Bug 18816

Summary: ASSERTION FAILED: !vb->isUndefined() loading unl.edu
Product: WebKit
Reporter: Brian Shumate <shumatejb>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED WORKSFORME
Severity: Normal
CC: ap, zwarich
Priority: P1
Keywords: NeedsReduction, Regression
Version: 528+ (Nightly build)
Hardware: Mac
OS: OS X 10.5
URL: http://www.unl.edu

Description Brian Shumate 2008-04-30 12:49:38 PDT
When visiting the UNL website at www.unl.edu, WebKit crashes. This should be reproducible on WebKit nightly build r32698.
Comment 1 Matt Lilek 2008-04-30 12:59:11 PDT
Confirmed with r32736; regression from Safari 3.1.1 (5525.18)

ASSERTION FAILED: !vb->isUndefined()
(/Users/matt/Code/WebKit/JavaScriptCore/kjs/array_instance.cpp:496 bool KJS::CompareWithCompareFunctionArguments::operator()(KJS::JSValue*, KJS::JSValue*))

Thread 0 Crashed:
0   com.apple.JavaScriptCore      	0x004a3b99 KJS::CompareWithCompareFunctionArguments::operator()(KJS::JSValue*, KJS::JSValue*) + 145 (array_instance.cpp:496)
1   com.apple.JavaScriptCore      	0x004a429b void std::__unguarded_linear_insert<KJS::JSValue**, KJS::JSValue*, KJS::CompareWithCompareFunctionArguments>(KJS::JSValue**, KJS::JSValue*, KJS::CompareWithCompareFunctionArguments) + 69 (stl_algo.h:2108)
2   com.apple.JavaScriptCore      	0x004a4383 void std::__insertion_sort<KJS::JSValue**, KJS::CompareWithCompareFunctionArguments>(KJS::JSValue**, KJS::JSValue**, KJS::CompareWithCompareFunctionArguments) + 145 (stl_algo.h:2156)
3   com.apple.JavaScriptCore      	0x004a4428 void std::__final_insertion_sort<KJS::JSValue**, KJS::CompareWithCompareFunctionArguments>(KJS::JSValue**, KJS::JSValue**, KJS::CompareWithCompareFunctionArguments) + 144 (stl_algo.h:2240)
4   com.apple.JavaScriptCore      	0x004a44a4 void std::sort<KJS::JSValue**, KJS::CompareWithCompareFunctionArguments>(KJS::JSValue**, KJS::JSValue**, KJS::CompareWithCompareFunctionArguments) + 122 (stl_algo.h:2608)
5   com.apple.JavaScriptCore      	0x00448c14 KJS::ArrayInstance::sort(KJS::ExecState*, KJS::JSObject*) + 104 (array_instance.cpp:518)
6   com.apple.JavaScriptCore      	0x004490be KJS::arrayProtoFuncSort(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 194 (array_object.cpp:371)
7   com.apple.JavaScriptCore      	0x00426650 KJS::PrototypeFunction::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 34 (function.cpp:906)
8   com.apple.JavaScriptCore      	0x004484b6 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:99)
9   com.apple.JavaScriptCore      	0x004a6940 KJS::FunctionCallDotNode::inlineEvaluate(KJS::ExecState*) + 802 (nodes.cpp:1495)
10  com.apple.JavaScriptCore      	0x0045edca KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 30 (nodes.cpp:1501)

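The assertion in the trace above, !vb->isUndefined() inside the sort comparator wrapper, encodes an ECMAScript rule: Array.prototype.sort must order undefined values (and holes) after every defined value without ever passing undefined to the user-supplied comparefn. The following is an added example, not code from this bug report or from WebKit; it shows a probe that records whether an engine's sort ever hands a comparator undefined, alongside a hypothetical reference implementation (specSort, a name chosen here) of the partitioning rule the assertion relies on. The sample array is constructed for illustration.

```javascript
// Added example, not from the bug report or WebKit. Demonstrates the invariant
// behind "ASSERTION FAILED: !vb->isUndefined()": a comparator given to
// Array.prototype.sort must never observe `undefined`, because the spec's
// SortCompare orders undefined (and holes) last without calling comparefn.

// Wrap a comparator so we can count how often the engine hands it `undefined`.
function probeComparator(compare) {
  const seen = { calls: 0, undefinedArgs: 0 };
  const wrapped = (a, b) => {
    seen.calls += 1;
    if (a === undefined || b === undefined) seen.undefinedArgs += 1;
    return compare(a, b);
  };
  return { wrapped, seen };
}

// Hypothetical reference implementation of the spec's partitioning rule:
// defined values are sorted with comparefn, undefined values follow them,
// and holes are re-created at the end so the length is preserved.
function specSort(arr, compare) {
  const len = arr.length;
  const defined = [];
  let undefinedCount = 0;
  for (let i = 0; i < len; i++) {
    if (!(i in arr)) continue;                // hole: dropped, restored at the end
    if (arr[i] === undefined) { undefinedCount += 1; continue; }
    defined.push(arr[i]);
  }
  defined.sort(compare);                      // comparefn only sees defined values
  const result = defined.concat(new Array(undefinedCount).fill(undefined));
  result.length = len;                        // trailing positions become holes
  return result;
}

// Run the engine's own sort over a constructed array containing undefined
// values and a hole, and report how many times the comparator saw undefined.
// A spec-conforming engine returns 0; the crash in this bug is the assertion
// that guards exactly this count inside JavaScriptCore.
function engineComparatorUndefinedCount() {
  const sample = [3, undefined, 1, , 2, undefined, 0]; // constructed input
  const { wrapped, seen } = probeComparator((a, b) => a - b);
  sample.sort(wrapped);
  return seen.undefinedArgs;
}

// Same check against the reference implementation.
function referenceComparatorUndefinedCount() {
  const sample = [3, undefined, 1, , 2, undefined, 0]; // constructed input
  const { wrapped, seen } = probeComparator((a, b) => a - b);
  specSort(sample, wrapped);
  return seen.undefinedArgs;
}
```

Both counters should come back 0; a non-zero value from the engine check would indicate the kind of invariant violation the assertion in array_instance.cpp was written to catch.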
Comment 2 Cameron Zwarich (cpst) 2008-06-09 03:00:23 PDT
This no longer occurs, even with COLLECT_ON_EVERY_ALLOCATION. I don't have a debug build of r32698 to check, so maybe the page changed and it doesn't even occur with that revision anymore.

Should we close this?
Comment 3 Alexey Proskuryakov 2008-06-09 14:14:56 PDT
This code has changed a lot since r32698, with many bugs fixed, so it is likely that the root cause of this was addressed.