WebKit Bugzilla
Bug 19767 - REGRESSION: Crash in sort() when visiting http://www.onnyturf.com/subway/
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=19767
Reported by Anders Carlsson, 2008-06-25 09:00:56 PDT
When I go to that page I get:

ASSERTION FAILED: i < size()
(./wtf/Vector.h:437 T& WTF::Vector<T, inlineCapacity>::at(size_t) [with T = KJS::AVLTreeNodeForArrayCompare, long unsigned int inlineCapacity = 0ul])

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xbbadbeef
0x006ad3d1 in WTF::Vector<KJS::AVLTreeNodeForArrayCompare, 0ul>::at (this=0xbfffca74, i=2147483647) at Vector.h:437
437 ASSERT(i < size());
(gdb) bt
#0 0x006ad3d1 in WTF::Vector<KJS::AVLTreeNodeForArrayCompare, 0ul>::at (this=0xbfffca74, i=2147483647) at Vector.h:437
#1 0x006ad414 in WTF::Vector<KJS::AVLTreeNodeForArrayCompare, 0ul>::operator[] (this=0xbfffca74, i=2147483647) at Vector.h:446
#2 0x006ad5be in KJS::AVLTreeAbstractorForArrayCompare::set_balance_factor (this=0xbfffca74, h=2147483647, bf=1) at JSArray.cpp:581
#3 0x006ad611 in KJS::AVLTree<KJS::AVLTreeAbstractorForArrayCompare, 44u, KJS::AVLTreeDefaultBSet<44u> >::set_bf (this=0xbfffca74, h=2147483647, bf=1) at AVLTree.h:479
#4 0x006da0c0 in KJS::AVLTree<KJS::AVLTreeAbstractorForArrayCompare, 44u, KJS::AVLTreeDefaultBSet<44u> >::insert (this=0xbfffca74, h=251) at AVLTree.h:662
#5 0x0067a0b4 in KJS::JSArray::sort (this=0x182f5980, exec=0xbfffdabc, compareFunction=0x182f5940) at JSArray.cpp:651
#6 0x0067a738 in KJS::arrayProtoFuncSort (exec=0xbfffdabc, thisObj=0x182f5980, args=@0xbfffcc9c) at ArrayPrototype.cpp:384
#7 0x006555ba in KJS::PrototypeFunction::callAsFunction (this=0x182f59a0, exec=0xbfffdabc, thisObj=0x182f5980, args=@0xbfffcc9c) at JSFunction.cpp:731
#8 0x006f409d in KJS::Machine::privateExecute (this=0x344c5c0, flag=KJS::Machine::Normal, exec=0xbfffdabc, registerFile=0x18708400, r=0x16dc8f1c, scopeChain=0x18708420, codeBlock=0x16dc8bf0, exception=0xbfffdb48) at /Volumes/Shared/WebKit/OpenSource/JavaScriptCore/VM/Machine.cpp:2122
#9 0x006f611f in KJS::Machine::execute (this=0x344c5c0, programNode=0x18758810, exec=0x18705a50, scopeChain=0x18708420, thisObj=0x182f0000, registerFileStack=0x34eb2e8, exception=0xbfffdb48) at /Volumes/Shared/WebKit/OpenSource/JavaScriptCore/VM/Machine.cpp:669
#10 0x0069bfbe in KJS::Interpreter::evaluate (exec=0x18705a50, scopeChain=@0x34eb308, sourceURL=@0xbfffdbe4, startingLineNumber=1, source=@0xbfffdbdc, thisValue=0x182f0000) at interpreter.cpp:82
#11 0x014c4f00 in WebCore::ScriptController::evaluate (this=0x38804c0, filename=@0xbfffde08, baseLine=1, str=@0xbfffde88) at /Volumes/Shared/WebKit/OpenSource/WebCore/bindings/js/ScriptController.cpp:90
#12 0x01007767 in WebCore::FrameLoader::executeScript (this=0x3880224, url=@0xbfffde08, baseLine=1, script=@0xbfffde88) at /Volumes/Shared/WebKit/OpenSource/WebCore/loader/FrameLoader.cpp:783
#13 0x01098e16 in WebCore::HTMLTokenizer::scriptExecution (this=0x393fc00, str=@0xbfffde88, state={static EntityShift = 4, m_bits = 0}, scriptURL=@0xbfffdf28, baseLine=1) at /Volumes/Shared/WebKit/OpenSource/WebCore/html/HTMLTokenizer.cpp:543
#14 0x0109a4d9 in WebCore::HTMLTokenizer::scriptHandler (this=0x393fc00, state={static EntityShift = 4, m_bits = 0}) at /Volumes/Shared/WebKit/OpenSource/WebCore/html/HTMLTokenizer.cpp:483
#15 0x0109ab2a in WebCore::HTMLTokenizer::parseSpecial (this=0x393fc00, src=@0x3940550, state={static EntityShift = 4, m_bits = 128}) at /Volumes/Shared/WebKit/OpenSource/WebCore/html/HTMLTokenizer.cpp:331
#16 0x0109cb98 in WebCore::HTMLTokenizer::parseTag (this=0x393fc00, src=@0x3940550, state={static EntityShift = 4, m_bits = 128}) at /Volumes/Shared/WebKit/OpenSource/WebCore/html/HTMLTokenizer.cpp:1497
#17 0x0109d545 in WebCore::HTMLTokenizer::write (this=0x393fc00, str=@0xbfffe234, appendData=true) at /Volumes/Shared/WebKit/OpenSource/WebCore/html/HTMLTokenizer.cpp:1732
#18 0x00ffeeb1 in WebCore::FrameLoader::write (this=0x3880224, str=0x0, len=0, flush=true) at /Volumes/Shared/WebKit/OpenSource/WebCore/loader/FrameLoader.cpp:1025
#19 0x01006c39 in WebCore::FrameLoader::endIfNotLoadingMainResource (this=0x3880224) at /Volumes/Shared/WebKit/OpenSource/WebCore/loader/FrameLoader.cpp:1061
#20 0x01006c83 in WebCore::FrameLoader::end (this=0x3880224) at /Volumes/Shared/WebKit/OpenSource/WebCore/loader/FrameLoader.cpp:1046
#21 0x00f88410 in WebCore::DocumentLoader::finishedLoading (this=0x3935000) at /Volumes/Shared/WebKit/OpenSource/WebCore/loader/DocumentLoader.cpp:343
#22 0x01001ca8 in WebCore::FrameLoader::finishedLoading (this=0x3880224) at /Volumes/Shared/WebKit/OpenSource/WebCore/loader/FrameLoader.cpp:2899
#23 0x0120029d in WebCore::MainResourceLoader::didFinishLoading (this=0x3936800) at /Volumes/Shared/WebKit/OpenSource/WebCore/loader/MainResourceLoader.cpp:320
#24 0x0130dde8 in WebCore::ResourceLoader::didFinishLoading (this=0x3936800) at /Volumes/Shared/WebKit/OpenSource/WebCore/loader/ResourceLoader.cpp:389
#25 0x0130b54d in -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] (self=0x16de1070, _cmd=0x945135c4, con=0x16de1eb0) at /Volumes/Shared/WebKit/OpenSource/WebCore/platform/network/mac/ResourceHandleMac.mm:521
#26 0x965133f7 in -[NSURLConnection(NSURLConnectionReallyInternal) sendDidFinishLoading] ()
#27 0x96513363 in _NSURLConnectionDidFinishLoading ()
#28 0x96abcd57 in sendDidFinishLoadingCallback ()
#29 0x96ab9e4a in _CFURLConnectionSendCallbacks ()
#30 0x96ab95e7 in muxerSourcePerform ()
#31 0x947ee60e in CFRunLoopRunSpecific ()
#32 0x947eecf8 in CFRunLoopRunInMode ()
#33 0x90805da4 in RunCurrentEventLoopInMode ()
#34 0x90805af6 in ReceiveNextEventCommon ()
#35 0x90805a31 in BlockUntilNextEventMatchingListInMode ()
#36 0x952e4505 in _DPSNextEvent ()
#37 0x952e3db8 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#38 0x00026172 in -[BrowserApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (self=0x341cb40, _cmd=0x944c6be0, mask=4294967295, expiration=0x3416420, mode=0xa0644b40, dequeue=1 '\001') at /Volumes/Shared/WebKit/Internal/Safari/mac/BrowserApplication.m:183
#39 0x952dcdf3 in -[NSApplication run] ()
#40 0x952aa030 in NSApplicationMain ()
Attachments

Reduction (6.87 KB, text/html), 2008-06-25 09:01 PDT, Anders Carlsson, no flags
further reduction (1.60 KB, text/html), 2008-06-26 05:29 PDT, Alexey Proskuryakov, no flags
proposed fix (6.34 KB, patch), 2008-06-26 11:06 PDT, Alexey Proskuryakov, darin: review+
Comment 1, Anders Carlsson, 2008-06-25 09:01:55 PDT

Created attachment 21932 [details]: Reduction

Here's a reduction
Comment 2, Alexey Proskuryakov, 2008-06-25 09:35:20 PDT
The reduction crashes in release build.
Comment 3, Alexey Proskuryakov, 2008-06-26 05:29:01 PDT

Created attachment 21944 [details]: further reduction

So, it's just the data set that makes the algorithm go crazy, not a tricky compare function.
Comment 4, Alexey Proskuryakov, 2008-06-26 05:36:23 PDT

Comment on attachment 21932 [details]: Reduction

Actually, the crash happens at a different place, so let's not mark this version obsolete yet.
Comment 5, Alexey Proskuryakov, 2008-06-26 11:06:45 PDT

Created attachment 21954 [details]: proposed fix
Comment 6, Darin Adler, 2008-06-26 11:33:23 PDT

Comment on attachment 21954 [details]: proposed fix

r=me
Comment 7, Alexey Proskuryakov, 2008-06-26 11:38:08 PDT
Committed revision 34809.