Bug 20391
| Summary: | REGRESSION (r35417-r35531): Crash in Machine.cpp:1838 when leaving GAFYD GMail | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Ian 'Hixie' Hickson <ian> |
| Component: | JavaScriptCore | Assignee: | Cameron Zwarich (cpst) <zwarich> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | ap, aroben, mrowe, oliver, zwarich |
| Priority: | P1 | Keywords: | InRadar, Regression |
| Version: | 528+ (Nightly build) | | |
| Hardware: | Mac (Intel) | | |
| OS: | OS X 10.5 | | |
Ian 'Hixie' Hickson
STEPS TO REPRODUCE
1. Log in to Google Apps For Your Domain GMail
2. Reload, navigate away, or otherwise cause the page to unload.
ACTUAL RESULTS
Crash.
Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000004
Stack trace: http://pastebin.com/f51ea9e1d
<bdash> Machine.cpp:1838 is where the crash is happening
Geoffrey Garen
Very similar to https://bugs.webkit.org/show_bug.cgi?id=20386.
Ian 'Hixie' Hickson
Doesn't crash in r35417
Does crash in r35531
Mark Rowe (bdash)
Line 1838 is:
r[dst] = scope->registerAt(index);
The disassembly indicates that the crash is due to "scope" being 0.
Mark Rowe (bdash)
<rdar://problem/6152195>
Cameron Zwarich (cpst)
This is a reproducible crash, so it should be P1. I am also assigning it to myself.
Cameron Zwarich (cpst)
Since this seems so similar to bug 20386, it seems like the regression is caused by r35445, but I have no way of testing myself. I'll try to fix bug 20386, and see if the fix also works for this bug.
Oliver Hunt
Bug 20386 is now fixed (r35812), so this may be fixed. Hixie, can you check?
Cameron Zwarich (cpst)
Ian said that this was indeed fixed.