RESOLVED FIXED 40858
Reproducible crash in com.apple.JavaScriptCore 0x005d7164 JSC::JSObject::defaultValue(JSC::ExecState*, JSC::PreferredPrimitiveType) const + 1764
https://bugs.webkit.org/show_bug.cgi?id=40858
lars.sonchocky-helldorf
Reported 2010-06-18 14:14:53 PDT
I get a reproducible crash when visiting http://translate.google.com/translate?js=y&prev=_t&hl=en&ie=UTF-8&layout=1&eotf=1&u=http%3A%2F%2Fjablickar.cz%2Fcesky-uzivatel-testuje-iphone-4-ukazky-fotografii-a-videa-z-iphone-4-v-clanku%2F&sl=auto&tl=en with the current WebKit Nightly (Safari Version 4.1 (4533.16, r61351) on Mac OS X 10.4.11 PowerPC G4)

Date/Time: 2010-06-18 23:08:14.813 +0200
OS Version: 10.4.11 (Build 8S165)
Report Version: 4

Command: Safari
Path: /Applications/Safari.app/Contents/MacOS/Safari
Parent: WindowServer [60]

Version: r61351 (61351)

PID: 3409
Thread: 0

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000008

Thread 0 Crashed:
0 com.apple.JavaScriptCore 0x005d7164 JSC::JSObject::defaultValue(JSC::ExecState*, JSC::PreferredPrimitiveType) const + 1764
1 com.apple.JavaScriptCore 0x0050a85c JSC::JSObject::toPrimitive(JSC::ExecState*, JSC::PreferredPrimitiveType) const + 44
2 com.apple.JavaScriptCore 0x005d605c JSC::JSObject::toString(JSC::ExecState*) const + 60
3 com.apple.JavaScriptCore 0x0065258c JSC::stringProtoFuncSubstring(JSC::ExecState*) + 284
4 com.apple.JavaScriptCore 0x0059df04 JSC::Interpreter::privateExecute(JSC::Interpreter::ExecutionFlag, JSC::RegisterFile*, JSC::ExecState*, JSC::JSValue*) + 59252
5 com.apple.JavaScriptCore 0x005a4f70 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*, JSC::JSValue*) + 800
6 com.apple.JavaScriptCore 0x00543ef8 JSC::evaluate(JSC::ExecState*, JSC::ScopeChain&, JSC::SourceCode const&, JSC::JSValue) + 488

See attached crash log
Attachments
crash log for #40858 (25.80 KB, text/plain)
2010-06-18 14:17 PDT, lars.sonchocky-helldorf
no flags
Patch (7.02 KB, patch)
2010-06-19 18:42 PDT, Oliver Hunt
no flags
Patch (7.05 KB, patch)
2010-06-19 18:57 PDT, Oliver Hunt
no flags
Patch (7.08 KB, patch)
2010-06-20 11:15 PDT, Oliver Hunt
ggaren: review+
lars.sonchocky-helldorf
Comment 1 2010-06-18 14:17:38 PDT
Created attachment 59157 [details]
crash log for #40858

crash log for the bug
Alexey Proskuryakov
Comment 2 2010-06-18 14:26:47 PDT
With a local debug build of r61268, I'm getting an assertion failure:

ASSERTION FAILED: this[RegisterFile::ScopeChain].Register::scopeChain()
(/Users/ap/Safari/OpenSource/JavaScriptCore/interpreter/CallFrame.h:45 JSC::ScopeChainNode* JSC::ExecState::scopeChain() const)
Alexey Proskuryakov
Comment 3 2010-06-18 14:27:25 PDT
Alexey Proskuryakov
Comment 4 2010-06-19 13:22:34 PDT
Same crash on Intel in bug 40874.
Oliver Hunt
Comment 5 2010-06-19 17:23:36 PDT
I know what this bug is and am working on it.
Oliver Hunt
Comment 6 2010-06-19 18:42:26 PDT
WebKit Review Bot
Comment 7 2010-06-19 18:44:12 PDT
Attachment 59194 [details] did not pass style-queue:

Failed to run "['WebKitTools/Scripts/check-webkit-style', '--no-squash']" exit_code: 1
JavaScriptCore/interpreter/Interpreter.cpp:3650: vm_throw is incorrectly named. Don't use underscores in your identifier names. [readability/naming] [4]
JavaScriptCore/interpreter/Interpreter.cpp:3802: vm_throw is incorrectly named. Don't use underscores in your identifier names. [readability/naming] [4]
JavaScriptCore/interpreter/Interpreter.cpp:4124: vm_throw is incorrectly named. Don't use underscores in your identifier names. [readability/naming] [4]
Total errors found: 3 in 5 files

If any of these errors are false positives, please file a bug against check-webkit-style.
Eric Seidel (no email)
Comment 8 2010-06-19 18:52:37 PDT
Early Warning System Bot
Comment 9 2010-06-19 18:55:54 PDT
Oliver Hunt
Comment 10 2010-06-19 18:57:25 PDT
WebKit Review Bot
Comment 11 2010-06-19 19:00:45 PDT
Attachment 59195 [details] did not pass style-queue:

Failed to run "['WebKitTools/Scripts/check-webkit-style', '--no-squash']" exit_code: 1
JavaScriptCore/interpreter/Interpreter.cpp:3650: vm_throw is incorrectly named. Don't use underscores in your identifier names. [readability/naming] [4]
JavaScriptCore/interpreter/Interpreter.cpp:3802: vm_throw is incorrectly named. Don't use underscores in your identifier names. [readability/naming] [4]
JavaScriptCore/interpreter/Interpreter.cpp:4124: vm_throw is incorrectly named. Don't use underscores in your identifier names. [readability/naming] [4]
Total errors found: 3 in 5 files

If any of these errors are false positives, please file a bug against check-webkit-style.
WebKit Review Bot
Comment 12 2010-06-19 19:29:21 PDT
WebKit Review Bot
Comment 13 2010-06-19 20:14:21 PDT
Zoltan Herczeg
Comment 14 2010-06-20 01:06:33 PDT
Do I see it right that the new "RegisterFile* CallFrame::registerFile()" is only used for debug purposes? Shouldn't we put NDEBUG protection around it? Or do you plan to use it in other places?
Oliver Hunt
Comment 15 2010-06-20 11:15:40 PDT
WebKit Review Bot
Comment 16 2010-06-20 11:18:43 PDT
Attachment 59201 [details] did not pass style-queue:

Failed to run "['WebKitTools/Scripts/check-webkit-style', '--no-squash']" exit_code: 1
JavaScriptCore/interpreter/Interpreter.cpp:3650: vm_throw is incorrectly named. Don't use underscores in your identifier names. [readability/naming] [4]
JavaScriptCore/interpreter/Interpreter.cpp:3802: vm_throw is incorrectly named. Don't use underscores in your identifier names. [readability/naming] [4]
JavaScriptCore/interpreter/Interpreter.cpp:4124: vm_throw is incorrectly named. Don't use underscores in your identifier names. [readability/naming] [4]
Total errors found: 3 in 5 files

If any of these errors are false positives, please file a bug against check-webkit-style.
Geoffrey Garen
Comment 17 2010-06-21 09:53:45 PDT
Comment on attachment 59201 [details]
Patch

+ CHECK_FOR_EXCEPTION(); + return 0;

You want VM_THROW_EXCEPTION() instead.

r=me
Oliver Hunt
Comment 18 2010-06-21 10:43:20 PDT
Geoffrey Garen
Comment 19 2010-06-21 11:15:49 PDT
*** Bug 40874 has been marked as a duplicate of this bug. ***