RESOLVED WORKSFORME 46443
REGRESSION: Crash in cti_op_strcat
https://bugs.webkit.org/show_bug.cgi?id=46443
Summary REGRESSION: Crash in cti_op_strcat
Hikari Chan
Reported 2010-09-23 19:24:19 PDT
WebKit nightly r68127: this page will crash.
Attachments
this is the source html (24.28 KB, text/html)
2010-09-24 01:39 PDT, Hikari Chan
no flags
Alexey Proskuryakov
Comment 1 2010-09-24 00:13:23 PDT
Could you please attach a crash log <http://webkit.org/quality/crashlogs.html>? This page doesn't open for me for some reason.
Hikari Chan
Comment 2 2010-09-24 01:39:08 PDT
Created attachment 68660 [details] this is the source html
Alexey Proskuryakov
Comment 3 2010-09-24 08:48:59 PDT
Thank you. This crashed the r68204 nightly for me:

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore    0x0000000100814db0 cti_op_strcat + 96
1   ???                         0x0000388214d98222 0 + 62131346702882
2   com.apple.JavaScriptCore    0x00000001007dd1f5 JSC::Interpreter::execute(JSC::EvalExecutable*, JSC::ExecState*, JSC::JSObject*, int, JSC::ScopeChainNode*, JSC::JSValue*) + 1157
Alexey Proskuryakov
Comment 4 2010-09-24 10:11:39 PDT
It's a garbage value used as a JSCell: this == 0x1

#0 0x101b2cd5e in JSC::JSCell::isString at JSCell.h:156
#1 0x101b2d905 in JSC::JSValue::isString at JSCell.h:182
#2 0x101bda890 in JSC::jsString at Operations.h:156
#3 0x101bcb602 in cti_op_strcat at JITStubs.cpp:3327
Geoffrey Garen
Comment 5 2010-09-24 11:17:04 PDT
Michael Saboff
Comment 6 2011-01-06 14:24:46 PST
Cannot reproduce this defect using the web page link or saved web page attachment (https://bugs.webkit.org/attachment.cgi?id=68660).