Running OS 10.6.4 webkit: r64341

Webkit consistently crashes in r64341 immediately after logging in to gmail.com. No action other than logging in is required to reproduce the problem. Crashing stack follows:

Thread 0 Crashed: Dispatch queue: com.apple.main-thread
0 com.apple.JavaScriptCore 0x0000000100811fd9 cti_op_get_by_val + 473
1 com.apple.JavaScriptCore 0x00000001007d79c8 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, JSC::JSValue*) + 728
2 com.apple.Safari 0x0000000100000001 0x100000000 + 1
3 ??? 0x000000011d97a960 0 + 4791445856
4 com.apple.WebCore 0x0000000101141b60 WebCore::JSDOMWindowShell::~JSDOMWindowShell() + 0
5 ??? 0x0000441f0f66ffff 0 + 74900193083391
Looks to me like the most likely suspect for this crash is changeset 64320: "Changed the handling for removing and adding elements at the front of an array", as JSC::JIT::emit_op_put_by_val was changed. This started failing somewhere in r64246-r64341.
Changing to P1 as this is a reproducible crash.
Cheers Joe, we'll investigate.
Could you check whether this is valid for the latest revision? As for me, r64451 works with both Qt-debug and Mac-Leopard-release. I entered gmail.com into the URL bar (it immediately redirects to some login page for Google), set the username and password (of a newly created dummy account), clicked on "Sign in", and the login succeeded.
Webkit still crashes with the most recent nightly: r64451. In order to reproduce, it might require more than just a newly created gmail account. I have lots of gmail messages (more than a "page" full), Buzz, and Chat entries.
Interesting note: gmail works in 32-bit mode for me, but crashes in 64-bit mode.
Created attachment 63404: Patch to fix the number of JSValues to memcpy when unshift'ing

Comment on attachment 63404 (Patch to fix the number of JSValues to memcpy when unshift'ing):

landing by hand
Transmitting file data .. Committed revision 64620.
Could this have a regression test?
Hey Alexey,

We discussed this, and it may be tricky to trigger with any consistency in an isolated test case since the bug will only occur if malloc returns non-zerofill (used) memory (along with a bunch of other conditions). As such we thought it better to get the fix landed immediately, but Micheal is going to try to produce a good test case.

cheers, G.