WebKit Bugzilla
Bug 110017: Crash @ thesuperficial.com beneath llint_slow_path_resolve
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=110017
Geoffrey Garen
Reported
2013-02-16 08:11:24 PST
Steps to reproduce:
1. Go to the best website on the internets (http://www.thesuperficial.com/photos/the-crap-we-missed-friday-2-15-13/the-crap-we-missed-0215-07-2)
2. Use the arrow keys on your keyboard to browse through the pictures
Geoffrey Garen
Comment 1
2013-02-16 08:11:34 PST
<rdar://problem/13230420>
Geoffrey Garen
Comment 2
2013-02-16 08:11:54 PST
I've been seeing this crash just running the plt, too.
Geoffrey Garen
Comment 3
2013-02-16 08:13:08 PST
Bisecting shows this crash started between r142731 and r142734. The only non-layout-test change in that range is <http://trac.webkit.org/changeset/142734>.
Geoffrey Garen
Comment 4
2013-02-16 08:24:52 PST
I confirmed that manually rolling out <http://trac.webkit.org/changeset/142734> fixes both crashes.
Geoffrey Garen
Comment 5
2013-02-16 08:29:35 PST
Let's roll out <http://trac.webkit.org/changeset/142734> until we can resolve why throwing an exception in that place causes crashes. Most likely, it just made a very rare crash into a very common crash.
Geoffrey Garen
Comment 6
2013-02-16 08:33:59 PST
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000000

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.JavaScriptCore 0x0000000100b324f0 llint_slow_path_resolve + 128
1 com.apple.JavaScriptCore 0x0000000100b3c1b0 llint_op_resolve + 137
2 com.apple.JavaScriptCore 0x0000000100ab12ee JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) + 4222
3 com.apple.JavaScriptCore 0x00000001009e2bbb JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) + 619
4 com.apple.WebCore 0x0000000100dea33a WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*) + 442
5 com.apple.WebCore 0x0000000100de9f69 WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) + 41
6 com.apple.WebCore 0x0000000100e0a01e WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 478
7 com.apple.WebCore 0x0000000100e35e64 WebCore::HTMLScriptRunner::executePendingScriptAndDispatchEvent(WebCore::PendingScript&) + 228
8 com.apple.WebCore 0x0000000100e35d61 WebCore::HTMLScriptRunner::executeParsingBlockingScript() + 273
9 com.apple.WebCore 0x0000000101505678 WebCore::HTMLScriptRunner::executeParsingBlockingScripts() + 24
10 com.apple.WebCore 0x0000000100e3748f WebCore::HTMLDocumentParser::notifyFinished(WebCore::CachedResource*) + 63
11 com.apple.WebCore 0x0000000100e373ad WebCore::CachedResource::checkNotify() + 93
12 com.apple.WebCore 0x0000000100e34b7f WebCore::SubresourceLoader::didFinishLoading(double) + 143
13 com.apple.WebKit2 0x000000010064aafe void CoreIPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(CoreIPC::MessageDecoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) + 60
14 com.apple.WebKit2 0x000000010054cb69 CoreIPC::Connection::dispatchMessage(WTF::PassOwnPtr<CoreIPC::MessageDecoder>) + 105
15 com.apple.WebKit2 0x000000010054df74 CoreIPC::Connection::dispatchOneMessage() + 96
16 com.apple.WebCore 0x000000010199b9d9 WebCore::RunLoop::performWork() + 153
17 com.apple.WebCore 0x000000010199c075 WebCore::RunLoop::performWork(void*) + 53
18 com.apple.CoreFoundation 0x00007fff8a868b31 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
19 com.apple.CoreFoundation 0x00007fff8a868455 __CFRunLoopDoSources0 + 245
20 com.apple.CoreFoundation 0x00007fff8a88b7f5 __CFRunLoopRun + 789
21 com.apple.CoreFoundation 0x00007fff8a88b0e2 CFRunLoopRunSpecific + 290
22 com.apple.HIToolbox 0x00007fff8c3ddeb4 RunCurrentEventLoopInMode + 209
23 com.apple.HIToolbox 0x00007fff8c3ddc52 ReceiveNextEventCommon + 356
24 com.apple.HIToolbox 0x00007fff8c3ddae3 BlockUntilNextEventMatchingListInMode + 62
25 com.apple.AppKit 0x00007fff85dc8563 _DPSNextEvent + 685
26 com.apple.AppKit 0x00007fff85dc7e22 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
27 com.apple.AppKit 0x00007fff85dbf1d3 -[NSApplication run] + 517
28 com.apple.WebCore 0x000000010199c65d WebCore::RunLoop::run() + 77
29 com.apple.WebKit2 0x00000001005cf0b1 int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebContentProcessMainDelegate>(int, char**) + 631
30 com.apple.WebProcess 0x00000001004cde43 0x1004cd000 + 3651
31 libdyld.dylib 0x00007fff8f6b77e1 start + 1
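The report in Comment 6, read the way a crash triager reads it, as an added example (this is not WebKit code and not part of the original bug). The parser handles the three kinds of line in an Apple crash report that matter for triage: the exception header, symbolicated frames whose C++ signatures contain spaces and parentheses, and unsymbolicated frames such as frame 30 that print an image base instead of a symbol. SAMPLE_REPORT is a constructed excerpt of the frames above; the first-page threshold in looks_like_null_deref and the signature format in stack_signature are this example's own choices, not anything Bugzilla or WebKit defines.

```python
"""Parse a macOS crash-report backtrace like the one in Comment 6 and derive the
fields a triager reads first: exception type, faulting address, crashing frame,
and a top-of-stack signature for grouping duplicate reports.
Added example, not WebKit code. SAMPLE_REPORT is a constructed excerpt."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: header lines plus a subset of the frames from Comment 6.
SAMPLE_REPORT = """\
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000000
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.JavaScriptCore 0x0000000100b324f0 llint_slow_path_resolve + 128
1 com.apple.JavaScriptCore 0x0000000100b3c1b0 llint_op_resolve + 137
2 com.apple.JavaScriptCore 0x0000000100ab12ee JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) + 4222
4 com.apple.WebCore 0x0000000100dea33a WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*) + 442
13 com.apple.WebKit2 0x000000010064aafe void CoreIPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(CoreIPC::MessageDecoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) + 60
30 com.apple.WebProcess 0x00000001004cde43 0x1004cd000 + 3651
31 libdyld.dylib 0x00007fff8f6b77e1 start + 1
"""

# One frame: "<index> <module> <pc> <symbol> + <offset>". C++ symbols contain
# spaces and parentheses, so the symbol is matched lazily and " + <offset>" is
# anchored to the end of the line.
FRAME_RE = re.compile(
    r"^(?P<index>\d+)\s+(?P<module>\S+)\s+(?P<pc>0x[0-9a-fA-F]+)\s+"
    r"(?P<symbol>.+?) \+ (?P<offset>\d+)$"
)
EXC_TYPE_RE = re.compile(r"^Exception Type:\s*(?P<type>\S+)(?:\s+\((?P<signal>\w+)\))?")
EXC_CODE_RE = re.compile(r"^Exception Codes:\s*(?P<code>\S+)\s+at\s+(?P<addr>0x[0-9a-fA-F]+)")


@dataclass
class Frame:
    index: int
    module: str
    pc: int
    symbol: str
    offset: int

    @property
    def symbolicated(self) -> bool:
        # Unsymbolicated frames print the image base (e.g. "0x1004cd000") in the symbol slot.
        return not self.symbol.lower().startswith("0x")


@dataclass
class CrashReport:
    exception_type: Optional[str]
    signal: Optional[str]
    exception_code: Optional[str]
    fault_address: Optional[int]  # None when the "Exception Codes" line is absent or numeric-only
    frames: List[Frame]


def parse_crash_report(text: str) -> CrashReport:
    report = CrashReport(None, None, None, None, [])
    for raw in text.splitlines():
        line = raw.strip()
        if m := EXC_TYPE_RE.match(line):
            report.exception_type, report.signal = m.group("type"), m.group("signal")
        elif m := EXC_CODE_RE.match(line):
            report.exception_code = m.group("code")
            report.fault_address = int(m.group("addr"), 16)
        elif m := FRAME_RE.match(line):
            report.frames.append(Frame(int(m.group("index")), m.group("module"),
                                       int(m.group("pc"), 16), m.group("symbol"),
                                       int(m.group("offset"))))
    if not report.frames:
        raise ValueError("no backtrace frames found")
    return report


def looks_like_null_deref(report: CrashReport, page_size: int = 0x1000) -> bool:
    """Triage heuristic: an EXC_BAD_ACCESS inside the first page is usually a
    NULL pointer plus a small field offset (a missing check), not a wild pointer."""
    return (report.exception_type == "EXC_BAD_ACCESS"
            and report.fault_address is not None
            and report.fault_address < page_size)


def stack_signature(report: CrashReport, depth: int = 3) -> str:
    """module!symbol for the top frames; reports with equal signatures are
    candidates for being marked duplicates of one another."""
    labels = [f"{f.module}!{f.symbol}" if f.symbolicated else f"{f.module}!{f.symbol}+{f.offset}"
              for f in report.frames[:depth]]
    return " <- ".join(labels)


def first_frame_in(report: CrashReport, module_fragment: str) -> Optional[Frame]:
    """Innermost frame whose module name contains the fragment, e.g. the WebCore
    caller that entered the JavaScriptCore frames."""
    return next((f for f in report.frames if module_fragment in f.module), None)


if __name__ == "__main__":
    r = parse_crash_report(SAMPLE_REPORT)
    print(r.exception_type, r.signal, hex(r.fault_address))
    print("null deref?", looks_like_null_deref(r))
    print("signature:", stack_signature(r))
    print("entered from:", first_frame_in(r, "WebCore").symbol)
```

Run it and the sample classifies as a likely NULL dereference (fault address 0x0 under EXC_BAD_ACCESS) with the signature rooted at llint_slow_path_resolve, which is the same top-of-stack that Comment 8 and the duplicate in Comment 9 report; grouping by that signature is how the duplicates would be found automatically. The first-page threshold is a heuristic only: a fault at a low address is consistent with a NULL pointer plus offset, but does not by itself say which pointer was NULL or why.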
Geoffrey Garen
Comment 7
2013-02-16 09:44:41 PST
Rolled out in https://bugs.webkit.org/show_bug.cgi?id=110018.
Maciej Stachowiak
Comment 8
2013-02-16 12:44:48 PST
Some of the sites that crashed due to this, when loaded a few times (generally manifesting in llint_slow_path_resolve):
http://news.yahoo.com/three-stories-love-white-house-144030722.html
http://sports.yahoo.com/blogs/olympics-fourth-place-medal/reeva-steenkamp-cover-model-law-degree-164016410--oly.html
http://smg.beta.photobucket.com/user/scottle/library/fight/?fromLegacy=true
Geoffrey Garen
Comment 9
2013-02-16 14:26:52 PST
*** Bug 109838 has been marked as a duplicate of this bug. ***