RESOLVED FIXED 15718
ASSERTION FAILED: _hash in KJS::UString::Rep::computedHash()
https://bugs.webkit.org/show_bug.cgi?id=15718
Matt Lilek
Reported 2007-10-26 18:48:05 PDT
Hit this assert that was just added in r27127 on either <http://developer.apple.com/> or <http://apple.com/> (both were loading at the time). Couldn't reproduce when I went back and tried though, but I figured I'd file a bug due to the newness anyway.

ASSERTION FAILED: _hash (/Users/matt/Code/WebKit/JavaScriptCore/kjs/ustring.h:150 unsigned int KJS::UString::Rep::computedHash() const)

Thread 0 Crashed:
0 com.apple.JavaScriptCore 0x0048b4cc KJS::UString::Rep::computedHash() const + 70 (ustring.h:150)
1 com.apple.JavaScriptCore 0x00452b7c KJS::PropertyMap::insert(KJS::UString::Rep*, KJS::JSValue*, int, int) + 88 (property_map.cpp:402)
2 com.apple.JavaScriptCore 0x004539c8 KJS::PropertyMap::createTable() + 220 (property_map.cpp:464)
3 com.apple.JavaScriptCore 0x00453a08 KJS::PropertyMap::expand() + 36 (property_map.cpp:430)
4 com.apple.JavaScriptCore 0x00453b80 KJS::PropertyMap::put(KJS::Identifier const&, KJS::JSValue*, int, bool) + 346 (property_map.cpp:348)
5 com.apple.JavaScriptCore 0x004627d8 KJS::JSObject::put(KJS::ExecState*, KJS::Identifier const&, KJS::JSValue*, int) + 640 (object.cpp:280)
6 com.apple.JavaScriptCore 0x004831ae KJS::AssignBracketNode::evaluate(KJS::ExecState*) + 914 (nodes.cpp:1732)
7 com.apple.JavaScriptCore 0x0046a237 KJS::ExprStatementNode::execute(KJS::ExecState*) + 133 (nodes.cpp:1937)
8 com.apple.JavaScriptCore 0x00451f94 KJS::SourceElementsNode::execute(KJS::ExecState*) + 60 (nodes.cpp:2821)
9 com.apple.JavaScriptCore 0x00451d90 KJS::BlockNode::execute(KJS::ExecState*) + 94 (nodes.cpp:1919)
10 com.apple.JavaScriptCore 0x00466e3d KJS::FunctionBodyNode::execute(KJS::ExecState*) + 47 (nodes.cpp:2719)
11 com.apple.JavaScriptCore 0x00447452 KJS::FunctionImp::execute(KJS::ExecState*) + 38 (function.cpp:250)
12 com.apple.JavaScriptCore 0x0046ff00 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 384 (function.cpp:91)
13 com.apple.JavaScriptCore 0x004622a2 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:95)
14 com.apple.JavaScriptCore 0x00479257 KJS::FunctionCallBracketNode::evaluate(KJS::ExecState*) + 959 (nodes.cpp:743)
15 com.apple.JavaScriptCore 0x0046a8fc KJS::ConditionalNode::evaluate(KJS::ExecState*) + 142 (nodes.cpp:1535)
16 com.apple.JavaScriptCore 0x004834b7 KJS::AssignResolveNode::evaluate(KJS::ExecState*) + 303 (nodes.cpp:1637)
17 com.apple.JavaScriptCore 0x0046a237 KJS::ExprStatementNode::execute(KJS::ExecState*) + 133 (nodes.cpp:1937)
18 com.apple.JavaScriptCore 0x00451f94 KJS::SourceElementsNode::execute(KJS::ExecState*) + 60 (nodes.cpp:2821)
19 com.apple.JavaScriptCore 0x00451d90 KJS::BlockNode::execute(KJS::ExecState*) + 94 (nodes.cpp:1919)
20 com.apple.JavaScriptCore 0x00469c26 KJS::WhileNode::execute(KJS::ExecState*) + 344 (nodes.cpp:2036)
21 com.apple.JavaScriptCore 0x00451f94 KJS::SourceElementsNode::execute(KJS::ExecState*) + 60 (nodes.cpp:2821)
22 com.apple.JavaScriptCore 0x00451d90 KJS::BlockNode::execute(KJS::ExecState*) + 94 (nodes.cpp:1919)
23 com.apple.JavaScriptCore 0x00466e3d KJS::FunctionBodyNode::execute(KJS::ExecState*) + 47 (nodes.cpp:2719)
24 com.apple.JavaScriptCore 0x00447452 KJS::FunctionImp::execute(KJS::ExecState*) + 38 (function.cpp:250)
25 com.apple.JavaScriptCore 0x0046ff00 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 384 (function.cpp:91)
26 com.apple.JavaScriptCore 0x004622a2 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:95)
27 com.apple.JavaScriptCore 0x00478d90 KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 772 (nodes.cpp:785)
28 com.apple.JavaScriptCore 0x0046a237 KJS::ExprStatementNode::execute(KJS::ExecState*) + 133 (nodes.cpp:1937)
29 com.apple.JavaScriptCore 0x00451f94 KJS::SourceElementsNode::execute(KJS::ExecState*) + 60 (nodes.cpp:2821)
30 com.apple.JavaScriptCore 0x00451d90 KJS::BlockNode::execute(KJS::ExecState*) + 94 (nodes.cpp:1919)
31 com.apple.JavaScriptCore 0x00466e3d KJS::FunctionBodyNode::execute(KJS::ExecState*) + 47 (nodes.cpp:2719)
32 com.apple.JavaScriptCore 0x00447452 KJS::FunctionImp::execute(KJS::ExecState*) + 38 (function.cpp:250)
33 com.apple.JavaScriptCore 0x0046ff00 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 384 (function.cpp:91)
34 com.apple.JavaScriptCore 0x004622a2 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:95)
35 com.apple.JavaScriptCore 0x00478d90 KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 772 (nodes.cpp:785)
36 com.apple.JavaScriptCore 0x0046a237 KJS::ExprStatementNode::execute(KJS::ExecState*) + 133 (nodes.cpp:1937)
37 com.apple.JavaScriptCore 0x00451f94 KJS::SourceElementsNode::execute(KJS::ExecState*) + 60 (nodes.cpp:2821)
38 com.apple.JavaScriptCore 0x00451d90 KJS::BlockNode::execute(KJS::ExecState*) + 94 (nodes.cpp:1919)
39 com.apple.JavaScriptCore 0x00466e3d KJS::FunctionBodyNode::execute(KJS::ExecState*) + 47 (nodes.cpp:2719)
40 com.apple.JavaScriptCore 0x00447452 KJS::FunctionImp::execute(KJS::ExecState*) + 38 (function.cpp:250)
41 com.apple.JavaScriptCore 0x0046ff00 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 384 (function.cpp:91)
42 com.apple.JavaScriptCore 0x004622a2 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:95)
43 com.apple.JavaScriptCore 0x00478d90 KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 772 (nodes.cpp:785)
44 com.apple.JavaScriptCore 0x00451d2b KJS::AssignExprNode::evaluate(KJS::ExecState*) + 43 (nodes.cpp:1754)
45 com.apple.JavaScriptCore 0x0046a5af KJS::VarDeclNode::evaluate(KJS::ExecState*) + 299 (nodes.cpp:1815)
46 com.apple.JavaScriptCore 0x0046a437 KJS::VarDeclListNode::evaluate(KJS::ExecState*) + 51 (nodes.cpp:1855)
47 com.apple.JavaScriptCore 0x0046a31d KJS::VarStatementNode::execute(KJS::ExecState*) + 133 (nodes.cpp:1882)
48 com.apple.JavaScriptCore 0x00451f94 KJS::SourceElementsNode::execute(KJS::ExecState*) + 60 (nodes.cpp:2821)
49 com.apple.JavaScriptCore 0x00451d90 KJS::BlockNode::execute(KJS::ExecState*) + 94 (nodes.cpp:1919)
50 com.apple.JavaScriptCore 0x00466e3d KJS::FunctionBodyNode::execute(KJS::ExecState*) + 47 (nodes.cpp:2719)
51 com.apple.JavaScriptCore 0x004885ad KJS::Interpreter::evaluate(KJS::UString const&, int, KJS::UChar const*, int, KJS::JSValue*) + 823 (interpreter.cpp:366)
52 com.apple.WebCore 0x01e9338d WebCore::KJSProxy::evaluate(WebCore::String const&, int, WebCore::String const&) + 235 (kjs_proxy.cpp:87)
53 com.apple.WebCore 0x020925ba WebCore::FrameLoader::executeScript(WebCore::String const&, int, WebCore::String const&) + 92 (FrameLoader.cpp:761)
54 com.apple.WebCore 0x01ba9770 WebCore::HTMLTokenizer::scriptExecution(WebCore::DeprecatedString const&, WebCore::HTMLTokenizer::State, WebCore::DeprecatedString, int) + 308 (HTMLTokenizer.cpp:520)
55 com.apple.WebCore 0x01bab2bc WebCore::HTMLTokenizer::scriptHandler(WebCore::HTMLTokenizer::State) + 1466 (HTMLTokenizer.cpp:470)
56 com.apple.WebCore 0x01bab7c6 WebCore::HTMLTokenizer::parseSpecial(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 932 (HTMLTokenizer.cpp:319)
57 com.apple.WebCore 0x01bad563 WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 6235 (HTMLTokenizer.cpp:1231)
58 com.apple.WebCore 0x01badd67 WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 1243 (HTMLTokenizer.cpp:1449)
59 com.apple.WebCore 0x01baa172 WebCore::HTMLTokenizer::notifyFinished(WebCore::CachedResource*) + 1048 (HTMLTokenizer.cpp:1762)
60 com.apple.WebCore 0x01d0611e WebCore::CachedScript::checkNotify() + 68 (CachedScript.cpp:92)
61 com.apple.WebCore 0x01d0627f WebCore::CachedScript::data(WTF::PassRefPtr<WebCore::SharedBuffer>, bool) + 279 (CachedScript.cpp:84)
62 com.apple.WebCore 0x01d08884 WebCore::Loader::didFinishLoading(WebCore::SubresourceLoader*) + 340 (loader.cpp:116)
63 com.apple.WebCore 0x0209e11f WebCore::SubresourceLoader::didFinishLoading() + 169 (SubresourceLoader.cpp:195)
64 com.apple.WebCore 0x0209c62c WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*) + 24 (ResourceLoader.cpp:362)
65 com.apple.WebCore 0x0206bbfe -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] + 116 (ResourceHandleMac.mm:456)
66 com.apple.Foundation 0x91496357 -[NSURLConnection(NSURLConnectionReallyInternal) sendDidFinishLoading] + 87
67 com.apple.Foundation 0x914962e4 _NSURLConnectionDidFinishLoading + 68
68 com.apple.CFNetwork 0x92c17adb sendDidFinishLoadingCallback + 148
69 com.apple.CFNetwork 0x92c149ce _CFURLConnectionSendCallbacks + 1908
70 com.apple.CFNetwork 0x92c141df muxerSourcePerform + 283
71 com.apple.CoreFoundation 0x9281f64e CFRunLoopRunSpecific + 3166
72 com.apple.CoreFoundation 0x9281fd38 CFRunLoopRunInMode + 88
73 com.apple.HIToolbox 0x90c0e8a4 RunCurrentEventLoopInMode + 283
74 com.apple.HIToolbox 0x90c0e6bd ReceiveNextEventCommon + 374
75 com.apple.HIToolbox 0x90c0e531 BlockUntilNextEventMatchingListInMode + 106
76 com.apple.AppKit 0x91fa4d5b _DPSNextEvent + 657
77 com.apple.AppKit 0x91fa46a0 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
78 com.apple.Safari 0x00009d4e 0x1000 + 36174
79 com.apple.AppKit 0x91f9d6d1 -[NSApplication run] + 795
80 com.apple.AppKit 0x91f6a9ba NSApplicationMain + 574
81 com.apple.Safari 0x00002876 0x1000 + 6262
Attachments
fix (1.12 KB, patch)
2007-10-27 03:31 PDT, Maciej Stachowiak
mrowe: review+
fix 2 (1.60 KB, patch)
2007-10-27 12:16 PDT, Geoffrey Garen
darin: review-
Matt Lilek
Comment 1 2007-10-26 21:15:21 PDT
Actually, Google ads trip this, so it's reproducible on any site that uses them (i.e. <http://digg.com/>).
Mark Rowe (bdash)
Comment 2 2007-10-27 01:01:17 PDT
I can reproduce this easily at http://webkit.org/blog/wp-admin/. I'll see if I can't cook up a reduction later this evening.
Maciej Stachowiak
Comment 3 2007-10-27 03:31:57 PDT
Mark Rowe (bdash)
Comment 4 2007-10-27 03:33:43 PDT
Comment on attachment 16900 (fix)
r=me
Geoffrey Garen
Comment 6 2007-10-27 12:16:46 PDT
Created attachment 16902 (fix 2)
I'm in the middle of testing, but I'm pretty sure this is right.
Darin Adler
Comment 7 2007-10-27 12:20:08 PDT
Comment on attachment 16902 (fix 2)

+ if (!strlen(c)) {

Need the O(1) check of c[0] instead of the O(string-length) check of strlen. I think it would be even better to do this in UString -- guarantee that null and empty both have a precomputed hash. It's annoying to have extra overhead in Identifier::add for 1-time setup.
Geoffrey Garen
Comment 8 2007-10-27 12:25:51 PDT
Darin suggested on IRC that we could write the hash value directly into Rep::null and Rep::empty, and ASSERT in the UString constructor that it's correct. To save time, I haven't done that, but it seems like a prudent change to make later.
Geoffrey Garen
Comment 9 2007-10-27 12:31:59 PDT
Committed revision 27153, with the O(n) -> O(1) change.
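The invariant behind this bug, and the fix shape discussed in Comments 7 and 8, as an added model that is not JavaScriptCore's code: a shared string rep caches its hash lazily, the hot path asserts the cache is already filled, so the shared null/empty sentinels must be created with the hash precomputed. Names (`model::Rep`, `hashChars`, `nullRep`, `emptyRep`, `sentinelHashesConsistent`) and the FNV-1a stand-in hash are assumptions of this example.

```cpp
// Added model of the invariant behind this bug, not JavaScriptCore's code:
// a shared string rep caches its hash lazily, the hot path asserts the cache
// is filled, and the shared null/empty sentinels must therefore be created
// with the hash precomputed (the fix discussed in Comments 7 and 8).
#include <cassert>
#include <cstddef>
#include <string>

namespace model {
// Stand-in hash (FNV-1a). As in KJS, a result of 0 is remapped so that 0 can
// serve as the "not yet computed" marker.
inline unsigned hashChars(const char* s, std::size_t len) {
    unsigned h = 0x811c9dc5u;
    for (std::size_t i = 0; i < len; ++i) { h ^= (unsigned char)s[i]; h *= 16777619u; }
    return h ? h : 0x80000000u;
}

struct Rep {
    std::string data;
    unsigned _hash;  // 0 means "not yet computed"

    // Ordinary reps start unhashed and compute on demand.
    explicit Rep(const std::string& d) : data(d), _hash(0) {}

    unsigned hash() {                       // slow path: compute and cache
        if (!_hash) _hash = hashChars(data.data(), data.size());
        return _hash;
    }
    unsigned computedHash() const {         // fast path: assumes cache is filled
        assert(_hash);                      // the assertion from the report
        return _hash;
    }
    // Sentinel factory: hash is filled in before the rep is ever shared.
    static Rep sentinel(const std::string& d) { Rep r(d); r.hash(); return r; }
};

// Shared zero-length sentinels, playing the role of Rep::null and Rep::empty.
static Rep nullRep = Rep::sentinel("");
static Rep emptyRep = Rep::sentinel("");

// The constructor-time self-check suggested in Comment 8: the stored sentinel
// hashes must equal a fresh computation over the empty string.
inline bool sentinelHashesConsistent() {
    unsigned expected = hashChars("", 0);
    return nullRep._hash == expected && emptyRep._hash == expected;
}
// O(1) emptiness test from the review, versus strlen(c) which walks the string.
inline bool isEmptyCString(const char* c) { return !c[0]; }
} // namespace model
```

A rep built with the ordinary constructor still has `_hash == 0`, which is exactly the state in which `computedHash()` trips; only the sentinel factory path is safe to hand to the hot lookup.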