Bug 19214

Summary: REGRESSION (r34073) : Crash opening http://reddit.com/r/programming/
Product: WebKit
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Mac
OS: OS X 10.5
Status: RESOLVED FIXED
Severity: Normal
Priority: P1
Keywords: InRadar
Reporter: Alexey Proskuryakov <ap>
Assignee: Nobody <webkit-unassigned>
CC: mjs
Attachments:
Description          Flags
partial reduction    none
further reduction    none
reduction            none

Description Alexey Proskuryakov 2008-05-23 06:20:24 PDT
I'm often getting a crash opening http://reddit.com/r/programming/ (but not 100%)
Comment 1 Alexey Proskuryakov 2008-05-23 06:21:13 PDT
Stack traces are different each time.
Comment 2 Alexey Proskuryakov 2008-05-23 06:43:23 PDT
Guard Malloc crash log:

#0	0x00394472 in GMmalloc_zone_free
#1	0x003948ff in GMfree
#2	0x0068c568 in WTF::fastFree at FastMalloc.cpp:188
#3	0x006e1676 in KJS::RegisterFile::setBuffer at RegisterFile.h:153
#4	0x00690c63 in KJS::RegisterFile::newBuffer at RegisterFile.cpp:47
#5	0x00691008 in KJS::RegisterFile::addGlobalSlots at RegisterFile.cpp:81
#6	0x007408cd in KJS::Machine::execute at Machine.cpp:657
#7	0x006d714c in KJS::Interpreter::evaluate at interpreter.cpp:81
#8	0x02ce4c80 in WebCore::KJSProxy::evaluate at kjs_proxy.cpp:89
#9	0x0283dee3 in WebCore::FrameLoader::executeScript at FrameLoader.cpp:785
#10	0x028cc2fe in WebCore::HTMLTokenizer::scriptExecution at HTMLTokenizer.cpp:540
#11	0x028cc74c in WebCore::HTMLTokenizer::notifyFinished at HTMLTokenizer.cpp:1987
#12	0x026ead16 in WebCore::CachedScript::checkNotify at CachedScript.cpp:95
#13	0x026eae77 in WebCore::CachedScript::data at CachedScript.cpp:85
#14	0x02ce6df0 in WebCore::Loader::Host::didFinishLoading at loader.cpp:268
#15	0x02c6b4a3 in WebCore::SubresourceLoader::didFinishLoading at SubresourceLoader.cpp:193
#16	0x02b37c8e in WebCore::ResourceLoader::didFinishLoading at ResourceLoader.cpp:389
#17	0x02b353f3 in -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] at ResourceHandleMac.mm:521
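The trace above ends in GMmalloc_zone_free called from WTF::fastFree inside KJS::RegisterFile::setBuffer, i.e. Guard Malloc rejecting the pointer being released when the register file swaps in a new buffer. The report never states the root cause (Comment 10 fixes it by rolling out another change), so the following is an added example, not WebKit code and not the actual bug: a toy growable register file with a run of global slots in front of a base pointer, modelled only loosely on the newBuffer/setBuffer/addGlobalSlots frames, plus a stand-in for a checking allocator. The hypothetical defect it shows, releasing an interior pointer instead of the one malloc returned, is one common way to get exactly this symptom pattern: a checking allocator such as Guard Malloc aborts immediately at the free, while the system allocator may accept the bad free, corrupt its own metadata, and crash later at an unrelated, varying site. Names such as rf_add_global_slots and checked_free are this example's own.

```c
/* Added example, not WebKit code. The interior-pointer free below is a
 * hypothetical illustration of a Guard-Malloc-only crash, not the root
 * cause recorded in this bug. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { long value; } Register;

/* Stand-in for a checking allocator (Guard Malloc's role in the trace):
 * remembers every live block and refuses to free anything else. */
#define MAX_LIVE 64
static void *live[MAX_LIVE];
static int bad_frees;                 /* count of rejected frees */

static void *checked_malloc(size_t n) {
    void *p = malloc(n);
    if (!p) abort();
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; return p; }
    abort();                          /* tracking table full: not expected here */
}

static void checked_free(void *p) {
    if (!p) return;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    bad_frees++;   /* Guard Malloc would abort here (cf. GMmalloc_zone_free) */
}

typedef struct {
    Register *buffer;     /* pointer malloc returned */
    Register *base;       /* buffer + numGlobals: register 0 of the frame */
    size_t numGlobals;
    size_t capacity;      /* total Registers in buffer */
} RegisterFile;

static void rf_init(RegisterFile *rf, size_t capacity) {
    rf->buffer = checked_malloc(capacity * sizeof(Register));
    memset(rf->buffer, 0, capacity * sizeof(Register));
    rf->base = rf->buffer;
    rf->numGlobals = 0;
    rf->capacity = capacity;
}

/* Grow the file by `extra` global slots placed in front of base.
 * `buggy` selects which pointer is handed back when the old buffer goes. */
static void rf_add_global_slots(RegisterFile *rf, size_t extra, int buggy) {
    size_t newCapacity = rf->capacity + extra;
    Register *newBuffer = checked_malloc(newCapacity * sizeof(Register));
    memset(newBuffer, 0, extra * sizeof(Register));
    memcpy(newBuffer + extra, rf->buffer, rf->capacity * sizeof(Register));

    /* The old block must be released via rf->buffer, the pointer malloc
     * returned. Once numGlobals > 0, rf->base points into the middle of
     * that block, so freeing it is an invalid (interior-pointer) free. */
    checked_free(buggy ? rf->base : rf->buffer);

    rf->buffer = newBuffer;
    rf->numGlobals += extra;
    rf->base = newBuffer + rf->numGlobals;
    rf->capacity = newCapacity;
}

static void rf_destroy(RegisterFile *rf) {
    checked_free(rf->buffer);
    rf->buffer = rf->base = NULL;
}

/* Two growth steps; returns how many frees the checker rejected. */
int run_register_file(int buggy) {
    RegisterFile rf;
    bad_frees = 0;
    rf_init(&rf, 4);
    rf_add_global_slots(&rf, 2, buggy);  /* base == buffer: even buggy path frees correctly */
    rf_add_global_slots(&rf, 3, buggy);  /* base != buffer: buggy path frees an interior pointer */
    rf_destroy(&rf);
    return bad_frees;
}

int main(void) {
    printf("correct code: %d rejected frees\n", run_register_file(0));
    printf("buggy code:   %d rejected frees\n", run_register_file(1));
    return 0;
}
```

The first growth step passes in both variants because base and buffer still coincide, which is why a bug of this shape tends to surface only once the register file has grown more than once; with the system allocator in place of checked_free the second free would not be refused, and the damage would show up somewhere else later, matching the "stack traces are different each time" observation in Comment 1.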
Comment 3 Alexey Proskuryakov 2008-05-23 07:40:27 PDT
http://www.prototypejs.org/contribute crashes with the same stack trace under GuardMalloc (and randomly without it).
Comment 4 Alexey Proskuryakov 2008-05-23 09:00:37 PDT
Simply including prototype.js from an otherwise empty file is enough to trigger this under Guard Malloc.
Comment 5 Alexey Proskuryakov 2008-05-23 09:48:09 PDT
Created attachment 21313 [details]
partial reduction

Only crashes under Guard Malloc for me.
Comment 6 Darin Adler 2008-05-23 10:40:59 PDT
<rdar://problem/5959593>
Comment 7 Alexey Proskuryakov 2008-05-23 10:56:38 PDT
Created attachment 21314 [details]
further reduction
Comment 8 Alexey Proskuryakov 2008-05-23 11:12:51 PDT
Created attachment 21315 [details]
reduction
Comment 9 Alexey Proskuryakov 2008-05-23 11:49:36 PDT
(just a reminder: the latest reduction also only crashes under Guard Malloc)
Comment 10 Geoffrey Garen 2008-05-23 12:37:42 PDT
I've fixed this for now by rolling out the patch for <rdar://problem/5957662>, and reopening that bug.