RESOLVED FIXED 19767
REGRESSION: Crash in sort() when visiting http://www.onnyturf.com/subway/
https://bugs.webkit.org/show_bug.cgi?id=19767
Anders Carlsson
Reported 2008-06-25 09:00:56 PDT
When I go to that page I get

ASSERTION FAILED: i < size()
(./wtf/Vector.h:437 T& WTF::Vector<T, inlineCapacity>::at(size_t) [with T = KJS::AVLTreeNodeForArrayCompare, long unsigned int inlineCapacity = 0ul])

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xbbadbeef
0x006ad3d1 in WTF::Vector<KJS::AVLTreeNodeForArrayCompare, 0ul>::at (this=0xbfffca74, i=2147483647) at Vector.h:437
437	    ASSERT(i < size());
(gdb) bt
#0  0x006ad3d1 in WTF::Vector<KJS::AVLTreeNodeForArrayCompare, 0ul>::at (this=0xbfffca74, i=2147483647) at Vector.h:437
#1  0x006ad414 in WTF::Vector<KJS::AVLTreeNodeForArrayCompare, 0ul>::operator[] (this=0xbfffca74, i=2147483647) at Vector.h:446
#2  0x006ad5be in KJS::AVLTreeAbstractorForArrayCompare::set_balance_factor (this=0xbfffca74, h=2147483647, bf=1) at JSArray.cpp:581
#3  0x006ad611 in KJS::AVLTree<KJS::AVLTreeAbstractorForArrayCompare, 44u, KJS::AVLTreeDefaultBSet<44u> >::set_bf (this=0xbfffca74, h=2147483647, bf=1) at AVLTree.h:479
#4  0x006da0c0 in KJS::AVLTree<KJS::AVLTreeAbstractorForArrayCompare, 44u, KJS::AVLTreeDefaultBSet<44u> >::insert (this=0xbfffca74, h=251) at AVLTree.h:662
#5  0x0067a0b4 in KJS::JSArray::sort (this=0x182f5980, exec=0xbfffdabc, compareFunction=0x182f5940) at JSArray.cpp:651
#6  0x0067a738 in KJS::arrayProtoFuncSort (exec=0xbfffdabc, thisObj=0x182f5980, args=@0xbfffcc9c) at ArrayPrototype.cpp:384
#7  0x006555ba in KJS::PrototypeFunction::callAsFunction (this=0x182f59a0, exec=0xbfffdabc, thisObj=0x182f5980, args=@0xbfffcc9c) at JSFunction.cpp:731
#8  0x006f409d in KJS::Machine::privateExecute (this=0x344c5c0, flag=KJS::Machine::Normal, exec=0xbfffdabc, registerFile=0x18708400, r=0x16dc8f1c, scopeChain=0x18708420, codeBlock=0x16dc8bf0, exception=0xbfffdb48) at /Volumes/Shared/WebKit/OpenSource/JavaScriptCore/VM/Machine.cpp:2122
#9  0x006f611f in KJS::Machine::execute (this=0x344c5c0, programNode=0x18758810, exec=0x18705a50, scopeChain=0x18708420, thisObj=0x182f0000, registerFileStack=0x34eb2e8, exception=0xbfffdb48) at /Volumes/Shared/WebKit/OpenSource/JavaScriptCore/VM/Machine.cpp:669
#10 0x0069bfbe in KJS::Interpreter::evaluate (exec=0x18705a50, scopeChain=@0x34eb308, sourceURL=@0xbfffdbe4, startingLineNumber=1, source=@0xbfffdbdc, thisValue=0x182f0000) at interpreter.cpp:82
#11 0x014c4f00 in WebCore::ScriptController::evaluate (this=0x38804c0, filename=@0xbfffde08, baseLine=1, str=@0xbfffde88) at /Volumes/Shared/WebKit/OpenSource/WebCore/bindings/js/ScriptController.cpp:90
#12 0x01007767 in WebCore::FrameLoader::executeScript (this=0x3880224, url=@0xbfffde08, baseLine=1, script=@0xbfffde88) at /Volumes/Shared/WebKit/OpenSource/WebCore/loader/FrameLoader.cpp:783
#13 0x01098e16 in WebCore::HTMLTokenizer::scriptExecution (this=0x393fc00, str=@0xbfffde88, state={static EntityShift = 4, m_bits = 0}, scriptURL=@0xbfffdf28, baseLine=1) at /Volumes/Shared/WebKit/OpenSource/WebCore/html/HTMLTokenizer.cpp:543
#14 0x0109a4d9 in WebCore::HTMLTokenizer::scriptHandler (this=0x393fc00, state={static EntityShift = 4, m_bits = 0}) at /Volumes/Shared/WebKit/OpenSource/WebCore/html/HTMLTokenizer.cpp:483
#15 0x0109ab2a in WebCore::HTMLTokenizer::parseSpecial (this=0x393fc00, src=@0x3940550, state={static EntityShift = 4, m_bits = 128}) at /Volumes/Shared/WebKit/OpenSource/WebCore/html/HTMLTokenizer.cpp:331
#16 0x0109cb98 in WebCore::HTMLTokenizer::parseTag (this=0x393fc00, src=@0x3940550, state={static EntityShift = 4, m_bits = 128}) at /Volumes/Shared/WebKit/OpenSource/WebCore/html/HTMLTokenizer.cpp:1497
#17 0x0109d545 in WebCore::HTMLTokenizer::write (this=0x393fc00, str=@0xbfffe234, appendData=true) at /Volumes/Shared/WebKit/OpenSource/WebCore/html/HTMLTokenizer.cpp:1732
#18 0x00ffeeb1 in WebCore::FrameLoader::write (this=0x3880224, str=0x0, len=0, flush=true) at /Volumes/Shared/WebKit/OpenSource/WebCore/loader/FrameLoader.cpp:1025
#19 0x01006c39 in WebCore::FrameLoader::endIfNotLoadingMainResource (this=0x3880224) at /Volumes/Shared/WebKit/OpenSource/WebCore/loader/FrameLoader.cpp:1061
#20 0x01006c83 in WebCore::FrameLoader::end (this=0x3880224) at /Volumes/Shared/WebKit/OpenSource/WebCore/loader/FrameLoader.cpp:1046
#21 0x00f88410 in WebCore::DocumentLoader::finishedLoading (this=0x3935000) at /Volumes/Shared/WebKit/OpenSource/WebCore/loader/DocumentLoader.cpp:343
#22 0x01001ca8 in WebCore::FrameLoader::finishedLoading (this=0x3880224) at /Volumes/Shared/WebKit/OpenSource/WebCore/loader/FrameLoader.cpp:2899
#23 0x0120029d in WebCore::MainResourceLoader::didFinishLoading (this=0x3936800) at /Volumes/Shared/WebKit/OpenSource/WebCore/loader/MainResourceLoader.cpp:320
#24 0x0130dde8 in WebCore::ResourceLoader::didFinishLoading (this=0x3936800) at /Volumes/Shared/WebKit/OpenSource/WebCore/loader/ResourceLoader.cpp:389
#25 0x0130b54d in -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] (self=0x16de1070, _cmd=0x945135c4, con=0x16de1eb0) at /Volumes/Shared/WebKit/OpenSource/WebCore/platform/network/mac/ResourceHandleMac.mm:521
#26 0x965133f7 in -[NSURLConnection(NSURLConnectionReallyInternal) sendDidFinishLoading] ()
#27 0x96513363 in _NSURLConnectionDidFinishLoading ()
#28 0x96abcd57 in sendDidFinishLoadingCallback ()
#29 0x96ab9e4a in _CFURLConnectionSendCallbacks ()
#30 0x96ab95e7 in muxerSourcePerform ()
#31 0x947ee60e in CFRunLoopRunSpecific ()
#32 0x947eecf8 in CFRunLoopRunInMode ()
#33 0x90805da4 in RunCurrentEventLoopInMode ()
#34 0x90805af6 in ReceiveNextEventCommon ()
#35 0x90805a31 in BlockUntilNextEventMatchingListInMode ()
#36 0x952e4505 in _DPSNextEvent ()
#37 0x952e3db8 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#38 0x00026172 in -[BrowserApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (self=0x341cb40, _cmd=0x944c6be0, mask=4294967295, expiration=0x3416420, mode=0xa0644b40, dequeue=1 '\001') at /Volumes/Shared/WebKit/Internal/Safari/mac/BrowserApplication.m:183
#39 0x952dcdf3 in -[NSApplication run] ()
#40 0x952aa030 in NSApplicationMain ()
Attachments
Reduction (6.87 KB, text/html)
2008-06-25 09:01 PDT, Anders Carlsson
no flags
further reduction (1.60 KB, text/html)
2008-06-26 05:29 PDT, Alexey Proskuryakov
no flags
proposed fix (6.34 KB, patch)
2008-06-26 11:06 PDT, Alexey Proskuryakov
darin: review+
Anders Carlsson
Comment 1 2008-06-25 09:01:55 PDT
Created attachment 21932 [details]
Reduction

Here's a reduction.
Alexey Proskuryakov
Comment 2 2008-06-25 09:35:20 PDT
The reduction crashes in release build.
Alexey Proskuryakov
Comment 3 2008-06-26 05:29:01 PDT
Created attachment 21944 [details]
further reduction

So, it's just the data set that makes the algorithm go crazy, not a tricky compare function.
Alexey Proskuryakov
Comment 4 2008-06-26 05:36:23 PDT
Comment on attachment 21932 [details]
Reduction

Actually, the crash happens at a different place, so let's not mark this version obsolete yet.
Alexey Proskuryakov
Comment 5 2008-06-26 11:06:45 PDT
Created attachment 21954 [details] proposed fix
Darin Adler
Comment 6 2008-06-26 11:33:23 PDT
Comment on attachment 21954 [details]
proposed fix

r=me
Alexey Proskuryakov
Comment 7 2008-06-26 11:38:08 PDT
Committed revision 34809.