48057 – ASSERT while loading reddit.com

Bug 48057 - ASSERT while loading reddit.com

Summary: ASSERT while loading reddit.com

Status:	NEW

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebCore JavaScript (show other bugs)
Version:	528+ (Nightly build)
Hardware:	PC OS X 10.5

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:	NeedsReduction

Depends on:
Blocks:

Reported:	2010-10-21 03:20 PDT by Xan Lopez
Modified:	2011-01-01 10:26 PST (History)
CC List:	5 users (show)

See Also:

Attachments
gdb backtrace (10.66 KB, text/plain) 2011-01-01 10:25 PST, Jeff Johnson	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Xan Lopez 2010-10-21 03:20:50 PDT

Can't seem to be able to repro now, but got this with a debug build, r70214:


ASSERTION FAILED: node->wrapper() == (document ? document->getWrapperCache(currentWorld(exec))->get(node) : domObjectWrapperMapFor(exec).get(node))
(../../WebCore/bindings/js/JSNodeCustom.h:37 WebCore::JSNode* WebCore::getCachedDOMNodeWrapper(JSC::ExecState*, WebCore::Document*, WebCore::Node*))

Program received signal SIGSEGV, Segmentation fault.
0x00d1f720 in WebCore::getCachedDOMNodeWrapper (exec=0xb2b94540, document=0xa173948, node=0x8b311c0) at ../../WebCore/bindings/js/JSNodeCustom.h:37
37	        ASSERT(node->wrapper() == (document ? document->getWrapperCache(currentWorld(exec))->get(node) : domObjectWrapperMapFor(exec).get(node)));
(gdb) bt
#0  0x00d1f720 in WebCore::getCachedDOMNodeWrapper (exec=0xb2b94540, document=0xa173948, node=0x8b311c0) at ../../WebCore/bindings/js/JSNodeCustom.h:37
#1  0x00d1f7df in WebCore::toJS (exec=0xb2b94540, globalObject=0xb2b40b40, node=0x8b311c0) at ../../WebCore/bindings/js/JSNodeCustom.h:53
#2  0x017a0778 in WebCore::JSNodeList::indexGetter (exec=0xb2b94540, slotBase=..., index=4) at DerivedSources/WebCore/JSNodeList.cpp:260
#3  0x00d6bc7c in JSC::PropertySlot::getValue (this=0xbfffab2c, exec=0xb2b94540, propertyName=4) at ../../JavaScriptCore/runtime/PropertySlot.h:88
#4  0x01a454df in JSC::JSValue::get (this=0xbfffabf4, exec=0xb2b94540, propertyName=4, slot=...) at ../../JavaScriptCore/runtime/JSObject.h:686
#5  0x01a453dc in JSC::JSValue::get (this=0xbfffabf4, exec=0xb2b94540, propertyName=4) at ../../JavaScriptCore/runtime/JSObject.h:672
#6  0x01a3c4ee in JSC::cti_op_get_by_val (args=0xbfffac50) at ../../JavaScriptCore/jit/JITStubs.cpp:2396
#7  0x01a3668a in JSC::JITThunks::tryCacheGetByID (callFrame=0xb2678980, codeBlock=0xfffffffe, returnAddress=..., baseValue=..., propertyName=, slot=..., 
    stubInfo=0xbfffaca8) at ../../JavaScriptCore/jit/JITStubs.cpp:999
#8  0xbfffad8c in ?? ()
#9  0x01a06b1f in JSC::JITCode::execute (this=0x8e6b8ec, registerFile=0x899b5fc, callFrame=0xb2b94048, globalData=0x8996110, exception=0x8996ee4)
    at ../../JavaScriptCore/jit/JITCode.h:77
#10 0x01a03d04 in JSC::Interpreter::executeCall (this=0x899b5f0, callFrame=0xa18141c, function=0xb26ffd40, callType=JSC::CallTypeJS, callData=..., 
    thisValue=..., args=..., exception=0x8996ee4) at ../../JavaScriptCore/interpreter/Interpreter.cpp:825
#11 0x01a90563 in JSC::call (exec=0xa18141c, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...)
    at ../../JavaScriptCore/runtime/CallData.cpp:38
#12 0x00d21dbe in WebCore::JSMainThreadExecState::call (exec=0xa18141c, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...)
    at ../../WebCore/bindings/js/JSMainThreadExecState.h:48
#13 0x00d5c930 in WebCore::JSEventListener::handleEvent (this=0x8e6a948, scriptExecutionContext=0xa173980, event=0x9f4f9e8)
    at ../../WebCore/bindings/js/JSEventListener.cpp:124
#14 0x00f13254 in WebCore::EventTarget::fireEventListeners (this=0x8b2f1a0, event=0x9f4f9e8, d=0x8b2f228, 
    entry=WTF::Vector of length 2, capacity 16 = {...}) at ../../WebCore/dom/EventTarget.cpp:335
#15 0x00f13105 in WebCore::EventTarget::fireEventListeners (this=0x8b2f1a0, event=0x9f4f9e8) at ../../WebCore/dom/EventTarget.cpp:304
#16 0x011f899e in WebCore::DOMWindow::dispatchEvent (this=0x8b2f1a0, prpEvent=..., prpTarget=...) at ../../WebCore/page/DOMWindow.cpp:1536
#17 0x01181ae0 in WebCore::FrameLoader::stopLoading (this=0x893d1f4, unloadEventPolicy=WebCore::UnloadEventPolicyUnloadAndPageHide, 
    databasePolicy=WebCore::DatabasePolicyStop) at ../../WebCore/loader/FrameLoader.cpp:387
#18 0x01181fd2 in WebCore::FrameLoader::closeURL (this=0x893d1f4) at ../../WebCore/loader/FrameLoader.cpp:467
#19 0x01188641 in WebCore::FrameLoader::transitionToCommitted (this=0x893d1f4, cachedPage=...) at ../../WebCore/loader/FrameLoader.cpp:1923
#20 0x0118804a in WebCore::FrameLoader::commitProvisionalLoad (this=0x893d1f4) at ../../WebCore/loader/FrameLoader.cpp:1839
#21 0x01174d26 in WebCore::DocumentLoader::commitIfReady (this=0x8a91968) at ../../WebCore/loader/DocumentLoader.cpp:266
#22 0x01174dc1 in WebCore::DocumentLoader::commitLoad (this=0x8a91968, 
    data=0xb2955e0 "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\"><html xmlns=\"http://www.w3.org/1999/xhtml\" lang=\"en\" xml:lang=\"en\" ><head><titl"..., length=8192) at ../../WebCore/loader/DocumentLoader.cpp:286
#23 0x01175016 in WebCore::DocumentLoader::receivedData (this=0x8a91968, 
    data=0xb2955e0 "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\"><html xmlns=\"http://www.w3.org/1999/xhtml\" lang=\"en\" xml:lang=\"en\" ><head><titl"..., length=8192) at ../../WebCore/loader/DocumentLoader.cpp:319
#24 0x011bc8fa in WebCore::MainResourceLoader::addData (this=0x9f3e400, 
    data=0xb2955e0 "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\"><html xmlns=\"http://www.w3.org/1999/xhtml\" lang=\"en\" xml:lang=\"en\" ><head><titl"..., length=8192, allAtOnce=false)
---Type <return> to continue, or q <return> to quit---
    at ../../WebCore/loader/MainResourceLoader.cpp:156
#25 0x011c7281 in WebCore::ResourceLoader::didReceiveData (this=0x9f3e400, 
    data=0xb2955e0 "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\"><html xmlns=\"http://www.w3.org/1999/xhtml\" lang=\"en\" xml:lang=\"en\" ><head><titl"..., length=8192, lengthReceived=8192, allAtOnce=false)
    at ../../WebCore/loader/ResourceLoader.cpp:262
#26 0x011bd9d6 in WebCore::MainResourceLoader::didReceiveData (this=0x9f3e400, 
    data=0xb2955e0 "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\"><html xmlns=\"http://www.w3.org/1999/xhtml\" lang=\"en\" xml:lang=\"en\" ><head><titl"..., length=8192, lengthReceived=8192, allAtOnce=false)
    at ../../WebCore/loader/MainResourceLoader.cpp:436
#27 0x011c7bc8 in WebCore::ResourceLoader::didReceiveData (this=0x9f3e400, 
    data=0xb2955e0 "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\"><html xmlns=\"http://www.w3.org/1999/xhtml\" lang=\"en\" xml:lang=\"en\" ><head><titl"..., length=8192, lengthReceived=8192)
    at ../../WebCore/loader/ResourceLoader.cpp:415
#28 0x015ecdeb in WebCore::readCallback (source=0xb301e38, asyncResult=0xa56bf88, data=0x0)
    at ../../WebCore/platform/network/soup/ResourceHandleSoup.cpp:809
#29 0x042cdaaf in async_ready_callback_wrapper (source_object=0xb301e38, res=0xa56bf88, user_data=0x0) at ginputstream.c:470
#30 0x042e1818 in g_simple_async_result_complete (simple=0xa56bf88) at gsimpleasyncresult.c:692
#31 0x015f21fd in read_async_done (stream=0xb301e38) at ../../WebCore/platform/network/soup/cache/soup-http-input-stream.c:723
#32 0x015f1419 in webkit_soup_http_input_stream_got_chunk (msg=0xb301dc8, chunk_buffer=0xafe521a8, stream=0xb301e38)
    at ../../WebCore/platform/network/soup/cache/soup-http-input-stream.c:300
#33 0x007331e1 in g_cclosure_marshal_VOID__BOXED (closure=0x94f1bf0, return_value=0x0, n_param_values=2, param_values=0xafe070a0, 
    invocation_hint=0xbfffb72c, marshal_data=0x0) at gmarshal.c:568
#34 0x00719bfd in g_closure_invoke (closure=0x94f1bf0, return_value=0x0, n_param_values=2, param_values=0xafe070a0, invocation_hint=0xbfffb72c)
    at gclosure.c:766
#35 0x00732020 in signal_emit_unlocked_R (node=0x89d5f00, detail=0, instance=0xb301dc8, emission_return=0x0, instance_and_params=0xafe070a0)
    at gsignal.c:3252
#36 0x0073136f in g_signal_emit_valist (instance=0xb301dc8, signal_id=483, detail=0, var_args=0xbfffb920 "\030\022Y") at gsignal.c:2983
#37 0x0073165b in g_signal_emit (instance=0xb301dc8, signal_id=483, detail=0) at gsignal.c:3040
#38 0x0056dd68 in soup_message_got_chunk (msg=0xb301dc8, chunk=0xafe521a8) at soup-message.c:963
#39 0x00572cbb in io_handle_sniffing (msg=0xb301dc8, done_reading=0) at soup-message-io.c:266
#40 0x00573280 in read_body_chunk (msg=0xb301dc8) at soup-message-io.c:447
#41 0x005741a6 in io_read (sock=0x898fb88, msg=0xb301dc8) at soup-message-io.c:923
#42 0x00574992 in io_unpause_internal (msg=0xb301dc8) at soup-message-io.c:1149
#43 0x043dd0a1 in g_idle_dispatch (source=0x9d3bc98, callback=0x57480b <io_unpause_internal>, user_data=0xb301dc8) at gmain.c:4254
#44 0x043d95f2 in g_main_dispatch (context=0x813adc0) at gmain.c:2149
#45 0x043da8e6 in g_main_context_dispatch (context=0x813adc0) at gmain.c:2702
#46 0x043dad3b in g_main_context_iterate (context=0x813adc0, block=1, dispatch=1, self=0x8112f18) at gmain.c:2780
#47 0x043db4a4 in g_main_loop_run (loop=0x816b010) at gmain.c:2988
#48 0x03e8d237 in gtk_main () at gtkmain.c:1321

Comment 1 Xan Lopez 2010-10-21 21:59:52 PDT

Why do you think this is GTK specific Martin?

Comment 2 Martin Robinson 2010-10-21 22:54:02 PDT

Sorry, I was just organizing the GTK+ bugs and I perhaps I didn't look at this one closely enough.

Comment 3 Jeff Johnson 2011-01-01 10:25:27 PST

Created attachment 77746 [details]
gdb backtrace

Comment 4 Jeff Johnson 2011-01-01 10:26:18 PST

I got an assertion failure in the same place while running cross_fuzz http://lcamtuf.coredump.cx/cross_fuzz/

Mac OS X 10.6.5, Safari 5.0.3, WebKit x86_64 Debug build from svn r74844.

Attached is gdb backtrace.