[Webkit-unassigned] [Bug 72292] New: Crash in JSC::DFG::OSRExitCompiler::compileExit(JSC::DFG::OSRExit const&, JSC::DFG::SpeculationRecovery*)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Nov 14 11:29:44 PST 2011


https://bugs.webkit.org/show_bug.cgi?id=72292

           Summary: Crash in JSC::DFG::OSRExitCompiler::compileExit(JSC::DFG::OSRExit const&, JSC::DFG::SpeculationRecovery*)
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
               URL: http://thenextweb.com/shareables/2011/11/09/absolutely-amazing-6th-grade-iphone-app-developer-speaks-at-tedx/
        OS/Version: Unspecified
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: dieter at komendera.com


This crash is related to the YouTube5 Safari extension (http://www.verticalforest.com/youtube5-extension/, version 2.2.7). With that extension disabled, it doesn't crash.


With the extension enabled, the WebKit Nightly Version 5.1.1 (7534.51.22, r100143) Safari Web Content process reproducibly crashes with EXC_BAD_ACCESS on 10.7.2 when visiting this URL:
http://thenextweb.com/shareables/2011/11/09/absolutely-amazing-6th-grade-iphone-app-developer-speaks-at-tedx/

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000000006fd

VM Regions Near 0x6fd:
--> 
    __TEXT                 0000000108ac6000-0000000108ac7000 [    4K] r-x/rwx SM=COW  /Applications/WebKit.app/Contents/Frameworks/10.7/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess

Application Specific Information:
objc[55280]: garbage collection is OFF

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore          0x00000001090baf85 JSC::DFG::OSRExitCompiler::compileExit(JSC::DFG::OSRExit const&, JSC::DFG::SpeculationRecovery*) + 6101
1   com.apple.JavaScriptCore          0x00000001090bba43 compileOSRExit + 259
2   ???                               0x0000502520cfe3b6 0 + 88120394507190
3   com.apple.JavaScriptCore          0x0000000108f5e118 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*) + 3288
4   com.apple.JavaScriptCore          0x0000000108f17608 JSC::evaluate(JSC::ExecState*, JSC::ScopeChainNode*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) + 328
5   com.apple.WebCore                 0x0000000109aa71e3 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*) + 419
6   com.apple.WebCore                 0x0000000109aa7309 WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) + 41
7   com.apple.WebCore                 0x0000000109aae83b WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 155
8   com.apple.WebCore                 0x0000000109aaeba6 WebCore::ScriptElement::execute(WebCore::CachedScript*) + 166
9   com.apple.WebCore                 0x0000000109ab30b6 WebCore::ScriptRunner::timerFired(WebCore::Timer<WebCore::ScriptRunner>*) + 310
