[Webkit-unassigned] [Bug 125761] New: page crashes WebKit in CheckedArithmetic.h:overflowed()
bugzilla-daemon at webkit.org
Sun Dec 15 18:36:31 PST 2013
https://bugs.webkit.org/show_bug.cgi?id=125761
Summary: page crashes WebKit in CheckedArithmetic.h:overflowed()
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
OS/Version: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: WebCore JavaScript
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: adam at yorba.org
I'm running WebKit 2.3.2 in Epiphany built from git master on Ubuntu 14.04.
Every time I visit this page, WebKitWebProcess crashes:
http://www.gaisma.com/en/location/somerville-massachusetts.html
The top of the stack trace looks like this:
#0 0x00007f6875e56c5c in WTFCrash () at ../Source/WTF/wtf/Assertions.cpp:341
#1 0x00007f6876d30c89 in overflowed () at ../Source/WTF/wtf/CheckedArithmetic.h:80
#2 at (i=11, this=0x7f67f3f37c90) at ../Source/WTF/wtf/Vector.h:584
#3 operator[] (i=11, this=0x7f67f3f37c90) at ../Source/WTF/wtf/Vector.h:604
#4 WebCore::AccessibilityMenuListPopup::didUpdateActiveOption (this=0x7f67f3f37c80,
optionIndex=optionIndex at entry=11) at ../Source/WebCore/accessibility/AccessibilityMenuListPopup.cpp:138
#5 0x00007f6876d304cf in WebCore::AccessibilityMenuList::didUpdateActiveOption (this=0x7f67f3b846e0,
optionIndex=11) at ../Source/WebCore/accessibility/AccessibilityMenuList.cpp:118
#6 0x00007f6877423ae0 in WebCore::RenderMenuList::setTextFromOption (this=0x7f680439c6c0, optionIndex=11)
at ../Source/WebCore/rendering/RenderMenuList.cpp:232
#7 0x00007f68770b8623 in WebCore::HTMLSelectElement::selectOption (this=0x2f1e180,
optionIndex=<optimized out>, flags=1) at ../Source/WebCore/html/HTMLSelectElement.cpp:862
#8 0x00007f68770b879a in WebCore::HTMLSelectElement::setSelectedIndex (this=<optimized out>,
index=<optimized out>) at ../Source/WebCore/html/HTMLSelectElement.cpp:824
#9 0x00007f68776fd874 in WebCore::setJSHTMLSelectElementSelectedIndex (exec=0x7f6805ffbea8,
thisObject=<optimized out>, value=...) at DerivedSources/WebCore/JSHTMLSelectElement.cpp:475
#10 0x00007f68776ff35c in putEntry<WebCore::JSHTMLSelectElement> (shouldThrow=false, thisObj=0x7f681c01f7d0,
value=..., propertyName=..., entry=<optimized out>, exec=0x7f6805ffbea8)
at ../Source/JavaScriptCore/runtime/Lookup.h:301
#11 lookupPut<WebCore::JSHTMLSelectElement> (shouldThrow=false, thisObj=0x7f681c01f7d0, table=..., value=...,
propertyName=..., exec=0x7f6805ffbea8) at ../Source/JavaScriptCore/runtime/Lookup.h:319
#12 lookupPut<WebCore::JSHTMLSelectElement, WebCore::JSHTMLElement> (slot=..., thisObj=0x7f681c01f7d0,
table=..., value=..., propertyName=..., exec=0x7f6805ffbea8)
at ../Source/JavaScriptCore/runtime/Lookup.h:332
#13 WebCore::JSHTMLSelectElement::put (cell=0x7f681c01f7d0, exec=0x7f6805ffbea8, propertyName=..., value=...,
slot=...) at DerivedSources/WebCore/JSHTMLSelectElement.cpp:366
#14 0x00007f6875c62d85 in put (slot=..., value=..., propertyName=..., exec=0x7f6805ffbea8, this=0x7fff75349850)
at ../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:703
#15 JSC::LLInt::llint_slow_path_put_by_id (exec=0x7f6805ffbea8, pc=0x7f67f3b988d0)
at ../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:584
#16 0x00007f6875c6cc3c in llint_op_put_by_id () from /usr/lib/libjavascriptcoregtk-3.0.so.0
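The trace above ends in WTF::Vector::at handing index 11 to its overflow handler, which is what turns an out-of-range read of the popup's child list into a deterministic WTFCrash rather than silent memory corruption; the remaining defect is that a caller let an index it never validated reach that check. The following is an added example, not WebKit code: a minimal bounds-checked vector in the same shape as Vector::at (an OverflowHandler template parameter whose overflowed() must not return), a reproduction of the page's scenario with five constructed options and a request for index 11, and a hardened caller that validates the index against the child count before indexing. CheckedVector, ThrowOnOverflow, MenuListOption and the two didUpdateActiveOption* functions are assumptions for illustration; WTF's real CrashOnOverflow calls WTFCrash().

```cpp
// Added example (not WebKit code): bounds-checked vector in the shape of
// WTF::Vector::at, plus an unchecked and a hardened caller.
#include <cstddef>
#include <cstdlib>
#include <stdexcept>
#include <string>
#include <vector>

// Handler in the spirit of the page's trace: out-of-range access aborts
// the process instead of reading past the buffer (WTF's calls WTFCrash()).
struct CrashOnOverflow {
    [[noreturn]] static void overflowed() { std::abort(); }
};

// Handler for tests and diagnostics (assumption, not a WTF type): reports
// the violation as an exception so the caller can observe the trap.
struct ThrowOnOverflow {
    [[noreturn]] static void overflowed() {
        throw std::out_of_range("CheckedVector index >= size");
    }
};

template <typename T, typename OverflowHandler = CrashOnOverflow>
class CheckedVector {
public:
    void append(const T& v) { m_items.push_back(v); }
    std::size_t size() const { return m_items.size(); }

    // Same shape as Vector::at: check the index on every access and hand
    // failures to the handler, which never returns.
    T& at(std::size_t i) {
        if (i >= m_items.size())
            OverflowHandler::overflowed();
        return m_items[i];
    }
    const T& at(std::size_t i) const {
        if (i >= m_items.size())
            OverflowHandler::overflowed();
        return m_items[i];
    }
    T& operator[](std::size_t i) { return at(i); }

private:
    std::vector<T> m_items;
};

// Constructed stand-in for one accessibility child per <option>.
struct MenuListOption {
    std::string label;
    bool selected = false;
};

using OptionList = CheckedVector<MenuListOption, ThrowOnOverflow>;

// Constructed sample: a <select> with only five options.
static OptionList makeFiveOptions() {
    OptionList options;
    for (int i = 0; i < 5; ++i)
        options.append(MenuListOption{"option " + std::to_string(i)});
    return options;
}

// Caller that trusts optionIndex, as frame #4 in the trace did for i=11.
void didUpdateActiveOptionUnchecked(OptionList& options, std::size_t optionIndex) {
    options[optionIndex].selected = true;
}

// Hardened caller: a stale or script-chosen index that no longer matches
// the child count is ignored instead of reaching the bounds check.
bool didUpdateActiveOptionChecked(OptionList& options, std::size_t optionIndex) {
    if (optionIndex >= options.size())
        return false;
    options[optionIndex].selected = true;
    return true;
}

// Reproduces the page's shape: five children, index 11 requested.
// Returns true if the vector's bounds check trapped the access.
bool uncheckedCallerTrapsIndexEleven() {
    OptionList options = makeFiveOptions();
    try {
        didUpdateActiveOptionUnchecked(options, 11);
    } catch (const std::out_of_range&) {
        return true;
    }
    return false;
}

// The hardened caller rejects index 11 and leaves every option untouched.
bool checkedCallerIgnoresIndexEleven() {
    OptionList options = makeFiveOptions();
    bool applied = didUpdateActiveOptionChecked(options, 11);
    bool anySelected = false;
    for (std::size_t i = 0; i < options.size(); ++i)
        anySelected = anySelected || options.at(i).selected;
    return !applied && !anySelected;
}

// A valid index still takes effect through the hardened caller.
bool checkedCallerAppliesValidIndex() {
    OptionList options = makeFiveOptions();
    return didUpdateActiveOptionChecked(options, 3) && options.at(3).selected;
}
```

With the default CrashOnOverflow handler the unchecked path aborts exactly as the page's WebKitWebProcess did; the bounds check is what keeps the outcome a crash rather than an out-of-bounds read, and the index validation in the caller is what removes the crash.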