Bug 20516 - REGRESSION (r35918): Safari crashes when trying to use "Filter messages like these"
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Mac OS X 10.5
Importance: P2 Normal
Assignee: Kevin McCullough
URL:
Keywords: InRadar, NeedsReduction, Regression
Duplicates: 20521 20530 20538
Depends on:
Blocks:
 
Reported: 2008-08-25 15:35 PDT by Ismail Donmez
Modified: 2009-01-13 17:18 PST

See Also:


Attachments
Proposed patch (2.00 KB, patch)
2008-08-26 05:42 PDT, Cameron Zwarich (cpst)
kmccullough: review-
Proposed patch and layout test. (4.32 KB, patch)
2008-08-26 16:27 PDT, Kevin McCullough
zwarich: review+

Description Ismail Donmez 2008-08-25 15:35:41 PDT
Select a message, click "Filter messages like these" from the actions dropdown box and Safari crashes; a recent regression on ToT. Backtrace is:

Thread 0 Crashed:
0   com.apple.JavaScriptCore      	0x00425e12 KJS::Machine::retrieveArguments(KJS::ExecState*, KJS::JSFunction*) const + 34 (Machine.cpp:2975)
1   com.apple.JavaScriptCore      	0x0042d69e KJS::Machine::privateExecute(KJS::Machine::ExecutionFlag, KJS::ExecState*, KJS::RegisterFile*, KJS::Register*, KJS::ScopeChainNode*, KJS::CodeBlock*, KJS::JSValue**) + 24830 (PropertySlot.h:60)
2   com.apple.JavaScriptCore      	0x00431942 KJS::Machine::execute(KJS::ProgramNode*, KJS::ExecState*, KJS::ScopeChainNode*, KJS::JSObject*, KJS::JSValue**) + 450 (Machine.cpp:791)
3   com.apple.JavaScriptCore      	0x003fded1 KJS::Interpreter::evaluate(KJS::ExecState*, KJS::ScopeChain&, KJS::UString const&, int, WTF::PassRefPtr<KJS::SourceProvider>, KJS::JSValue*) + 289 (interpreter.cpp:85)
4   com.apple.WebCore             	0x01724d26 WebCore::ScriptController::evaluate(WebCore::String const&, int, WebCore::String const&) + 230 (ScriptController.cpp:115)
5   com.apple.WebCore             	0x01386959 WebCore::FrameLoader::executeScript(WebCore::String const&, int, WebCore::String const&) + 121 (FrameLoader.cpp:792)
6   com.apple.WebCore             	0x013f1674 WebCore::HTMLTokenizer::scriptExecution(WebCore::String const&, WebCore::HTMLTokenizer::State, WebCore::String const&, int) + 244 (HTMLTokenizer.h:321)
7   com.apple.WebCore             	0x013f53e3 WebCore::HTMLTokenizer::scriptHandler(WebCore::HTMLTokenizer::State) + 3459 (HTMLTokenizer.cpp:498)
8   com.apple.WebCore             	0x013f70e1 WebCore::HTMLTokenizer::parseSpecial(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 2369 (HTMLTokenizer.cpp:344)
9   com.apple.WebCore             	0x013f9cce WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 8798 (HTMLTokenizer.cpp:1566)
10  com.apple.WebCore             	0x013fa94a WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 1162 (HTMLTokenizer.cpp:1747)
11  com.apple.WebCore             	0x01374c28 WebCore::FrameLoader::write(char const*, int, bool) + 424 (Deque.h:335)
12  com.apple.WebCore             	0x013750c7 WebCore::FrameLoader::addData(char const*, int) + 39 (FrameLoader.cpp:1867)
13  com.apple.WebKit              	0x001bf069 -[WebFrame(WebInternal) _receivedData:textEncodingName:] + 137 (RefPtr.h:50)
14  com.apple.WebKit              	0x001cc748 -[WebHTMLRepresentation receivedData:withDataSource:] + 264 (WebHTMLRepresentation.mm:165)
15  com.apple.WebKit              	0x001b2beb -[WebDataSource(WebInternal) _receivedData:] + 91 (WebDataSource.mm:220)
16  com.apple.WebKit              	0x001c6ec9 WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) + 137 (WebFrameLoaderClient.mm:709)
17  com.apple.WebCore             	0x01316996 WebCore::DocumentLoader::commitLoad(char const*, int) + 70 (RefPtr.h:50)
18  com.apple.WebCore             	0x01620055 WebCore::ResourceLoader::didReceiveData(char const*, int, long long, bool) + 69 (ResourceLoader.cpp:255)
19  com.apple.WebCore             	0x0154fc97 WebCore::MainResourceLoader::didReceiveData(char const*, int, long long, bool) + 71 (RefPtr.h:50)
20  com.apple.WebCore             	0x0161fb08 WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle*, char const*, int, int) + 56 (ResourceLoader.cpp:394)
21  com.apple.Foundation          	0x9073ee27 -[NSURLConnection(NSURLConnectionReallyInternal) sendDidReceiveData:originalLength:] + 119
22  com.apple.Foundation          	0x9073ed71 _NSURLConnectionDidReceiveData + 177
23  com.apple.CFNetwork           	0x950066df sendDidReceiveDataCallback + 518
24  com.apple.CFNetwork           	0x95003c22 _CFURLConnectionSendCallbacks + 1586
25  com.apple.CFNetwork           	0x95003573 muxerSourcePerform + 283
26  com.apple.CoreFoundation      	0x96421615 CFRunLoopRunSpecific + 3141
27  com.apple.CoreFoundation      	0x96421cf8 CFRunLoopRunInMode + 88
28  com.apple.HIToolbox           	0x94967da4 RunCurrentEventLoopInMode + 283
29  com.apple.HIToolbox           	0x94967bbd ReceiveNextEventCommon + 374
30  com.apple.HIToolbox           	0x94967a31 BlockUntilNextEventMatchingListInMode + 106
31  com.apple.AppKit              	0x922f1505 _DPSNextEvent + 657
32  com.apple.AppKit              	0x922f0db8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
33  com.apple.Safari              	0x00007b3e 0x1000 + 27454
34  com.apple.AppKit              	0x922e9df3 -[NSApplication run] + 795
35  com.apple.AppKit              	0x922b7030 NSApplicationMain + 574
36  com.apple.Safari              	0x000b2776 0x1000 + 726902
Comment 1 Ismail Donmez 2008-08-25 15:37:22 PDT
Safari<NDA> preview2 crashes with the same backtrace btw.
Comment 2 Cameron Zwarich (cpst) 2008-08-25 16:10:10 PDT
I'll assign this to myself. I'm gonna run errands for a bit, but then I should have some time to fix it. If anyone sees the problem right away, that's fine too.
Comment 3 Mark Rowe (bdash) 2008-08-25 16:35:14 PDT
<rdar://problem/6174740>
Comment 4 Cameron Zwarich (cpst) 2008-08-25 17:24:26 PDT
When I run this in a debug build, I hit an assertion

ASSERTION FAILED: m_type == CodeBlockType

here:

        CodeBlock* callerCodeBlock = callFrame[RegisterFile::CallerCodeBlock].codeBlock();

This means that the callframe must have been smashed at some point.
Comment 5 Cameron Zwarich (cpst) 2008-08-25 19:15:06 PDT
This breaks between r35417 and r35531, but it is not r35455. I'll try to narrow it down.
Comment 6 Cameron Zwarich (cpst) 2008-08-26 04:21:51 PDT
This is a really strange bug. It does not exist in r35444 (or any earlier revision, at least from what I can tell by nightlies), and is introduced by r35445, where we get the following assertion:

ASSERTION FAILED: iter != end
(/Users/Cameron/WebKit/JavaScriptCore/VM/Machine.cpp:1833 KJS::JSValue* KJS::Machine::privateExecute(KJS::Machine::ExecutionFlag, KJS::ExecState*, KJS::RegisterFile*, KJS::Register*, KJS::ScopeChainNode*, KJS::CodeBlock*, KJS::JSValue**))

This makes it seem fairly close to bug 20386. If I manually revert r35445 at r35811 (right before r35812, the fix for bug 20386), the bug is fixed. However, r35812 also seems to fix the bug itself, so it must have been reintroduced afterwards. I'll bisect revisions between r35812 and ToT to find the problem.
Comment 7 Cameron Zwarich (cpst) 2008-08-26 05:23:56 PDT
The revision that regresses this is r35918:

http://trac.webkit.org/changeset/35918

I suspect that the change to op_call is the problem.
Comment 8 Cameron Zwarich (cpst) 2008-08-26 05:42:23 PDT
Created attachment 22999
Proposed patch

This is the correct fix, but I still need to make a layout test.
Comment 9 Cameron Zwarich (cpst) 2008-08-26 07:19:23 PDT
*** Bug 20521 has been marked as a duplicate of this bug. ***
Comment 10 Cameron Zwarich (cpst) 2008-08-26 10:27:38 PDT
I am able to reproduce this with a local copy of my old Facebook profile, but not with the new profile. The actual crash occurs in a stack walking function used to build stack traces. If I can swap out the JS file with a local version, then I should be able to modify it to see exactly where it crashes.
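The "stack walking function used to build stack traces" mentioned above is, on pages of that era, usually the pre-ES5 idiom of hopping along `arguments.callee.caller` and reading each frame's `.arguments`. The following is an added example, not code from the bug, from the affected site or from WebKit; the walker, the call chain and the function names are constructed for illustration. That the site's walker followed this idiom, and that the per-frame `fn.arguments` read is what `Machine::retrieveArguments` services in the JavaScriptCore of that time, are our assumptions based on where the crash lands (a property getter calling `retrieveArguments` from `privateExecute`).

```javascript
// Added example (not from the bug report or WebKit): a caller-chain stack
// walker of the pre-ES5 kind.  Names, call chain and inputs are constructed.

const MAX_DEPTH = 32;

// Walk outward from the current frame and describe each caller.  Guards
// against the ways this idiom goes wrong: a null caller (native or strict
// frame), a cycle from mutually recursive frames, and strict-mode functions,
// whose `callee`/`caller`/`arguments` accessors throw.
function captureStack() {
  const frames = [];
  const seen = new Set();
  let fn;
  try {
    fn = arguments.callee.caller;  // TypeError if this file runs in strict mode
  } catch (e) {
    return { frames, strict: true };
  }
  while (fn && frames.length < MAX_DEPTH) {
    const name = fn.name || '<anonymous>';
    if (seen.has(fn)) {
      frames.push({ name, argc: -1, note: 'cycle' });
      break;
    }
    seen.add(fn);
    let argc = null;
    try {
      // The per-frame read that, on our reading, JSC's retrieveArguments serviced.
      const args = fn.arguments;
      argc = args ? args.length : null;
    } catch (e) {
      argc = null;  // strict-mode or otherwise poisoned accessor
    }
    frames.push({ name, argc });
    try {
      fn = fn.caller;
    } catch (e) {
      break;
    }
  }
  return { frames, strict: false };
}

// Constructed call chain standing in for the page's own code.
function inner(a, b) { return captureStack(); }
function middle(x) { return inner(x, x + 1); }
function outer() { return middle(1); }

// Innermost n frames as [name, argc] pairs, or [] when the engine refuses
// the introspection (strict mode).
function innerFrames(n) {
  const trace = outer();
  return trace.strict ? [] : trace.frames.slice(0, n).map(f => [f.name, f.argc]);
}

console.log(JSON.stringify(innerFrames(3)));
```

Every `fn.arguments` read here has to reconstruct an arguments object from a frame that is no longer the current one, which is why such code depends on the interpreter getting the caller-frame layout exactly right. ES5 strict mode deliberately poisons `callee`, `caller` and `arguments` on functions because this cross-frame introspection leaks callers' arguments to arbitrary callees; on a modern engine the equivalent trace comes from `new Error().stack` instead.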
Comment 11 Kevin McCullough 2008-08-26 14:36:38 PDT
Comment on attachment 22999
Proposed patch

This was a purposeful change.  I have a fix for this issue and will post it once I have some layout tests.
Comment 12 Kevin McCullough 2008-08-26 16:27:41 PDT
Created attachment 23008
Proposed patch and layout test.
Comment 13 Cameron Zwarich (cpst) 2008-08-26 16:35:34 PDT
Comment on attachment 23008
Proposed patch and layout test.

You should probably mention the Bugzilla bug in the ChangeLog as well as the Radar bug. Also, your test file has no newline at the end, and you did not include the expected test results in the diff.

Other than that, r=me.
Comment 14 Kevin McCullough 2008-08-26 16:35:37 PDT
*** Bug 20530 has been marked as a duplicate of this bug. ***
Comment 15 Mark Rowe (bdash) 2008-08-27 00:42:26 PDT
This was fixed in <http://trac.webkit.org/changeset/35940>.
Comment 16 Mark Rowe (bdash) 2008-08-27 00:42:39 PDT
*** Bug 20538 has been marked as a duplicate of this bug. ***
Comment 17 Darin Adler 2009-01-13 17:18:38 PST
At what website?