Bug 22537

Summary: REGRESSION (r38745): Assertion failure in jsSubstring() at ge.com
Product: WebKit
Reporter: mitz
Component: JavaScriptCore
Assignee: Geoffrey Garen <ggaren>
Status: RESOLVED FIXED
Severity: Normal
CC: ggaren
Priority: P1
Keywords: HasReduction, Regression
Version: 528+ (Nightly build)
Hardware: Mac
OS: OS X 10.5
URL: http://www.ge.com/
Attachments:
Partial reduction (340 bytes, text/html), 2008-11-27 23:01 PST, Cameron Zwarich (cpst): no flags
patch (4.38 KB, patch), 2008-12-02 20:38 PST, Geoffrey Garen: zwarich: review+

mitz
Reported 2008-11-27 22:28:27 PST
Visiting http://www.ge.com/ causes an assertion failure:

Exception Codes: KERN_INVALID_ADDRESS at 0x00000000bbadbeef
Crashed Thread: 0

Thread 0 Crashed:
0 com.apple.JavaScriptCore 0x00a9e181 JSC::jsSubstring(JSC::JSGlobalData*, JSC::UString const&, unsigned int, unsigned int) + 83 (JSString.cpp:126)
1 com.apple.JavaScriptCore 0x00b182de JSC::jsSubstring(JSC::ExecState*, JSC::UString const&, unsigned int, unsigned int) + 48 (JSString.h:173)
2 com.apple.JavaScriptCore 0x00ac9ac4 __ZN3JSCL20stringProtoFuncMatchEPNS_9ExecStateEPNS_8JSObjectEPNS_7JSValueERKNS_7ArgListE + 502 (StringPrototype.cpp:432)
3 com.apple.JavaScriptCore 0x00b6078f JSC::Interpreter::cti_op_call_NotJSFunction(void*, ...) + 461 (Interpreter.cpp:4969)
4 com.apple.JavaScriptCore 0x00b5b2de jscGeneratedNativeCode + 0 (Interpreter.cpp:4244)
5 com.apple.JavaScriptCore 0x00b623de JSC::Interpreter::execute(JSC::FunctionBodyNode*, JSC::ExecState*, JSC::JSFunction*, JSC::JSObject*, JSC::ArgList const&, JSC::ScopeChainNode*, JSC::JSValue**) + 796 (Interpreter.cpp:1003)
6 com.apple.JavaScriptCore 0x00a85b51 JSC::JSFunction::call(JSC::ExecState*, JSC::JSValue*, JSC::ArgList const&) + 139 (JSFunction.cpp:83)
7 com.apple.JavaScriptCore 0x00a85c09 JSC::call(JSC::ExecState*, JSC::JSValue*, JSC::CallType, JSC::CallData const&, JSC::JSValue*, JSC::ArgList const&) + 177 (CallData.cpp:39)
8 com.apple.WebCore 0x03a12044 WebCore::JSAbstractEventListener::handleEvent(WebCore::Event*, bool) + 786 (JSEventListener.cpp:109)
9 com.apple.WebCore 0x034db77d WebCore::Document::handleWindowEvent(WebCore::Event*, bool) + 281 (Document.cpp:2699)
10 com.apple.WebCore 0x0354250e WebCore::EventTargetNode::dispatchWindowEvent(WTF::PassRefPtr<WebCore::Event>) + 272 (EventTargetNode.cpp:409)
11 com.apple.WebCore 0x035455e3 WebCore::EventTargetNode::dispatchWindowEvent(WebCore::AtomicString const&, bool, bool) + 175 (EventTargetNode.cpp:416)
12 com.apple.WebCore 0x034e79e4 WebCore::Document::implicitClose() + 736 (Document.cpp:1562)
Cameron Zwarich (cpst)
Comment 1 2008-11-27 22:32:03 PST
I can reproduce this with a local debug build of r38826, and I am assigning this to myself.
Cameron Zwarich (cpst)
Comment 2 2008-11-27 23:01:54 PST
Created attachment 25565: Partial reduction

Here is a partial reduction. It still loads 2 JS files from GE's site, as well as whatever files they dynamically load. For some reason, it goes wonky but doesn't crash if I just copy the source of those files. I should be able to make a reduction by making local copies of these files and chopping them apart.
Cameron Zwarich (cpst)
Comment 3 2008-11-27 23:03:07 PST
It seems that GE does some referrer checking, so you need to download a local copy of that.
Cameron Zwarich (cpst)
Comment 4 2008-11-28 00:22:49 PST
I have a reduction: "splash_content".match(/[\s#.:>+~()@]|[^\s#.:>+~()@]+/g); I suspect that this is a recent regression due to changes in WREC.
Cameron Zwarich (cpst)
Comment 5 2008-11-28 00:50:22 PST
I didn't have to look far for this one. This regressed in r38745: http://trac.webkit.org/changeset/38745
Cameron Zwarich (cpst)
Comment 6 2008-11-28 00:54:24 PST
I am unassigning this. Geoff, you are probably a better person to fix this than me.
Geoffrey Garen
Comment 7 2008-12-02 17:06:37 PST
New reduction: "a".match(/b|[^b]/g)
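The two reductions in this bug (comment 4's selector-tokenizing pattern from ge.com and comment 7's minimal `"a".match(/b|[^b]/g)`) are alternations whose second branch is a negated character class. The block below is an added stand-alone check, not the test from the WebKit patch and not code from the bug reporters: it records what a correct engine returns for both patterns, and checks the invariant that jsSubstring() asserted on, namely that every match offset the regex engine reports lies inside the subject string. Helper names (tokenizeSelector, checkMatchOffsets, tokensPartitionInput) and the sample selector are assumptions made for the example.

```javascript
// Added example, not part of the WebKit bug or its patch. Runs on any
// correct engine (e.g. current Node.js); helper names are invented here.

// The pattern reduced from ge.com (comment 4): either one selector
// punctuation/whitespace character, or a run of anything that is not one.
const SELECTOR_TOKEN = /[\s#.:>+~()@]|[^\s#.:>+~()@]+/g;

// Split a CSS selector into tokens with the ge.com pattern.
function tokenizeSelector(selector) {
  return selector.match(SELECTOR_TOKEN) || [];
}

// The minimal reduction from comment 7. A correct engine returns ["a"].
function minimalReduction() {
  return "a".match(/b|[^b]/g);
}

// Invariant behind the jsSubstring() assertion: every match the engine
// reports must lie inside the subject, so subject.slice(index, index +
// length) reproduces the match text. The regressed WREC code handed
// String.prototype.match offsets that violated this; a correct engine
// never does. Returns false if any match is out of range, overlaps the
// previous one, or is empty (neither pattern here can match "").
function checkMatchOffsets(subject, pattern) {
  const flags = pattern.flags.includes("g") ? pattern.flags : pattern.flags + "g";
  const re = new RegExp(pattern.source, flags);
  let lastEnd = 0;
  for (const m of subject.matchAll(re)) {
    const start = m.index;
    const end = start + m[0].length;
    if (m[0].length === 0) return false;          // empty match
    if (start < lastEnd || end > subject.length) return false; // out of range
    if (subject.slice(start, end) !== m[0]) return false;      // offsets disagree with text
    lastEnd = end;
  }
  return true;
}

// The two alternatives of SELECTOR_TOKEN together cover every character,
// so the tokens must concatenate back to the input with nothing dropped
// or duplicated. Constructed sample selectors are passed in by the caller.
function tokensPartitionInput(selector) {
  return tokenizeSelector(selector).join("") === selector;
}
```

tokenizeSelector("div#main > p.intro:hover") yields ["div", "#", "main", " ", ">", " ", "p", ".", "intro", ":", "hover"], and "splash_content" (the string from comment 4, which contains no punctuation from the class) yields the single token ["splash_content"].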
Geoffrey Garen
Comment 8 2008-12-02 20:38:07 PST
Cameron Zwarich (cpst)
Comment 9 2008-12-02 20:43:17 PST
Comment on attachment 25699: patch

The test should be in the "new style" with the .html file in fast/js and the .js file in fast/js/resources. Other than that, r=me.
Geoffrey Garen
Comment 10 2008-12-02 20:53:23 PST
Committed revision 38929.