WebKit Bugzilla
RESOLVED FIXED
45074
Adding a new issue template in code.google.com crashes in HTMLElementStack::popUntil()
https://bugs.webkit.org/show_bug.cgi?id=45074
Ridley Combs
Reported
2010-09-01 17:32:49 PDT
If you administer a project at code.google.com, trying to add a new issue template causes the EXACT same EXC_BAD_ACCESS EVERY time. I've tried this multiple times, and the only difference is in line 13 of Thread 0 of the report (just variations in the numbers). I'd say this is a blocker, as I can't perform that administrative action.
Eric Seidel (no email)
Comment 1
2010-09-01 17:36:07 PDT
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000008
Crashed Thread: 0 Dispatch queue: com.apple.main-thread

Thread 0 Crashed: Dispatch queue: com.apple.main-thread
0 com.apple.WebCore 0x0000000100f8262c WebCore::HTMLElementStack::popUntil(WTF::AtomicString const&) + 28
1 com.apple.WebCore 0x0000000100f82661 WebCore::HTMLElementStack::popUntilPopped(WTF::AtomicString const&) + 17
2 com.apple.WebCore 0x0000000100fdd82e WebCore::HTMLTreeBuilder::processEndTag(WebCore::AtomicHTMLToken&) + 2270
3 com.apple.WebCore 0x0000000100fe1385 WebCore::HTMLTreeBuilder::constructTreeFromToken(WebCore::HTMLToken&) + 37
4 com.apple.WebCore 0x0000000100f70a83 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 131
5 com.apple.WebCore 0x0000000100f71a89 WebCore::HTMLDocumentParser::insert(WebCore::SegmentedString const&) + 121
6 com.apple.WebCore 0x0000000100f70803 WebCore::HTMLDocumentParser::parseDocumentFragment(WTF::String const&, WebCore::DocumentFragment*, WebCore::Element*, WebCore::FragmentScriptingPermission) + 227
7 com.apple.WebCore 0x0000000100f7b839 WebCore::createFragmentFromSource(WTF::String const&, WebCore::Element*, int&) + 185
8 com.apple.WebCore 0x0000000100f7c122 WebCore::HTMLElement::setInnerHTML(WTF::String const&, int&) + 210
9 com.apple.WebCore 0x00000001011d2890 WebCore::setJSHTMLElementInnerHTML(JSC::ExecState*, JSC::JSObject*, JSC::JSValue) + 64
10 com.apple.WebCore 0x00000001011d513a WebCore::JSHTMLElement::put(JSC::ExecState*, JSC::Identifier const&, JSC::JSValue, JSC::PutPropertySlot&) + 186
11 com.apple.WebCore 0x0000000101230565 WebCore::JSHTMLSelectElement::put(JSC::ExecState*, JSC::Identifier const&, JSC::JSValue, JSC::PutPropertySlot&) + 149
12 com.apple.JavaScriptCore 0x0000000100825de4 cti_op_put_by_id + 100
13 ??? 0x00003e2b8218f040 0 + 68356587188288
14 com.apple.JavaScriptCore 0x00000001007e5b88 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, JSC::JSValue*) + 888

We just need a reduction. :) I suspect this is a parser bug.
Eric Seidel (no email)
Comment 2
2010-09-01 17:40:34 PDT
Sadly the line numbers don't match up to tip of tree, so I don't know which popUntilPopped call this might be.
Ridley Combs
Comment 3
2010-09-01 17:43:09 PDT
When mentioning the variation at line 13, I meant: 13 ??? 0x00003e2b8218f040 0 + 68356587188288
Eric Seidel (no email)
Comment 4
2010-09-01 17:45:51 PDT
That's just the stack crawler not being able to dump anything sensible for JIT code.
Eric Seidel (no email)
Comment 5
2010-09-01 17:52:01 PDT
bug 41115 is the compatibility master bug. I don't suspect this is a compat issue though, just a crash which as soon as we catch it in the debugger will get fixed.
Adam Barth
Comment 6
2010-09-01 18:55:17 PDT
We've already fixed this crash in http://trac.webkit.org/changeset/66443
Thanks for the report.