Bug 48057

Summary: ASSERT while loading reddit.com
Product: WebKit Reporter: Xan Lopez <xan.lopez@gmail.com>
Component: WebCore JavaScript
Assignee: Nobody <webkit-unassigned@lists.webkit.org>
Status: NEW    
Severity: Normal CC: ap@webkit.org, ggaren@apple.com, mrobinson@webkit.org, opendarwin@lapcatsoftware.com, xan.lopez@gmail.com
Priority: P2 Keywords: NeedsReduction
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Mac OS X 10.5   
Attachments:
Description Flags
gdb backtrace none

Description From 2010-10-21 03:20:50 PST
Can't seem to be able to repro now, but got this with a debug build, r70214:


ASSERTION FAILED: node->wrapper() == (document ? document->getWrapperCache(currentWorld(exec))->get(node) : domObjectWrapperMapFor(exec).get(node))
(../../WebCore/bindings/js/JSNodeCustom.h:37 WebCore::JSNode* WebCore::getCachedDOMNodeWrapper(JSC::ExecState*, WebCore::Document*, WebCore::Node*))

Program received signal SIGSEGV, Segmentation fault.
0x00d1f720 in WebCore::getCachedDOMNodeWrapper (exec=0xb2b94540, document=0xa173948, node=0x8b311c0) at ../../WebCore/bindings/js/JSNodeCustom.h:37
37            ASSERT(node->wrapper() == (document ? document->getWrapperCache(currentWorld(exec))->get(node) : domObjectWrapperMapFor(exec).get(node)));
(gdb) bt
#0  0x00d1f720 in WebCore::getCachedDOMNodeWrapper (exec=0xb2b94540, document=0xa173948, node=0x8b311c0) at ../../WebCore/bindings/js/JSNodeCustom.h:37
#1  0x00d1f7df in WebCore::toJS (exec=0xb2b94540, globalObject=0xb2b40b40, node=0x8b311c0) at ../../WebCore/bindings/js/JSNodeCustom.h:53
#2  0x017a0778 in WebCore::JSNodeList::indexGetter (exec=0xb2b94540, slotBase=..., index=4) at DerivedSources/WebCore/JSNodeList.cpp:260
#3  0x00d6bc7c in JSC::PropertySlot::getValue (this=0xbfffab2c, exec=0xb2b94540, propertyName=4) at ../../JavaScriptCore/runtime/PropertySlot.h:88
#4  0x01a454df in JSC::JSValue::get (this=0xbfffabf4, exec=0xb2b94540, propertyName=4, slot=...) at ../../JavaScriptCore/runtime/JSObject.h:686
#5  0x01a453dc in JSC::JSValue::get (this=0xbfffabf4, exec=0xb2b94540, propertyName=4) at ../../JavaScriptCore/runtime/JSObject.h:672
#6  0x01a3c4ee in JSC::cti_op_get_by_val (args=0xbfffac50) at ../../JavaScriptCore/jit/JITStubs.cpp:2396
#7  0x01a3668a in JSC::JITThunks::tryCacheGetByID (callFrame=0xb2678980, codeBlock=0xfffffffe, returnAddress=..., baseValue=..., propertyName=, slot=..., 
    stubInfo=0xbfffaca8) at ../../JavaScriptCore/jit/JITStubs.cpp:999
#8  0xbfffad8c in ?? ()
#9  0x01a06b1f in JSC::JITCode::execute (this=0x8e6b8ec, registerFile=0x899b5fc, callFrame=0xb2b94048, globalData=0x8996110, exception=0x8996ee4)
    at ../../JavaScriptCore/jit/JITCode.h:77
#10 0x01a03d04 in JSC::Interpreter::executeCall (this=0x899b5f0, callFrame=0xa18141c, function=0xb26ffd40, callType=JSC::CallTypeJS, callData=..., 
    thisValue=..., args=..., exception=0x8996ee4) at ../../JavaScriptCore/interpreter/Interpreter.cpp:825
#11 0x01a90563 in JSC::call (exec=0xa18141c, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...)
    at ../../JavaScriptCore/runtime/CallData.cpp:38
#12 0x00d21dbe in WebCore::JSMainThreadExecState::call (exec=0xa18141c, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...)
    at ../../WebCore/bindings/js/JSMainThreadExecState.h:48
#13 0x00d5c930 in WebCore::JSEventListener::handleEvent (this=0x8e6a948, scriptExecutionContext=0xa173980, event=0x9f4f9e8)
    at ../../WebCore/bindings/js/JSEventListener.cpp:124
#14 0x00f13254 in WebCore::EventTarget::fireEventListeners (this=0x8b2f1a0, event=0x9f4f9e8, d=0x8b2f228, 
    entry=WTF::Vector of length 2, capacity 16 = {...}) at ../../WebCore/dom/EventTarget.cpp:335
#15 0x00f13105 in WebCore::EventTarget::fireEventListeners (this=0x8b2f1a0, event=0x9f4f9e8) at ../../WebCore/dom/EventTarget.cpp:304
#16 0x011f899e in WebCore::DOMWindow::dispatchEvent (this=0x8b2f1a0, prpEvent=..., prpTarget=...) at ../../WebCore/page/DOMWindow.cpp:1536
#17 0x01181ae0 in WebCore::FrameLoader::stopLoading (this=0x893d1f4, unloadEventPolicy=WebCore::UnloadEventPolicyUnloadAndPageHide, 
    databasePolicy=WebCore::DatabasePolicyStop) at ../../WebCore/loader/FrameLoader.cpp:387
#18 0x01181fd2 in WebCore::FrameLoader::closeURL (this=0x893d1f4) at ../../WebCore/loader/FrameLoader.cpp:467
#19 0x01188641 in WebCore::FrameLoader::transitionToCommitted (this=0x893d1f4, cachedPage=...) at ../../WebCore/loader/FrameLoader.cpp:1923
#20 0x0118804a in WebCore::FrameLoader::commitProvisionalLoad (this=0x893d1f4) at ../../WebCore/loader/FrameLoader.cpp:1839
#21 0x01174d26 in WebCore::DocumentLoader::commitIfReady (this=0x8a91968) at ../../WebCore/loader/DocumentLoader.cpp:266
#22 0x01174dc1 in WebCore::DocumentLoader::commitLoad (this=0x8a91968, 
    data=0xb2955e0 "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\"><html xmlns=\"http://www.w3.org/1999/xhtml\" lang=\"en\" xml:lang=\"en\" ><head><titl"..., length=8192) at ../../WebCore/loader/DocumentLoader.cpp:286
#23 0x01175016 in WebCore::DocumentLoader::receivedData (this=0x8a91968, 
    data=0xb2955e0 "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\"><html xmlns=\"http://www.w3.org/1999/xhtml\" lang=\"en\" xml:lang=\"en\" ><head><titl"..., length=8192) at ../../WebCore/loader/DocumentLoader.cpp:319
#24 0x011bc8fa in WebCore::MainResourceLoader::addData (this=0x9f3e400, 
    data=0xb2955e0 "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\"><html xmlns=\"http://www.w3.org/1999/xhtml\" lang=\"en\" xml:lang=\"en\" ><head><titl"..., length=8192, allAtOnce=false)
    at ../../WebCore/loader/MainResourceLoader.cpp:156
#25 0x011c7281 in WebCore::ResourceLoader::didReceiveData (this=0x9f3e400, 
    data=0xb2955e0 "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\"><html xmlns=\"http://www.w3.org/1999/xhtml\" lang=\"en\" xml:lang=\"en\" ><head><titl"..., length=8192, lengthReceived=8192, allAtOnce=false)
    at ../../WebCore/loader/ResourceLoader.cpp:262
#26 0x011bd9d6 in WebCore::MainResourceLoader::didReceiveData (this=0x9f3e400, 
    data=0xb2955e0 "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\"><html xmlns=\"http://www.w3.org/1999/xhtml\" lang=\"en\" xml:lang=\"en\" ><head><titl"..., length=8192, lengthReceived=8192, allAtOnce=false)
    at ../../WebCore/loader/MainResourceLoader.cpp:436
#27 0x011c7bc8 in WebCore::ResourceLoader::didReceiveData (this=0x9f3e400, 
    data=0xb2955e0 "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\"><html xmlns=\"http://www.w3.org/1999/xhtml\" lang=\"en\" xml:lang=\"en\" ><head><titl"..., length=8192, lengthReceived=8192)
    at ../../WebCore/loader/ResourceLoader.cpp:415
#28 0x015ecdeb in WebCore::readCallback (source=0xb301e38, asyncResult=0xa56bf88, data=0x0)
    at ../../WebCore/platform/network/soup/ResourceHandleSoup.cpp:809
#29 0x042cdaaf in async_ready_callback_wrapper (source_object=0xb301e38, res=0xa56bf88, user_data=0x0) at ginputstream.c:470
#30 0x042e1818 in g_simple_async_result_complete (simple=0xa56bf88) at gsimpleasyncresult.c:692
#31 0x015f21fd in read_async_done (stream=0xb301e38) at ../../WebCore/platform/network/soup/cache/soup-http-input-stream.c:723
#32 0x015f1419 in webkit_soup_http_input_stream_got_chunk (msg=0xb301dc8, chunk_buffer=0xafe521a8, stream=0xb301e38)
    at ../../WebCore/platform/network/soup/cache/soup-http-input-stream.c:300
#33 0x007331e1 in g_cclosure_marshal_VOID__BOXED (closure=0x94f1bf0, return_value=0x0, n_param_values=2, param_values=0xafe070a0, 
    invocation_hint=0xbfffb72c, marshal_data=0x0) at gmarshal.c:568
#34 0x00719bfd in g_closure_invoke (closure=0x94f1bf0, return_value=0x0, n_param_values=2, param_values=0xafe070a0, invocation_hint=0xbfffb72c)
    at gclosure.c:766
#35 0x00732020 in signal_emit_unlocked_R (node=0x89d5f00, detail=0, instance=0xb301dc8, emission_return=0x0, instance_and_params=0xafe070a0)
    at gsignal.c:3252
#36 0x0073136f in g_signal_emit_valist (instance=0xb301dc8, signal_id=483, detail=0, var_args=0xbfffb920 "\030\022Y") at gsignal.c:2983
#37 0x0073165b in g_signal_emit (instance=0xb301dc8, signal_id=483, detail=0) at gsignal.c:3040
#38 0x0056dd68 in soup_message_got_chunk (msg=0xb301dc8, chunk=0xafe521a8) at soup-message.c:963
#39 0x00572cbb in io_handle_sniffing (msg=0xb301dc8, done_reading=0) at soup-message-io.c:266
#40 0x00573280 in read_body_chunk (msg=0xb301dc8) at soup-message-io.c:447
#41 0x005741a6 in io_read (sock=0x898fb88, msg=0xb301dc8) at soup-message-io.c:923
#42 0x00574992 in io_unpause_internal (msg=0xb301dc8) at soup-message-io.c:1149
#43 0x043dd0a1 in g_idle_dispatch (source=0x9d3bc98, callback=0x57480b <io_unpause_internal>, user_data=0xb301dc8) at gmain.c:4254
#44 0x043d95f2 in g_main_dispatch (context=0x813adc0) at gmain.c:2149
#45 0x043da8e6 in g_main_context_dispatch (context=0x813adc0) at gmain.c:2702
#46 0x043dad3b in g_main_context_iterate (context=0x813adc0, block=1, dispatch=1, self=0x8112f18) at gmain.c:2780
#47 0x043db4a4 in g_main_loop_run (loop=0x816b010) at gmain.c:2988
#48 0x03e8d237 in gtk_main () at gtkmain.c:1321
------- Comment #1 From 2010-10-21 21:59:52 PST -------
Why do you think this is GTK specific Martin?
------- Comment #2 From 2010-10-21 22:54:02 PST -------
Sorry, I was just organizing the GTK+ bugs and perhaps I didn't look at this one closely enough.
------- Comment #3 From 2011-01-01 10:25:27 PST -------
Created an attachment (id=77746) [details]
gdb backtrace
------- Comment #4 From 2011-01-01 10:26:18 PST -------
I got an assertion failure in the same place while running cross_fuzz http://lcamtuf.coredump.cx/cross_fuzz/

Mac OS X 10.6.5, Safari 5.0.3, WebKit x86_64 Debug build from svn r74844.

Attached is the gdb backtrace.