Bug 48057

Summary: ASSERT while loading reddit.com
Product: WebKit Reporter: Xan Lopez <xan.lopez>
Component: WebCore JavaScriptAssignee: Nobody <webkit-unassigned>
Status: NEW    
Severity: Normal CC: ap, ggaren, mrobinson, opendarwin, xan.lopez
Priority: P2 Keywords: NeedsReduction
Version: 528+ (Nightly build)   
Hardware: PC   
OS: OS X 10.5   
Attachments:
Description Flags
gdb backtrace none

Xan Lopez
Reported 2010-10-21 03:20:50 PDT
Can't seem to be able to repro now, but got this with a debug build, r70214: ASSERTION FAILED: node->wrapper() == (document ? document->getWrapperCache(currentWorld(exec))->get(node) : domObjectWrapperMapFor(exec).get(node)) (../../WebCore/bindings/js/JSNodeCustom.h:37 WebCore::JSNode* WebCore::getCachedDOMNodeWrapper(JSC::ExecState*, WebCore::Document*, WebCore::Node*)) Program received signal SIGSEGV, Segmentation fault. 0x00d1f720 in WebCore::getCachedDOMNodeWrapper (exec=0xb2b94540, document=0xa173948, node=0x8b311c0) at ../../WebCore/bindings/js/JSNodeCustom.h:37 37 ASSERT(node->wrapper() == (document ? document->getWrapperCache(currentWorld(exec))->get(node) : domObjectWrapperMapFor(exec).get(node))); (gdb) bt #0 0x00d1f720 in WebCore::getCachedDOMNodeWrapper (exec=0xb2b94540, document=0xa173948, node=0x8b311c0) at ../../WebCore/bindings/js/JSNodeCustom.h:37 #1 0x00d1f7df in WebCore::toJS (exec=0xb2b94540, globalObject=0xb2b40b40, node=0x8b311c0) at ../../WebCore/bindings/js/JSNodeCustom.h:53 #2 0x017a0778 in WebCore::JSNodeList::indexGetter (exec=0xb2b94540, slotBase=..., index=4) at DerivedSources/WebCore/JSNodeList.cpp:260 #3 0x00d6bc7c in JSC::PropertySlot::getValue (this=0xbfffab2c, exec=0xb2b94540, propertyName=4) at ../../JavaScriptCore/runtime/PropertySlot.h:88 #4 0x01a454df in JSC::JSValue::get (this=0xbfffabf4, exec=0xb2b94540, propertyName=4, slot=...) at ../../JavaScriptCore/runtime/JSObject.h:686 #5 0x01a453dc in JSC::JSValue::get (this=0xbfffabf4, exec=0xb2b94540, propertyName=4) at ../../JavaScriptCore/runtime/JSObject.h:672 #6 0x01a3c4ee in JSC::cti_op_get_by_val (args=0xbfffac50) at ../../JavaScriptCore/jit/JITStubs.cpp:2396 #7 0x01a3668a in JSC::JITThunks::tryCacheGetByID (callFrame=0xb2678980, codeBlock=0xfffffffe, returnAddress=..., baseValue=..., propertyName=, slot=..., stubInfo=0xbfffaca8) at ../../JavaScriptCore/jit/JITStubs.cpp:999 #8 0xbfffad8c in ?? () #9 0x01a06b1f in JSC::JITCode::execute (this=0x8e6b8ec, registerFile=0x899b5fc, callFrame=0xb2b94048, globalData=0x8996110, exception=0x8996ee4) at ../../JavaScriptCore/jit/JITCode.h:77 #10 0x01a03d04 in JSC::Interpreter::executeCall (this=0x899b5f0, callFrame=0xa18141c, function=0xb26ffd40, callType=JSC::CallTypeJS, callData=..., thisValue=..., args=..., exception=0x8996ee4) at ../../JavaScriptCore/interpreter/Interpreter.cpp:825 #11 0x01a90563 in JSC::call (exec=0xa18141c, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../JavaScriptCore/runtime/CallData.cpp:38 #12 0x00d21dbe in WebCore::JSMainThreadExecState::call (exec=0xa18141c, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../WebCore/bindings/js/JSMainThreadExecState.h:48 #13 0x00d5c930 in WebCore::JSEventListener::handleEvent (this=0x8e6a948, scriptExecutionContext=0xa173980, event=0x9f4f9e8) at ../../WebCore/bindings/js/JSEventListener.cpp:124 #14 0x00f13254 in WebCore::EventTarget::fireEventListeners (this=0x8b2f1a0, event=0x9f4f9e8, d=0x8b2f228, entry=WTF::Vector of length 2, capacity 16 = {...}) at ../../WebCore/dom/EventTarget.cpp:335 #15 0x00f13105 in WebCore::EventTarget::fireEventListeners (this=0x8b2f1a0, event=0x9f4f9e8) at ../../WebCore/dom/EventTarget.cpp:304 #16 0x011f899e in WebCore::DOMWindow::dispatchEvent (this=0x8b2f1a0, prpEvent=..., prpTarget=...) at ../../WebCore/page/DOMWindow.cpp:1536 #17 0x01181ae0 in WebCore::FrameLoader::stopLoading (this=0x893d1f4, unloadEventPolicy=WebCore::UnloadEventPolicyUnloadAndPageHide, databasePolicy=WebCore::DatabasePolicyStop) at ../../WebCore/loader/FrameLoader.cpp:387 #18 0x01181fd2 in WebCore::FrameLoader::closeURL (this=0x893d1f4) at ../../WebCore/loader/FrameLoader.cpp:467 #19 0x01188641 in WebCore::FrameLoader::transitionToCommitted (this=0x893d1f4, cachedPage=...) at ../../WebCore/loader/FrameLoader.cpp:1923 #20 0x0118804a in WebCore::FrameLoader::commitProvisionalLoad (this=0x893d1f4) at ../../WebCore/loader/FrameLoader.cpp:1839 #21 0x01174d26 in WebCore::DocumentLoader::commitIfReady (this=0x8a91968) at ../../WebCore/loader/DocumentLoader.cpp:266 #22 0x01174dc1 in WebCore::DocumentLoader::commitLoad (this=0x8a91968, data=0xb2955e0 "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\"><html xmlns=\"http://www.w3.org/1999/xhtml\" lang=\"en\" xml:lang=\"en\" ><head><titl"..., length=8192) at ../../WebCore/loader/DocumentLoader.cpp:286 #23 0x01175016 in WebCore::DocumentLoader::receivedData (this=0x8a91968, data=0xb2955e0 "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\"><html xmlns=\"http://www.w3.org/1999/xhtml\" lang=\"en\" xml:lang=\"en\" ><head><titl"..., length=8192) at ../../WebCore/loader/DocumentLoader.cpp:319 #24 0x011bc8fa in WebCore::MainResourceLoader::addData (this=0x9f3e400, data=0xb2955e0 "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\"><html xmlns=\"http://www.w3.org/1999/xhtml\" lang=\"en\" xml:lang=\"en\" ><head><titl"..., length=8192, allAtOnce=false) ---Type <return> to continue, or q <return> to quit--- at ../../WebCore/loader/MainResourceLoader.cpp:156 #25 0x011c7281 in WebCore::ResourceLoader::didReceiveData (this=0x9f3e400, data=0xb2955e0 "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\"><html xmlns=\"http://www.w3.org/1999/xhtml\" lang=\"en\" xml:lang=\"en\" ><head><titl"..., length=8192, lengthReceived=8192, allAtOnce=false) at ../../WebCore/loader/ResourceLoader.cpp:262 #26 0x011bd9d6 in WebCore::MainResourceLoader::didReceiveData (this=0x9f3e400, data=0xb2955e0 "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\"><html xmlns=\"http://www.w3.org/1999/xhtml\" lang=\"en\" xml:lang=\"en\" ><head><titl"..., length=8192, lengthReceived=8192, allAtOnce=false) at ../../WebCore/loader/MainResourceLoader.cpp:436 #27 0x011c7bc8 in WebCore::ResourceLoader::didReceiveData (this=0x9f3e400, data=0xb2955e0 "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\"><html xmlns=\"http://www.w3.org/1999/xhtml\" lang=\"en\" xml:lang=\"en\" ><head><titl"..., length=8192, lengthReceived=8192) at ../../WebCore/loader/ResourceLoader.cpp:415 #28 0x015ecdeb in WebCore::readCallback (source=0xb301e38, asyncResult=0xa56bf88, data=0x0) at ../../WebCore/platform/network/soup/ResourceHandleSoup.cpp:809 #29 0x042cdaaf in async_ready_callback_wrapper (source_object=0xb301e38, res=0xa56bf88, user_data=0x0) at ginputstream.c:470 #30 0x042e1818 in g_simple_async_result_complete (simple=0xa56bf88) at gsimpleasyncresult.c:692 #31 0x015f21fd in read_async_done (stream=0xb301e38) at ../../WebCore/platform/network/soup/cache/soup-http-input-stream.c:723 #32 0x015f1419 in webkit_soup_http_input_stream_got_chunk (msg=0xb301dc8, chunk_buffer=0xafe521a8, stream=0xb301e38) at ../../WebCore/platform/network/soup/cache/soup-http-input-stream.c:300 #33 0x007331e1 in g_cclosure_marshal_VOID__BOXED (closure=0x94f1bf0, return_value=0x0, n_param_values=2, param_values=0xafe070a0, invocation_hint=0xbfffb72c, marshal_data=0x0) at gmarshal.c:568 #34 0x00719bfd in g_closure_invoke (closure=0x94f1bf0, return_value=0x0, n_param_values=2, param_values=0xafe070a0, invocation_hint=0xbfffb72c) at gclosure.c:766 #35 0x00732020 in signal_emit_unlocked_R (node=0x89d5f00, detail=0, instance=0xb301dc8, emission_return=0x0, instance_and_params=0xafe070a0) at gsignal.c:3252 #36 0x0073136f in g_signal_emit_valist (instance=0xb301dc8, signal_id=483, detail=0, var_args=0xbfffb920 "\030\022Y") at gsignal.c:2983 #37 0x0073165b in g_signal_emit (instance=0xb301dc8, signal_id=483, detail=0) at gsignal.c:3040 #38 0x0056dd68 in soup_message_got_chunk (msg=0xb301dc8, chunk=0xafe521a8) at soup-message.c:963 #39 0x00572cbb in io_handle_sniffing (msg=0xb301dc8, done_reading=0) at soup-message-io.c:266 #40 0x00573280 in read_body_chunk (msg=0xb301dc8) at soup-message-io.c:447 #41 0x005741a6 in io_read (sock=0x898fb88, msg=0xb301dc8) at soup-message-io.c:923 #42 0x00574992 in io_unpause_internal (msg=0xb301dc8) at soup-message-io.c:1149 #43 0x043dd0a1 in g_idle_dispatch (source=0x9d3bc98, callback=0x57480b <io_unpause_internal>, user_data=0xb301dc8) at gmain.c:4254 #44 0x043d95f2 in g_main_dispatch (context=0x813adc0) at gmain.c:2149 #45 0x043da8e6 in g_main_context_dispatch (context=0x813adc0) at gmain.c:2702 #46 0x043dad3b in g_main_context_iterate (context=0x813adc0, block=1, dispatch=1, self=0x8112f18) at gmain.c:2780 #47 0x043db4a4 in g_main_loop_run (loop=0x816b010) at gmain.c:2988 #48 0x03e8d237 in gtk_main () at gtkmain.c:1321
Attachments
gdb backtrace (10.66 KB, text/plain)
2011-01-01 10:25 PST, Jeff Johnson 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Xan Lopez
Comment 1 2010-10-21 21:59:52 PDT
Why do you think this is GTK specific Martin?
Martin Robinson
Comment 2 2010-10-21 22:54:02 PDT
Sorry, I was just organizing the GTK+ bugs and I perhaps I didn't look at this one closely enough.
Jeff Johnson
Comment 3 2011-01-01 10:25:27 PST
Created attachment 77746 [details] gdb backtrace
Jeff Johnson
Comment 4 2011-01-01 10:26:18 PST
I got an assertion failure in the same place while running cross_fuzz http://lcamtuf.coredump.cx/cross_fuzz/ Mac OS X 10.6.5, Safari 5.0.3, WebKit x86_64 Debug build from svn r74844. Attached is gdb backtrace.
Note You need to log in before you can comment on or make changes to this bug.