Bug 19214

Summary: REGRESSION (r34073) : Crash opening http://reddit.com/r/programming/
Product: WebKit Reporter: Alexey Proskuryakov <ap>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: mjs
Priority: P1 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Mac   
OS: OS X 10.5   
Attachments:
Description Flags
partial reduction
none
further reduction
none
reduction none

Alexey Proskuryakov
Reported 2008-05-23 06:20:24 PDT
I'm often getting a crash opening http://reddit.com/r/programming/ (but not 100%)
Attachments
partial reduction (17.42 KB, text/html)
2008-05-23 09:48 PDT, Alexey Proskuryakov 		no flags
Details
further reduction (733 bytes, text/html)
2008-05-23 10:56 PDT, Alexey Proskuryakov 		no flags
Details
reduction (105 bytes, text/html)
2008-05-23 11:12 PDT, Alexey Proskuryakov 		no flags
Details
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2008-05-23 06:21:13 PDT
Stack traces are different each time.
Alexey Proskuryakov
Comment 2 2008-05-23 06:43:23 PDT
Guard Malloc crash log: #0 0x00394472 in GMmalloc_zone_free #1 0x003948ff in GMfree #2 0x0068c568 in WTF::fastFree at FastMalloc.cpp:188 #3 0x006e1676 in KJS::RegisterFile::setBuffer at RegisterFile.h:153 #4 0x00690c63 in KJS::RegisterFile::newBuffer at RegisterFile.cpp:47 #5 0x00691008 in KJS::RegisterFile::addGlobalSlots at RegisterFile.cpp:81 #6 0x007408cd in KJS::Machine::execute at Machine.cpp:657 #7 0x006d714c in KJS::Interpreter::evaluate at interpreter.cpp:81 #8 0x02ce4c80 in WebCore::KJSProxy::evaluate at kjs_proxy.cpp:89 #9 0x0283dee3 in WebCore::FrameLoader::executeScript at FrameLoader.cpp:785 #10 0x028cc2fe in WebCore::HTMLTokenizer::scriptExecution at HTMLTokenizer.cpp:540 #11 0x028cc74c in WebCore::HTMLTokenizer::notifyFinished at HTMLTokenizer.cpp:1987 #12 0x026ead16 in WebCore::CachedScript::checkNotify at CachedScript.cpp:95 #13 0x026eae77 in WebCore::CachedScript::data at CachedScript.cpp:85 #14 0x02ce6df0 in WebCore::Loader::Host::didFinishLoading at loader.cpp:268 #15 0x02c6b4a3 in WebCore::SubresourceLoader::didFinishLoading at SubresourceLoader.cpp:193 #16 0x02b37c8e in WebCore::ResourceLoader::didFinishLoading at ResourceLoader.cpp:389 #17 0x02b353f3 in -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] at ResourceHandleMac.mm:521
Alexey Proskuryakov
Comment 3 2008-05-23 07:40:27 PDT
http://www.prototypejs.org/contribute crashes with the same stack trace under GuardMalloc (and randomly without it).
Alexey Proskuryakov
Comment 4 2008-05-23 09:00:37 PDT
Simply including prototype.js from an otherwise empty file is enough to trigger this under Guard Malloc.
Alexey Proskuryakov
Comment 5 2008-05-23 09:48:09 PDT
Created attachment 21313 [details] partial reduction Only crashes under Guard Malloc for me.
Darin Adler
Comment 6 2008-05-23 10:40:59 PDT
<rdar://problem/5959593>
Alexey Proskuryakov
Comment 7 2008-05-23 10:56:38 PDT
Created attachment 21314 [details] further reduction
Alexey Proskuryakov
Comment 8 2008-05-23 11:12:51 PDT
Created attachment 21315 [details] reduction
Alexey Proskuryakov
Comment 9 2008-05-23 11:49:36 PDT
(just to remind, the latest reduction also only crashes under Guard Malloc)
Geoffrey Garen
Comment 10 2008-05-23 12:37:42 PDT
I've fixed this for now by rolling out the patch for <rdar://problem/5957662>, and reopening that bug.
Note You need to log in before you can comment on or make changes to this bug.