Bug 18816

Summary:	ASSERTION FAILED: !vb->isUndefined() loading unl.edu
Product:	WebKit	Reporter:	Brian Shumate <shumatejb>
Component:	JavaScriptCore	Assignee:	Nobody <webkit-unassigned>
Status:	RESOLVED WORKSFORME
Severity:	Normal	CC:	ap, zwarich
Priority:	P1	Keywords:	NeedsReduction, Regression
Version:	528+ (Nightly build)
Hardware:	Mac
OS:	OS X 10.5
URL:	http://www.unl.edu

Brian Shumate

Reported 2008-04-30 12:49:38 PDT

When visiting the UNL website at www.unl.edu, Webkit crashes. This should be reproducible on WebKit nightly build r32698

Attachments
Add attachment proposed patch, testcase, etc.

Matt Lilek

Comment 1 2008-04-30 12:59:11 PDT

Confirmed with r32736; regression from Safari 3.1.1 (5525.18) ASSERTION FAILED: !vb->isUndefined() (/Users/matt/Code/WebKit/JavaScriptCore/kjs/array_instance.cpp:496 bool KJS::CompareWithCompareFunctionArguments::operator()(KJS::JSValue*, KJS::JSValue*)) Thread 0 Crashed: 0 com.apple.JavaScriptCore 0x004a3b99 KJS::CompareWithCompareFunctionArguments::operator()(KJS::JSValue*, KJS::JSValue*) + 145 (array_instance.cpp:496) 1 com.apple.JavaScriptCore 0x004a429b void std::__unguarded_linear_insert<KJS::JSValue**, KJS::JSValue*, KJS::CompareWithCompareFunctionArguments>(KJS::JSValue**, KJS::JSValue*, KJS::CompareWithCompareFunctionArguments) + 69 (stl_algo.h:2108) 2 com.apple.JavaScriptCore 0x004a4383 void std::__insertion_sort<KJS::JSValue**, KJS::CompareWithCompareFunctionArguments>(KJS::JSValue**, KJS::JSValue**, KJS::CompareWithCompareFunctionArguments) + 145 (stl_algo.h:2156) 3 com.apple.JavaScriptCore 0x004a4428 void std::__final_insertion_sort<KJS::JSValue**, KJS::CompareWithCompareFunctionArguments>(KJS::JSValue**, KJS::JSValue**, KJS::CompareWithCompareFunctionArguments) + 144 (stl_algo.h:2240) 4 com.apple.JavaScriptCore 0x004a44a4 void std::sort<KJS::JSValue**, KJS::CompareWithCompareFunctionArguments>(KJS::JSValue**, KJS::JSValue**, KJS::CompareWithCompareFunctionArguments) + 122 (stl_algo.h:2608) 5 com.apple.JavaScriptCore 0x00448c14 KJS::ArrayInstance::sort(KJS::ExecState*, KJS::JSObject*) + 104 (array_instance.cpp:518) 6 com.apple.JavaScriptCore 0x004490be KJS::arrayProtoFuncSort(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 194 (array_object.cpp:371) 7 com.apple.JavaScriptCore 0x00426650 KJS::PrototypeFunction::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 34 (function.cpp:906) 8 com.apple.JavaScriptCore 0x004484b6 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:99) 9 com.apple.JavaScriptCore 0x004a6940 KJS::FunctionCallDotNode::inlineEvaluate(KJS::ExecState*) + 802 (nodes.cpp:1495) 10 com.apple.JavaScriptCore 0x0045edca KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 30 (nodes.cpp:1501)

Cameron Zwarich (cpst)

Comment 2 2008-06-09 03:00:23 PDT

This no longer occurs, even with COLLECT_ON_EVERY_ALLOCATION. I don't have a debug build of r32698 to check, so maybe the page changed and it doesn't even occur with that revision anymore. Should we close this?

Alexey Proskuryakov

Comment 3 2008-06-09 14:14:56 PDT

This code has changed a lot since r32698, with many bugs fixed, so it is likely that the root cause of this was addressed.

Note You need to log in before you can comment on or make changes to this bug.