavaScriptCore 0x004ead53 KJS::ExprStatementNode::execute(KJS::ExecState*) + 89 (nodes.cpp:1772) 11 com.apple.JavaScriptCore 0x004e8c3f KJS::SourceElementsNode::execute(KJS::ExecState*) + 115 (nodes.cpp:2595) 12 com.apple.JavaScriptCore 0x004a276e KJS::BlockNode::execute(KJS::ExecState*) + 28 (nodes.cpp:1753) 13 com.apple.JavaScriptCore 0x004eacc1 KJS::IfNode::execute(KJS::ExecState*) + 329 (nodes.cpp:1790) 14 com.apple.JavaScriptCore 0x004e8c3f KJS::SourceElementsNode::execute(KJS::ExecState*) + 115 (nodes.cpp:2595) 15 com.apple.JavaScriptCore 0x004feb99 KJS::FunctionBodyNode::execute(KJS::ExecState*) + 367 (nodes.cpp:1753) 16 com.apple.JavaScriptCore 0x004a32e0 KJS::FunctionImp::execute(KJS::ExecState*) + 28 (function.cpp:266) 17 com.apple.JavaScriptCore 0x004f6b19 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 483 (function.cpp:94) 18 com.apple.JavaScriptCore 0x004ed4ba KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 864 (object.cpp:95) 19 com.apple.JavaScriptCore 0x004ead53 KJS::ExprStatementNode::execute(KJS::ExecState*) + 89 (nodes.cpp:1772) 20 com.apple.JavaScriptCore 0x004e8c3f KJS::SourceElementsNode::execute(KJS::ExecState*) + 115 (nodes.cpp:2595) 21 com.apple.JavaScriptCore 0x004feb99 KJS::FunctionBodyNode::execute(KJS::ExecState*) + 367 (nodes.cpp:1753) 22 com.apple.JavaScriptCore 0x004a32e0 KJS::FunctionImp::execute(KJS::ExecState*) + 28 (function.cpp:266) 23 com.apple.JavaScriptCore 0x004f6b19 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 483 (function.cpp:94) 24 com.apple.JavaScriptCore 0x004ed4ba KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 864 (object.cpp:95) 25 com.apple.JavaScriptCore 0x004ead53 KJS::ExprStatementNode::execute(KJS::ExecState*) + 89 (nodes.cpp:1772) 26 com.apple.JavaScriptCore 0x004e8c3f KJS::SourceElementsNode::execute(KJS::ExecState*) + 115 (nodes.cpp:2595) 27 com.apple.JavaScriptCore 0x004feb99 KJS::FunctionBodyNode::execute(KJS::ExecState*) + 367 (nodes.cpp:1753) 28 com.apple.JavaScriptCore 0x004a32e0 KJS::FunctionImp::execute(KJS::ExecState*) + 28 (function.cpp:266) 29 com.apple.JavaScriptCore 0x004f6b19 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 483 (function.cpp:94) 30 com.apple.JavaScriptCore 0x004e01a3 KJS::FunctionImp::construct(KJS::ExecState*, KJS::List const&) + 297 (object.cpp:95) 31 com.apple.JavaScriptCore 0x004ec35c KJS::NewExprNode::evaluate(KJS::ExecState*) + 1198 (nodes.cpp:625) 32 com.apple.JavaScriptCore 0x004ebcc8 KJS::ArgumentListNode::evaluateList(KJS::ExecState*) + 146 (nodes.cpp:581) 33 com.apple.JavaScriptCore 0x004ebf9c KJS::NewExprNode::evaluate(KJS::ExecState*) + 238 (nodes.h:393) 34 com.apple.JavaScriptCore 0x004e9482 KJS::ReturnNode::execute(KJS::ExecState*) + 160 (nodes.cpp:2127) 35 com.apple.JavaScriptCore 0x004e8c3f KJS::SourceElementsNode::execute(KJS::ExecState*) + 115 (nodes.cpp:2595) 36 com.apple.JavaScriptCore 0x004feb99 KJS::FunctionBodyNode::execute(KJS::ExecState*) + 367 (nodes.cpp:1753) 37 com.apple.JavaScriptCore 0x004a32e0 KJS::FunctionImp::execute(KJS::ExecState*) + 28 (function.cpp:266) 38 com.apple.JavaScriptCore 0x004f6b19 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 483 (function.cpp:94) 39 com.apple.JavaScriptCore 0x004ed4ba KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 864 (object.cpp:95) 40 com.apple.JavaScriptCore 0x004ef4e4 KJS::AssignResolveNode::evaluate(KJS::ExecState*) + 152 (nodes.cpp:1461) 41 com.apple.JavaScriptCore 0x004ead53 KJS::ExprStatementNode::execute(KJS::ExecState*) + 89 (nodes.cpp:1772) 42 com.apple.JavaScriptCore 0x004e8c3f KJS::SourceElementsNode::execute(KJS::ExecState*) + 115 (nodes.cpp:2595) 43 com.apple.JavaScriptCore 0x004feb99 KJS::FunctionBodyNode::execute(KJS::ExecState*) + 367 (nodes.cpp:1753) 44 com.apple.JavaScriptCore 0x004a32e0 KJS::FunctionImp::execute(KJS::ExecState*) + 28 (function.cpp:266) 45 com.apple.JavaScriptCore 0x004f6b19 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 483 (function.cpp:94) 46 com.apple.JavaScriptCore 0x004ec9b9 KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 885 (object.cpp:95) 47 com.apple.JavaScriptCore 0x004ead53 KJS::ExprStatementNode::execute(KJS::ExecState*) + 89 (nodes.cpp:1772) 48 com.apple.JavaScriptCore 0x004e8c3f KJS::SourceElementsNode::execute(KJS::ExecState*) + 115 (nodes.cpp:2595) 49 com.apple.JavaScriptCore 0x004feb99 KJS::FunctionBodyNode::execute(KJS::ExecState*) + 367 (nodes.cpp:1753) 50 com.apple.JavaScriptCore 0x004f9434 KJS::Interpreter::evaluate(KJS::UString const&, int, KJS::UChar const*, int, KJS::JSValue*) + 1158 (interpreter.cpp:366) 51 com.apple.WebCore 0x011ff993 WebCore::KJSProxy::evaluate(WebCore::String const&, int, WebCore::String const&) + 195 (kjs_proxy.cpp:87) 52 com.apple.WebCore 0x01367e06 WebCore::FrameLoader::executeScript(WebCore::String const&, int, WebCore::String const&) + 68 (FrameLoader.cpp:761) 53 com.apple.WebCore 0x0101bf85 WebCore::HTMLTokenizer::scriptExecution(WebCore::DeprecatedString const&, WebCore::HTMLTokenizer::State, WebCore::DeprecatedString, int) + 349 (RefPtr.h:41) 54 com.apple.WebCore 0x0101cde3 WebCore::HTMLTokenizer::scriptHandler(WebCore::HTMLTokenizer::State) + 2071 (HTMLTokenizer.cpp:470) 55 com.apple.WebCore 0x0101d4a9 WebCore::HTMLTokenizer::parseSpecial(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 1541 (HTMLTokenizer.cpp:319) 56 com.apple.WebCore 0x0101ef21 WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 6603 (HTMLTokenizer.cpp:1278) 57 com.apple.WebCore 0x0101fb56 WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 1626 (HTMLTokenizer.cpp:1449) 58 com.apple.WebCore 0x0101c439 WebCore::HTMLTokenizer::notifyFinished(WebCore::CachedResource*) + 743 (DeprecatedValueList.h:89) 59 com.apple.WebCore 0x010e95ff WebCore::CachedScript::checkNotify() + 59 (CachedScript.cpp:92) 60 com.apple.WebCore 0x010e9929 WebCore::CachedScript::data(WTF::PassRefPtr<WebCore::SharedBuffer>, bool) + 249 (CachedScript.cpp:84) 61 com.apple.WebCore 0x010ebfa6 WebCore::Loader::didFinishLoading(WebCore::SubresourceLoader*) + 352 (PassRefPtr.h:45) 62 com.apple.WebCore 0x01375534 WebCore::SubresourceLoader::didFinishLoading() + 50 (RefPtr.h:103) 63 com.apple.WebCore 0x01347090 -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] + 68 (ResourceHandleMac.mm:456) 64 com.apple.Foundation 0x9285ad74 -[NSURLConnection(NSURLConnectionInternal) _sendDidFinishLoadingCallback] + 176 65 com.apple.Foundation 0x92858e19 -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 748 66 com.apple.Foundation 0x92858ab5 _sendCallbacks + 201 67 com.apple.CoreFoundation 0x9082cf92 CFRunLoopRunSpecific + 1213 68 com.apple.CoreFoundation 0x9082cace CFRunLoopRunInMode + 61 69 com.apple.HIToolbox 0x92de28d8 RunCurrentEventLoopInMode + 285 70 com.apple.HIToolbox 0x92de1fe2 ReceiveNextEventCommon + 385 71 com.apple.HIToolbox 0x92de1e39 BlockUntilNextEventMatchingListInMode + 81 72 com.apple.AppKit 0x93288465 _DPSNextEvent + 572 73 com.apple.AppKit 0x93288056 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 137 74 com.apple.Safari 0x00005ff4 0x1000 + 20468 75 com.apple.AppKit 0x93281ddb -[NSApplication run] + 512 76 com.apple.AppKit 0x93275d2f NSApplicationMain + 573 77 com.apple.Safari 0x00002302 0x1000 + 4866 78 com.apple.Safari 0x00048ef1 0x1000 + 294641
Attachments
Patch (2.71 KB, patch)
2007-10-21 22:39 PDT, Mark Rowe (bdash) 		mitz: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Matt Lilek
Comment 1 2007-10-21 19:08:23 PDT
I don't see a crash, but this is printed to the console: Safari(27527,0xa000d000) malloc: *** Deallocation of a pointer not malloced: 0xfffffff8; This could be a double free(), or free() called with the middle of an allocated block; Try setting environment variable MallocHelp to see tools to help debug Safari(27527,0xa000d000) malloc: *** Deallocation of a pointer not malloced: 0xfffffff8; This could be a double free(), or free() called with the middle of an allocated block; Try setting environment variable MallocHelp to see tools to help debug Safari(27527,0xa000d000) malloc: *** Deallocation of a pointer not malloced: 0xfffffff8; This could be a double free(), or free() called with the middle of an allocated block; Try setting environment variable MallocHelp to see tools to help debug Safari(27527,0xa000d000) malloc: *** Deallocation of a pointer not malloced: 0xfffffff8; This could be a double free(), or free() called with the middle of an allocated block; Try setting environment variable MallocHelp to see tools to help debug
Mark Rowe (bdash)
Comment 2 2007-10-21 20:46:59 PDT
Sounds like Matt was using a debug build. FastMalloc is a lot less forgiving on double-frees and the like than the system allocator used in release builds.
Mark Rowe (bdash)
Comment 3 2007-10-21 20:51:05 PDT
I don't see a crash with a recent release build, but I do get the following errors that indicate something bad is happening in malloc-land: 22/10/07 13:48:28 Safari[62662] ERROR: free is not supported 22/10/07 13:48:28 Safari[62662] (JavaScriptCore/kjs/CollectorHeapIntrospector.h:56 static void KJS::CollectorHeapIntrospector::zoneFree(malloc_zone_t*, void*))
Mark Rowe (bdash)
Comment 4 2007-10-21 21:02:02 PDT
Reduction is simple: [].sort() This looks to have been introduced by Darin's change to arrays yesterday.
John Moe
Comment 5 2007-10-21 21:29:47 PDT
simple reduction. simple fix (array_object.cpp line 66): static inline void freeStorage(JSValue** storage) { if (storage) // <-- add this check fastFree(storage - 2); }
Mark Rowe (bdash)
Comment 6 2007-10-21 21:48:31 PDT
That looks like a correct fix as the null-check in freeStorage was removed in r26847. Care to attach a patch with ChangeLog entry John?
Mark Rowe (bdash)
Comment 7 2007-10-21 22:00:48 PDT
And a test case, of course :)
John Moe
Comment 8 2007-10-21 22:12:04 PDT
No thanks. I am happy to just complain about bugs and leave patch/test case creation to the pros.
Mark Rowe (bdash)
Comment 9 2007-10-21 22:39:25 PDT
Created attachment 16783 [details] Patch
mitz
Comment 10 2007-10-21 22:50:10 PDT
Comment on attachment 16783 [details] Patch r=me
Mark Rowe (bdash)
Comment 11 2007-10-21 22:55:41 PDT
Landed in r26862.
Note You need to log in before you can comment on or make changes to this bug.