RESOLVED FIXED 20330
JSCore crash loading any filehurricane media page 
https://bugs.webkit.org/show_bug.cgi?id=20330
Summary JSCore crash loading any filehurricane media page
Matt Lilek
Reported 2008-08-08 07:58:57 PDT
Loading any media page on <http://www.filehurricane.com/> (load the URL and click any item on the homepage) hits an ASSERT coming from <http://trac.webkit.org/browser/trunk/JavaScriptCore/VM/Machine.cpp?rev=35640#L2781> ASSERTION FAILED: i < size() (./wtf/Vector.h:439 T& WTF::Vector<T, inlineCapacity>::at(size_t) [with T = KJS::JSValue*, long unsigned int inlineCapacity = 0ul]) Thread 0 Crashed: 0 com.apple.JavaScriptCore 0x004fe4bf WTF::Vector<KJS::JSValue*, 0ul>::at(unsigned long) + 81 (Vector.h:439) 1 com.apple.JavaScriptCore 0x004fe4fc WTF::Vector<KJS::JSValue*, 0ul>::operator[](unsigned long) + 24 (Vector.h:448) 2 com.apple.JavaScriptCore 0x004faab2 KJS::Machine::privateExecute(KJS::Machine::ExecutionFlag, KJS::ExecState*, KJS::RegisterFile*, KJS::Register*, KJS::ScopeChainNode*, KJS::CodeBlock*, KJS::JSValue**) + 34414 (Machine.cpp:2781) 3 com.apple.JavaScriptCore 0x004fbf22 KJS::Machine::execute(KJS::ProgramNode*, KJS::ExecState*, KJS::ScopeChainNode*, KJS::JSObject*, KJS::JSValue**) + 698 (Machine.cpp:785) 4 com.apple.JavaScriptCore 0x00494bd9 KJS::Interpreter::evaluate(KJS::ExecState*, KJS::ScopeChain&, KJS::UString const&, int, WTF::PassRefPtr<KJS::SourceProvider>, KJS::JSValue*) + 409 (interpreter.cpp:78) 5 com.apple.WebCore 0x037f22a7 WebCore::ScriptController::evaluate(WebCore::String const&, int, WebCore::String const&) + 249 (ScriptController.cpp:112) 6 com.apple.WebCore 0x03383903 WebCore::FrameLoader::executeScript(WebCore::String const&, int, WebCore::String const&) + 153 (FrameLoader.cpp:787) 7 com.apple.WebCore 0x03415476 WebCore::HTMLTokenizer::scriptExecution(WebCore::String const&, WebCore::HTMLTokenizer::State, WebCore::String const&, int) + 300 (HTMLTokenizer.cpp:547) 8 com.apple.WebCore 0x034158c4 WebCore::HTMLTokenizer::notifyFinished(WebCore::CachedResource*) + 600 (HTMLTokenizer.cpp:1994) 9 com.apple.WebCore 0x031c7088 WebCore::CachedScript::checkNotify() + 68 (CachedScript.cpp:92) 10 com.apple.WebCore 0x031c71e9 WebCore::CachedScript::data(WTF::PassRefPtr<WebCore::SharedBuffer>, bool) + 279 (CachedScript.cpp:84)
Attachments
Reduction (2.40 KB, text/html)
2008-08-08 19:56 PDT, Cameron Zwarich (cpst) 		no flags
Details
Further reduction (259 bytes, text/html)
2008-08-08 20:21 PDT, Cameron Zwarich (cpst) 		no flags
Details
Proposed patch (1.95 KB, patch)
2008-08-08 20:38 PDT, Cameron Zwarich (cpst) 		oliver: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Cameron Zwarich (cpst)
Comment 1 2008-08-08 08:54:48 PDT
That's not good. I'll assign this to myself.
Matt Lilek
Comment 2 2008-08-08 16:01:44 PDT
1) This doesn't actually crash in a release build (r35641 nightly). 2) I've narrowed it down to the file <http://filehurricane.com/ScriptResource.axd?d=Jk6eFL2oyqXuZsKToyn_TnFngeTB5WBWbchvVHNKADewHLoypStd1H_VInlzL52wsLdiUZDyfvhggbm_oCgaqtGEuqd422VOX7p4jbTGbYo1&amp;t=633449716710937500> - though it's 7500 lines entangled fun.
Cameron Zwarich (cpst)
Comment 3 2008-08-08 19:56:32 PDT
Created attachment 22717 [details] Reduction Here's a reduction. I'll try to make one that crashes on the console as well, but this is good for a start.
Cameron Zwarich (cpst)
Comment 4 2008-08-08 20:21:17 PDT
Created attachment 22718 [details] Further reduction This one also works with the JS shell.
Cameron Zwarich (cpst)
Comment 5 2008-08-08 20:38:36 PDT
Created attachment 22719 [details] Proposed patch
Oliver Hunt
Comment 6 2008-08-08 20:40:09 PDT
Comment on attachment 22719 [details] Proposed patch r=me, assuming you include the testcase as a layout test
Cameron Zwarich (cpst)
Comment 7 2008-08-08 20:57:10 PDT
Landed in r35651.
Note You need to log in before you can comment on or make changes to this bug.