WebKit Bugzilla
RESOLVED FIXED

Bug 20626 - REGRESSION (r36016): Assertion failure in CodeBlock::derefStructureIDs followed by crash when loading v2.dromaeo.com or logging in to Yahoo! Mail

https://bugs.webkit.org/show_bug.cgi?id=20626
Adam Roben (:aroben)
Reported
2008-09-03 08:49:15 PDT
To reproduce:

1. Go to http://v2.dromaeo.com/

or

1. Go to http://mail.yahoo.com/
2. Log in

I don't know the effect in Release builds. I have so far only tested on Windows (building on Mac now to test).

ASSERTION FAILED: vPC[0].u.opcode == machine->getOpcode(op_get_by_id) || vPC[0].u.opcode == machine->getOpcode(op_put_by_id) || vPC[0].u.opcode == machine->getOpcode(op_get_by_id_generic) || vPC[0].u.opcode == machine->getOpcode(op_put_by_id_generic)

vPC[0].u.opcode is op_mov

Here's the call frame:

509 instructions; 2496 bytes at 0BBA25F0; 15 locals (2 parameters); 26 temporaries

[ 0] resolve_skip tr28, Array(@id0), 0
[ 4] mov tr39, tr0
[ 7] construct lr8, tr28, 38, 2
[ 12] mov lr9, tr1
[ 15] mov lr10, tr1
[ 18] get_scoped_var tr28, -6, 0
[ 22] get_by_id_generic lr1, tr28, document(@id1)
[ 30] get_by_id_generic lr11, lr1, body(@id2)
[ 38] put_by_val lr8, tr2, tr3
[ 42] put_by_val lr8, tr4, lr14
[ 46] put_by_val lr8, tr5, tr6
[ 50] get_by_id tr28, lr8, join(@id3)
[ 58] mov tr39, tr1
[ 61] call lr10, tr28, lr8, 38, 2
[ 67] get_scoped_var tr28, -895, 0
[ 71] get_by_id_generic tr28, tr28, Rb(@id4)
[ 79] get_scoped_var tr29, -6, 0
[ 83] in tr28, tr28, tr29
[ 87] jfalse tr28, 228(->317)
[ 90] resolve_skip tr28, ActiveXObject(@id5), 0
[ 94] mov tr39, tr7
[ 97] construct lr6, tr28, 38, 2
[ 102] mov tr28, lr6
[ 105] mov tr29, lr6
[ 108] put_by_id lr6, validateOnParse(@id6), tr8
[ 114] put_by_id tr29, resolveExternals(@id7), tr8
[ 120] put_by_id tr28, async(@id8), tr8
[ 126] get_by_id tr28, lr6, loadXML(@id9)
[ 134] mov tr39, lr10
[ 137] call tr28, tr28, lr6, 38, 2
[ 143] get_by_id tr28, lr6, selectNodes(@id10)
[ 151] mov tr39, tr9
[ 154] call lr2, tr28, lr6, 38, 2
[ 160] jmp 137(->298)
[ 162] get_by_id tr28, lr4, getAttribute(@id11)
[ 170] mov tr39, tr10
[ 173] call lr9, tr28, lr4, 38, 2
[ 179] get_by_id tr28, lr1, createElement(@id12)
[ 187] mov tr39, tr11
[ 190] call lr12, tr28, lr1, 38, 2
[ 196] put_by_id lr12, id(@id13), lr9
[ 202] get_by_id lr5, lr4, firstChild(@id14)
[ 210] get_by_id tr28, lr11, appendChild(@id15)
[ 218] mov tr39, lr12
[ 221] call tr28, tr28, lr11, 38, 2
[ 227] jfalse lr5, 69(->298)
[ 230] get_by_id tr28, lr12, XMLDocument(@id16)
[ 238] put_by_id tr28, documentElement(@id17), lr5
[ 244] jmp 53(->298)
[ 246] catch tr28
[ 248] push_new_scope tr28, A(@id18), tr28
[ 252] resolve_base tr29, A(@id18)
[ 255] put_by_id tr29, A(@id18), tr12
[ 261] resolve tr29, X(@id19)
[ 264] get_by_id tr29, tr29, XMLDocument(@id16)
[ 272] get_by_id tr30, tr29, loadXML(@id9)
[ 280] resolve tr42, V(@id20)
[ 283] get_by_id tr41, tr42, xml(@id21)
[ 291] call tr29, tr30, tr29, 40, 2
[ 297] pop_scope
[ 298] get_by_id tr28, lr2, nextNode(@id22)
[ 306] call lr4, tr28, lr2, 38, 1
[ 312] loop_if_true lr4, -152(->162)
[ 315] jmp 291(->607)
[ 317] resolve_skip tr28, DOMParser(@id23), 0
[ 321] construct tr28, tr28, 38, 1
[ 326] get_by_id_generic tr29, tr28, parseFromString(@id24)
[ 334] get_by_id_generic tr41, lr10, replace(@id25)
[ 342] new_regexp tr52, /\n/g(@re0)
[ 345] mov tr53, tr13
[ 348] call tr40, tr41, lr10, 51, 3
[ 354] get_scoped_var tr42, -895, 0
[ 358] get_by_id_generic tr41, tr42, Pj(@id26)
[ 366] call lr6, tr29, tr28, 39, 3
[ 372] get_by_id tr28, lr6, createNSResolver(@id27)
[ 380] get_by_id_generic tr39, lr6, documentElement(@id17)
[ 388] call lr3, tr28, lr6, 38, 2
[ 394] get_by_id tr28, lr6, evaluate(@id28)
[ 402] mov tr39, tr14
[ 405] mov tr40, lr6
[ 408] mov tr41, lr3
[ 411] mov tr42, tr15
[ 414] mov tr43, tr12
[ 417] call lr2, tr28, lr6, 38, 6
[ 423] jmp 180(->604)
[ 425] get_by_id_generic tr28, lr2, iterateNext(@id29)
[ 433] call lr4, tr28, lr2, 38, 1
[ 439] jtrue lr4, 3(->444)
[ 442] jmp 164(->607)
[ 444] get_by_id_proto tr28, lr4, getAttribute(@id11)
[ 452] mov tr39, tr16
[ 455] call lr9, tr28, lr4, 38, 2
[ 461] get_by_id_chain tr28, lr1, createElement(@id12)
[ 469] mov tr39, tr17
[ 472] call lr12, tr28, lr1, 38, 2
[ 478] put_by_id_generic lr12, id(@id13), lr9
[ 484] get_by_id_generic tr28, lr11, appendChild(@id15)
[ 492] mov tr39, lr12
[ 495] call tr28, tr28, lr11, 38, 2
[ 501] get_by_id_generic lr5, lr4, firstChild(@id14)
[ 509] jfalse lr5, 79(->590)
[ 512] get_by_id_generic tr28, lr1, implementation(@id30)
[ 520] get_by_id_generic tr29, tr28, createDocument(@id31)
[ 528] mov tr40, tr1
[ 531] mov tr41, tr1
[ 534] mov tr42, tr12
[ 537] call lr7, tr29, tr28, 39, 4
[ 543] resolve_base tr28, oNode3(@id32)
[ 546] get_by_id_proto tr29, lr7, importNode(@id33)
[ 554] mov tr40, lr5
[ 557] mov tr41, tr18
[ 560] call tr29, tr29, lr7, 39, 3
[ 566] put_by_id_generic tr28, oNode3(@id32), tr29
[ 572] get_by_id_generic tr28, lr7, appendChild(@id15)
[ 580] resolve_skip tr39, oNode3(@id32), 0
[ 584] call tr28, tr28, lr7, 38, 2
[ 590] get_scoped_var tr28, -6, 0
[ 594] put_by_val tr28, lr9, lr12
[ 598] put_by_id_generic lr12, XMLDocument(@id16), lr7
[ 604] loop_if_true tr18, -181(->425)
[ 607] mov lr7, tr12
[ 610] mov lr3, lr7
[ 613] mov lr2, lr3
[ 616] mov lr4, lr2
[ 619] mov lr6, lr4
[ 622] ret tr19

Identifiers:
id0 = Array
id1 = document
id2 = body
id3 = join
id4 = Rb
id5 = ActiveXObject
id6 = validateOnParse
id7 = resolveExternals
id8 = async
id9 = loadXML
id10 = selectNodes
id11 = getAttribute
id12 = createElement
id13 = id
id14 = firstChild
id15 = appendChild
id16 = XMLDocument
id17 = documentElement
id18 = A
id19 = X
id20 = V
id21 = xml
id22 = nextNode
id23 = DOMParser
id24 = parseFromString
id25 = replace
id26 = Pj
id27 = createNSResolver
id28 = evaluate
id29 = iterateNext
id30 = implementation
id31 = createDocument
id32 = oNode3
id33 = importNode

Constants:
tr0 = 3
tr1 = ""
tr2 = 0
tr3 = "<Y>"
tr4 = 1
tr5 = 2
tr6 = "</Y>"
tr7 = "MSXML2.DOMDocument"
tr8 = false
tr9 = "/Y/xml"
tr10 = "id"
tr11 = "xml"
tr12 = null
tr13 = " "
tr14 = "/Y/xml"
tr15 = 5
tr16 = "id"
tr17 = "xml"
tr18 = true
tr19 = undefined

RegExps:
re0 = /\n/g

StructureIDs:
[ 50] get_by_id: 090AA590
[ 108] put_by_id: 00000000
[ 114] put_by_id: 00000000
[ 120] put_by_id: 00000000
[ 126] get_by_id: 00000000
[ 143] get_by_id: 00000000
[ 162] get_by_id: 00000000
[ 179] get_by_id: 00000000
[ 196] put_by_id: 00000000
[ 202] get_by_id: 00000000
[ 210] get_by_id: 00000000
[ 230] get_by_id: 00000000
[ 238] put_by_id: 00000000
[ 255] put_by_id: 00000000
[ 264] get_by_id: 00000000
[ 272] get_by_id: 00000000
[ 283] get_by_id: 00000000
[ 298] get_by_id: 00000000
[ 372] get_by_id: 073891C0
[ 394] get_by_id: 073891C0
[ 444] get_by_id_proto: 0BDC5518, 0BFF3B60
[ 461] get_by_id_chain: 09770818, 0B1C9048
[ 546] get_by_id_proto: 073891C0, 0C0127C8

Exception Handlers:
1: { start: [ 230] end: [ 244] target: [ 246] }

Register frame:
----------------------------------------------------
use | address | value
----------------------------------------------------
[CallerCodeBlock] | 08850288 | 098B9830
[ReturnVPC] | 08850290 | 0C300228
[CallerScopeChain] | 08850298 | 0BB9E028
[CallerRegisterOffset] | 088502A0 | 08850198
[ReturnValueRegister] | 088502A8 | 0000001E
[ArgumentStartRegister] | 088502B0 | 00000028
[ArgumentCount] | 088502B8 | 00000002
[CalledAsConstructor] | 088502C0 | 00000000
[Callee] | 088502C8 | 08A7AE40
[OptionalCalleeActivation] | 088502D0 | 083447C0
----------------------------------------------------
[this] | 088502D8 | 08340000
[param] | 088502E0 | 08344920
----------------------------------------------------
[var] | 088502E8 | 0000000A
[var] | 088502F0 | 08344300
[var] | 088502F8 | 083452E0
[var] | 08850300 | 08344780
[var] | 08850308 | 08344220
[var] | 08850310 | 083447A0
[var] | 08850318 | 083442C0
[var] | 08850320 | 083446A0
[var] | 08850328 | 083442E0
[var] | 08850330 | 08344260
[var] | 08850338 | 08344620
[var] | 08850340 | 083445A0
[var] | 08850348 | 083487C0
----------------------------------------------------
[temp] | 08850350 | 00000007
[temp] | 08850358 | 08340080
[temp] | 08850360 | 00000001
[temp] | 08850368 | 08344900
[temp] | 08850370 | 00000003
[temp] | 08850378 | 00000005
[temp] | 08850380 | 083448E0
[temp] | 08850388 | 083448C0
[temp] | 08850390 | 00000006
[temp] | 08850398 | 083448A0
[temp] | 088503A0 | 08344880
[temp] | 088503A8 | 08344860
[temp] | 088503B0 | 00000002
[temp] | 088503B8 | 08344840
[temp] | 088503C0 | 08344820
[temp] | 088503C8 | 0000000B
[temp] | 088503D0 | 08344800
[temp] | 088503D8 | 083447E0
[temp] | 088503E0 | 00000016
[temp] | 088503E8 | 0000000A
[temp] | 088503F0 | 08346C20
[temp] | 088503F8 | 08346C00
[temp] | 08850400 | 08346BE0
[temp] | 08850408 | 08346BC0
[temp] | 08850410 | 08346BA0
[temp] | 08850418 | 08346B80

Here's the backtrace:

  WebKit_debug.dll!KJS::CodeBlock::derefStructureIDs(KJS::Instruction * vPC=0x0bba08f4) Line 831 + 0x60 bytes C++
  WebKit_debug.dll!KJS::Machine::uncacheGetByID(KJS::CodeBlock * codeBlock=0x0bba25f0, KJS::Instruction * vPC=0x0bba08f4) Line 1267 C++
> WebKit_debug.dll!KJS::Machine::privateExecute(KJS::Machine::ExecutionFlag flag=Normal, KJS::ExecState * exec=0x0012ebd4, KJS::RegisterFile * registerFile=0x0730ee14, KJS::Register * r=0x08850350, KJS::ScopeChainNode * scopeChain=0x09659058, KJS::CodeBlock * codeBlock=0x0bba25f0, KJS::JSValue * * exception=0x0012ec54) Line 2243 C++
  WebKit_debug.dll!KJS::Machine::execute(KJS::ProgramNode * programNode=0x092bc928, KJS::ExecState * exec=0x0751c9c0, KJS::ScopeChainNode * scopeChain=0x0735ae70, KJS::JSObject * thisObj=0x08340000, KJS::JSValue * * exception=0x0012ec54) Line 794 + 0x25 bytes C++
  WebKit_debug.dll!KJS::Interpreter::evaluate(KJS::ExecState * exec=0x0751c9c0, KJS::ScopeChain & scopeChain={...}, const KJS::UString & sourceURL={...}, int startingLineNumber=655, WTF::PassRefPtr<KJS::SourceProvider> source={...}, KJS::JSValue * thisValue=0x08340000) Line 83 + 0x2d bytes C++
  WebKit_debug.dll!WebCore::ScriptController::evaluate(const WebCore::String & sourceURL={...}, int baseLine=655, const WebCore::String & str={...}) Line 116 + 0x52 bytes C++
  WebKit_debug.dll!WebCore::FrameLoader::executeScript(const WebCore::String & url={...}, int baseLine=655, const WebCore::String & script={...}) Line 790 + 0x1d bytes C++
  WebKit_debug.dll!WebCore::HTMLTokenizer::scriptExecution(const WebCore::String & str={...}, WebCore::HTMLTokenizer::State state={...}, const WebCore::String & scriptURL={...}, int baseLine=655) Line 559 C++
  WebKit_debug.dll!WebCore::HTMLTokenizer::scriptHandler(WebCore::HTMLTokenizer::State state={...}) Line 498 + 0x2d bytes C++
  WebKit_debug.dll!WebCore::HTMLTokenizer::parseSpecial(WebCore::SegmentedString & src={...}, WebCore::HTMLTokenizer::State state={...}) Line 344 + 0x10 bytes C++
  WebKit_debug.dll!WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString & src={...}, WebCore::HTMLTokenizer::State state={...}) Line 1512 + 0x17 bytes C++
  WebKit_debug.dll!WebCore::HTMLTokenizer::write(const WebCore::SegmentedString & str={...}, bool appendData=true) Line 1747 + 0x1d bytes C++
  WebKit_debug.dll!WebCore::FrameLoader::write(const char * str=0x0972bd60, int len=44759, bool flush=false) Line 1032 + 0x21 bytes C++
  WebKit_debug.dll!WebCore::FrameLoader::addData(const char * bytes=0x0972bd60, int length=44759) Line 1872 C++
  WebKit_debug.dll!WebFrameLoaderClient::receivedData(const char * data=0x0972bd60, int length=44759, const WebCore::String & textEncoding={...}) Line 406 C++
  WebKit_debug.dll!WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader * loader=0x09075960, const char * data=0x0972bd60, int length=44759) Line 377 C++
  WebKit_debug.dll!WebCore::FrameLoader::committedLoad(WebCore::DocumentLoader * loader=0x09075960, const char * data=0x0972bd60, int length=44759) Line 3373 + 0x24 bytes C++
  WebKit_debug.dll!WebCore::DocumentLoader::commitLoad(const char * data=0x0972bd60, int length=44759) Line 356 C++
  WebKit_debug.dll!WebCore::DocumentLoader::receivedData(const char * data=0x0972bd60, int length=44759) Line 368 C++
  WebKit_debug.dll!WebCore::FrameLoader::receivedData(const char * data=0x0972bd60, int length=44759) Line 2323 C++
  WebKit_debug.dll!WebCore::MainResourceLoader::addData(const char * data=0x0972bd60, int length=44759, bool allAtOnce=false) Line 146 C++
  WebKit_debug.dll!WebCore::ResourceLoader::didReceiveData(const char * data=0x0972bd60, int length=44759, __int64 lengthReceived=44759, bool allAtOnce=false) Line 251 + 0x1b bytes C++
  WebKit_debug.dll!WebCore::MainResourceLoader::didReceiveData(const char * data=0x0972bd60, int length=44759, __int64 lengthReceived=44759, bool allAtOnce=false) Line 306 C++
  WebKit_debug.dll!WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle * __formal=0x08d5f028, const char * data=0x0972bd60, int length=44759, int lengthReceived=44759) Line 393 + 0x1f bytes C++
  WebKit_debug.dll!WebCore::didReceiveData(_CFURLConnection * conn=0x07310e90, const __CFData * data=0x0972acd0, long originalLength=44759, const void * clientInfo=0x08d5f028) Line 109 + 0x2a bytes C++
  CFNetwork_debug.dll!URLConnectionClient::sendOrBufferData(const __CFData * data=0x0972acd0) Line 1051 + 0x54 bytes C++
  CFNetwork_debug.dll!URLConnectionClient::clientDidReceiveData(const __CFData * data=0x0972acd0) Line 841 C++
  CFNetwork_debug.dll!URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<enum XClientEvent,XClientEventParams> * e=0x08d1c0e4, long count=3) Line 1206 + 0x22 bytes C++
  CFNetwork_debug.dll!XConnectionEventQueue<enum XClientEvent,XClientEventParams>::processAllEvents() Line 131 + 0x23 bytes C++
  CFNetwork_debug.dll!URLConnectionClient::processEvents() Line 233 C++
  CFNetwork_debug.dll!URLConnectionWndProc(HWND__ * hWnd=0x0007055a, unsigned int message=1231, unsigned int wParam=120655504, long lParam=0) Line 82 + 0x2e bytes C++
  user32.dll!_InternalCallWinProc@20() + 0x28 bytes
  user32.dll!_UserCallWinProcCheckWow@32() + 0xb7 bytes
  user32.dll!_DispatchMessageWorker@8() + 0xdc bytes
  user32.dll!_DispatchMessageW@4() + 0xf bytes
  Safari_debug.exe!RunMessagePump(WTL::CMessageLoop & messageLoop={...}) Line 185 + 0xc bytes C++
  Safari_debug.exe!run(int nCmdShow=1) Line 249 + 0x9 bytes C++
  Safari_debug.exe!wWinMain(HINSTANCE__ * hInstance=0x00400000, HINSTANCE__ * __formal=0x00000000, wchar_t * lpstrCmdLine=0x00020ea0, int nCmdShow=1) Line 464 + 0x9 bytes C++
  Safari_debug.exe!__tmainCRTStartup() Line 589 + 0x35 bytes C
  Safari_debug.exe!wWinMainCRTStartup() Line 414 C
  kernel32.dll!_BaseProcessStart@4() + 0x23 bytes
Adam Roben (:aroben)
Comment 1
2008-09-03 08:49:24 PDT
9/2/08 3:54 PM Adam Roben: This seems to occur only on Windows. Spoofing as Safari/win on Mac does not trigger the bug, either.

9/2/08 7:34 PM Geoff Garen: I bet this would happen on Mac if we disabled computed goto. The ASSERT indicates either a memory leak or a corrupt opcode stream. Neither sounds appetizing.
Adam Roben (:aroben)
Comment 2
2008-09-03 08:49:40 PDT
<rdar://problem/6190603>
Adam Roben (:aroben)
Comment 3
2008-09-03 10:13:36 PDT
Happens when loading http://www.new.facebook.com/ as well. Reports from users of nightlies lead me to believe that this crashes in Release builds.
Feng Qian
Comment 4
2008-09-03 10:18:58 PDT
Minor correction: I am not sure if I was using a nightly build; the revision I used is 3.1.2 (525.21). The URL is http://www.new.facebook.com/friends/; Safari crashes after login.

(In reply to comment #3)
> Happens when loading http://www.new.facebook.com/ as well.
>
> Reports from users of nightlies lead me to believe that this crashes in Release
> builds.
Adam Roben (:aroben)
Comment 5
2008-09-03 10:33:09 PDT
(In reply to comment #4)
> Minor correction:
>
> I am not sure if I was using nightly build, the revision I used is 3.1.2
> (525.21).
> The url is http://www.new.facebook.com/friends/, Safari crashes after login.

Sounds like this is a different bug.
Feng Qian
Comment 6
2008-09-03 10:38:23 PDT
Not reproducible in nightly r36012.

(In reply to comment #5)
> (In reply to comment #4)
> > Minor correction:
> >
> > I am not sure if I was using nightly build, the revision I used is 3.1.2
> > (525.21).
> > The url is http://www.new.facebook.com/friends/, Safari crashes after login.
>
> Sounds like this is a different bug.
Cameron Zwarich (cpst)
Comment 7
2008-09-03 13:43:26 PDT
I disabled COMPUTED_GOTO in an r36063 debug build on the Mac, but I can't seem to make it crash while running Dromaeo and simultaneously logging in and out of Yahoo Mail.
Adam Roben (:aroben)
Comment 8
2008-09-04 13:15:45 PDT
Looks like this has been fixed (possibly by r36081).