In a bizarre case of digital food poisoning, I experienced a series of mysterious, persistent, reproducible crashes with Safari 3.2.1 this morning, traceable to a bad Google cookie.
Google has a nifty query suggestion feature that is turned on by default on its homepage search box. Whenever I typed in a phrase query (e.g. +"query suggestion" +"Google features") with the suggestion feature turned on, the browser crashed with a SIGSEGV around 30% of the time.
Excerpt from the crash log:
```
Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x000000001bdca240
Crashed Thread:  0

Thread 0 Crashed:
0   ???                 0x16619e75 0 + 375496309
1   com.apple.WebCore   0x94325ea0 WebCore::AutoTableLayout::fullRecalc() + 704
2   com.apple.WebCore   0x9432581a WebCore::AutoTableLayout::calcPrefWidths(int&, int&) + 26
3   com.apple.WebCore   0x943252b8 WebCore::RenderTable::calcPrefWidths() + 56
4   com.apple.WebCore   0x9431c04b WebCore::RenderBox::minPrefWidth() const + 27
5   com.apple.WebCore   0x9432507c WebCore::RenderTable::calcWidth() + 124
6   com.apple.WebCore   0x943241a8 WebCore::RenderTable::layout() + 392
...
```
```
SyntaxError: Invalid regular expression: nothing to repeat
http://www.google.com/extern_js/f/CgJlbhICdXMrMAc4AiwrMAo4EywrMA44AywrMBg4Ayw/nMD0sKnpeG0.js (line 21)
```
for every letter that I type into the search box. During this time, no query suggestion is made.
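The "nothing to repeat" message is what JavaScript's RegExp constructor throws when a pattern starts with a quantifier such as `+`, which is exactly what a phrase query beginning with `+"` looks like if typed text is interpolated into a regular expression unescaped. The snippet below is an added illustration, not code from the post or from Google's script; it assumes a hypothetical suggester that builds a highlight pattern from the typed prefix, and shows the unescaped version failing on the post's query next to the escaped version that matches it literally.

```javascript
// Added example (not from the post or from Google's extern_js script).
// Assumed scenario: a query suggester builds a RegExp from the user's typed
// text to highlight it in suggestions. Reproduces the "nothing to repeat"
// SyntaxError for a leading '+' and shows the escaping that prevents it.

// Escape every character that carries meaning inside a regular expression
// so the input is matched as a literal string.
function escapeRegExp(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Naive: the typed text becomes the pattern as-is. A leading '+' is a
// quantifier with nothing before it, so the constructor throws.
function naiveHighlightPattern(typed) {
  return new RegExp(typed, 'i');
}

// Safe: escape first, then compile. Never throws for any input string.
function safeHighlightPattern(typed) {
  return new RegExp(escapeRegExp(typed), 'i');
}

// Returns the SyntaxError message the naive version produces, or null if
// the input happened to compile.
function naiveError(typed) {
  try {
    naiveHighlightPattern(typed);
    return null;
  } catch (e) {
    return e instanceof SyntaxError ? e.message : String(e);
  }
}

// Constructed sample input: the phrase-style query from the post.
const SAMPLE_QUERY = '+"query suggestion" +"Google features"';

// Stand-alone demonstration.
console.log('naive:', naiveError(SAMPLE_QUERY));
console.log('safe matches:', safeHighlightPattern(SAMPLE_QUERY)
  .test('results for +"query suggestion" +"google features"'));
```

The defensive point is that any string that reaches `new RegExp()` from outside the program is untrusted syntax, and the fix is the same whether the source is a search box, a URL parameter or a cookie value: escape it (or use a plain `indexOf`/`includes` check) rather than trusting it to be a well-formed pattern.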
- I have never used an InputManager or “plug-in” to Safari
- The same crash does NOT happen under a fresh new user account created for diagnostic purposes
- Clearing the browser cache, temp files, hidden cache files (`getconf DARWIN_USER_CACHE_DIR`), etc. did not help.
- Deleting Safari preferences did not help.
Some combination of a bad cookie and bad regexes appears to have triggered a crash bug in this version of WebKit / WebCore. You wouldn’t think a bad cookie could take down a browser. But apparently it does.
I dearly hope this is not a potential buffer overflow or other security problem within WebKit.