[Webkit-unassigned] [Bug 55052] New: Crash in JSC::appendSourceToError when running fast/dom/objc-big-method-name.html on Windows with full page heap enabled
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Feb 23 09:01:58 PST 2011
https://bugs.webkit.org/show_bug.cgi?id=55052
Summary: Crash in JSC::appendSourceToError when running
fast/dom/objc-big-method-name.html on Windows with
full page heap enabled
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: NEW
Keywords: NeedsRadar
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: aroben at apple.com
CC: ggaren at apple.com, oliver at apple.com,
barraclough at apple.com
To reproduce:
1. gflags /p /enable dumprendertree.exe /full
2. run-webkit-tests fast/dom/objc-big-method-name.html
You'll crash in JSC::appendSourceToError, on this line:
while (stop > expressionStart && isStrWhiteSpace(data[stop]))
We're reading off the end of the data buffer. Here's a little more context:
while (stop < dataLength && (stop - expressionStart < 20) && data[stop] != '\n')
stop++;
while (stop > expressionStart && isStrWhiteSpace(data[stop]))
stop--;
The first loop exits when stop == dataLength. The next line reads data[dataLength], which is 1 character off the end of the data buffer.
Here's the backtrace:
> JavaScriptCore.dll!JSC::appendSourceToError(JSC::ExecState * callFrame=0x131b00f0, JSC::ErrorInstance * exception=0x3d8f7320, unsigned int bytecodeOffset=16) Line 648 + 0xe bytes C++
JavaScriptCore.dll!JSC::Interpreter::throwException(JSC::ExecState * & callFrame=0x131b00f0, JSC::JSValue & exceptionValue={...}, unsigned int bytecodeOffset=16) Line 666 + 0x13 bytes C++
JavaScriptCore.dll!JSC::jitThrow(JSC::JSGlobalData * globalData=0x10ffce78, JSC::ExecState * callFrame=0x131b00f0, JSC::JSValue exceptionValue={...}, JSC::ReturnAddressPtr faultLocation={...}) Line 970 + 0x1a bytes C++
JavaScriptCore.dll!cti_vm_throw(void * * args=0x0012e690) Line 3482 + 0x2f bytes C++
JavaScriptCore.dll!@cti_op_create_this at 4() + 0x1cf bytes C++
JavaScriptCore.dll!JSC::JITCode::execute(JSC::RegisterFile * registerFile=0x1076dfcc, JSC::ExecState * callFrame=0x131b00f0, JSC::JSGlobalData * globalData=0x10ffce78) Line 77 + 0x22 bytes C++
JavaScriptCore.dll!JSC::Interpreter::execute(JSC::EvalExecutable * eval=0x5a044fa8, JSC::ExecState * callFrame=0x131b0080, JSC::JSObject * thisObj=0x135c1020, int globalRegisterOffset=30, JSC::ScopeChainNode * scopeChain=0x5875afe8) Line 1153 + 0x2b bytes C++
JavaScriptCore.dll!JSC::Interpreter::callEval(JSC::ExecState * callFrame=0x131b0080, JSC::RegisterFile * registerFile=0x1076dfcc, JSC::Register * argv=0x131b00b0, int argc=2, int registerOffset=14) Line 418 + 0x71 bytes C++
JavaScriptCore.dll!cti_op_call_eval(void * * args=0x0012e990) Line 3125 C++
JavaScriptCore.dll!@cti_op_create_this at 4() + 0x1cf bytes C++
JavaScriptCore.dll!JSC::JITCode::execute(JSC::RegisterFile * registerFile=0x1076dfcc, JSC::ExecState * callFrame=0x131b0040, JSC::JSGlobalData * globalData=0x10ffce78) Line 77 + 0x22 bytes C++
JavaScriptCore.dll!JSC::Interpreter::executeCall(JSC::ExecState * callFrame=0x56762e78, JSC::JSObject * function=0x135d12a0, JSC::CallType callType=CallTypeJS, const JSC::CallData & callData={...}, JSC::JSValue thisValue={...}, const JSC::ArgList & args={...}) Line 851 + 0x2a bytes C++
JavaScriptCore.dll!JSC::call(JSC::ExecState * exec=0x56762e78, JSC::JSValue functionObject={...}, JSC::CallType callType=CallTypeJS, const JSC::CallData & callData={...}, JSC::JSValue thisValue={...}, const JSC::ArgList & args={...}) Line 38 + 0x3c bytes C++
WebKit.dll!WebCore::JSMainThreadExecState::call(JSC::ExecState * exec=0x56762e78, JSC::JSValue functionObject={...}, JSC::CallType callType=CallTypeJS, const JSC::CallData & callData={...}, JSC::JSValue thisValue={...}, const JSC::ArgList & args={...}) Line 48 + 0x29 bytes C++
WebKit.dll!WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext * scriptExecutionContext=, WebCore::Event * event=) Line 123 + 0x6a bytes C++
WebKit.dll!WebCore::EventTarget::fireEventListeners(WebCore::Event * event=0x53530fc8, WebCore::EventTargetData * d=0x56586fa0, WTF::Vector<WebCore::RegisteredEventListener,1> & entry=[1]({listener=0x5920dfc8 {m_functionName={} m_eventParameterName={} m_code={} ...} useCapture=false })) Line 354 + 0x35 bytes C++
WebKit.dll!WebCore::EventTarget::fireEventListeners(WebCore::Event * event=0x53530fc8) Line 325 C++
WebKit.dll!WebCore::DOMWindow::dispatchEvent(WTF::PassRefPtr<WebCore::Event> prpEvent={...}, WTF::PassRefPtr<WebCore::EventTarget> prpTarget={...}) Line 1552 + 0x11 bytes C++
WebKit.dll!WebCore::DOMWindow::dispatchTimedEvent(WTF::PassRefPtr<WebCore::Event> event={...}, WebCore::Document * target=0x55460278, double * startTime=0x54e0afd8, double * endTime=0x54e0afe0) Line 1565 C++
WebKit.dll!WebCore::DOMWindow::dispatchLoadEvent() Line 1525 C++
WebKit.dll!WebCore::Document::dispatchWindowLoadEvent() Line 3481 C++
WebKit.dll!WebCore::Document::implicitClose() Line 2075 C++
WebKit.dll!WebCore::FrameLoader::checkCallImplicitClose() Line 896 C++
WebKit.dll!WebCore::FrameLoader::checkCompleted() Line 845 C++
WebKit.dll!WebCore::FrameLoader::finishedParsing() Line 779 C++
WebKit.dll!WebCore::Document::finishedParsing() Line 4231 C++
WebKit.dll!WebCore::HTMLTreeBuilder::finished() Line 2804 + 0x18 bytes C++
WebKit.dll!WebCore::HTMLDocumentParser::end() Line 350 C++
WebKit.dll!WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() Line 359 C++
WebKit.dll!WebCore::HTMLDocumentParser::prepareToStopParsing() Line 152 C++
WebKit.dll!WebCore::HTMLDocumentParser::attemptToEnd() Line 370 + 0xf bytes C++
WebKit.dll!WebCore::HTMLDocumentParser::finish() Line 399 C++
WebKit.dll!WebCore::Document::finishParsing() Line 2233 + 0x20 bytes C++
WebKit.dll!WebCore::DocumentWriter::endIfNotLoadingMainResource() Line 223 C++
WebKit.dll!WebCore::DocumentWriter::end() Line 208 C++
WebKit.dll!WebCore::DocumentLoader::finishedLoading() Line 286 C++
WebKit.dll!WebCore::FrameLoader::finishedLoading() Line 2193 C++
WebKit.dll!WebCore::MainResourceLoader::didFinishLoading(double finishTime=0.00000000000000000) Line 465 C++
WebKit.dll!WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle * __formal=0x556deff0, double finishTime=0.00000000000000000) Line 436 + 0x18 bytes C++
WebKit.dll!WebCore::didFinishLoading(_CFURLConnection * conn=0x5587cfe0, const void * clientInfo=0x556deff0) Line 241 + 0x26 bytes C++
CFNetwork.dll!URLConnectionClient::_clientDidFinishLoading() + 0x2b bytes C++
CFNetwork.dll!URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload() C++
CFNetwork.dll!URLConnectionClient::processEvents() + 0x21 bytes C++
CFNetwork.dll!URLConnectionWndProc() C++
user32.dll!_InternalCallWinProc at 20() + 0x28 bytes
user32.dll!_UserCallWinProcCheckWow at 32() + 0xb7 bytes
user32.dll!_DispatchMessageWorker at 8() + 0xdc bytes
user32.dll!_DispatchMessageW at 4() + 0xf bytes
DumpRenderTree.exe!runTest(const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & testPathOrURL="c:\Documents and Settings\Adam Roben\dev\WebKit\OpenSource\LayoutTests\fast\dom\objc-big-method-name.html") Line 1002 + 0xf bytes C++
DumpRenderTree.exe!main(int argc=2, char * * argv=0x07c57f98) Line 1379 + 0x28 bytes C++
DumpRenderTree.exe!__tmainCRTStartup() Line 597 + 0x17 bytes C
kernel32.dll!_BaseProcessStart at 4() + 0x23 bytes
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list