Bug 19767 - REGRESSION: Crash in sort() when visiting http://www.onnyturf.com/subway/
Summary: REGRESSION: Crash in sort() when visiting http://www.onnyturf.com/subway/
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Mac OS X 10.5
Importance: P1 Normal
Assignee: Alexey Proskuryakov
URL:
Keywords: Regression
Depends on:
Blocks:
 
Reported: 2008-06-25 09:00 PDT by Anders Carlsson
Modified: 2008-06-26 11:38 PDT

See Also:


Attachments
Reduction (6.87 KB, text/html), 2008-06-25 09:01 PDT, Anders Carlsson, no flags
further reduction (1.60 KB, text/html), 2008-06-26 05:29 PDT, Alexey Proskuryakov, no flags
proposed fix (6.34 KB, patch), 2008-06-26 11:06 PDT, Alexey Proskuryakov, darin: review+

Description Anders Carlsson 2008-06-25 09:00:56 PDT
When I go to that page I get

ASSERTION FAILED: i < size()
(./wtf/Vector.h:437 T& WTF::Vector<T, inlineCapacity>::at(size_t) [with T = KJS::AVLTreeNodeForArrayCompare, long unsigned int inlineCapacity = 0ul])

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xbbadbeef
0x006ad3d1 in WTF::Vector<KJS::AVLTreeNodeForArrayCompare, 0ul>::at (this=0xbfffca74, i=2147483647) at Vector.h:437
437	            ASSERT(i < size());

(gdb) bt
#0  0x006ad3d1 in WTF::Vector<KJS::AVLTreeNodeForArrayCompare, 0ul>::at (this=0xbfffca74, i=2147483647) at Vector.h:437
#1  0x006ad414 in WTF::Vector<KJS::AVLTreeNodeForArrayCompare, 0ul>::operator[] (this=0xbfffca74, i=2147483647) at Vector.h:446
#2  0x006ad5be in KJS::AVLTreeAbstractorForArrayCompare::set_balance_factor (this=0xbfffca74, h=2147483647, bf=1) at JSArray.cpp:581
#3  0x006ad611 in KJS::AVLTree<KJS::AVLTreeAbstractorForArrayCompare, 44u, KJS::AVLTreeDefaultBSet<44u> >::set_bf (this=0xbfffca74, h=2147483647, bf=1) at AVLTree.h:479
#4  0x006da0c0 in KJS::AVLTree<KJS::AVLTreeAbstractorForArrayCompare, 44u, KJS::AVLTreeDefaultBSet<44u> >::insert (this=0xbfffca74, h=251) at AVLTree.h:662
#5  0x0067a0b4 in KJS::JSArray::sort (this=0x182f5980, exec=0xbfffdabc, compareFunction=0x182f5940) at JSArray.cpp:651
#6  0x0067a738 in KJS::arrayProtoFuncSort (exec=0xbfffdabc, thisObj=0x182f5980, args=@0xbfffcc9c) at ArrayPrototype.cpp:384
#7  0x006555ba in KJS::PrototypeFunction::callAsFunction (this=0x182f59a0, exec=0xbfffdabc, thisObj=0x182f5980, args=@0xbfffcc9c) at JSFunction.cpp:731
#8  0x006f409d in KJS::Machine::privateExecute (this=0x344c5c0, flag=KJS::Machine::Normal, exec=0xbfffdabc, registerFile=0x18708400, r=0x16dc8f1c, scopeChain=0x18708420, codeBlock=0x16dc8bf0, exception=0xbfffdb48) at /Volumes/Shared/WebKit/OpenSource/JavaScriptCore/VM/Machine.cpp:2122
#9  0x006f611f in KJS::Machine::execute (this=0x344c5c0, programNode=0x18758810, exec=0x18705a50, scopeChain=0x18708420, thisObj=0x182f0000, registerFileStack=0x34eb2e8, exception=0xbfffdb48) at /Volumes/Shared/WebKit/OpenSource/JavaScriptCore/VM/Machine.cpp:669
#10 0x0069bfbe in KJS::Interpreter::evaluate (exec=0x18705a50, scopeChain=@0x34eb308, sourceURL=@0xbfffdbe4, startingLineNumber=1, source=@0xbfffdbdc, thisValue=0x182f0000) at interpreter.cpp:82
#11 0x014c4f00 in WebCore::ScriptController::evaluate (this=0x38804c0, filename=@0xbfffde08, baseLine=1, str=@0xbfffde88) at /Volumes/Shared/WebKit/OpenSource/WebCore/bindings/js/ScriptController.cpp:90
#12 0x01007767 in WebCore::FrameLoader::executeScript (this=0x3880224, url=@0xbfffde08, baseLine=1, script=@0xbfffde88) at /Volumes/Shared/WebKit/OpenSource/WebCore/loader/FrameLoader.cpp:783
#13 0x01098e16 in WebCore::HTMLTokenizer::scriptExecution (this=0x393fc00, str=@0xbfffde88, state={static EntityShift = 4, m_bits = 0}, scriptURL=@0xbfffdf28, baseLine=1) at /Volumes/Shared/WebKit/OpenSource/WebCore/html/HTMLTokenizer.cpp:543
#14 0x0109a4d9 in WebCore::HTMLTokenizer::scriptHandler (this=0x393fc00, state={static EntityShift = 4, m_bits = 0}) at /Volumes/Shared/WebKit/OpenSource/WebCore/html/HTMLTokenizer.cpp:483
#15 0x0109ab2a in WebCore::HTMLTokenizer::parseSpecial (this=0x393fc00, src=@0x3940550, state={static EntityShift = 4, m_bits = 128}) at /Volumes/Shared/WebKit/OpenSource/WebCore/html/HTMLTokenizer.cpp:331
#16 0x0109cb98 in WebCore::HTMLTokenizer::parseTag (this=0x393fc00, src=@0x3940550, state={static EntityShift = 4, m_bits = 128}) at /Volumes/Shared/WebKit/OpenSource/WebCore/html/HTMLTokenizer.cpp:1497
#17 0x0109d545 in WebCore::HTMLTokenizer::write (this=0x393fc00, str=@0xbfffe234, appendData=true) at /Volumes/Shared/WebKit/OpenSource/WebCore/html/HTMLTokenizer.cpp:1732
#18 0x00ffeeb1 in WebCore::FrameLoader::write (this=0x3880224, str=0x0, len=0, flush=true) at /Volumes/Shared/WebKit/OpenSource/WebCore/loader/FrameLoader.cpp:1025
#19 0x01006c39 in WebCore::FrameLoader::endIfNotLoadingMainResource (this=0x3880224) at /Volumes/Shared/WebKit/OpenSource/WebCore/loader/FrameLoader.cpp:1061
#20 0x01006c83 in WebCore::FrameLoader::end (this=0x3880224) at /Volumes/Shared/WebKit/OpenSource/WebCore/loader/FrameLoader.cpp:1046
#21 0x00f88410 in WebCore::DocumentLoader::finishedLoading (this=0x3935000) at /Volumes/Shared/WebKit/OpenSource/WebCore/loader/DocumentLoader.cpp:343
#22 0x01001ca8 in WebCore::FrameLoader::finishedLoading (this=0x3880224) at /Volumes/Shared/WebKit/OpenSource/WebCore/loader/FrameLoader.cpp:2899
#23 0x0120029d in WebCore::MainResourceLoader::didFinishLoading (this=0x3936800) at /Volumes/Shared/WebKit/OpenSource/WebCore/loader/MainResourceLoader.cpp:320
#24 0x0130dde8 in WebCore::ResourceLoader::didFinishLoading (this=0x3936800) at /Volumes/Shared/WebKit/OpenSource/WebCore/loader/ResourceLoader.cpp:389
#25 0x0130b54d in -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] (self=0x16de1070, _cmd=0x945135c4, con=0x16de1eb0) at /Volumes/Shared/WebKit/OpenSource/WebCore/platform/network/mac/ResourceHandleMac.mm:521
#26 0x965133f7 in -[NSURLConnection(NSURLConnectionReallyInternal) sendDidFinishLoading] ()
#27 0x96513363 in _NSURLConnectionDidFinishLoading ()
#28 0x96abcd57 in sendDidFinishLoadingCallback ()
#29 0x96ab9e4a in _CFURLConnectionSendCallbacks ()
#30 0x96ab95e7 in muxerSourcePerform ()
#31 0x947ee60e in CFRunLoopRunSpecific ()
#32 0x947eecf8 in CFRunLoopRunInMode ()
#33 0x90805da4 in RunCurrentEventLoopInMode ()
#34 0x90805af6 in ReceiveNextEventCommon ()
#35 0x90805a31 in BlockUntilNextEventMatchingListInMode ()
#36 0x952e4505 in _DPSNextEvent ()
#37 0x952e3db8 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#38 0x00026172 in -[BrowserApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (self=0x341cb40, _cmd=0x944c6be0, mask=4294967295, expiration=0x3416420, mode=0xa0644b40, dequeue=1 '\001') at /Volumes/Shared/WebKit/Internal/Safari/mac/BrowserApplication.m:183
#39 0x952dcdf3 in -[NSApplication run] ()
#40 0x952aa030 in NSApplicationMain ()
Comment 1 Anders Carlsson 2008-06-25 09:01:55 PDT
Created attachment 21932 [details]
Reduction

Here's a reduction
Comment 2 Alexey Proskuryakov 2008-06-25 09:35:20 PDT
The reduction crashes in release build.
Comment 3 Alexey Proskuryakov 2008-06-26 05:29:01 PDT
Created attachment 21944 [details]
further reduction

So, it's just the data set that makes the algorithm go crazy, not a tricky compare function.
Comment 4 Alexey Proskuryakov 2008-06-26 05:36:23 PDT
Comment on attachment 21932 [details]
Reduction

Actually, the crash happens at a different place, so let's not mark this version obsolete yet.
Comment 5 Alexey Proskuryakov 2008-06-26 11:06:45 PDT
Created attachment 21954 [details]
proposed fix
Comment 6 Darin Adler 2008-06-26 11:33:23 PDT
Comment on attachment 21954 [details]
proposed fix

r=me
Comment 7 Alexey Proskuryakov 2008-06-26 11:38:08 PDT
Committed revision 34809.