Bug 22797

Summary: REGRESSION: Crash at http://news.cnet.com/8301-17939_109-10119149-2.html
Product: WebKit
Reporter: Ismail Donmez <ismail>
Component: New Bugs
Assignee: Cameron Zwarich (cpst) <zwarich>
Status: RESOLVED FIXED
Severity: Normal
CC: ap, webkit, zwarich
Priority: P2
Keywords: NeedsReduction, Regression
Version: 528+ (Nightly build)
Hardware: Mac
OS: OS X 10.5
URL: http://news.cnet.com/8301-17939_109-10119149-2.html

Attachments:
Backtrace (flags: none)
Patch (flags: zwarich: review+)

Description Ismail Donmez 2008-12-10 14:31:55 PST
Reproducing this bug is kinda tricky:

- Go to http://www.reddit.com/?count=50&after=t3_7im8f
- Click the link which says "Firefox, Chrome builds virtually tied for JavaScript speed...."
- Let the CNET page load
- Press back button

Safari crashes.
Comment 1 Cameron Zwarich (cpst) 2008-12-10 14:34:46 PST
I'll assign this to myself, at least to find the point of regression. It seems like a memory smasher, because the point at which it crashes is random, and sometimes it even crashes after it has gone back.
Comment 2 Cameron Zwarich (cpst) 2008-12-10 14:49:02 PST
I have narrowed this down to the range of revisions between the r37300 and r37376 nightlies.
Comment 3 Cameron Zwarich (cpst) 2008-12-11 07:49:14 PST
Here is a link that makes it easier to reproduce:

http://www.reddit.com/search?q=firefox%2C+chrome

I have verified that this occurs in the range r37338-r37376.
Comment 4 Cameron Zwarich (cpst) 2008-12-11 09:50:43 PST
It seems that the crash I was seeing in that range was due to r37370, which was rolled out in r37381. I'll have to investigate this further.
Comment 5 Cameron Zwarich (cpst) 2008-12-11 10:29:33 PST
Created attachment 25955 [details]
Backtrace

If I enable MallocScribble while simply loading the cnet URL in a debug build of ToT WebKit, I get this backtrace every time.
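What MallocScribble buys the comment above is determinism: libmalloc fills every freed block with 0x55, so a read through a dangling pointer sees an obviously poisoned value instead of plausible stale data, and a "memory smasher" that crashes at random places turns into one that crashes at the first use after free. The following is an added example that is not part of this bug report or of WebKit; it reproduces the scribble-on-free behaviour with a tiny bump allocator over a static arena (the arena, the `rep` struct and the helper names are assumptions for illustration, and the post-free read is only well defined here because the storage is our own array, not libmalloc's).

```c
/* Added example (not WebKit code): a scribbling free(), in the spirit of
 * Apple's MallocScribble=1, which fills freed blocks with 0x55.
 * All names below are hypothetical; the arena is ours, so reading it after
 * "free" is defined, unlike a real use-after-free against the system heap. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE    4096
#define SCRIBBLE_BYTE 0x55   /* the value MallocScribble writes over freed memory */

static unsigned char arena[ARENA_SIZE];
static size_t        arena_top = 0;
static int           scribble_on_free = 0;

/* Bump allocator: never reuses memory, which keeps the demo deterministic. */
static void *arena_alloc(size_t n)
{
    if (arena_top + n > ARENA_SIZE)
        return NULL;
    void *p = arena + arena_top;
    arena_top += n;
    return p;
}

/* Free that optionally scribbles the block, as MallocScribble does. */
static void arena_free(void *p, size_t n)
{
    if (scribble_on_free)
        memset(p, SCRIBBLE_BYTE, n);
}

/* Stand-in for a ref-counted string header (hypothetical, not JSC's UString::Rep). */
struct rep {
    uint32_t refcount;
    uint32_t length;
};

/* Drop the last reference, then read through the now-dangling pointer.
 * Returns the refcount value the dangling read observes:
 *   without scribbling the stale 0 looks like a valid, fully released object;
 *   with scribbling the read yields 0x55555555, which any refcount check
 *   or pointer dereference will trip over immediately. */
uint32_t dangling_refcount_after_free(int scribble)
{
    arena_top = 0;
    scribble_on_free = scribble;

    struct rep *r = arena_alloc(sizeof *r);
    r->refcount = 1;
    r->length   = 7;

    if (--r->refcount == 0)
        arena_free(r, sizeof *r);   /* object is gone from here on */

    return r->refcount;             /* use-after-free read */
}

/* True when the value carries the scribble pattern, i.e. the read hit freed memory. */
int looks_scribbled(uint32_t v)
{
    return v == 0x55555555u;
}

int main(void)
{
    uint32_t plain = dangling_refcount_after_free(0);
    uint32_t scrib = dangling_refcount_after_free(1);
    printf("without scribble: 0x%08x (silent, looks valid)\n", plain);
    printf("with scribble:    0x%08x (poisoned: %s)\n", scrib,
           looks_scribbled(scrib) ? "yes" : "no");
    return 0;
}
```

On macOS the real thing is enabled per process from the environment, e.g. `MallocScribble=1` (and `MallocPreScribble=1` to fill fresh allocations with 0xAA) before launching a debug build; the backtrace attached to this bug is what that poisoning turns an intermittent crash into.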
Comment 6 Anders Carlsson 2008-12-11 13:21:33 PST
Created attachment 25958 [details]
Patch
Comment 7 Cameron Zwarich (cpst) 2008-12-11 13:22:45 PST
Comment on attachment 25958 [details]
Patch

r=me
Comment 8 Anders Carlsson 2008-12-11 14:01:14 PST
Committed revision 39215.
Comment 9 Peter Handel 2008-12-14 22:12:41 PST
Just saw this on r39293:

Thread 0 Crashed:
0   com.apple.JavaScriptCore      	0x0044754c WTF::HashTableIterator<JSC::UString::Rep*, JSC::UString::Rep*, WTF::IdentityExtractor<JSC::UString::Rep*>, WTF::StrHash<JSC::UString::Rep*>, WTF::HashTraits<JSC::UString::Rep*>, WTF::HashTraits<JSC::UString::Rep*> > WTF::HashTable<JSC::UString::Rep*, JSC::UString::Rep*, WTF::IdentityExtractor<JSC::UString::Rep*>, WTF::StrHash<JSC::UString::Rep*>, WTF::HashTraits<JSC::UString::Rep*>, WTF::HashTraits<JSC::UString::Rep*> >::find<JSC::UString::Rep*, WTF::IdentityHashTranslator<JSC::UString::Rep*, JSC::UString::Rep*, WTF::StrHash<JSC::UString::Rep*> > >(JSC::UString::Rep* const&) + 252
1   com.apple.JavaScriptCore      	0x003be206 JSC::Identifier::remove(JSC::UString::Rep*) + 38
2   com.apple.JavaScriptCore      	0x003be28e JSC::UString::Rep::destroy() + 30
3   com.apple.JavaScriptCore      	0x004ccc4b JSC::Structure::~Structure() + 299
4   com.apple.JavaScriptCore      	0x00459d8c JSC::JSObject::~JSObject() + 140
5   com.apple.JavaScriptCore      	0x00457178 unsigned long JSC::Heap::sweep<(JSC::HeapType)0>() + 200
6   com.apple.JavaScriptCore      	0x003cd859 JSC::Heap::collect() + 169
7   com.apple.WebCore             	0x0107e492 WebCore::Timer<WebCore::GCController>::fired() + 82
8   com.apple.WebCore             	0x014fe9d9 WebCore::TimerBase::fireTimers(double, WTF::Vector<WebCore::TimerBase*, 0ul> const&) + 137
9   com.apple.WebCore             	0x014feaa2 WebCore::TimerBase::sharedTimerFired() + 162
10  com.apple.WebCore             	0x014da904 WebCore::timerFired(__CFRunLoopTimer*, void*) + 68
11  com.apple.CoreFoundation      	0x9683ab45 CFRunLoopRunSpecific + 4469
12  com.apple.CoreFoundation      	0x9683acf8 CFRunLoopRunInMode + 88
13  com.apple.HIToolbox           	0x90389480 RunCurrentEventLoopInMode + 283
14  com.apple.HIToolbox           	0x90389299 ReceiveNextEventCommon + 374
15  com.apple.HIToolbox           	0x9038910d BlockUntilNextEventMatchingListInMode + 106
16  com.apple.AppKit              	0x92e983ed _DPSNextEvent + 657
17  com.apple.AppKit              	0x92e97ca0 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
18  com.apple.Safari              	0x0000808e 0x1000 + 28814
19  com.apple.AppKit              	0x92e90cdb -[NSApplication run] + 795
20  com.apple.AppKit              	0x92e5df14 NSApplicationMain + 574
21  com.apple.Safari              	0x000b9b16 0x1000 + 756502
Comment 10 Cameron Zwarich (cpst) 2008-12-14 22:18:53 PST
There seems to be another problem with this page that is not yet fixed. I can reproduce this after a few loads, even using the bytecode interpreter.
Comment 11 Cameron Zwarich (cpst) 2008-12-14 22:35:56 PST
This link reproduces the crash a lot better than the one in the title of this bug, although I am pretty sure it is still the same memory corruption:

http://news.cnet.com/8301-13579_3-9953533-37.html

I am having a lot of trouble reducing this.
Comment 12 Cameron Zwarich (cpst) 2008-12-15 14:13:03 PST
This new crash reproduces with no plugins, so I will close this bug and use bug 22869 for tracking the new crash.