WebKit Bugzilla
Bug 20516 - RESOLVED FIXED
REGRESSION (r35918): Safari crashes when trying to use "Filter messages like these"
https://bugs.webkit.org/show_bug.cgi?id=20516
Ismail Donmez, Reported 2008-08-25 15:35:41 PDT

Select a message, click "Filter messages like these" from the actions dropdown box and Safari crashes, a recent regression on ToT. The backtrace is:

Thread 0 Crashed:
0 com.apple.JavaScriptCore 0x00425e12 KJS::Machine::retrieveArguments(KJS::ExecState*, KJS::JSFunction*) const + 34 (Machine.cpp:2975)
1 com.apple.JavaScriptCore 0x0042d69e KJS::Machine::privateExecute(KJS::Machine::ExecutionFlag, KJS::ExecState*, KJS::RegisterFile*, KJS::Register*, KJS::ScopeChainNode*, KJS::CodeBlock*, KJS::JSValue**) + 24830 (PropertySlot.h:60)
2 com.apple.JavaScriptCore 0x00431942 KJS::Machine::execute(KJS::ProgramNode*, KJS::ExecState*, KJS::ScopeChainNode*, KJS::JSObject*, KJS::JSValue**) + 450 (Machine.cpp:791)
3 com.apple.JavaScriptCore 0x003fded1 KJS::Interpreter::evaluate(KJS::ExecState*, KJS::ScopeChain&, KJS::UString const&, int, WTF::PassRefPtr<KJS::SourceProvider>, KJS::JSValue*) + 289 (interpreter.cpp:85)
4 com.apple.WebCore 0x01724d26 WebCore::ScriptController::evaluate(WebCore::String const&, int, WebCore::String const&) + 230 (ScriptController.cpp:115)
5 com.apple.WebCore 0x01386959 WebCore::FrameLoader::executeScript(WebCore::String const&, int, WebCore::String const&) + 121 (FrameLoader.cpp:792)
6 com.apple.WebCore 0x013f1674 WebCore::HTMLTokenizer::scriptExecution(WebCore::String const&, WebCore::HTMLTokenizer::State, WebCore::String const&, int) + 244 (HTMLTokenizer.h:321)
7 com.apple.WebCore 0x013f53e3 WebCore::HTMLTokenizer::scriptHandler(WebCore::HTMLTokenizer::State) + 3459 (HTMLTokenizer.cpp:498)
8 com.apple.WebCore 0x013f70e1 WebCore::HTMLTokenizer::parseSpecial(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 2369 (HTMLTokenizer.cpp:344)
9 com.apple.WebCore 0x013f9cce WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 8798 (HTMLTokenizer.cpp:1566)
10 com.apple.WebCore 0x013fa94a WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 1162 (HTMLTokenizer.cpp:1747)
11 com.apple.WebCore 0x01374c28 WebCore::FrameLoader::write(char const*, int, bool) + 424 (Deque.h:335)
12 com.apple.WebCore 0x013750c7 WebCore::FrameLoader::addData(char const*, int) + 39 (FrameLoader.cpp:1867)
13 com.apple.WebKit 0x001bf069 -[WebFrame(WebInternal) _receivedData:textEncodingName:] + 137 (RefPtr.h:50)
14 com.apple.WebKit 0x001cc748 -[WebHTMLRepresentation receivedData:withDataSource:] + 264 (WebHTMLRepresentation.mm:165)
15 com.apple.WebKit 0x001b2beb -[WebDataSource(WebInternal) _receivedData:] + 91 (WebDataSource.mm:220)
16 com.apple.WebKit 0x001c6ec9 WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) + 137 (WebFrameLoaderClient.mm:709)
17 com.apple.WebCore 0x01316996 WebCore::DocumentLoader::commitLoad(char const*, int) + 70 (RefPtr.h:50)
18 com.apple.WebCore 0x01620055 WebCore::ResourceLoader::didReceiveData(char const*, int, long long, bool) + 69 (ResourceLoader.cpp:255)
19 com.apple.WebCore 0x0154fc97 WebCore::MainResourceLoader::didReceiveData(char const*, int, long long, bool) + 71 (RefPtr.h:50)
20 com.apple.WebCore 0x0161fb08 WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle*, char const*, int, int) + 56 (ResourceLoader.cpp:394)
21 com.apple.Foundation 0x9073ee27 -[NSURLConnection(NSURLConnectionReallyInternal) sendDidReceiveData:originalLength:] + 119
22 com.apple.Foundation 0x9073ed71 _NSURLConnectionDidReceiveData + 177
23 com.apple.CFNetwork 0x950066df sendDidReceiveDataCallback + 518
24 com.apple.CFNetwork 0x95003c22 _CFURLConnectionSendCallbacks + 1586
25 com.apple.CFNetwork 0x95003573 muxerSourcePerform + 283
26 com.apple.CoreFoundation 0x96421615 CFRunLoopRunSpecific + 3141
27 com.apple.CoreFoundation 0x96421cf8 CFRunLoopRunInMode + 88
28 com.apple.HIToolbox 0x94967da4 RunCurrentEventLoopInMode + 283
29 com.apple.HIToolbox 0x94967bbd ReceiveNextEventCommon + 374
30 com.apple.HIToolbox 0x94967a31 BlockUntilNextEventMatchingListInMode + 106
31 com.apple.AppKit 0x922f1505 _DPSNextEvent + 657
32 com.apple.AppKit 0x922f0db8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
33 com.apple.Safari 0x00007b3e 0x1000 + 27454
34 com.apple.AppKit 0x922e9df3 -[NSApplication run] + 795
35 com.apple.AppKit 0x922b7030 NSApplicationMain + 574
36 com.apple.Safari 0x000b2776 0x1000 + 726902
Attachments
Proposed patch (2.00 KB, patch), 2008-08-26 05:42 PDT, Cameron Zwarich (cpst); kmccullough: review-
Proposed patch and layout test. (4.32 KB, patch), 2008-08-26 16:27 PDT, Kevin McCullough; zwarich: review+
Ismail Donmez, Comment 1, 2008-08-25 15:37:22 PDT

Safari<NDA> preview2 crashes with the same backtrace btw.
Cameron Zwarich (cpst), Comment 2, 2008-08-25 16:10:10 PDT

I'll assign this to myself. I'm gonna run errands for a bit, but then I should have some time to fix it. If anyone sees the problem right away, that's fine too.
Mark Rowe (bdash), Comment 3, 2008-08-25 16:35:14 PDT

<rdar://problem/6174740>
Cameron Zwarich (cpst), Comment 4, 2008-08-25 17:24:26 PDT

When I run this in a debug build, I hit an assertion

ASSERTION FAILED: m_type == CodeBlockType

here:

CodeBlock* callerCodeBlock = callFrame[RegisterFile::CallerCodeBlock].codeBlock();

This means that the callframe must have been smashed at some point.
Cameron Zwarich (cpst), Comment 5, 2008-08-25 19:15:06 PDT

This breaks between r35417 and r35531, but it is not r35455. I'll try to narrow it down.
Cameron Zwarich (cpst), Comment 6, 2008-08-26 04:21:51 PDT

This is a really strange bug. It does not exist in r35444 (or any earlier revision, at least from what I can tell by nightlies), and is introduced by r35445, where we get the following assertion:

ASSERTION FAILED: iter != end (/Users/Cameron/WebKit/JavaScriptCore/VM/Machine.cpp:1833 KJS::JSValue* KJS::Machine::privateExecute(KJS::Machine::ExecutionFlag, KJS::ExecState*, KJS::RegisterFile*, KJS::Register*, KJS::ScopeChainNode*, KJS::CodeBlock*, KJS::JSValue**))

This makes it seem fairly close to bug 20386. If I manually revert r35445 at r35811 (right before r35812, the fix for bug 20386), the bug is fixed. However, r35812 also seems to fix the bug itself, so it must have been reintroduced afterwards. I'll bisect revisions between r35812 and ToT to find the problem.
Cameron Zwarich (cpst), Comment 7, 2008-08-26 05:23:56 PDT

The revision that regresses this is r35918: http://trac.webkit.org/changeset/35918

I suspect that the change to op_call is the problem.
Cameron Zwarich (cpst), Comment 8, 2008-08-26 05:42:23 PDT

Created attachment 22999 [details]: Proposed patch

This is the correct fix, but I still need to make a layout test.
Cameron Zwarich (cpst), Comment 9, 2008-08-26 07:19:23 PDT

*** Bug 20521 has been marked as a duplicate of this bug. ***
Cameron Zwarich (cpst), Comment 10, 2008-08-26 10:27:38 PDT

I am able to reproduce this with a local copy of my old Facebook profile, but not with the new profile. The actual crash occurs in a stack walking function used to build stack traces. If I can swap out the JS file with a local version, then I should be able to modify it to see exactly where it crashes.
Kevin McCullough, Comment 11, 2008-08-26 14:36:38 PDT

Comment on attachment 22999 [details]: Proposed patch

This was a purposeful change. I have a fix for this issue and will post it once I have some layout tests.
Kevin McCullough, Comment 12, 2008-08-26 16:27:41 PDT

Created attachment 23008 [details]: Proposed patch and layout test.
Cameron Zwarich (cpst), Comment 13, 2008-08-26 16:35:34 PDT

Comment on attachment 23008 [details]: Proposed patch and layout test.

You should probably mention the Bugzilla bug in the ChangeLog as well as the Radar bug. Also, your test file has no newline at the end, and you did not include the expected test results in the diff. Other than that, r=me.
Kevin McCullough, Comment 14, 2008-08-26 16:35:37 PDT

*** Bug 20530 has been marked as a duplicate of this bug. ***
Mark Rowe (bdash), Comment 15, 2008-08-27 00:42:26 PDT

This was fixed in <http://trac.webkit.org/changeset/35940>.
Mark Rowe (bdash), Comment 16, 2008-08-27 00:42:39 PDT

*** Bug 20538 has been marked as a duplicate of this bug. ***
Darin Adler, Comment 17, 2009-01-13 17:18:38 PST

At what website?