CLOSED FIXED 40874
Crash in JavaScriptCore when viewing page with image frame from Google
https://bugs.webkit.org/show_bug.cgi?id=40874
Summary Crash in JavaScriptCore when viewing page with image frame from Google
Dimitris Apostolou
Reported 2010-06-19 00:06:17 PDT
Created attachment 59178 [details]
Crash log

6533.16, r61351
Reproducibility: always
Steps: Go to http://www.google.com/imgres?imgurl=http://y.delfi.ee/norm/100169/4910117_MAVojh.jpeg&imgrefurl=http://pilt.delfi.ee/picture/4910117/&usg=__AepAaXV8iS8ug21o5d1vPZjUEGE=&h=426&w=630&sz=59&hl=en&start=2&um=1&itbs=1&tbnid=Td-JwZyHHr9HJM:&tbnh=93&tbnw=137&prev=/images%3Fq%3Dkadri%2Bk%25C3%25B5usaar%26um%3D1%26hl%3Den%26safe%3Doff%26sa%3DN%26tbs%3Disch:1
What happened: WebKit crashes.

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore   0x000000010084dee3 JSC::JSObject::defaultValue(JSC::ExecState*, JSC::PreferredPrimitiveType) const + 4035
1   com.apple.JavaScriptCore   0x000000010076156d JSC::JSObject::toPrimitive(JSC::ExecState*, JSC::PreferredPrimitiveType) const + 13
2   com.apple.JavaScriptCore   0x000000010084bf79 JSC::JSObject::toString(JSC::ExecState*) const + 57
3   com.apple.JavaScriptCore   0x00000001008d4fde JSC::stringProtoFuncSubstring(JSC::ExecState*) + 526
4   ???                        0x00002c4094c0017a 0 + 48655885140346
5   com.apple.JavaScriptCore   0x00000001007da686 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*, JSC::JSValue*) + 518
6   ???                        0x0000000117113480 0 + 4681970816

Expected result: WebKit does not crash.
Attachments
Crash log (36.07 KB, text/plain)
2010-06-19 00:06 PDT, Dimitris Apostolou
no flags
Alexey Proskuryakov
Comment 1 2010-06-19 13:22:13 PDT
In debug build:

ASSERTION FAILED: this[RegisterFile::ScopeChain].Register::scopeChain()
(/Users/ap/Safari/OpenSource/JavaScriptCore/interpreter/CallFrame.h:45 JSC::ScopeChainNode* JSC::ExecState::scopeChain() const)

Probably a duplicate of bug 40874, even though that one is on PowerPC.
Geoffrey Garen
Comment 2 2010-06-21 11:15:49 PDT
Yes, dup.

*** This bug has been marked as a duplicate of bug 40858 ***
Dimitris Apostolou
Comment 3 2010-06-22 01:15:32 PDT
Closing.
Dimitris Apostolou
Comment 4 2010-08-21 07:36:40 PDT
I can see the original bug is marked as resolved but I still crash.
Dimitris Apostolou
Comment 5 2010-08-21 07:37:30 PDT
Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore   0x0000000100848057 JSC::JSObject::defaultValue(JSC::ExecState*, JSC::PreferredPrimitiveType) const + 4039
1   com.apple.JavaScriptCore   0x00000001007657dd JSC::JSObject::toPrimitive(JSC::ExecState*, JSC::PreferredPrimitiveType) const + 13
2   com.apple.JavaScriptCore   0x00000001008460e9 JSC::JSObject::toString(JSC::ExecState*) const + 57
3   com.apple.JavaScriptCore   0x00000001008ec43e JSC::stringProtoFuncSubstring(JSC::ExecState*) + 174
4   ???                        0x00002930cac001aa 0 + 45289536749994
5   com.apple.JavaScriptCore   0x00000001007d9199 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*, JSC::JSValue*) + 601
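Added example (not part of this bug report or of WebKit): a small Python triage helper that parses the Apple crash-log frame lines quoted in comment 0 and comment 5 and answers the question raised in comment 4, namely whether the second log is the same crash as the first. It tolerates both the run-together form in which the first log appears on this page and the normal one-frame-per-line form. Frames from JIT-emitted code (image "???", symbol "0") carry no stable symbol, so they are dropped from the signature; the choice of comparing the top three symbolized frames is an assumption of this example, not something the report states.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# One frame of an Apple crash log ("Thread N Crashed:" section):
#   <index> <binary image> 0x<address> <symbol> + <offset>
# JIT-emitted code has no image or symbol and appears as "??? 0x... 0 + <n>".
# (?<!\S) stops the index from matching digits inside a hex address or an
# offset, so the pattern also works when the log has been flattened onto one line.
FRAME_RE = re.compile(
    r"(?<!\S)(?P<idx>\d+)\s+(?P<image>\S+)\s+0x(?P<addr>[0-9a-fA-F]+)\s+"
    r"(?P<sym>.+?)\s\+\s(?P<off>\d+)"
)


@dataclass(frozen=True)
class Frame:
    index: int
    image: str
    address: int
    symbol: str
    offset: int

    @property
    def symbolized(self) -> bool:
        # "???" is how the crash reporter labels code outside any loaded image (JIT code).
        return self.image != "???"


def parse_frames(log: str) -> List[Frame]:
    """Extract every frame line from a crash-log excerpt, in order."""
    return [
        Frame(int(m["idx"]), m["image"], int(m["addr"], 16), m["sym"], int(m["off"]))
        for m in FRAME_RE.finditer(log)
    ]


def signature(frames: List[Frame], depth: int = 3) -> Tuple[str, ...]:
    """Build-independent crash signature: the top `depth` symbolized frames.
    Addresses and intra-function offsets are dropped because they move between revisions."""
    return tuple(f.symbol for f in frames if f.symbolized)[:depth]


def same_crash(a: List[Frame], b: List[Frame], depth: int = 3) -> bool:
    return signature(a, depth) == signature(b, depth)


def jit_frames(frames: List[Frame]) -> List[Frame]:
    """Frames that cannot be symbolized from the log alone (JIT code)."""
    return [f for f in frames if not f.symbolized]


# Transcribed from comment 0 of this report, in the run-together form it has on the page.
TRACE_R61351 = (
    "Thread 0 Crashed: Dispatch queue: com.apple.main-thread "
    "0 com.apple.JavaScriptCore 0x000000010084dee3 JSC::JSObject::defaultValue(JSC::ExecState*, JSC::PreferredPrimitiveType) const + 4035 "
    "1 com.apple.JavaScriptCore 0x000000010076156d JSC::JSObject::toPrimitive(JSC::ExecState*, JSC::PreferredPrimitiveType) const + 13 "
    "2 com.apple.JavaScriptCore 0x000000010084bf79 JSC::JSObject::toString(JSC::ExecState*) const + 57 "
    "3 com.apple.JavaScriptCore 0x00000001008d4fde JSC::stringProtoFuncSubstring(JSC::ExecState*) + 526 "
    "4 ??? 0x00002c4094c0017a 0 + 48655885140346 "
    "5 com.apple.JavaScriptCore 0x00002c4094c0017a JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*, JSC::JSValue*) + 518 "
    "6 ??? 0x0000000117113480 0 + 4681970816"
)

# Transcribed from comment 5, with one frame per line restored.
TRACE_AUG_2010 = """Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore   0x0000000100848057 JSC::JSObject::defaultValue(JSC::ExecState*, JSC::PreferredPrimitiveType) const + 4039
1   com.apple.JavaScriptCore   0x00000001007657dd JSC::JSObject::toPrimitive(JSC::ExecState*, JSC::PreferredPrimitiveType) const + 13
2   com.apple.JavaScriptCore   0x00000001008460e9 JSC::JSObject::toString(JSC::ExecState*) const + 57
3   com.apple.JavaScriptCore   0x00000001008ec43e JSC::stringProtoFuncSubstring(JSC::ExecState*) + 174
4   ???                        0x00002930cac001aa 0 + 45289536749994
5   com.apple.JavaScriptCore   0x00000001007d9199 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*, JSC::JSValue*) + 601
"""

if __name__ == "__main__":
    a, b = parse_frames(TRACE_R61351), parse_frames(TRACE_AUG_2010)
    print("frames parsed:", len(a), len(b))
    print("same crash signature:", same_crash(a, b))
    print("crashing function:", a[0].symbol, "at offset", a[0].offset, "->", b[0].offset)
    for f in jit_frames(a):
        print(f"frame {f.index}: unsymbolized JIT code at {f.address:#x}")
```

Note that frame 5 of TRACE_R61351 above keeps the page's symbol text but the address field is only used for display, so the comparison rests entirely on the symbol names; the offsets into JSC::JSObject::defaultValue (4035 vs 4039) differ between the two builds, which is exactly why offsets and addresses are excluded from the signature.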
Geoffrey Garen
Comment 6 2010-08-24 10:38:26 PDT
Dimitris Apostolou
Comment 7 2010-11-27 23:25:11 PST
Fixed in r72487
Dimitris Apostolou
Comment 8 2010-11-27 23:25:23 PST
Closing.