Bug 15731

Summary: REGRESSION(r27176): Reproducible crash while trying to order dinner makes bdash sad
Product: WebKit
Reporter: Mark Rowe (bdash) <mrowe>
Component: New Bugs
Assignee: Maciej Stachowiak <mjs>
Status: RESOLVED FIXED
Severity: Major
CC: mjs
Priority: P1
Keywords: HasReduction, Regression
Version: 523.x (Safari 3)
Hardware: Mac
OS: OS X 10.5
Attachments (Description: Flags):
Crash log: none
Reduction from Comment #7: none
let bdash have dinner: mrowe: review+

Mark Rowe (bdash)
Reported 2007-10-28 02:28:15 PDT
Steps to reproduce:
1. Visit http://www.menulog.com.au/search.php?submit2=T&searchMode=takeaway&cartType=delivery&majorRegionId=28&postcode=2010
2. Click the "Order" button alongside one of the restaurants that prepares yummy food.
3. Click "Order Delivery".
4. Click on "Surry Hills - 2010" so that the food can be delivered to me.
Expected results: Tasty food delivered to my door.
Actual results: Crash after step 5.
Notes: This worked as recently as last Wednesday.
Attachments
Crash log (29.70 KB, text/plain)
2007-10-28 02:29 PDT, Mark Rowe (bdash)
no flags
Reduction from Comment #7 (107 bytes, text/html)
2007-10-28 16:45 PDT, David Kilzer (:ddkilzer)
no flags
let bdash have dinner (5.77 KB, patch)
2007-10-28 18:31 PDT, Maciej Stachowiak
mrowe: review+
Mark Rowe (bdash)
Comment 1 2007-10-28 02:29:19 PDT
Created attachment 16911 [details] Crash log
Mark Rowe (bdash)
Comment 2 2007-10-28 02:30:21 PDT
Top of the crash log for easy reference:
  Exception Type: EXC_BAD_ACCESS (SIGBUS)
  Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000000
  Crashed Thread: 0
  Thread 0 Crashed:
  0 com.apple.WebCore 0x01e7838c KJS::Window::pauseTimeouts() + 248 (kjs_window.cpp:1564)
  1 com.apple.WebCore 0x020a15af WebCore::CachedPage::CachedPage(WebCore::Page*) + 615 (CachedPage.cpp:101)
  2 com.apple.WebCore 0x020a1668 WebCore::CachedPage::CachedPage(WebCore::Page*) + 24 (CachedPage.cpp:110)
  3 com.apple.WebCore 0x020a169b WebCore::CachedPage::create(WebCore::Page*) + 49 (CachedPage.cpp:72)
Mark Rowe (bdash)
Comment 3 2007-10-28 02:32:44 PDT
> Actual results:
> Crash after step 5.
This should have said step 4.
Eric Seidel (no email)
Comment 4 2007-10-28 02:34:24 PDT
Doesn't crash for me in a debug build.
Mark Rowe (bdash)
Comment 5 2007-10-28 02:35:31 PDT
Hrm, in step 2 try the second restaurant in the list, "Foodgame". Some others appear to not crash.
Mark Rowe (bdash)
Comment 6 2007-10-28 05:09:18 PDT
"git bisect" has narrowed this down to Maciej's HashTable change in http://trac.webkit.org/projects/webkit/changeset/27176. Previous revisions do not crash.
John Moe
Comment 7 2007-10-28 13:11:00 PDT
Reduction:
  <script>
  setTimeout('',1000);
  clearTimeout(0);
  clearTimeout(0);
  window.location = 'about:blank';
  </script>
In pauseTimeouts, d->m_timeouts.size() is returning a negative number.
David Kilzer (:ddkilzer)
Comment 8 2007-10-28 16:45:39 PDT
Created attachment 16924 [details] Reduction from Comment #7
David Kilzer (:ddkilzer)
Comment 9 2007-10-28 16:46:17 PDT
(In reply to comment #7)
> Reduction: [...]
>
> In pauseTimeouts, d->m_timeouts.size() is returning a negative number.
Thanks, John!
Maciej Stachowiak
Comment 10 2007-10-28 18:31:14 PDT
Created attachment 16929 [details] let bdash have dinner
Mark Rowe (bdash)
Comment 11 2007-10-28 18:35:38 PDT
Comment on attachment 16929 [details] let bdash have dinner r=me