[Webkit-unassigned] [Bug 20626] New: Assertion failure in CodeBlock::derefStructureIDs when loading v2.dromaeo.com or logging in to Yahoo! Mail

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Sep 3 08:49:15 PDT 2008


https://bugs.webkit.org/show_bug.cgi?id=20626

           Summary: Assertion failure in CodeBlock::derefStructureIDs when
                    loading v2.dromaeo.com or logging in to Yahoo! Mail
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
               URL: http://v2.dromaeo.com/
        OS/Version: Windows XP
            Status: NEW
          Severity: Major
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: aroben at apple.com
                CC: ggaren at apple.com


To reproduce:

1. Go to http://v2.dromaeo.com/

or

1. Go to http://mail.yahoo.com/
2. Log in

I don't know the effect in Release builds. Note that in Release the ASSERT is compiled out, so derefStructureIDs would presumably continue past this check on an op_mov instruction; that should be verified rather than assumed benign. I have so far only tested on Windows (building on Mac now to test).

ASSERTION FAILED: vPC[0].u.opcode == machine->getOpcode(op_get_by_id) ||
vPC[0].u.opcode == machine->getOpcode(op_put_by_id) || vPC[0].u.opcode ==
machine->getOpcode(op_get_by_id_generic) || vPC[0].u.opcode ==
machine->getOpcode(op_put_by_id_generic)

At the point of failure vPC[0].u.opcode is op_mov, i.e. the instruction that uncacheGetByID is trying to uncache is not a get_by_id/put_by_id (or their _generic forms) at all, so the vPC handed to derefStructureIDs does not point at a property-access instruction.

Here's the dump of the CodeBlock that was executing (0BBA25F0: instructions, identifiers, constants, StructureIDs and exception handlers), followed by its register frame:

509 instructions; 2496 bytes at 0BBA25F0; 15 locals (2 parameters); 26
temporaries

[   0] resolve_skip      tr28, Array(@id0), 0
[   4] mov               tr39, tr0
[   7] construct         lr8, tr28, 38, 2
[  12] mov               lr9, tr1
[  15] mov               lr10, tr1
[  18] get_scoped_var    tr28, -6, 0
[  22] get_by_id_generic         lr1, tr28, document(@id1)
[  30] get_by_id_generic         lr11, lr1, body(@id2)
[  38] put_by_val        lr8, tr2, tr3
[  42] put_by_val        lr8, tr4, lr14
[  46] put_by_val        lr8, tr5, tr6
[  50] get_by_id         tr28, lr8, join(@id3)
[  58] mov               tr39, tr1
[  61] call              lr10, tr28, lr8, 38, 2
[  67] get_scoped_var    tr28, -895, 0
[  71] get_by_id_generic         tr28, tr28, Rb(@id4)
[  79] get_scoped_var    tr29, -6, 0
[  83] in                tr28, tr28, tr29
[  87] jfalse            tr28, 228(->317)
[  90] resolve_skip      tr28, ActiveXObject(@id5), 0
[  94] mov               tr39, tr7
[  97] construct         lr6, tr28, 38, 2
[ 102] mov               tr28, lr6
[ 105] mov               tr29, lr6
[ 108] put_by_id         lr6, validateOnParse(@id6), tr8
[ 114] put_by_id         tr29, resolveExternals(@id7), tr8
[ 120] put_by_id         tr28, async(@id8), tr8
[ 126] get_by_id         tr28, lr6, loadXML(@id9)
[ 134] mov               tr39, lr10
[ 137] call              tr28, tr28, lr6, 38, 2
[ 143] get_by_id         tr28, lr6, selectNodes(@id10)
[ 151] mov               tr39, tr9
[ 154] call              lr2, tr28, lr6, 38, 2
[ 160] jmp               137(->298)
[ 162] get_by_id         tr28, lr4, getAttribute(@id11)
[ 170] mov               tr39, tr10
[ 173] call              lr9, tr28, lr4, 38, 2
[ 179] get_by_id         tr28, lr1, createElement(@id12)
[ 187] mov               tr39, tr11
[ 190] call              lr12, tr28, lr1, 38, 2
[ 196] put_by_id         lr12, id(@id13), lr9
[ 202] get_by_id         lr5, lr4, firstChild(@id14)
[ 210] get_by_id         tr28, lr11, appendChild(@id15)
[ 218] mov               tr39, lr12
[ 221] call              tr28, tr28, lr11, 38, 2
[ 227] jfalse            lr5, 69(->298)
[ 230] get_by_id         tr28, lr12, XMLDocument(@id16)
[ 238] put_by_id         tr28, documentElement(@id17), lr5
[ 244] jmp               53(->298)
[ 246] catch             tr28
[ 248] push_new_scope   tr28, A(@id18), tr28
[ 252] resolve_base      tr29, A(@id18)
[ 255] put_by_id         tr29, A(@id18), tr12
[ 261] resolve           tr29, X(@id19)
[ 264] get_by_id         tr29, tr29, XMLDocument(@id16)
[ 272] get_by_id         tr30, tr29, loadXML(@id9)
[ 280] resolve           tr42, V(@id20)
[ 283] get_by_id         tr41, tr42, xml(@id21)
[ 291] call              tr29, tr30, tr29, 40, 2
[ 297] pop_scope
[ 298] get_by_id         tr28, lr2, nextNode(@id22)
[ 306] call              lr4, tr28, lr2, 38, 1
[ 312] loop_if_true              lr4, -152(->162)
[ 315] jmp               291(->607)
[ 317] resolve_skip      tr28, DOMParser(@id23), 0
[ 321] construct         tr28, tr28, 38, 1
[ 326] get_by_id_generic         tr29, tr28, parseFromString(@id24)
[ 334] get_by_id_generic         tr41, lr10, replace(@id25)
[ 342] new_regexp        tr52, /\n/g(@re0)
[ 345] mov               tr53, tr13
[ 348] call              tr40, tr41, lr10, 51, 3
[ 354] get_scoped_var    tr42, -895, 0
[ 358] get_by_id_generic         tr41, tr42, Pj(@id26)
[ 366] call              lr6, tr29, tr28, 39, 3
[ 372] get_by_id         tr28, lr6, createNSResolver(@id27)
[ 380] get_by_id_generic         tr39, lr6, documentElement(@id17)
[ 388] call              lr3, tr28, lr6, 38, 2
[ 394] get_by_id         tr28, lr6, evaluate(@id28)
[ 402] mov               tr39, tr14
[ 405] mov               tr40, lr6
[ 408] mov               tr41, lr3
[ 411] mov               tr42, tr15
[ 414] mov               tr43, tr12
[ 417] call              lr2, tr28, lr6, 38, 6
[ 423] jmp               180(->604)
[ 425] get_by_id_generic         tr28, lr2, iterateNext(@id29)
[ 433] call              lr4, tr28, lr2, 38, 1
[ 439] jtrue             lr4, 3(->444)
[ 442] jmp               164(->607)
[ 444] get_by_id_proto   tr28, lr4, getAttribute(@id11)
[ 452] mov               tr39, tr16
[ 455] call              lr9, tr28, lr4, 38, 2
[ 461] get_by_id_chain   tr28, lr1, createElement(@id12)
[ 469] mov               tr39, tr17
[ 472] call              lr12, tr28, lr1, 38, 2
[ 478] put_by_id_generic         lr12, id(@id13), lr9
[ 484] get_by_id_generic         tr28, lr11, appendChild(@id15)
[ 492] mov               tr39, lr12
[ 495] call              tr28, tr28, lr11, 38, 2
[ 501] get_by_id_generic         lr5, lr4, firstChild(@id14)
[ 509] jfalse            lr5, 79(->590)
[ 512] get_by_id_generic         tr28, lr1, implementation(@id30)
[ 520] get_by_id_generic         tr29, tr28, createDocument(@id31)
[ 528] mov               tr40, tr1
[ 531] mov               tr41, tr1
[ 534] mov               tr42, tr12
[ 537] call              lr7, tr29, tr28, 39, 4
[ 543] resolve_base      tr28, oNode3(@id32)
[ 546] get_by_id_proto   tr29, lr7, importNode(@id33)
[ 554] mov               tr40, lr5
[ 557] mov               tr41, tr18
[ 560] call              tr29, tr29, lr7, 39, 3
[ 566] put_by_id_generic         tr28, oNode3(@id32), tr29
[ 572] get_by_id_generic         tr28, lr7, appendChild(@id15)
[ 580] resolve_skip      tr39, oNode3(@id32), 0
[ 584] call              tr28, tr28, lr7, 38, 2
[ 590] get_scoped_var    tr28, -6, 0
[ 594] put_by_val        tr28, lr9, lr12
[ 598] put_by_id_generic         lr12, XMLDocument(@id16), lr7
[ 604] loop_if_true              tr18, -181(->425)
[ 607] mov               lr7, tr12
[ 610] mov               lr3, lr7
[ 613] mov               lr2, lr3
[ 616] mov               lr4, lr2
[ 619] mov               lr6, lr4
[ 622] ret               tr19

Identifiers:
  id0 = Array
  id1 = document
  id2 = body
  id3 = join
  id4 = Rb
  id5 = ActiveXObject
  id6 = validateOnParse
  id7 = resolveExternals
  id8 = async
  id9 = loadXML
  id10 = selectNodes
  id11 = getAttribute
  id12 = createElement
  id13 = id
  id14 = firstChild
  id15 = appendChild
  id16 = XMLDocument
  id17 = documentElement
  id18 = A
  id19 = X
  id20 = V
  id21 = xml
  id22 = nextNode
  id23 = DOMParser
  id24 = parseFromString
  id25 = replace
  id26 = Pj
  id27 = createNSResolver
  id28 = evaluate
  id29 = iterateNext
  id30 = implementation
  id31 = createDocument
  id32 = oNode3
  id33 = importNode

Constants:
  tr0 = 3
  tr1 = ""
  tr2 = 0
  tr3 = "<Y>"
  tr4 = 1
  tr5 = 2
  tr6 = "</Y>"
  tr7 = "MSXML2.DOMDocument"
  tr8 = false
  tr9 = "/Y/xml"
  tr10 = "id"
  tr11 = "xml"
  tr12 = null
  tr13 = "
"
  tr14 = "/Y/xml"
  tr15 = 5
  tr16 = "id"
  tr17 = "xml"
  tr18 = true
  tr19 = undefined

RegExps:
  re0 = /\n/g

StructureIDs:
  [  50] get_by_id: 090AA590
  [ 108] put_by_id: 00000000
  [ 114] put_by_id: 00000000
  [ 120] put_by_id: 00000000
  [ 126] get_by_id: 00000000
  [ 143] get_by_id: 00000000
  [ 162] get_by_id: 00000000
  [ 179] get_by_id: 00000000
  [ 196] put_by_id: 00000000
  [ 202] get_by_id: 00000000
  [ 210] get_by_id: 00000000
  [ 230] get_by_id: 00000000
  [ 238] put_by_id: 00000000
  [ 255] put_by_id: 00000000
  [ 264] get_by_id: 00000000
  [ 272] get_by_id: 00000000
  [ 283] get_by_id: 00000000
  [ 298] get_by_id: 00000000
  [ 372] get_by_id: 073891C0
  [ 394] get_by_id: 073891C0
  [ 444] get_by_id_proto: 0BDC5518, 0BFF3B60
  [ 461] get_by_id_chain: 09770818, 0B1C9048
  [ 546] get_by_id_proto: 073891C0, 0C0127C8

Exception Handlers:
         1: { start: [ 230] end: [ 244] target: [ 246] }

Register frame:

----------------------------------------------------
            use            |   address  |   value
----------------------------------------------------
[CallerCodeBlock]          |   08850288 |   098B9830
[ReturnVPC]                |   08850290 |   0C300228
[CallerScopeChain]         |   08850298 |   0BB9E028
[CallerRegisterOffset]     |   088502A0 |   08850198
[ReturnValueRegister]      |   088502A8 |   0000001E
[ArgumentStartRegister]    |   088502B0 |   00000028
[ArgumentCount]            |   088502B8 |   00000002
[CalledAsConstructor]      |   088502C0 |   00000000
[Callee]                   |   088502C8 |   08A7AE40
[OptionalCalleeActivation] |   088502D0 |   083447C0
----------------------------------------------------
[this]                     |   088502D8 |   08340000
[param]                    |   088502E0 |   08344920
----------------------------------------------------
[var]                      |   088502E8 |   0000000A
[var]                      |   088502F0 |   08344300
[var]                      |   088502F8 |   083452E0
[var]                      |   08850300 |   08344780
[var]                      |   08850308 |   08344220
[var]                      |   08850310 |   083447A0
[var]                      |   08850318 |   083442C0
[var]                      |   08850320 |   083446A0
[var]                      |   08850328 |   083442E0
[var]                      |   08850330 |   08344260
[var]                      |   08850338 |   08344620
[var]                      |   08850340 |   083445A0
[var]                      |   08850348 |   083487C0
----------------------------------------------------
[temp]                     |   08850350 |   00000007
[temp]                     |   08850358 |   08340080
[temp]                     |   08850360 |   00000001
[temp]                     |   08850368 |   08344900
[temp]                     |   08850370 |   00000003
[temp]                     |   08850378 |   00000005
[temp]                     |   08850380 |   083448E0
[temp]                     |   08850388 |   083448C0
[temp]                     |   08850390 |   00000006
[temp]                     |   08850398 |   083448A0
[temp]                     |   088503A0 |   08344880
[temp]                     |   088503A8 |   08344860
[temp]                     |   088503B0 |   00000002
[temp]                     |   088503B8 |   08344840
[temp]                     |   088503C0 |   08344820
[temp]                     |   088503C8 |   0000000B
[temp]                     |   088503D0 |   08344800
[temp]                     |   088503D8 |   083447E0
[temp]                     |   088503E0 |   00000016
[temp]                     |   088503E8 |   0000000A
[temp]                     |   088503F0 |   08346C20
[temp]                     |   088503F8 |   08346C00
[temp]                     |   08850400 |   08346BE0
[temp]                     |   08850408 |   08346BC0
[temp]                     |   08850410 |   08346BA0
[temp]                     |   08850418 |   08346B80

Here's the backtrace:

        WebKit_debug.dll!KJS::CodeBlock::derefStructureIDs(KJS::Instruction *
vPC=0x0bba08f4)  Line 831 + 0x60 bytes    C++
        WebKit_debug.dll!KJS::Machine::uncacheGetByID(KJS::CodeBlock *
codeBlock=0x0bba25f0, KJS::Instruction * vPC=0x0bba08f4)  Line 1267      C++
>	WebKit_debug.dll!KJS::Machine::privateExecute(KJS::Machine::ExecutionFlag flag=Normal, KJS::ExecState * exec=0x0012ebd4, KJS::RegisterFile * registerFile=0x0730ee14, KJS::Register * r=0x08850350, KJS::ScopeChainNode * scopeChain=0x09659058, KJS::CodeBlock * codeBlock=0x0bba25f0, KJS::JSValue * * exception=0x0012ec54)  Line 2243	C++
        WebKit_debug.dll!KJS::Machine::execute(KJS::ProgramNode *
programNode=0x092bc928, KJS::ExecState * exec=0x0751c9c0, KJS::ScopeChainNode *
scopeChain=0x0735ae70, KJS::JSObject * thisObj=0x08340000, KJS::JSValue * *
exception=0x0012ec54)  Line 794 + 0x25 bytes      C++
        WebKit_debug.dll!KJS::Interpreter::evaluate(KJS::ExecState *
exec=0x0751c9c0, KJS::ScopeChain & scopeChain={...}, const KJS::UString &
sourceURL={...}, int startingLineNumber=655,
WTF::PassRefPtr<KJS::SourceProvider> source={...}, KJS::JSValue *
thisValue=0x08340000)  Line 83 + 0x2d bytes       C++
        WebKit_debug.dll!WebCore::ScriptController::evaluate(const
WebCore::String & sourceURL={...}, int baseLine=655, const WebCore::String &
str={...})  Line 116 + 0x52 bytes       C++
        WebKit_debug.dll!WebCore::FrameLoader::executeScript(const
WebCore::String & url={...}, int baseLine=655, const WebCore::String &
script={...})  Line 790 + 0x1d bytes  C++
        WebKit_debug.dll!WebCore::HTMLTokenizer::scriptExecution(const
WebCore::String & str={...}, WebCore::HTMLTokenizer::State state={...}, const
WebCore::String & scriptURL={...}, int baseLine=655)  Line 559     C++
       
WebKit_debug.dll!WebCore::HTMLTokenizer::scriptHandler(WebCore::HTMLTokenizer::State
state={...})  Line 498 + 0x2d bytes        C++
       
WebKit_debug.dll!WebCore::HTMLTokenizer::parseSpecial(WebCore::SegmentedString
& src={...}, WebCore::HTMLTokenizer::State state={...})  Line 344 + 0x10 bytes 
 C++
       
WebKit_debug.dll!WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString &
src={...}, WebCore::HTMLTokenizer::State state={...})  Line 1512 + 0x17 bytes  
   C++
        WebKit_debug.dll!WebCore::HTMLTokenizer::write(const
WebCore::SegmentedString & str={...}, bool appendData=true)  Line 1747 + 0x1d
bytes        C++
        WebKit_debug.dll!WebCore::FrameLoader::write(const char *
str=0x0972bd60, int len=44759, bool flush=false)  Line 1032 + 0x21 bytes     
C++
        WebKit_debug.dll!WebCore::FrameLoader::addData(const char *
bytes=0x0972bd60, int length=44759)  Line 1872      C++
        WebKit_debug.dll!WebFrameLoaderClient::receivedData(const char *
data=0x0972bd60, int length=44759, const WebCore::String & textEncoding={...}) 
Line 406       C++
       
WebKit_debug.dll!WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader *
loader=0x09075960, const char * data=0x0972bd60, int length=44759)  Line 377   
 C++
       
WebKit_debug.dll!WebCore::FrameLoader::committedLoad(WebCore::DocumentLoader *
loader=0x09075960, const char * data=0x0972bd60, int length=44759)  Line 3373 +
0x24 bytes       C++
        WebKit_debug.dll!WebCore::DocumentLoader::commitLoad(const char *
data=0x0972bd60, int length=44759)  Line 356  C++
        WebKit_debug.dll!WebCore::DocumentLoader::receivedData(const char *
data=0x0972bd60, int length=44759)  Line 368        C++
        WebKit_debug.dll!WebCore::FrameLoader::receivedData(const char *
data=0x0972bd60, int length=44759)  Line 2323  C++
        WebKit_debug.dll!WebCore::MainResourceLoader::addData(const char *
data=0x0972bd60, int length=44759, bool allAtOnce=false)  Line 146   C++
        WebKit_debug.dll!WebCore::ResourceLoader::didReceiveData(const char *
data=0x0972bd60, int length=44759, __int64 lengthReceived=44759, bool
allAtOnce=false)  Line 251 + 0x1b bytes     C++
        WebKit_debug.dll!WebCore::MainResourceLoader::didReceiveData(const char
* data=0x0972bd60, int length=44759, __int64 lengthReceived=44759, bool
allAtOnce=false)  Line 306      C++
       
WebKit_debug.dll!WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle
* __formal=0x08d5f028, const char * data=0x0972bd60, int length=44759, int
lengthReceived=44759)  Line 393 + 0x1f bytes        C++
        WebKit_debug.dll!WebCore::didReceiveData(_CFURLConnection *
conn=0x07310e90, const __CFData * data=0x0972acd0, long originalLength=44759,
const void * clientInfo=0x08d5f028)  Line 109 + 0x2a bytes    C++
        CFNetwork_debug.dll!URLConnectionClient::sendOrBufferData(const
__CFData * data=0x0972acd0)  Line 1051 + 0x54 bytes     C++
        CFNetwork_debug.dll!URLConnectionClient::clientDidReceiveData(const
__CFData * data=0x0972acd0)  Line 841       C++
       
CFNetwork_debug.dll!URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<enum
XClientEvent,XClientEventParams> * e=0x08d1c0e4, long count=3)  Line 1206 +
0x22 bytes C++
        CFNetwork_debug.dll!XConnectionEventQueue<enum
XClientEvent,XClientEventParams>::processAllEvents()  Line 131 + 0x23 bytes    
 C++
        CFNetwork_debug.dll!URLConnectionClient::processEvents()  Line 233     
C++
        CFNetwork_debug.dll!URLConnectionWndProc(HWND__ * hWnd=0x0007055a,
unsigned int message=1231, unsigned int wParam=120655504, long lParam=0)  Line
82 + 0x2e bytes       C++
        user32.dll!_InternalCallWinProc at 20()  + 0x28 bytes      
        user32.dll!_UserCallWinProcCheckWow at 32()  + 0xb7 bytes  
        user32.dll!_DispatchMessageWorker at 8()  + 0xdc bytes     
        user32.dll!_DispatchMessageW at 4()  + 0xf bytes   
        Safari_debug.exe!RunMessagePump(WTL::CMessageLoop & messageLoop={...}) 
Line 185 + 0xc bytes    C++
        Safari_debug.exe!run(int nCmdShow=1)  Line 249 + 0x9 bytes      C++
        Safari_debug.exe!wWinMain(HINSTANCE__ * hInstance=0x00400000,
HINSTANCE__ * __formal=0x00000000, wchar_t * lpstrCmdLine=0x00020ea0, int
nCmdShow=1)  Line 464 + 0x9 bytes       C++
        Safari_debug.exe!__tmainCRTStartup()  Line 589 + 0x35 bytes     C
        Safari_debug.exe!wWinMainCRTStartup()  Line 414 C
        kernel32.dll!_BaseProcessStart at 4()  + 0x23 bytes

