44099 – REGRESSION(r65468): Crashes in StringImpl::find

RESOLVED FIXED 44099

REGRESSION(r65468): Crashes in StringImpl::find

https://bugs.webkit.org/show_bug.cgi?id=44099

Summary REGRESSION(r65468): Crashes in StringImpl::find

Yuta Kitamura

Reported 2010-08-17 04:11:28 PDT

Since r65468, Chromium buildbots are reporting a lot of crashes inside StringImpl::find. I guess I have found the problem; I'll upload a patch shortly.

Attachments
Patch (1.54 KB, patch) 2010-08-17 04:29 PDT, Yuta Kitamura	no flags	Details Formatted Diff Diff
Fix for second overrun (4.73 KB, patch) 2010-08-17 16:14 PDT, Gavin Barraclough	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Yuta Kitamura

Comment 1 2010-08-17 04:29:20 PDT

Created attachment 64573 [details] Patch

Shinichiro Hamaji

Comment 2 2010-08-17 04:35:58 PDT

Comment on attachment 64573 [details] Patch Looks good.

WebKit Commit Bot

Comment 3 2010-08-17 04:55:11 PDT

Comment on attachment 64573 [details] Patch Clearing flags on attachment: 64573 Committed r65493: <http://trac.webkit.org/changeset/65493>

WebKit Commit Bot

Comment 4 2010-08-17 04:55:16 PDT

All reviewed patches have been landed. Closing bug.

Yuta Kitamura

Comment 5 2010-08-17 05:59:37 PDT

Unfortunately, my patch didn't work. Stack trace is available at: http://build.chromium.org/buildbot/waterfall/builders/Chromium%20Reliability/builds/11720/steps/reliability:%20partial%20result%20of%20current%20build/logs/stdio http://build.chromium.org/buildbot/waterfall/builders/Chromium%20Reliability/builds/11721/steps/reliability:%20partial%20result%20of%20current%20build/logs/stdio For now, I'm not sure the real reason why r65468 causes crashes.

Darin Adler

Comment 6 2010-08-17 14:16:20 PDT

Comment on attachment 64573 [details] Patch I would have preferred a fix that used a break inside the loop rather than repeating the logic from inside the loop. for (unsigned i = 0; ; ++i) { if (searchHash == matchHash && equal(searchCharacters + i, matchString, matchLength)) return index + i; if (i >= delta) break; ...

Adam Roben (:aroben)

Comment 7 2010-08-17 15:43:44 PDT

This seems to be happening on Windows, too: http://build.webkit.org/results/Windows%20Debug%20(Tests)/r65537%20(18204)/CrashLog_09b4_2010-08-17_15-14-54-014.txt http://build.webkit.org/results/Windows%20Debug%20(Tests)/r65537%20(18204)/CrashLog_0c14_2010-08-17_15-05-47-171.txt

Gavin Barraclough

Comment 8 2010-08-17 16:14:36 PDT

Created attachment 64650 [details] Fix for second overrun Landed in r65571

Gavin Barraclough

Comment 9 2010-08-17 16:17:35 PDT

Thanks for catching this Yuta. I think the problem is just the overrun, but there is a second find method with the same issue, so I've landed a fix for this. Hopefully this should resolved the remaining crashes.

Yuta Kitamura

Comment 10 2010-08-18 06:49:39 PDT

(In reply to comment #9) > Thanks for catching this Yuta. I think the problem is just the overrun, but there is a second find method with the same issue, so I've landed a fix for this. Hopefully this should resolved the remaining crashes. It seems the crashes are gone. Thanks!

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware PC

OS All

Product WebKit

Component Web Template Framework

Assignee

Yuta Kitamura

Reported

2010-08-17 04:11 PDT

Modified

2010-08-18 06:49 PDT History

CC List

4 users Show

URL

Keywords

Depends on

Blocks

44080

Dependencies

tree graph