[Webkit-unassigned] [Bug 70689] New: Crash in void JSC::validateCell<JSC::RegExp*>(JSC::RegExp*)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Oct 23 01:30:51 PDT 2011 

https://bugs.webkit.org/show_bug.cgi?id=70689

           Summary: Crash in void
                    JSC::validateCell<JSC::RegExp*>(JSC::RegExp*)
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Macintosh Intel
               URL: http://www.imdb.com/name/nm0000241/
        OS/Version: Mac OS X 10.7
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: rex_4539 at yahoo.com


Created an attachment (id=112105)
 --> (https://bugs.webkit.org/attachment.cgi?id=112105&action=review)
Crash log.

r98197

Reproducibility: once

Steps:
1. I opened http://www.imdb.com/title/tt1764651/
2. I clicked on http://www.imdb.com/name/nm0000241/
3. I clicked on the "Back" button in Safari.

What happened:
3. Crash while the page was loading.

1   0x1022cd9e4 void JSC::validateCell<JSC::RegExp*>(JSC::RegExp*)
2   0x1022cd905 JSC::WriteBarrierBase<JSC::RegExp>::set(JSC::JSGlobalData&, JSC::JSCell const*, JSC::RegExp*)
3   0x1022cd888 JSC::WriteBarrier<JSC::RegExp>::WriteBarrier(JSC::JSGlobalData&, JSC::JSCell const*, JSC::RegExp*)
4   0x1022cd83d JSC::WriteBarrier<JSC::RegExp>::WriteBarrier(JSC::JSGlobalData&, JSC::JSCell const*, JSC::RegExp*)
5   0x1024c5e27 JSC::RegExpObject::RegExpObjectData::RegExpObjectData(JSC::JSGlobalData&, JSC::RegExpObject*, JSC::RegExp*)
6   0x1024c53ed JSC::RegExpObject::RegExpObjectData::RegExpObjectData(JSC::JSGlobalData&, JSC::RegExpObject*, JSC::RegExp*)
7   0x1024c4667 JSC::RegExpObject::RegExpObject(JSC::JSGlobalObject*, JSC::Structure*, JSC::RegExp*)
8   0x1024c45ad JSC::RegExpObject::RegExpObject(JSC::JSGlobalObject*, JSC::Structure*, JSC::RegExp*)
9   0x102340f9d JSC::RegExpObject::create(JSC::JSGlobalData&, JSC::JSGlobalObject*, JSC::Structure*, JSC::RegExp*)
10  0x1023be397 cti_op_new_regexp
11  0x1023c12f0 jscGeneratedNativeCode
12  0x10237e069 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*)
13  0x102379fcd JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*)
14  0x1022ed91a JSC::evaluate(JSC::ExecState*, JSC::ScopeChainNode*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*)
15  0x103a619f1 WebCore::JSMainThreadExecState::evaluate(JSC::ExecState*, JSC::ScopeChainNode*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*)
16  0x10410de8f WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*)
17  0x1034d552b WebCore::Frame::injectUserScriptsForWorld(WebCore::DOMWrapperWorld*, WTF::Vector<WTF::OwnPtr<WebCore::UserScript>, 0ul> const&, WebCore::UserScriptInjectionTime)
18  0x1034d5327 WebCore::Frame::injectUserScripts(WebCore::UserScriptInjectionTime)
19  0x1034f0ab4 WebCore::FrameLoader::dispatchDocumentElementAvailable()
20  0x1035c3955 WebCore::HTMLConstructionSite::dispatchDocumentElementAvailableIfNeeded()
21  0x1035c3a8c WebCore::HTMLConstructionSite::insertHTMLHtmlStartTagBeforeHTML(WebCore::AtomicHTMLToken&)
22  0x10368725e WebCore::HTMLTreeBuilder::processStartTag(WebCore::AtomicHTMLToken&)
23  0x103686f19 WebCore::HTMLTreeBuilder::processToken(WebCore::AtomicHTMLToken&)
24  0x103686da4 WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken(WebCore::AtomicHTMLToken&)
25  0x103686cdc WebCore::HTMLTreeBuilder::constructTreeFromToken(WebCore::HTMLToken&)
26  0x1035e17b9 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode)
27  0x1035e1268 WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode)
28  0x1035e22cf WebCore::HTMLDocumentParser::append(WebCore::SegmentedString const&)
29  0x10322637d WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter*, char const*, unsigned long)
30  0x1032b2b9d WebCore::DocumentWriter::addData(char const*, unsigned long)
31  0x10329259e WebCore::DocumentLoader::commitData(char const*, unsigned long)

Expected result:
3. WebKit does not crash.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list