Bug 42394 - Crash entering mail.yahoo.com
Summary: Crash entering mail.yahoo.com
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: All
OS: OS X 10.5
Importance: P1 Normal
Assignee: Nobody
URL: http://mail.yahoo.com
Keywords: InRadar
Depends on:
Blocks:
Reported: 2010-07-15 13:12 PDT by Simon Fraser (smfr)
Modified: 2010-07-16 10:57 PDT
CC List: 6 users

See Also:


Attachments
Patch (2.47 KB, patch)
2010-07-15 19:15 PDT, Geoffrey Garen
mjs: review+

Description Simon Fraser (smfr) 2010-07-15 13:12:10 PDT
Going to mail.yahoo.com results in a crash with r63452 

(gdb) bt
#0  0x0000000101ccf2fc in JSC::RegisterID::index (this=0x0) at RegisterID.h:75
#1  0x0000000101cc20c4 in JSC::BytecodeGenerator::argumentNumberFor (this=0x108312600, ident=@0x12464abd8) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:2054
#2  0x0000000101dce102 in JSC::FunctionBodyNode::emitBytecode (this=0x12464aa20, generator=@0x108312600) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2046
#3  0x0000000101cc94cd in JSC::BytecodeGenerator::generate (this=0x108312600) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:144
#4  0x0000000101d15cf2 in JSC::FunctionExecutable::compileForCallInternal (this=0x122eecc10, exec=0x1231116c8, scopeChainNode=0x122eec1d0) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/runtime/Executable.cpp:167
#5  0x0000000101cb8e4b in JSC::FunctionExecutable::compileForCall (this=0x122eecc10, exec=0x1231116c8, scopeChainNode=0x122eec1d0) at Executable.h:318
#6  0x0000000101d53539 in cti_vm_lazyLinkCall (args=0x7fff5fbfc350) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/jit/JITStubs.cpp:1987
Could not find the frame base for "WTF::doubleHash(unsigned int)".
#7  0x0000000101d4b7db in WTF::doubleHash (key=) at HashTable.h:447
#8  0x0000000101d2bc90 in JSC::JITCode::execute (this=0x123c4cc38, registerFile=0x11ad68f08, callFrame=0x123111510, globalData=0x11b016000, exception=0x11b017920) at JITCode.h:77
#9  0x0000000101d27736 in JSC::Interpreter::executeCall (this=0x11ad68ef0, callFrame=0x1231114a0, function=0x120439cc0, callType=JSC::CallTypeJS, callData=@0x7fff5fbfc6d0, thisValue={m_ptr = 0x124524100}, args=@0x7fff5fbfc6c0, exception=0x11b017920) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/interpreter/Interpreter.cpp:780
#10 0x0000000101ce4477 in JSC::call (exec=0x1231114a0, functionObject={m_ptr = 0x120439cc0}, callType=JSC::CallTypeJS, callData=@0x7fff5fbfc6d0, thisValue={m_ptr = 0x124524100}, args=@0x7fff5fbfc6c0) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/runtime/CallData.cpp:38
#11 0x0000000101d20dfb in JSC::functionProtoFuncApply (exec=0x1231114a0) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/runtime/FunctionPrototype.cpp:133
#12 0x00003864232001aa in ?? ()
#13 0x0000000101d2bc90 in JSC::JITCode::execute (this=0x122ee08d8, registerFile=0x11ad68f08, callFrame=0x123111370, globalData=0x11b016000, exception=0x11b017920) at JITCode.h:77
#14 0x0000000101d27736 in JSC::Interpreter::executeCall (this=0x11ad68ef0, callFrame=0x123110728, function=0x12452b040, callType=JSC::CallTypeJS, callData=@0x7fff5fbfcad0, thisValue={m_ptr = 0x12452b180}, args=@0x7fff5fbfcac0, exception=0x11b017920) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/interpreter/Interpreter.cpp:780
#15 0x0000000101ce4477 in JSC::call (exec=0x123110728, functionObject={m_ptr = 0x12452b040}, callType=JSC::CallTypeJS, callData=@0x7fff5fbfcad0, thisValue={m_ptr = 0x12452b180}, args=@0x7fff5fbfcac0) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/runtime/CallData.cpp:38
#16 0x0000000101d20dfb in JSC::functionProtoFuncApply (exec=0x123110728) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/runtime/FunctionPrototype.cpp:133
#17 0x00003864232001aa in ?? ()
#18 0x0000000101d2bc90 in JSC::JITCode::execute (this=0x12474c158, registerFile=0x11ad68f08, callFrame=0x123110038, globalData=0x11b016000, exception=0x7fff5fbfcdd0) at JITCode.h:77
#19 0x0000000101d28551 in JSC::Interpreter::execute (this=0x11ad68ef0, program=0x12474c140, callFrame=0x122f61778, scopeChain=0x122f60fe0, thisObj=0x11f740000, exception=0x7fff5fbfcdd0) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/interpreter/Interpreter.cpp:701
#20 0x0000000101cfbb95 in JSC::evaluate (exec=0x122f61778, scopeChain=@0x122f61740, source=@0x7fff5fbfd138, thisValue={m_ptr = 0x11f740000}) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/runtime/Completion.cpp:63
#21 0x000000010305425a in WebCore::JSMainThreadExecState::evaluate (exec=0x122f61778, chain=@0x122f61740, source=@0x7fff5fbfd138, thisValue={m_ptr = 0x11f740000}) at JSMainThreadExecState.h:54
#22 0x000000010341529a in WebCore::ScriptController::evaluateInWorld (this=0x11c829908, sourceCode=@0x7fff5fbfd130, world=0x11ad77220, shouldAllowXSS=WebCore::DoNotAllowXSS) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/bindings/js/ScriptController.cpp:151
#23 0x00000001034154a4 in WebCore::ScriptController::evaluate (this=0x11c829908, sourceCode=@0x7fff5fbfd130, shouldAllowXSS=WebCore::DoNotAllowXSS) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/bindings/js/ScriptController.cpp:177
#24 0x000000010341ad4c in WebCore::ScriptController::executeScript (this=0x11c829908, sourceCode=@0x7fff5fbfd130, shouldAllowXSS=WebCore::DoNotAllowXSS) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/bindings/ScriptControllerBase.cpp:60
#25 0x0000000102e4ad80 in WebCore::HTMLScriptRunner::executeScript (this=0x122f662b0, element=0x12474bd90, sourceCode=@0x7fff5fbfd130) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/html/HTMLScriptRunner.cpp:160
#26 0x0000000102e4af02 in WebCore::HTMLScriptRunner::runScript (this=0x122f662b0, script=0x12474bd90, startingLineNumber=483) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/html/HTMLScriptRunner.cpp:276
#27 0x0000000102e4b4b7 in WebCore::HTMLScriptRunner::execute (this=0x122f662b0, scriptElement=@0x7fff5fbfd230, startLine=483) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/html/HTMLScriptRunner.cpp:185
#28 0x0000000102df39ff in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder (this=0x10a044800) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/html/HTMLDocumentParser.cpp:152
#29 0x0000000102df4245 in WebCore::HTMLDocumentParser::pumpTokenizer (this=0x10a044800, mode=WebCore::HTMLDocumentParser::AllowYield) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/html/HTMLDocumentParser.cpp:179
#30 0x0000000102df4483 in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible (this=0x10a044800, mode=WebCore::HTMLDocumentParser::AllowYield) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/html/HTMLDocumentParser.cpp:127
#31 0x0000000102df4a00 in WebCore::HTMLDocumentParser::append (this=0x10a044800, source=@0x7fff5fbfd350) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/html/HTMLDocumentParser.cpp:263
#32 0x0000000102bb12ac in WebCore::DecodedDataDocumentParser::appendBytes (this=0x10a044800, writer=0x11c8295f0, data=0x10a18e000 "_con\\\"><img class=\\\"spinner\\\" src=\\\"http:\\/\\/d.yimg.com\\/a\\/i\\/ww\\/met\\/anim_loading_sm_082208.gif\\\" \\/><\\/div>", ' ' <repeats 12 times>, "<div id=\\\"gx_news\\\">\\n", ' ' <repeats 12 times>, "<ul id=\\\"news_list\\\">\\n", ' ' <repeats 20 times>..., length=56856, shouldFlush=false) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/DecodedDataDocumentParser.cpp:55
#33 0x0000000102c0b688 in WebCore::DocumentWriter::addData (this=0x11c8295f0, str=0x10a18e000 "_con\\\"><img class=\\\"spinner\\\" src=\\\"http:\\/\\/d.yimg.com\\/a\\/i\\/ww\\/met\\/anim_loading_sm_082208.gif\\\" \\/><\\/div>", ' ' <repeats 12 times>, "<div id=\\\"gx_news\\\">\\n", ' ' <repeats 12 times>, "<ul id=\\\"news_list\\\">\\n", ' ' <repeats 20 times>..., len=56856, flush=false) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/loader/DocumentWriter.cpp:200
#34 0x0000000102d5acff in WebCore::FrameLoader::addData (this=0x11c829450, bytes=0x10a18e000 "_con\\\"><img class=\\\"spinner\\\" src=\\\"http:\\/\\/d.yimg.com\\/a\\/i\\/ww\\/met\\/anim_loading_sm_082208.gif\\\" \\/><\\/div>", ' ' <repeats 12 times>, "<div id=\\\"gx_news\\\">\\n", ' ' <repeats 12 times>, "<ul id=\\\"news_list\\\">\\n", ' ' <repeats 20 times>..., length=56856) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/loader/FrameLoader.cpp:1143
#35 0x000000010245bf26 in -[WebFrame(WebInternal) _addData:] (self=0x11ba28270, _cmd=0x7fff840c6cd9, data=0x10762e5c0) at /Volumes/InternalData/Development/webkit/OpenSource/WebKit/mac/WebView/WebFrame.mm:502
#36 0x0000000102459157 in -[WebFrame(WebInternal) _receivedData:textEncodingName:] (self=0x11ba28270, _cmd=0x7fff840c6678, data=0x10762e5c0, textEncodingName=0x122f5b090) at /Volumes/InternalData/Development/webkit/OpenSource/WebKit/mac/WebView/WebFrame.mm:1011
#37 0x0000000102481484 in -[WebHTMLRepresentation receivedData:withDataSource:] (self=0x122f5a150, _cmd=0x7fff840c2cf2, data=0x10762e5c0, dataSource=0x107626f70) at /Volumes/InternalData/Development/webkit/OpenSource/WebKit/mac/WebView/WebHTMLRepresentation.mm:171
#38 0x000000010244298e in -[WebDataSource(WebInternal) _receivedData:] (self=0x107626f70, _cmd=0x7fff840bf434, data=0x10762e5c0) at /Volumes/InternalData/Development/webkit/OpenSource/WebKit/mac/WebView/WebDataSource.mm:239
#39 0x0000000102464d0b in WebFrameLoaderClient::committedLoad (this=0x11ba293c0, loader=0x108065600, data=0x10a18e000 "_con\\\"><img class=\\\"spinner\\\" src=\\\"http:\\/\\/d.yimg.com\\/a\\/i\\/ww\\/met\\/anim_loading_sm_082208.gif\\\" \\/><\\/div>", ' ' <repeats 12 times>, "<div id=\\\"gx_news\\\">\\n", ' ' <repeats 12 times>, "<ul id=\\\"news_list\\\">\\n", ' ' <repeats 20 times>..., length=56856) at /Volumes/InternalData/Development/webkit/OpenSource/WebKit/mac/WebCoreSupport/WebFrameLoaderClient.mm:853
#40 0x0000000102d58912 in WebCore::FrameLoader::committedLoad (this=0x11c829450, loader=0x108065600, data=0x10a18e000 "_con\\\"><img class=\\\"spinner\\\" src=\\\"http:\\/\\/d.yimg.com\\/a\\/i\\/ww\\/met\\/anim_loading_sm_082208.gif\\\" \\/><\\/div>", ' ' <repeats 12 times>, "<div id=\\\"gx_news\\\">\\n", ' ' <repeats 12 times>, "<ul id=\\\"news_list\\\">\\n", ' ' <repeats 20 times>..., length=56856) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/loader/FrameLoader.cpp:2749
#41 0x0000000102c01f9b in WebCore::DocumentLoader::commitLoad (this=0x108065600, data=0x10a18e000 "_con\\\"><img class=\\\"spinner\\\" src=\\\"http:\\/\\/d.yimg.com\\/a\\/i\\/ww\\/met\\/anim_loading_sm_082208.gif\\\" \\/><\\/div>", ' ' <repeats 12 times>, "<div id=\\\"gx_news\\\">\\n", ' ' <repeats 12 times>, "<ul id=\\\"news_list\\\">\\n", ' ' <repeats 20 times>..., length=56856) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/loader/DocumentLoader.cpp:280
#42 0x0000000102c01ff4 in WebCore::DocumentLoader::receivedData (this=0x108065600, data=0x10a18e000 "_con\\\"><img class=\\\"spinner\\\" src=\\\"http:\\/\\/d.yimg.com\\/a\\/i\\/ww\\/met\\/anim_loading_sm_082208.gif\\\" \\/><\\/div>", ' ' <repeats 12 times>, "<div id=\\\"gx_news\\\">\\n", ' ' <repeats 12 times>, "<ul id=\\\"news_list\\\">\\n", ' ' <repeats 20 times>..., length=56856) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/loader/DocumentLoader.cpp:292
#43 0x0000000102d5a813 in WebCore::FrameLoader::receivedData (this=0x11c829450, data=0x10a18e000 "_con\\\"><img class=\\\"spinner\\\" src=\\\"http:\\/\\/d.yimg.com\\/a\\/i\\/ww\\/met\\/anim_loading_sm_082208.gif\\\" \\/><\\/div>", ' ' <repeats 12 times>, "<div id=\\\"gx_news\\\">\\n", ' ' <repeats 12 times>, "<ul id=\\\"news_list\\\">\\n", ' ' <repeats 20 times>..., length=56856) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/loader/FrameLoader.cpp:1557
#44 0x0000000103207a9a in WebCore::MainResourceLoader::addData (this=0x108068200, data=0x10a18e000 "_con\\\"><img class=\\\"spinner\\\" src=\\\"http:\\/\\/d.yimg.com\\/a\\/i\\/ww\\/met\\/anim_loading_sm_082208.gif\\\" \\/><\\/div>", ' ' <repeats 12 times>, "<div id=\\\"gx_news\\\">\\n", ' ' <repeats 12 times>, "<ul id=\\\"news_list\\\">\\n", ' ' <repeats 20 times>..., length=56856, allAtOnce=false) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/loader/MainResourceLoader.cpp:147
#45 0x00000001033f7d06 in WebCore::ResourceLoader::didReceiveData (this=0x108068200, data=0x10a18e000 "_con\\\"><img class=\\\"spinner\\\" src=\\\"http:\\/\\/d.yimg.com\\/a\\/i\\/ww\\/met\\/anim_loading_sm_082208.gif\\\" \\/><\\/div>", ' ' <repeats 12 times>, "<div id=\\\"gx_news\\\">\\n", ' ' <repeats 12 times>, "<ul id=\\\"news_list\\\">\\n", ' ' <repeats 20 times>..., length=56856, lengthReceived=56856, allAtOnce=false) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/loader/ResourceLoader.cpp:260
#46 0x0000000103207313 in WebCore::MainResourceLoader::didReceiveData (this=0x108068200, data=0x10a18e000 "_con\\\"><img class=\\\"spinner\\\" src=\\\"http:\\/\\/d.yimg.com\\/a\\/i\\/ww\\/met\\/anim_loading_sm_082208.gif\\\" \\/><\\/div>", ' ' <repeats 12 times>, "<div id=\\\"gx_news\\\">\\n", ' ' <repeats 12 times>, "<ul id=\\\"news_list\\\">\\n", ' ' <repeats 20 times>..., length=56856, lengthReceived=56856, allAtOnce=false) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/loader/MainResourceLoader.cpp:415
#47 0x00000001033f7420 in WebCore::ResourceLoader::didReceiveData (this=0x108068200, data=0x10a18e000 "_con\\\"><img class=\\\"spinner\\\" src=\\\"http:\\/\\/d.yimg.com\\/a\\/i\\/ww\\/met\\/anim_loading_sm_082208.gif\\\" \\/><\\/div>", ' ' <repeats 12 times>, "<div id=\\\"gx_news\\\">\\n", ' ' <repeats 12 times>, "<ul id=\\\"news_list\\\">\\n", ' ' <repeats 20 times>..., length=56856, lengthReceived=56856) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/loader/ResourceLoader.cpp:431
#48 0x00000001033f21fe in -[WebCoreResourceHandleAsDelegate connection:didReceiveData:lengthReceived:] (self=0x10762d860, _cmd=0x7fff83e4ca69, connection=0x10762d9b0, data=0x122f58780, lengthReceived=56856) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/platform/network/mac/ResourceHandleMac.mm:861
#49 0x00007fff83d274af in _NSURLConnectionDidReceiveData ()
#50 0x00007fff84668ef8 in URLConnectionClient::_clientDidReceiveData ()
#51 0x00007fff846d03be in URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload ()
#52 0x00007fff8465779f in URLConnectionClient::processEvents ()
#53 0x00007fff8465757c in MultiplexerSource::perform ()
#54 0x00007fff87e40d3d in __CFRunLoopDoSources0 ()
#55 0x00007fff87e3f089 in __CFRunLoopRun ()
#56 0x00007fff87e3e84f in CFRunLoopRunSpecific ()
#57 0x00007fff81d6e91a in RunCurrentEventLoopInMode ()
#58 0x00007fff81d6e71f in ReceiveNextEventCommon ()
#59 0x00007fff81d6e5d8 in BlockUntilNextEventMatchingListInMode ()
#60 0x00007fff86eb329e in _DPSNextEvent ()
#61 0x00007fff86eb2bed in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#62 0x00000001000800c9 in -[BrowserApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (self=0x107610810, _cmd=0x7fff875a79d0, mask=18446744073709551615, expiration=0x11ad52710, mode=0x7fff70eef3d0, dequeue=1 '\001') at /Volumes/InternalData/Development/webkit/Internal/Safari/mac/BrowserApplication.mm:410
#63 0x00007fff86e788d3 in -[NSApplication run] ()
#64 0x00007fff86e715f8 in NSApplicationMain ()
#65 0x000000010022eb61 in main (argc=5, argv=0x7fff5fbff1f0) at /Volumes/InternalData/Development/webkit/Internal/Safari/mac/main.mm:157
Current language:  auto; currently c++
(gdb)
Comment 1 Simon Fraser (smfr) 2010-07-15 13:12:31 PDT
<rdar://problem/8196405>
Comment 2 Geoffrey Garen 2010-07-15 19:15:19 PDT
Created attachment 61757 [details]
Patch
Comment 3 Maciej Stachowiak 2010-07-15 20:33:57 PDT
Comment on attachment 61757 [details]
Patch

r=me. but if the removed null check is not directly related to the other change, please say so in the ChangeLog.
Comment 4 mitz 2010-07-15 20:35:38 PDT
How come there’s no regression test?
Comment 5 Geoffrey Garen 2010-07-15 21:58:50 PDT
Committed r63515: <http://trac.webkit.org/changeset/63515>
Comment 7 Geoffrey Garen 2010-07-16 10:57:24 PDT
(In reply to comment #4)
> How come there’s no regression test?

Sorry -- forgot to include a test in the patch I uploaded, but I did include a patch in the final commit.