Bug 45074
| Field | Value |
|---|---|
| Summary | Adding a new issue template in code.google.com crashes in HTMLElementStack::popUntil() |
| Product | WebKit |
| Reporter | Ridley Combs <rcombs> |
| Component | New Bugs |
| Assignee | Nobody <webkit-unassigned> |
| Status | RESOLVED FIXED |
| Severity | Blocker |
| CC | abarth, eric, simon.fraser |
| Priority | P1 |
| Version | 528+ (Nightly build) |
| Hardware | Mac (Intel) |
| OS | OS X 10.6 |
| URL | http://pastebin.com/2ediMXbQ |
Ridley Combs
If you administer a project at code.google.com, trying to add a new issue template causes the EXACT same EXC_BAD_ACCESS EVERY time. I've tried this multiple times, and the only difference is in line 13 of Thread 0 of the report (just variations in the numbers). I'd say this is a blocker, as I can't perform that administrative action.
Eric Seidel (no email)
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000008
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Thread 0 Crashed: Dispatch queue: com.apple.main-thread
0 com.apple.WebCore 0x0000000100f8262c WebCore::HTMLElementStack::popUntil(WTF::AtomicString const&) + 28
1 com.apple.WebCore 0x0000000100f82661 WebCore::HTMLElementStack::popUntilPopped(WTF::AtomicString const&) + 17
2 com.apple.WebCore 0x0000000100fdd82e WebCore::HTMLTreeBuilder::processEndTag(WebCore::AtomicHTMLToken&) + 2270
3 com.apple.WebCore 0x0000000100fe1385 WebCore::HTMLTreeBuilder::constructTreeFromToken(WebCore::HTMLToken&) + 37
4 com.apple.WebCore 0x0000000100f70a83 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 131
5 com.apple.WebCore 0x0000000100f71a89 WebCore::HTMLDocumentParser::insert(WebCore::SegmentedString const&) + 121
6 com.apple.WebCore 0x0000000100f70803 WebCore::HTMLDocumentParser::parseDocumentFragment(WTF::String const&, WebCore::DocumentFragment*, WebCore::Element*, WebCore::FragmentScriptingPermission) + 227
7 com.apple.WebCore 0x0000000100f7b839 WebCore::createFragmentFromSource(WTF::String const&, WebCore::Element*, int&) + 185
8 com.apple.WebCore 0x0000000100f7c122 WebCore::HTMLElement::setInnerHTML(WTF::String const&, int&) + 210
9 com.apple.WebCore 0x00000001011d2890 WebCore::setJSHTMLElementInnerHTML(JSC::ExecState*, JSC::JSObject*, JSC::JSValue) + 64
10 com.apple.WebCore 0x00000001011d513a WebCore::JSHTMLElement::put(JSC::ExecState*, JSC::Identifier const&, JSC::JSValue, JSC::PutPropertySlot&) + 186
11 com.apple.WebCore 0x0000000101230565 WebCore::JSHTMLSelectElement::put(JSC::ExecState*, JSC::Identifier const&, JSC::JSValue, JSC::PutPropertySlot&) + 149
12 com.apple.JavaScriptCore 0x0000000100825de4 cti_op_put_by_id + 100
13 ??? 0x00003e2b8218f040 0 + 68356587188288
14 com.apple.JavaScriptCore 0x00000001007e5b88 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, JSC::JSValue*) + 888
We just need a reduction. :) I suspect this is a parser bug.
Eric Seidel (no email)
Sadly the line numbers don't match up to tip of tree, so I don't know which popUntilPopped call this might be.
Ridley Combs
When mentioning the variation at line 13, I meant:
13 ??? 0x00003e2b8218f040 0 + 68356587188288
Eric Seidel (no email)
That's just the stack crawler not being able to dump anything sensible for JIT code.
Eric Seidel (no email)
bug 41115 is the compatibility master bug. I don't suspect this is a compat issue though, just a crash which, as soon as we catch it in the debugger, will get fixed.
Adam Barth
We've already fixed this crash in http://trac.webkit.org/changeset/66443
Thanks for the report.