[Webkit-unassigned] [Bug 13401] New: Reproducible crash calling myArray.sort(compareFn) from within a sort comparison function
bugzilla-daemon at webkit.org
Thu Apr 19 04:37:42 PDT 2007
http://bugs.webkit.org/show_bug.cgi?id=13401
Summary: Reproducible crash calling myArray.sort(compareFn) from within a sort comparison function
Product: WebKit
Version: 522+ (nightly)
Platform: Macintosh
OS/Version: Mac OS X 10.5
Status: NEW
Keywords: NeedsRadar
Severity: Major
Priority: P1
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: bdash at webkit.org
The following code leads to a crash:
// Sample arrays: the report does not show how numbers1 and numbers2 were
// initialised, so these values are constructed for the reproduction.
var numbers1 = [3, 1, 2];
var numbers2 = [1, 4, 2, 3];

function compareFn1(a, b) {
    return b - a;
}

// Calls sort again from inside a comparison, re-entering the engine's
// sort while the outer sort is still running.
function compareFn2(a, b) {
    numbers1.sort(compareFn1);
    return b - a;
}

numbers2.sort(compareFn2);
The crash log is below. The root cause of this crash is the use of a static
variable compareWithCompareFunctionArguments to keep track of the comparison
function to be used by the sort operation. The nested sort operations result
in the static variable being overwritten and both attempt to clean up the same
data structure upon completion of the comparisons.
Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000008
Crashed Thread: 0
Thread 0 Crashed:
0 com.apple.JavaScriptCore 0x002fc296 KJS::List::clear() + 6
1 com.apple.JavaScriptCore 0x002c25ce compareWithCompareFunctionForQSort(void const*, void const*) + 110
2 libSystem.B.dylib 0x90c4347e qsort + 1123
3 com.apple.JavaScriptCore 0x002c28eb KJS::ArrayInstance::sort(KJS::ExecState*, KJS::JSObject*) + 155
4 com.apple.JavaScriptCore 0x002c5d6c KJS::ArrayProtoFunc::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 8684
5 com.apple.JavaScriptCore 0x002e9b27 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 135
6 com.apple.JavaScriptCore 0x002dd209 KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 745
7 com.apple.JavaScriptCore 0x002e172d KJS::ExprStatementNode::execute(KJS::ExecState*) + 77
8 com.apple.JavaScriptCore 0x002e487d KJS::SourceElementsNode::execute(KJS::ExecState*) + 461
9 com.apple.JavaScriptCore 0x002e1661 KJS::BlockNode::execute(KJS::ExecState*) + 65
10 com.apple.JavaScriptCore 0x002cf687 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 39
11 com.apple.JavaScriptCore 0x002cf157 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 359
12 com.apple.JavaScriptCore 0x002e9b27 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 135
13 com.apple.JavaScriptCore 0x002dd8dc KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 620
14 com.apple.JavaScriptCore 0x002e172d KJS::ExprStatementNode::execute(KJS::ExecState*) + 77
15 com.apple.JavaScriptCore 0x002e4761 KJS::SourceElementsNode::execute(KJS::ExecState*) + 177
16 com.apple.JavaScriptCore 0x002e1661 KJS::BlockNode::execute(KJS::ExecState*) + 65
17 com.apple.JavaScriptCore 0x002d2ee6 KJS::Interpreter::evaluate(KJS::UString const&, int, KJS::UChar const*, int, KJS::JSValue*) + 1110
18 com.apple.WebCore 0x00a0cf11 WebCore::KJSProxy::evaluate(WebCore::String const&, int, WebCore::String const&, WebCore::Node*) + 193
19 com.apple.WebCore 0x00b70572 WebCore::FrameLoader::executeScript(WebCore::String const&, int, WebCore::Node*, WebCore::String const&) + 82
20 com.apple.WebCore 0x00b705f1 WebCore::FrameLoader::executeScript(WebCore::Node*, WebCore::String const&, bool) + 65
21 com.apple.WebCore 0x00b70c25 WebCore::FrameLoader::urlSelected(WebCore::ResourceRequest const&, WebCore::String const&, WebCore::Event*, bool) + 1093
22 com.apple.WebCore 0x00a4816d WebCore::HTMLAnchorElement::defaultEventHandler(WebCore::Event*) + 1757
23 com.apple.WebCore 0x009ca0c3 WebCore::EventTargetNode::dispatchGenericEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 739
24 com.apple.WebCore 0x009ca530 WebCore::EventTargetNode::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool, WebCore::EventTarget*) + 160
25 com.apple.WebCore 0x009ca5fd WebCore::EventTargetNode::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 61
26 com.apple.WebCore 0x009cabdc WebCore::EventTargetNode::dispatchMouseEvent(WebCore::AtomicString const&, int, int, int, int, int, int, bool, bool, bool, bool, bool, WebCore::Node*, WTF::PassRefPtr<WebCore::Event>) + 508
27 com.apple.WebCore 0x009cb271 WebCore::EventTargetNode::dispatchMouseEvent(WebCore::PlatformMouseEvent const&, WebCore::AtomicString const&, int, WebCore::Node*) + 193
28 com.apple.WebCore 0x00b99459 WebCore::EventHandler::dispatchMouseEvent(WebCore::AtomicString const&, WebCore::Node*, bool, int, WebCore::PlatformMouseEvent const&, bool) + 425
29 com.apple.WebCore 0x00b9e08d WebCore::EventHandler::handleMouseReleaseEvent(WebCore::PlatformMouseEvent const&) + 685
30 com.apple.WebCore 0x00b96b19 WebCore::EventHandler::mouseUp(NSEvent*) + 233
31 com.apple.WebKit 0x0019a77c -[WebHTMLView mouseUp:] + 220
32 com.apple.AppKit 0x9237df7d -[NSWindow sendEvent:] + 5523
33 com.apple.Safari 0x000a71d3 0x1000 + 680403
34 com.apple.AppKit 0x9236f6fc -[NSApplication sendEvent:] + 2759
35 com.apple.Safari 0x00016d98 0x1000 + 89496
36 com.apple.AppKit 0x922a1b4e -[NSApplication run] + 847
37 com.apple.AppKit 0x92294f16 NSApplicationMain + 663
38 com.apple.Safari 0x00002daf 0x1000 + 7599
39 com.apple.Safari 0x0004e329 0x1000 + 316201
40 ??? 0x00000002 0 + 2
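A native model of the mechanism the report describes, added here as an example and not code from JavaScriptCore or the reporter: a sort whose qsort() comparator gets its context through one static pointer (the role compareWithCompareFunctionArguments plays in the report), so a sort started from inside a comparison overwrites and then tears down the outer sort's context, beside a version that passes the context explicitly and therefore nests safely. fragileSort, contextSort, CompareCtx, the counter and the sample arrays are hypothetical names and constructed data; the fragile version counts the comparisons that run with a stale context instead of dereferencing the pointer, which is where the reported build crashed.

```c
/* Added example, not JavaScriptCore code: the static-context qsort() pattern
 * behind bug 13401 next to a context-threading sort. Names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A user comparator, like a JS compareFn; it may call sort again. */
typedef int (*UserCompare)(int a, int b, void *userdata);

/* Per-sort state, standing in for compareWithCompareFunctionArguments. */
typedef struct { UserCompare fn; void *userdata; } CompareCtx;

/* Counts comparisons that ran after their context had been destroyed. */
static int g_lostContextCount = 0;

/* --- Fragile design: the context reaches qsort's comparator via a static --- */
static CompareCtx *g_ctx = NULL;

static int staticCtxAdapter(const void *pa, const void *pb)
{
    if (g_ctx == NULL) {
        /* The report's crash log shows the comparator in KJS::List::clear()
         * at this point; the demo only counts instead of dereferencing. */
        g_lostContextCount++;
        return 0;
    }
    return g_ctx->fn(*(const int *)pa, *(const int *)pb, g_ctx->userdata);
}

void fragileSort(int *arr, size_t n, UserCompare fn, void *userdata)
{
    CompareCtx *ctx = malloc(sizeof *ctx);
    if (ctx == NULL) abort();
    ctx->fn = fn;
    ctx->userdata = userdata;
    g_ctx = ctx;                  /* clobbers an enclosing sort's context */
    qsort(arr, n, sizeof *arr, staticCtxAdapter);
    /* In the real bug both sorts cleaned up through the static; freeing the
     * local pointer keeps this demo free of undefined behaviour. */
    free(ctx);
    g_ctx = NULL;                 /* an enclosing sort now sees NULL */
}

/* --- Hardened design: no static, the context travels with every call --- */
void contextSort(int *arr, size_t n, UserCompare fn, void *userdata)
{
    /* Insertion sort is enough for the demo; qsort() has no context slot. */
    for (size_t i = 1; i < n; i++) {
        int key = arr[i];
        size_t j = i;
        while (j > 0 && fn(arr[j - 1], key, userdata) > 0) {
            arr[j] = arr[j - 1];
            j--;
        }
        arr[j] = key;
    }
}

/* Constructed sample data in the roles of numbers1 and numbers2. */
static int numbers1[3];
static int numbers2[4];

static void resetArrays(void)
{
    static const int init1[3] = {3, 1, 2};
    static const int init2[4] = {1, 4, 2, 3};
    memcpy(numbers1, init1, sizeof numbers1);
    memcpy(numbers2, init2, sizeof numbers2);
    g_lostContextCount = 0;
}

static int compareFn1(int a, int b, void *ud) { (void)ud; return b - a; }

/* Like compareFn2 in the report: sorts numbers1 from inside a comparison. */
static int compareFn2Fragile(int a, int b, void *ud)
{ (void)ud; fragileSort(numbers1, 3, compareFn1, NULL); return b - a; }

static int compareFn2Safe(int a, int b, void *ud)
{ (void)ud; contextSort(numbers1, 3, compareFn1, NULL); return b - a; }

static int isDescending(const int *arr, size_t n)
{
    for (size_t i = 1; i < n; i++)
        if (arr[i - 1] < arr[i]) return 0;
    return 1;
}

/* Returns how many outer comparisons ran with a destroyed context (> 0). */
int runFragileScenario(void)
{
    resetArrays();
    fragileSort(numbers2, 4, compareFn2Fragile, NULL);
    return g_lostContextCount;
}

/* Returns 1 when both arrays come out sorted despite the nested sort. */
int runSafeScenario(void)
{
    resetArrays();
    contextSort(numbers2, 4, compareFn2Safe, NULL);
    return isDescending(numbers1, 3) && isDescending(numbers2, 4);
}

int main(void)
{
    printf("fragile: %d comparisons ran without a context\n", runFragileScenario());
    printf("hardened: both arrays sorted = %d\n", runSafeScenario());
    return 0;
}
```

Build with any C99 compiler and run: the fragile scenario reports at least one comparison that found no context, the hardened one sorts both arrays. The smallest fix that keeps qsort() is to save the static on entry and restore it on exit so that nesting is strictly LIFO, but a static still breaks as soon as two threads sort at once; passing the context through the call, or through qsort_r where it exists (its argument order differs between glibc and the BSD/macOS libc), removes the shared state entirely.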