Bug 22797

Summary: REGRESSION: Crash at http://news.cnet.com/8301-17939_109-10119149-2.html
Product: WebKit Reporter: Ismail Donmez <ismail>
Component: New BugsAssignee: Cameron Zwarich (cpst) <zwarich>
Status: RESOLVED FIXED    
Severity: Normal CC: ap, webkit, zwarich
Priority: P2 Keywords: NeedsReduction, Regression
Version: 528+ (Nightly build)   
Hardware: Mac   
OS: OS X 10.5   
URL: http://news.cnet.com/8301-17939_109-10119149-2.html
Attachments:
Description Flags
Backtrace
none
Patch zwarich: review+

Ismail Donmez
Reported 2008-12-10 14:31:55 PST
Reproducing this bug is kinda tricky, - Go to http://www.reddit.com/?count=50&after=t3_7im8f - Click the link which says "Firefox, Chrome builds virtually tied for JavaScript speed...." - Let the CNET page load - Press back button Safari crashes.
Attachments
Backtrace (2.44 KB, text/plain)
2008-12-11 10:29 PST, Cameron Zwarich (cpst) 		no flags
Details
Patch (3.06 KB, patch)
2008-12-11 13:21 PST, Anders Carlsson 		zwarich: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Cameron Zwarich (cpst)
Comment 1 2008-12-10 14:34:46 PST
I'll assign this to myself, at least to find the point of regression. It seems like a memory smasher, because the point at which it crashes is random, and sometimes it even crashes after it has gone back.
Cameron Zwarich (cpst)
Comment 2 2008-12-10 14:49:02 PST
I have narrowed this down to the range of revisions between the r37300 and r37376 nightlies.
Cameron Zwarich (cpst)
Comment 3 2008-12-11 07:49:14 PST
Here is a link that makes it easier to reproduce: http://www.reddit.com/search?q=firefox%2C+chrome I have verified that this occurs in the range r37338-r37376.
Cameron Zwarich (cpst)
Comment 4 2008-12-11 09:50:43 PST
It seems that the crash I was seeing in that range was due to r37370, which was rolled out in r37381. I'll have to investigate this further.
Cameron Zwarich (cpst)
Comment 5 2008-12-11 10:29:33 PST
Created attachment 25955 [details] Backtrace If I enable MallocScribble while simply loading the cnet URL in a debug build of ToT WebKit, I get this backtrace every I time.
Anders Carlsson
Comment 6 2008-12-11 13:21:33 PST
Created attachment 25958 [details] Patch
Cameron Zwarich (cpst)
Comment 7 2008-12-11 13:22:45 PST
Comment on attachment 25958 [details] Patch r=me
Anders Carlsson
Comment 8 2008-12-11 14:01:14 PST
Committed revision 39215.
Peter Handel
Comment 9 2008-12-14 22:12:41 PST
Just saw this on r39293: Thread 0 Crashed: 0 com.apple.JavaScriptCore 0x0044754c WTF::HashTableIterator<JSC::UString::Rep*, JSC::UString::Rep*, WTF::IdentityExtractor<JSC::UString::Rep*>, WTF::StrHash<JSC::UString::Rep*>, WTF::HashTraits<JSC::UString::Rep*>, WTF::HashTraits<JSC::UString::Rep*> > WTF::HashTable<JSC::UString::Rep*, JSC::UString::Rep*, WTF::IdentityExtractor<JSC::UString::Rep*>, WTF::StrHash<JSC::UString::Rep*>, WTF::HashTraits<JSC::UString::Rep*>, WTF::HashTraits<JSC::UString::Rep*> >::find<JSC::UString::Rep*, WTF::IdentityHashTranslator<JSC::UString::Rep*, JSC::UString::Rep*, WTF::StrHash<JSC::UString::Rep*> > >(JSC::UString::Rep* const&) + 252 1 com.apple.JavaScriptCore 0x003be206 JSC::Identifier::remove(JSC::UString::Rep*) + 38 2 com.apple.JavaScriptCore 0x003be28e JSC::UString::Rep::destroy() + 30 3 com.apple.JavaScriptCore 0x004ccc4b JSC::Structure::~Structure() + 299 4 com.apple.JavaScriptCore 0x00459d8c JSC::JSObject::~JSObject() + 140 5 com.apple.JavaScriptCore 0x00457178 unsigned long JSC::Heap::sweep<(JSC::HeapType)0>() + 200 6 com.apple.JavaScriptCore 0x003cd859 JSC::Heap::collect() + 169 7 com.apple.WebCore 0x0107e492 WebCore::Timer<WebCore::GCController>::fired() + 82 8 com.apple.WebCore 0x014fe9d9 WebCore::TimerBase::fireTimers(double, WTF::Vector<WebCore::TimerBase*, 0ul> const&) + 137 9 com.apple.WebCore 0x014feaa2 WebCore::TimerBase::sharedTimerFired() + 162 10 com.apple.WebCore 0x014da904 WebCore::timerFired(__CFRunLoopTimer*, void*) + 68 11 com.apple.CoreFoundation 0x9683ab45 CFRunLoopRunSpecific + 4469 12 com.apple.CoreFoundation 0x9683acf8 CFRunLoopRunInMode + 88 13 com.apple.HIToolbox 0x90389480 RunCurrentEventLoopInMode + 283 14 com.apple.HIToolbox 0x90389299 ReceiveNextEventCommon + 374 15 com.apple.HIToolbox 0x9038910d BlockUntilNextEventMatchingListInMode + 106 16 com.apple.AppKit 0x92e983ed _DPSNextEvent + 657 17 com.apple.AppKit 0x92e97ca0 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128 18 com.apple.Safari 0x0000808e 0x1000 + 28814 19 com.apple.AppKit 0x92e90cdb -[NSApplication run] + 795 20 com.apple.AppKit 0x92e5df14 NSApplicationMain + 574 21 com.apple.Safari 0x000b9b16 0x1000 + 756502
Cameron Zwarich (cpst)
Comment 10 2008-12-14 22:18:53 PST
There seems to be another problem with this page that is not yet fixed. I can reproduce this after a few loads, even using the bytecode interpreter.
Cameron Zwarich (cpst)
Comment 11 2008-12-14 22:35:56 PST
This link reproduces the crash a lot better than the one in the title of this bug, although I am pretty sure it is still the same memory corruption: http://news.cnet.com/8301-13579_3-9953533-37.html I am having a lot of trouble reducing this.
Cameron Zwarich (cpst)
Comment 12 2008-12-15 14:13:03 PST
This new crash reproduces with no plugins, so I will close this bug and use bug 22869 for tracking the new crash.
Note You need to log in before you can comment on or make changes to this bug.