[Webkit-unassigned] [Bug 40874] New: Crash in JavaScriptCore when viewing page with image frame from Google

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Jun 19 00:06:17 PDT 2010 

https://bugs.webkit.org/show_bug.cgi?id=40874

           Summary: Crash in JavaScriptCore when viewing page with image
                    frame from Google
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Macintosh Intel
               URL: http://www.google.com/imgres?imgurl=http://y.delfi.ee/
                    norm/100169/4910117_MAVojh.jpeg&imgrefurl=http://pilt.
                    delfi.ee/picture/4910117/&usg=__AepAaXV8iS8ug21o5d1vPZ
                    jUEGE=&h=426&w=630&sz=59&hl=en&start=2&um=1&itbs=1&tbn
                    id=Td-JwZyHHr9HJM:&tbnh=93&tbnw=137&prev=/images%3Fq%3
                    Dkadri%2Bk%25C3%25B5usaar%26um%3D1%26hl%3Den%26safe%3D
                    off%26sa%3DN%26tbs%3Disch:1
        OS/Version: Mac OS X 10.6
            Status: UNCONFIRMED
          Severity: Major
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: rex_4539 at yahoo.com


Created an attachment (id=59178)
 --> (https://bugs.webkit.org/attachment.cgi?id=59178)
Crash log

6533.16, r61351

Reproducibility: always

Steps:
Go to http://www.google.com/imgres?imgurl=http://y.delfi.ee/norm/100169/4910117_MAVojh.jpeg&imgrefurl=http://pilt.delfi.ee/picture/4910117/&usg=__AepAaXV8iS8ug21o5d1vPZjUEGE=&h=426&w=630&sz=59&hl=en&start=2&um=1&itbs=1&tbnid=Td-JwZyHHr9HJM:&tbnh=93&tbnw=137&prev=/images%3Fq%3Dkadri%2Bk%25C3%25B5usaar%26um%3D1%26hl%3Den%26safe%3Doff%26sa%3DN%26tbs%3Disch:1

What happened:
WebKit crashes.

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore          0x000000010084dee3 JSC::JSObject::defaultValue(JSC::ExecState*, JSC::PreferredPrimitiveType) const + 4035
1   com.apple.JavaScriptCore          0x000000010076156d JSC::JSObject::toPrimitive(JSC::ExecState*, JSC::PreferredPrimitiveType) const + 13
2   com.apple.JavaScriptCore          0x000000010084bf79 JSC::JSObject::toString(JSC::ExecState*) const + 57
3   com.apple.JavaScriptCore          0x00000001008d4fde JSC::stringProtoFuncSubstring(JSC::ExecState*) + 526
4   ???                               0x00002c4094c0017a 0 + 48655885140346
5   com.apple.JavaScriptCore          0x00000001007da686 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*, JSC::JSValue*) + 518
6   ???                               0x0000000117113480 0 + 4681970816

Expected result:
WebKit does not crash.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list