Bug 45811

Summary: REGRESSION: Feedly extension crashes Webkit
Product: WebKit
Reporter: rune.bjorneras
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: ap, commit-queue, ggaren, oliver, sam
Priority: P1
Keywords: Regression
Version: 528+ (Nightly build)
Hardware: Mac (Intel)
OS: All
Attachments (description, flags):
Crash report (flags: none)
Crash report, r67643 (flags: none)
Patch (flags: none)

Description rune.bjorneras 2010-09-15 01:31:34 PDT
Feedly extension crashes Webkit.
Comment 1 Alexey Proskuryakov 2010-09-15 11:08:45 PDT
Could you please attach a crash log <http://webkit.org/quality/crashlogs.html>?
Comment 2 rune.bjorneras 2010-09-15 22:32:08 PDT
Created attachment 67771
Crash report
Comment 3 rune.bjorneras 2010-09-15 22:34:12 PDT
Sure - report uploaded.

This is from my work Mac. Webkit also crashes with this extension on my home Mac running 10.6.4.
Comment 4 Alexey Proskuryakov 2010-09-16 11:00:13 PDT
I could reproduce the crash with nightly r67568, although with a different stack trace (which is understandable, since I was running it in 64 bit). Steps to reproduce:

1. Install the extension from e.g. http://www.pimpmysafari.com/extensions/feedly-safari-extension
2. Click its button in Safari.

0   com.apple.JavaScriptCore      	0x00000001007d9d14 JSC::Identifier::addSlowCase(JSC::ExecState*, WTF::StringImpl*) + 84
1   com.apple.WebCore             	0x0000000101601fac WebCore::CloneDeserializer::deserialize() + 2332
2   com.apple.WebCore             	0x0000000101602995 WebCore::SerializedScriptValue::deserialize(JSC::ExecState*, JSC::JSGlobalObject*) + 677
3   com.apple.WebCore             	0x00000001016029f3 WebCore::SerializedScriptValue::deserialize(OpaqueJSContext const*, OpaqueJSValue const**) + 35
4   com.apple.JavaScriptCore      	0x0000000100835aee JSC::JSCallbackObject<JSC::JSObjectWithGlobalObject>::staticValueGetter(JSC::ExecState*, JSC::JSValue, JSC::Identifier const&) + 766
5   com.apple.JavaScriptCore      	0x0000000100825141 JSC::JSValue::get(JSC::ExecState*, JSC::Identifier const&, JSC::PropertySlot&) const + 401
6   com.apple.JavaScriptCore      	0x00000001008185df cti_op_get_by_id_generic + 79
7   ???                           	0x00003212bace08dd 0 + 55056024864989
8   com.apple.JavaScriptCore      	0x00000001007e06ff JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, JSC::JSValue*) + 911
Comment 5 rune.bjorneras 2010-09-19 22:22:02 PDT
Seems OK now with r67643 - that was quick! :)
Comment 6 rune.bjorneras 2010-09-19 22:27:42 PDT
Ahh, seems I was too quick. Actually got the feed headlines up without a crash, so I thought it worked. However, the browser crashed once I clicked on a link.
Comment 7 rune.bjorneras 2010-09-19 22:28:27 PDT
Created attachment 68052
Crash report, r67643
Comment 8 Oliver Hunt 2010-10-18 17:51:53 PDT
I think I know what's happening.  Whoops.
Comment 9 Oliver Hunt 2010-10-18 18:26:44 PDT
Created attachment 71110
Patch
Comment 10 Sam Weinig 2010-10-18 18:32:25 PDT
(In reply to comment #9)
> Created an attachment (id=71110)
> Patch

r=me, though we may want to consider using a SegmentedVector instead.
Comment 11 WebKit Commit Bot 2010-10-18 19:34:54 PDT
Comment on attachment 71110
Patch

Clearing flags on attachment: 71110

Committed r70018: <http://trac.webkit.org/changeset/70018>
Comment 12 WebKit Commit Bot 2010-10-18 19:35:00 PDT
All reviewed patches have been landed.  Closing bug.
Comment 13 Oliver Hunt 2010-10-19 11:12:25 PDT
Sorry for the delay in fixing this