Bug 18392

Summary:

Crash in KJS::ArrayInstance::inlineGetOwnPropertySlot viewing enhanced Wikipedia diff

Product:

WebKit

Reporter:

Derk-Jan Hartman <hartman.wiki>

Component:

JavaScriptCore

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

dev+webkit, zwarich

Priority:

Keywords:

NeedsReduction

Version:

525.x (Safari 3.1)

Hardware:

Mac (Intel)

OS:

OS X 10.5

URL:

http://en.wikipedia.org/w/index.php?title=Juno_%28film%29&curid=11862690&diff=204473416&oldid=204458429

Attachments:

Description	Flags
Crash report of Safari 3.1	none
System configuration	none
Crash report for Safari NB	none

Derk-Jan Hartman

Reported 2008-04-09 11:46:27 PDT

This is an issue that I ran into with Safari 3.1 To reproduce: 1: Register on en.wikipedia.org 2: Go to preferences->Gadgets 3: select "Improved diff view" and save 4: Visit a diff link http://en.wikipedia.org/w/index.php?title=Juno_%28film%29&curid=11862690&diff=204473416&oldid=204458429 5: Below the diff should be a button with a small green triangle. 6: Clicking the bug crashes Safari with attached crashreport

Attachments
Crash report of Safari 3.1 (27.67 KB, text/plain) 2008-04-09 11:47 PDT, Derk-Jan Hartman	no flags	Details
System configuration (1.25 KB, text/plain) 2008-04-09 11:47 PDT, Derk-Jan Hartman	no flags	Details
Crash report for Safari NB (44.58 KB, text/plain) 2008-04-09 11:55 PDT, Derk-Jan Hartman	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Derk-Jan Hartman

Comment 1 2008-04-09 11:47:05 PDT

Created attachment 20435 [details] Crash report of Safari 3.1

Derk-Jan Hartman

Comment 2 2008-04-09 11:47:35 PDT

Created attachment 20436 [details] System configuration

Matt Lilek

Comment 3 2008-04-09 11:52:23 PDT

Confirmed with r31753, probably a regression but it untested right now. Top of debug stack trace: Thread 0 Crashed: 0 com.apple.JavaScriptCore 0x0047df6c KJS::ArrayInstance::inlineGetOwnPropertySlot(KJS::ExecState*, unsigned int, KJS::PropertySlot&) + 162 (array_instance.cpp:148) 1 com.apple.JavaScriptCore 0x00427f42 KJS::ArrayInstance::getOwnPropertySlot(KJS::ExecState*, unsigned int, KJS::PropertySlot&) + 38 (array_instance.cpp:182) 2 com.apple.JavaScriptCore 0x0040982f KJS::JSObject::getPropertySlot(KJS::ExecState*, unsigned int, KJS::PropertySlot&) + 51 (object.cpp:183) 3 com.apple.JavaScriptCore 0x0042697e KJS::JSObject::get(KJS::ExecState*, unsigned int) const + 38 (object.cpp:172) 4 com.apple.JavaScriptCore 0x0047f9b5 KJS::BracketAccessorNode::inlineEvaluate(KJS::ExecState*) + 235 (nodes.cpp:912) 5 com.apple.JavaScriptCore 0x004351d4 KJS::BracketAccessorNode::evaluate(KJS::ExecState*) + 30 (nodes.cpp:919) 6 com.apple.JavaScriptCore 0x0047ed75 KJS::NotEqualNode::inlineEvaluateToBoolean(KJS::ExecState*) + 37 (nodes.cpp:3143) 7 com.apple.JavaScriptCore 0x0043308a KJS::NotEqualNode::evaluateToBoolean(KJS::ExecState*) + 30 (nodes.cpp:3158) 8 com.apple.JavaScriptCore 0x004319b5 KJS::IfNode::execute(KJS::ExecState*) + 43 (nodes.cpp:4026) 9 com.apple.JavaScriptCore 0x0041535d KJS::statementListExecute(WTF::Vector<WTF::RefPtr<KJS::StatementNode>, 0ul>&, KJS::ExecState*) + 85 (nodes.cpp:3946) 10 com.apple.JavaScriptCore 0x004153ea KJS::BlockNode::execute(KJS::ExecState*) + 26 (nodes.cpp:3972)

Derk-Jan Hartman

Comment 4 2008-04-09 11:55:00 PDT

Created attachment 20437 [details] Crash report for Safari NB Crash report of Safari NB 5525.13 (rev 31388 ). Confirmed in #webkit by pewtermoose and cpst

Derk-Jan Hartman

Comment 5 2008-04-10 11:23:43 PDT

Apparently the script also takes IE to 100% memory usage. So there is probably an error in the code that is at the root of this crash.

Derk-Jan Hartman

Comment 6 2008-04-12 17:40:04 PDT

I looked at the script in question today for a minute and spotted the following: // get diff table and version link cells var tdArray = document.getElementsByTagName('TD'); var tdOld; var tdNew; for (var i = 0; i < tdArray.length; i ++) { if (tdArray[i].className == 'diff-otitle') { tdOld = tdArray[i]; } else if (tdArray[i].className == 'diff-ntitle') { tdNew = tdArray[i]; break; } } if ( (tdOld == null) || (tdNew == null) ) { return; } var oldVersion = null; var newVersion = null; var oldUrl; var newUrl; probably crashes on the line: if (tdArray[i].className == 'diff-otitle') The problem being that getElementsByTagName returns a Nodelist and not an Array object.

Cameron Zwarich (cpst)

Comment 7 2008-06-29 02:23:56 PDT

This doesn't crash for me with the r34824 nightly and a local debug build of r34870. As far as I can tell, it hasn't happened since SquirrelFish. Can we close this?

Derk-Jan Hartman

Comment 8 2008-10-30 14:02:41 PDT

Confirmed, no longer crashes for me either.

Note You need to log in before you can comment on or make changes to this bug.