RESOLVED FIXED 42394
Crash entering mail.yahoo.com
https://bugs.webkit.org/show_bug.cgi?id=42394
Simon Fraser (smfr)
Reported 2010-07-15 13:12:10 PDT
Going to mail.yahoo.com results in a crash with r63452

(gdb) bt
#0 0x0000000101ccf2fc in JSC::RegisterID::index (this=0x0) at RegisterID.h:75
#1 0x0000000101cc20c4 in JSC::BytecodeGenerator::argumentNumberFor (this=0x108312600, ident=@0x12464abd8) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:2054
#2 0x0000000101dce102 in JSC::FunctionBodyNode::emitBytecode (this=0x12464aa20, generator=@0x108312600) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2046
#3 0x0000000101cc94cd in JSC::BytecodeGenerator::generate (this=0x108312600) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:144
#4 0x0000000101d15cf2 in JSC::FunctionExecutable::compileForCallInternal (this=0x122eecc10, exec=0x1231116c8, scopeChainNode=0x122eec1d0) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/runtime/Executable.cpp:167
#5 0x0000000101cb8e4b in JSC::FunctionExecutable::compileForCall (this=0x122eecc10, exec=0x1231116c8, scopeChainNode=0x122eec1d0) at Executable.h:318
#6 0x0000000101d53539 in cti_vm_lazyLinkCall (args=0x7fff5fbfc350) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/jit/JITStubs.cpp:1987
Could not find the frame base for "WTF::doubleHash(unsigned int)".
#7 0x0000000101d4b7db in WTF::doubleHash (key=) at HashTable.h:447
#8 0x0000000101d2bc90 in JSC::JITCode::execute (this=0x123c4cc38, registerFile=0x11ad68f08, callFrame=0x123111510, globalData=0x11b016000, exception=0x11b017920) at JITCode.h:77
#9 0x0000000101d27736 in JSC::Interpreter::executeCall (this=0x11ad68ef0, callFrame=0x1231114a0, function=0x120439cc0, callType=JSC::CallTypeJS, callData=@0x7fff5fbfc6d0, thisValue={m_ptr = 0x124524100}, args=@0x7fff5fbfc6c0, exception=0x11b017920) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/interpreter/Interpreter.cpp:780
#10 0x0000000101ce4477 in JSC::call (exec=0x1231114a0, functionObject={m_ptr = 0x120439cc0}, callType=JSC::CallTypeJS, callData=@0x7fff5fbfc6d0, thisValue={m_ptr = 0x124524100}, args=@0x7fff5fbfc6c0) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/runtime/CallData.cpp:38
#11 0x0000000101d20dfb in JSC::functionProtoFuncApply (exec=0x1231114a0) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/runtime/FunctionPrototype.cpp:133
#12 0x00003864232001aa in ?? ()
#13 0x0000000101d2bc90 in JSC::JITCode::execute (this=0x122ee08d8, registerFile=0x11ad68f08, callFrame=0x123111370, globalData=0x11b016000, exception=0x11b017920) at JITCode.h:77
#14 0x0000000101d27736 in JSC::Interpreter::executeCall (this=0x11ad68ef0, callFrame=0x123110728, function=0x12452b040, callType=JSC::CallTypeJS, callData=@0x7fff5fbfcad0, thisValue={m_ptr = 0x12452b180}, args=@0x7fff5fbfcac0, exception=0x11b017920) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/interpreter/Interpreter.cpp:780
#15 0x0000000101ce4477 in JSC::call (exec=0x123110728, functionObject={m_ptr = 0x12452b040}, callType=JSC::CallTypeJS, callData=@0x7fff5fbfcad0, thisValue={m_ptr = 0x12452b180}, args=@0x7fff5fbfcac0) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/runtime/CallData.cpp:38
#16 0x0000000101d20dfb in JSC::functionProtoFuncApply (exec=0x123110728) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/runtime/FunctionPrototype.cpp:133
#17 0x00003864232001aa in ?? ()
#18 0x0000000101d2bc90 in JSC::JITCode::execute (this=0x12474c158, registerFile=0x11ad68f08, callFrame=0x123110038, globalData=0x11b016000, exception=0x7fff5fbfcdd0) at JITCode.h:77
#19 0x0000000101d28551 in JSC::Interpreter::execute (this=0x11ad68ef0, program=0x12474c140, callFrame=0x122f61778, scopeChain=0x122f60fe0, thisObj=0x11f740000, exception=0x7fff5fbfcdd0) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/interpreter/Interpreter.cpp:701
#20 0x0000000101cfbb95 in JSC::evaluate (exec=0x122f61778, scopeChain=@0x122f61740, source=@0x7fff5fbfd138, thisValue={m_ptr = 0x11f740000}) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/runtime/Completion.cpp:63
#21 0x000000010305425a in WebCore::JSMainThreadExecState::evaluate (exec=0x122f61778, chain=@0x122f61740, source=@0x7fff5fbfd138, thisValue={m_ptr = 0x11f740000}) at JSMainThreadExecState.h:54
#22 0x000000010341529a in WebCore::ScriptController::evaluateInWorld (this=0x11c829908, sourceCode=@0x7fff5fbfd130, world=0x11ad77220, shouldAllowXSS=WebCore::DoNotAllowXSS) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/bindings/js/ScriptController.cpp:151
#23 0x00000001034154a4 in WebCore::ScriptController::evaluate (this=0x11c829908, sourceCode=@0x7fff5fbfd130, shouldAllowXSS=WebCore::DoNotAllowXSS) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/bindings/js/ScriptController.cpp:177
#24 0x000000010341ad4c in WebCore::ScriptController::executeScript (this=0x11c829908, sourceCode=@0x7fff5fbfd130, shouldAllowXSS=WebCore::DoNotAllowXSS) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/bindings/ScriptControllerBase.cpp:60
#25 0x0000000102e4ad80 in WebCore::HTMLScriptRunner::executeScript (this=0x122f662b0, element=0x12474bd90, sourceCode=@0x7fff5fbfd130) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/html/HTMLScriptRunner.cpp:160
#26 0x0000000102e4af02 in WebCore::HTMLScriptRunner::runScript (this=0x122f662b0, script=0x12474bd90, startingLineNumber=483) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/html/HTMLScriptRunner.cpp:276
#27 0x0000000102e4b4b7 in WebCore::HTMLScriptRunner::execute (this=0x122f662b0, scriptElement=@0x7fff5fbfd230, startLine=483) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/html/HTMLScriptRunner.cpp:185
#28 0x0000000102df39ff in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder (this=0x10a044800) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/html/HTMLDocumentParser.cpp:152
#29 0x0000000102df4245 in WebCore::HTMLDocumentParser::pumpTokenizer (this=0x10a044800, mode=WebCore::HTMLDocumentParser::AllowYield) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/html/HTMLDocumentParser.cpp:179
#30 0x0000000102df4483 in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible (this=0x10a044800, mode=WebCore::HTMLDocumentParser::AllowYield) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/html/HTMLDocumentParser.cpp:127
#31 0x0000000102df4a00 in WebCore::HTMLDocumentParser::append (this=0x10a044800, source=@0x7fff5fbfd350) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/html/HTMLDocumentParser.cpp:263
#32 0x0000000102bb12ac in WebCore::DecodedDataDocumentParser::appendBytes (this=0x10a044800, writer=0x11c8295f0, data=0x10a18e000 "_con\\\"><img class=\\\"spinner\\\" src=\\\"http:\\/\\/d.yimg.com\\/a\\/i\\/ww\\/met\\/anim_loading_sm_082208.gif\\\" \\/><\\/div>", ' ' <repeats 12 times>, "<div id=\\\"gx_news\\\">\\n", ' ' <repeats 12 times>, "<ul id=\\\"news_list\\\">\\n", ' ' <repeats 20 times>..., length=56856, shouldFlush=false) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/DecodedDataDocumentParser.cpp:55
#33 0x0000000102c0b688 in WebCore::DocumentWriter::addData (this=0x11c8295f0, str=0x10a18e000 "_con\\\"><img class=\\\"spinner\\\" src=\\\"http:\\/\\/d.yimg.com\\/a\\/i\\/ww\\/met\\/anim_loading_sm_082208.gif\\\" \\/><\\/div>", ' ' <repeats 12 times>, "<div id=\\\"gx_news\\\">\\n", ' ' <repeats 12 times>, "<ul id=\\\"news_list\\\">\\n", ' ' <repeats 20 times>..., len=56856, flush=false) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/loader/DocumentWriter.cpp:200
#34 0x0000000102d5acff in WebCore::FrameLoader::addData (this=0x11c829450, bytes=0x10a18e000 "_con\\\"><img class=\\\"spinner\\\" src=\\\"http:\\/\\/d.yimg.com\\/a\\/i\\/ww\\/met\\/anim_loading_sm_082208.gif\\\" \\/><\\/div>", ' ' <repeats 12 times>, "<div id=\\\"gx_news\\\">\\n", ' ' <repeats 12 times>, "<ul id=\\\"news_list\\\">\\n", ' ' <repeats 20 times>..., length=56856) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/loader/FrameLoader.cpp:1143
#35 0x000000010245bf26 in -[WebFrame(WebInternal) _addData:] (self=0x11ba28270, _cmd=0x7fff840c6cd9, data=0x10762e5c0) at /Volumes/InternalData/Development/webkit/OpenSource/WebKit/mac/WebView/WebFrame.mm:502
#36 0x0000000102459157 in -[WebFrame(WebInternal) _receivedData:textEncodingName:] (self=0x11ba28270, _cmd=0x7fff840c6678, data=0x10762e5c0, textEncodingName=0x122f5b090) at /Volumes/InternalData/Development/webkit/OpenSource/WebKit/mac/WebView/WebFrame.mm:1011
#37 0x0000000102481484 in -[WebHTMLRepresentation receivedData:withDataSource:] (self=0x122f5a150, _cmd=0x7fff840c2cf2, data=0x10762e5c0, dataSource=0x107626f70) at /Volumes/InternalData/Development/webkit/OpenSource/WebKit/mac/WebView/WebHTMLRepresentation.mm:171
#38 0x000000010244298e in -[WebDataSource(WebInternal) _receivedData:] (self=0x107626f70, _cmd=0x7fff840bf434, data=0x10762e5c0) at /Volumes/InternalData/Development/webkit/OpenSource/WebKit/mac/WebView/WebDataSource.mm:239
#39 0x0000000102464d0b in WebFrameLoaderClient::committedLoad (this=0x11ba293c0, loader=0x108065600, data=0x10a18e000 "_con\\\"><img class=\\\"spinner\\\" src=\\\"http:\\/\\/d.yimg.com\\/a\\/i\\/ww\\/met\\/anim_loading_sm_082208.gif\\\" \\/><\\/div>", ' ' <repeats 12 times>, "<div id=\\\"gx_news\\\">\\n", ' ' <repeats 12 times>, "<ul id=\\\"news_list\\\">\\n", ' ' <repeats 20 times>..., length=56856) at /Volumes/InternalData/Development/webkit/OpenSource/WebKit/mac/WebCoreSupport/WebFrameLoaderClient.mm:853
#40 0x0000000102d58912 in WebCore::FrameLoader::committedLoad (this=0x11c829450, loader=0x108065600, data=0x10a18e000 "_con\\\"><img class=\\\"spinner\\\" src=\\\"http:\\/\\/d.yimg.com\\/a\\/i\\/ww\\/met\\/anim_loading_sm_082208.gif\\\" \\/><\\/div>", ' ' <repeats 12 times>, "<div id=\\\"gx_news\\\">\\n", ' ' <repeats 12 times>, "<ul id=\\\"news_list\\\">\\n", ' ' <repeats 20 times>..., length=56856) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/loader/FrameLoader.cpp:2749
#41 0x0000000102c01f9b in WebCore::DocumentLoader::commitLoad (this=0x108065600, data=0x10a18e000 "_con\\\"><img class=\\\"spinner\\\" src=\\\"http:\\/\\/d.yimg.com\\/a\\/i\\/ww\\/met\\/anim_loading_sm_082208.gif\\\" \\/><\\/div>", ' ' <repeats 12 times>, "<div id=\\\"gx_news\\\">\\n", ' ' <repeats 12 times>, "<ul id=\\\"news_list\\\">\\n", ' ' <repeats 20 times>..., length=56856) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/loader/DocumentLoader.cpp:280
#42 0x0000000102c01ff4 in WebCore::DocumentLoader::receivedData (this=0x108065600, data=0x10a18e000 "_con\\\"><img class=\\\"spinner\\\" src=\\\"http:\\/\\/d.yimg.com\\/a\\/i\\/ww\\/met\\/anim_loading_sm_082208.gif\\\" \\/><\\/div>", ' ' <repeats 12 times>, "<div id=\\\"gx_news\\\">\\n", ' ' <repeats 12 times>, "<ul id=\\\"news_list\\\">\\n", ' ' <repeats 20 times>..., length=56856) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/loader/DocumentLoader.cpp:292
#43 0x0000000102d5a813 in WebCore::FrameLoader::receivedData (this=0x11c829450, data=0x10a18e000 "_con\\\"><img class=\\\"spinner\\\" src=\\\"http:\\/\\/d.yimg.com\\/a\\/i\\/ww\\/met\\/anim_loading_sm_082208.gif\\\" \\/><\\/div>", ' ' <repeats 12 times>, "<div id=\\\"gx_news\\\">\\n", ' ' <repeats 12 times>, "<ul id=\\\"news_list\\\">\\n", ' ' <repeats 20 times>..., length=56856) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/loader/FrameLoader.cpp:1557
#44 0x0000000103207a9a in WebCore::MainResourceLoader::addData (this=0x108068200, data=0x10a18e000 "_con\\\"><img class=\\\"spinner\\\" src=\\\"http:\\/\\/d.yimg.com\\/a\\/i\\/ww\\/met\\/anim_loading_sm_082208.gif\\\" \\/><\\/div>", ' ' <repeats 12 times>, "<div id=\\\"gx_news\\\">\\n", ' ' <repeats 12 times>, "<ul id=\\\"news_list\\\">\\n", ' ' <repeats 20 times>..., length=56856, allAtOnce=false) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/loader/MainResourceLoader.cpp:147
#45 0x00000001033f7d06 in WebCore::ResourceLoader::didReceiveData (this=0x108068200, data=0x10a18e000 "_con\\\"><img class=\\\"spinner\\\" src=\\\"http:\\/\\/d.yimg.com\\/a\\/i\\/ww\\/met\\/anim_loading_sm_082208.gif\\\" \\/><\\/div>", ' ' <repeats 12 times>, "<div id=\\\"gx_news\\\">\\n", ' ' <repeats 12 times>, "<ul id=\\\"news_list\\\">\\n", ' ' <repeats 20 times>..., length=56856, lengthReceived=56856, allAtOnce=false) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/loader/ResourceLoader.cpp:260
#46 0x0000000103207313 in WebCore::MainResourceLoader::didReceiveData (this=0x108068200, data=0x10a18e000 "_con\\\"><img class=\\\"spinner\\\" src=\\\"http:\\/\\/d.yimg.com\\/a\\/i\\/ww\\/met\\/anim_loading_sm_082208.gif\\\" \\/><\\/div>", ' ' <repeats 12 times>, "<div id=\\\"gx_news\\\">\\n", ' ' <repeats 12 times>, "<ul id=\\\"news_list\\\">\\n", ' ' <repeats 20 times>..., length=56856, lengthReceived=56856, allAtOnce=false) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/loader/MainResourceLoader.cpp:415
#47 0x00000001033f7420 in WebCore::ResourceLoader::didReceiveData (this=0x108068200, data=0x10a18e000 "_con\\\"><img class=\\\"spinner\\\" src=\\\"http:\\/\\/d.yimg.com\\/a\\/i\\/ww\\/met\\/anim_loading_sm_082208.gif\\\" \\/><\\/div>", ' ' <repeats 12 times>, "<div id=\\\"gx_news\\\">\\n", ' ' <repeats 12 times>, "<ul id=\\\"news_list\\\">\\n", ' ' <repeats 20 times>..., length=56856, lengthReceived=56856) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/loader/ResourceLoader.cpp:431
#48 0x00000001033f21fe in -[WebCoreResourceHandleAsDelegate connection:didReceiveData:lengthReceived:] (self=0x10762d860, _cmd=0x7fff83e4ca69, connection=0x10762d9b0, data=0x122f58780, lengthReceived=56856) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/platform/network/mac/ResourceHandleMac.mm:861
#49 0x00007fff83d274af in _NSURLConnectionDidReceiveData ()
#50 0x00007fff84668ef8 in URLConnectionClient::_clientDidReceiveData ()
#51 0x00007fff846d03be in URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload ()
#52 0x00007fff8465779f in URLConnectionClient::processEvents ()
#53 0x00007fff8465757c in MultiplexerSource::perform ()
#54 0x00007fff87e40d3d in __CFRunLoopDoSources0 ()
#55 0x00007fff87e3f089 in __CFRunLoopRun ()
#56 0x00007fff87e3e84f in CFRunLoopRunSpecific ()
#57 0x00007fff81d6e91a in RunCurrentEventLoopInMode ()
#58 0x00007fff81d6e71f in ReceiveNextEventCommon ()
#59 0x00007fff81d6e5d8 in BlockUntilNextEventMatchingListInMode ()
#60 0x00007fff86eb329e in _DPSNextEvent ()
#61 0x00007fff86eb2bed in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#62 0x00000001000800c9 in -[BrowserApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (self=0x107610810, _cmd=0x7fff875a79d0, mask=18446744073709551615, expiration=0x11ad52710, mode=0x7fff70eef3d0, dequeue=1 '\001') at /Volumes/InternalData/Development/webkit/Internal/Safari/mac/BrowserApplication.mm:410
#63 0x00007fff86e788d3 in -[NSApplication run] ()
#64 0x00007fff86e715f8 in NSApplicationMain ()
#65 0x000000010022eb61 in main (argc=5, argv=0x7fff5fbff1f0) at /Volumes/InternalData/Development/webkit/Internal/Safari/mac/main.mm:157
Current language: auto; currently c++
(gdb)
Attachments
Patch (2.47 KB, patch)
2010-07-15 19:15 PDT, Geoffrey Garen
mjs: review+
Simon Fraser (smfr)
Comment 1 2010-07-15 13:12:31 PDT
Geoffrey Garen
Comment 2 2010-07-15 19:15:19 PDT
Maciej Stachowiak
Comment 3 2010-07-15 20:33:57 PDT
Comment on attachment 61757 Patch

r=me. But if the removed null check is not directly related to the other change, please say so in the ChangeLog.
mitz
Comment 4 2010-07-15 20:35:38 PDT
How come there’s no regression test?
Geoffrey Garen
Comment 5 2010-07-15 21:58:50 PDT
Geoffrey Garen
Comment 7 2010-07-16 10:57:24 PDT
(In reply to comment #4)
> How come there’s no regression test?

Sorry -- forgot to include a test in the patch I uploaded, but I did include a patch in the final commit.