Bug 25730
| Summary: | The linked page at Metroauto site crashes WebKit nightly 100% of the time | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Sulka Haro <sulka> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | | |
| Severity: | Critical | CC: | barraclough, jeromeg, sam |
| Priority: | P1 | Keywords: | InRadar |
| Version: | 528+ (Nightly build) | | |
| Hardware: | Mac | | |
| OS: | OS X 10.5 | | |
| URL: | http://www.metroauto.fi/vlist.asp?osio=esittelyautot&vper_page=10&vcompany=&vmake=SKODA&vmodel=&vvehicle_type=&vbody_type=&vfuel=&vtransmission=A&vvetotapa=&vprice_min=&vprice_max=&x=13&y=7&vsort=price+ASC | | |
Sulka Haro
The linked page at Metroauto site crashes WebKit nightly 100% of the time. The release version of Safari does not crash. Tried and repeated the crash 5 times out of 5.
Made the issue critical, as per guidelines (crash = critical).
Sulka Haro
Stack trace:
Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000400
Crashed Thread: 0
Thread 0 Crashed:
0 com.apple.JavaScriptCore 0x004ea0eb JSC::JITStubs::cti_op_loop_if_less(void*, ...) + 459
1 ??? 0x18bdbf84 0 + 415088516
2 com.apple.JavaScriptCore 0x0049e78a JSC::Interpreter::execute(JSC::ProgramNode*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*, JSC::JSValue*) + 634
3 com.apple.JavaScriptCore 0x0045f0c6 JSC::evaluate(JSC::ExecState*, JSC::ScopeChain&, JSC::SourceCode const&, JSC::JSValue) + 358
4 com.apple.WebCore 0x0143ef94 WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) + 260
5 com.apple.WebCore 0x00fc2b61 WebCore::FrameLoader::executeScript(WebCore::ScriptSourceCode const&) + 161
6 com.apple.WebCore 0x0104fccd WebCore::HTMLTokenizer::scriptExecution(WebCore::ScriptSourceCode const&, WebCore::HTMLTokenizer::State) + 205
7 com.apple.WebCore 0x0105103b WebCore::HTMLTokenizer::scriptHandler(WebCore::HTMLTokenizer::State) + 4235
8 com.apple.WebCore 0x01051b4b WebCore::HTMLTokenizer::parseSpecial(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 2267
9 com.apple.WebCore 0x01054d1f WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 2015
10 com.apple.WebCore 0x00fc6ff9 WebCore::FrameLoader::write(char const*, int, bool) + 457
11 com.apple.WebCore 0x00fc75f7 WebCore::FrameLoader::addData(char const*, int) + 39
12 com.apple.WebKit 0x0025103c -[WebFrame(WebInternal) _receivedData:textEncodingName:] + 140
13 com.apple.WebKit 0x0025d983 -[WebHTMLRepresentation receivedData:withDataSource:] + 499
14 com.apple.WebKit 0x002424eb -[WebDataSource(WebInternal) _receivedData:] + 91
15 com.apple.WebKit 0x00254409 WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) + 137
16 com.apple.WebCore 0x00f69177 WebCore::DocumentLoader::commitLoad(char const*, int) + 71
17 com.apple.WebCore 0x0139f179 WebCore::ResourceLoader::didReceiveData(char const*, int, long long, bool) + 73
18 com.apple.WebCore 0x0129d2af WebCore::MainResourceLoader::didReceiveData(char const*, int, long long, bool) + 111
19 com.apple.WebCore 0x0139ed08 WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle*, char const*, int, int) + 56
20 com.apple.Foundation 0x92d40707 -[NSURLConnection(NSURLConnectionReallyInternal) sendDidReceiveData:originalLength:] + 119
21 com.apple.Foundation 0x92d40651 _NSURLConnectionDidReceiveData + 177
22 com.apple.CFNetwork 0x944d092a URLConnectionClient::sendOrBufferData(__CFData const*) + 172
23 com.apple.CFNetwork 0x944cfd05 URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 237
24 com.apple.CFNetwork 0x944d0d70 URLConnectionClient::processEvents() + 114
25 com.apple.CFNetwork 0x94480b6b MultiplexerSource::perform() + 189
26 com.apple.CoreFoundation 0x957fd5f5 CFRunLoopRunSpecific + 3141
27 com.apple.CoreFoundation 0x957fdcd8 CFRunLoopRunInMode + 88
28 com.apple.HIToolbox 0x904fe2c0 RunCurrentEventLoopInMode + 283
29 com.apple.HIToolbox 0x904fe0d9 ReceiveNextEventCommon + 374
30 com.apple.HIToolbox 0x904fdf4d BlockUntilNextEventMatchingListInMode + 106
31 com.apple.AppKit 0x94d3ed7d _DPSNextEvent + 657
32 com.apple.AppKit 0x94d3e630 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
33 com.apple.Safari 0x0000808e 0x1000 + 28814
34 com.apple.AppKit 0x94d3766b -[NSApplication run] + 795
35 com.apple.AppKit 0x94d048a4 NSApplicationMain + 574
36 com.apple.Safari 0x000b9b16 0x1000 + 756502
Alexey Proskuryakov
Confirmed with r43608. Looks like breakage from number representation changes.
Alexey Proskuryakov
<rdar://problem/6882919>
Alexey Proskuryakov
Fixed by Gavin Barraclough in <http://trac.webkit.org/changeset/43667>.
Mark Rowe (bdash)
*** Bug 25820 has been marked as a duplicate of this bug. ***