[Webkit-unassigned] [Bug 16284] New: REGRESSION: "object was probably modified after being freed" error under jsRegExpCompile

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Dec 3 22:23:13 PST 2007


http://bugs.webkit.org/show_bug.cgi?id=16284

           Summary: REGRESSION: "object was probably modified after being
                    freed" error under jsRegExpCompile
           Product: WebKit
           Version: 525+ (Nightly build)
          Platform: Macintosh
               URL: http://www.mouse.co.il/CM.articles_item,607,209,17622,.aspx
        OS/Version: Mac OS X 10.4
            Status: NEW
          Keywords: NeedsReduction, Regression
          Severity: Normal
          Priority: P1
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: mitz at webkit.org


Opening the URL or reloading it several times (NOTE: due to another regression,
you need to disable plug-ins before loading the URL) crashes WebKit after it
prints several messages like

Safari(6659,0xa0055f60) malloc: *** error for object 0x16f4fc40: incorrect
checksum for freed object - object was probably modified after being freed.
*** set a breakpoint in malloc_error_break to debug

Setting a breakpoint reveals that this first occurs with the following call
stack:

#0  0x9027f9f1 in malloc_error_break ()
#1  0x9027a9df in szone_error ()
#2  0x901a011e in szone_free ()
#3  0x9019f9ed in free ()
#4  0x0057a2fe in WTF::fastFree (p=0x16f4fb30) at FastMalloc.cpp:171
#5  0x00615e73 in jsRegExpCompile (pattern=0x16f4fa90, patternLength=77,
ignoreCase=JSRegExpDoNotIgnoreCase, multiline=JSRegExpSingleLine,
numSubpatterns=0x18fcc2dc, errorptr=0x18fcc2d8) at
/WebKit/OpenSource/JavaScriptCore/pcre/pcre_compile.cpp:2855
#6  0x00582cc1 in KJS::RegExp::RegExp (this=0x18fcc2c0, pattern=@0x16fe7358,
flags=@0x16fe735c) at regexp.cpp:70
#7  0x00582cef in KJS::RegExp::RegExp (this=0x18fcc2c0, pattern=@0x16fe7358,
flags=@0x16fe735c) at regexp.cpp:71
#8  0x005e49fb in KJS::RegExpNode::RegExpNode (this=0x18fcc2b0,
pattern=@0x16fe7358, flags=@0x16fe735c) at nodes.h:281
#9  0x005e4a31 in KJS::RegExpNode::RegExpNode (this=0x18fcc2b0,
pattern=@0x16fe7358, flags=@0x16fe735c) at nodes.h:283
#10 0x005b2f9b in kjsyyparse () at grammar.y:227
#11 0x005b6f1e in KJS::Parser::parse (this=0x64cc88, sourceURL=@0xbfffdf54,
startingLineNumber=0, code=0x19376000, length=9147, sourceId=0xbfffde98,
errLine=0xbfffde94, errMsg=0xbfffde90) at Parser.cpp:76
#12 0x005b7066 in KJS::Parser::parseProgram (this=0x64cc88,
sourceURL=@0xbfffdf54, startingLineNumber=0, code=0x19376000, length=9147,
sourceId=0xbfffde98, errLine=0xbfffde94, errMsg=0xbfffde90) at Parser.cpp:46
#13 0x005b7139 in KJS::Interpreter::evaluate (this=0x16fe3280,
sourceURL=@0xbfffdf54, startingLineNumber=0, code=0x19376000, codeLength=9147,
thisV=0x19340000) at interpreter.cpp:345
#14 0x022fcf4f in WebCore::KJSProxy::evaluate (this=0x18b8cbd0,
filename=@0xbfffe058, baseLine=0, str=@0xbfffe054) at
/WebKit/OpenSource/WebCore/bindings/js/kjs_proxy.cpp:90
#15 0x01f4440c in WebCore::FrameLoader::executeScript (this=0x40d5200,
URL=@0xbfffe058, baseLine=0, script=@0xbfffe054) at
/WebKit/OpenSource/WebCore/loader/FrameLoader.cpp:759
#16 0x01fc06e2 in WebCore::HTMLTokenizer::scriptExecution (this=0x45fcc00,
str=@0xbfffe154, state={static EntityShift = <optimized out>, m_bits =
4194304}, scriptURL=@0xbfffe124, baseLine=0) at
/WebKit/OpenSource/WebCore/html/HTMLTokenizer.cpp:520
#17 0x01fc0ba4 in WebCore::HTMLTokenizer::notifyFinished (this=0x45fcc00) at
/WebKit/OpenSource/WebCore/html/HTMLTokenizer.cpp:1737
#18 0x01e2b52e in WebCore::CachedScript::checkNotify (this=0x18fca8b0) at
/WebKit/OpenSource/WebCore/loader/CachedScript.cpp:98
#19 0x01e2b68f in WebCore::CachedScript::data (this=0x18fca8b0,
data=@0xbfffe28c, allDataReceived=true) at
/WebKit/OpenSource/WebCore/loader/CachedScript.cpp:88
#20 0x0230bae6 in WebCore::Loader::didFinishLoading (this=0x152ccf38,
loader=0x45f2000) at /WebKit/OpenSource/WebCore/loader/loader.cpp:116
#21 0x022896c7 in WebCore::SubresourceLoader::didFinishLoading (this=0x45f2000)
at /WebKit/OpenSource/WebCore/loader/SubresourceLoader.cpp:193
#22 0x02245cec in WebCore::ResourceLoader::didFinishLoading (this=0x45f2000) at
/WebKit/OpenSource/WebCore/loader/ResourceLoader.cpp:361
#23 0x0224372c in -[WebCoreResourceHandleAsDelegate
connectionDidFinishLoading:] (self=0x195f0160, _cmd=0x9692d5c4, con=0x18f97e80)
at /WebKit/OpenSource/WebCore/platform/network/mac/ResourceHandleMac.mm:455

