Bug 16204 - Heap corruption in JS on ARM
Summary: Heap corruption in JS on ARM
Status: RESOLVED INVALID
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Other OS X 10.4
Importance: P2 Normal
Assignee: Nobody
Reported: 2007-11-30 04:39 PST by David Carson
Modified: 2010-03-04 01:57 PST

Description David Carson 2007-11-30 04:39:24 PST
If I build everything with -O2, I will get the crash when loading
cnn.com or nytimes.com in either of the following two places.

1. line 529 of object.h inherits(..), which is called from nodes.cpp
line 899. We are using rev 27453.

2. line 637 of string_object.cpp. See following for the stack trace.

When it crashes, the vptr of the JSObject, baseObj/thisObj in 1) and
res in 2), is 0x0.

Here is memory map for case 1)

(gdb) p *baseObj
$2 = {<KJS::JSCell> = {<KJS::JSValue> = {<WTFNoncopyable::Noncopyable>
= {<No data fields>}, _vptr.JSValue = 0x0}, <No data fields>},
 _prop = {<WTFNoncopyable::Noncopyable> = {<No data fields>},
m_singleEntryKey = 0xfffffe20, m_u = {singleEntryValue = 0x0,
     table = 0x0}, m_singleEntryAttributes = 0, m_getterSetterFlag =
false, m_usingTable = false}, _proto = 0x42e359e0}
(gdb) x/8w baseObj
0x42e403c0:     0x00000000      0xfffffe20      0x00000000      0x00000000
0x42e403d0:     0x42e359e0      0x42e42120      0x00000000      0x00000000


Here is stack trace for case 2)

[Switching to Thread 566]
0xaa2bb53c in KJS::StringProtoFunc::callAsFunction (this=<value
optimized out>, exec=0x107ff01c, thisObj=<value optimized out>,
args=<value optimized out>)
   at libs/WebKitLib/WebKit/JavaScriptCore/kjs/string_object.cpp:637
637               res->put(exec, i, jsString(u.substr(p0, pos-p0)));
Current language:  auto; currently c++
(gdb) bt
#0  0xaa2bb53c in KJS::StringProtoFunc::callAsFunction (this=<value
optimized out>, exec=0x107ff01c, thisObj=<value optimized out>,
   args=<value optimized out>) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/string_object.cpp:637
#1  0xaa2b33ce in KJS::JSObject::call (this=0x1bca, exec=0x107fee1c,
thisObj=0x43394440, args=@0xaa38d888)
   at libs/WebKitLib/WebKit/JavaScriptCore/kjs/object.cpp:95
#2  0xaa2c8a80 in KJS::FunctionCallDotNode::evaluate (this=0x7b9530,
exec=0x107ff01c) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:899
#3  0xaa2c4b1a in KJS::AssignResolveNode::evaluate (this=0x7b9548,
exec=0x107ff01c) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2295
#4  0xaa2c3086 in KJS::ExprStatementNode::execute (this=0x7b9560,
exec=0x107ff01c) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2718
#5  0xaa29d104 in KJS::BlockNode::execute (this=<value optimized out>,
exec=0x107ff01c) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2653
#6  0xaa2beb6a in KJS::FunctionBodyNode::execute (this=0x1b4,
exec=0x107ff01c) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:3612
#7  0xaa29ca6e in KJS::FunctionImp::execute (this=<value optimized
out>, exec=0x43394400) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/function.cpp:252
#8  0xaa2cf2fc in KJS::FunctionImp::callAsFunction (this=0x43395be0,
exec=0x107ff334, thisObj=<value optimized out>, args=@0x107ff0cc)
   at libs/WebKitLib/WebKit/JavaScriptCore/kjs/function.cpp:93
#9  0xaa2b33ce in KJS::JSObject::call (this=0x1bca, exec=0x107fee1c,
thisObj=0x42d60000, args=@0xaa38d888)
   at libs/WebKitLib/WebKit/JavaScriptCore/kjs/object.cpp:95
#10 0xaa2c8724 in KJS::FunctionCallResolveNode::evaluate
(this=0x7cb140, exec=0x107ff334) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:767
#11 0xaa2c8974 in KJS::FunctionCallDotNode::evaluate (this=0x7cb190,
exec=0x107ff334) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:874
#12 0xaa2c4b1a in KJS::AssignResolveNode::evaluate (this=0x7cb1a8,
exec=0x107ff334) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2295
#13 0xaa2c3086 in KJS::ExprStatementNode::execute (this=0x7cb1c0,
exec=0x107ff334) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2718
#14 0xaa29d104 in KJS::BlockNode::execute (this=<value optimized out>,
exec=0x107ff334) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2653
#15 0xaa2c3024 in KJS::IfNode::execute (this=<value optimized out>,
exec=0x107ff334) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2754
#16 0xaa29d104 in KJS::BlockNode::execute (this=<value optimized out>,
exec=0x107ff334) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2653
#17 0xaa2beb6a in KJS::FunctionBodyNode::execute (this=0x1b4,
exec=0x107ff334) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:3612
#18 0xaa29ca6e in KJS::FunctionImp::execute (this=<value optimized
out>, exec=0x43394400) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/function.cpp:252
#19 0xaa2cf2fc in KJS::FunctionImp::callAsFunction (this=0x43395ba0,
exec=0x107ff594, thisObj=<value optimized out>, args=@0x107ff3e4)
   at libs/WebKitLib/WebKit/JavaScriptCore/kjs/function.cpp:93
#20 0xaa2b33ce in KJS::JSObject::call (this=0x1bca, exec=0x107fee1c,
thisObj=0x42d60000, args=@0xaa38d888)
   at libs/WebKitLib/WebKit/JavaScriptCore/kjs/object.cpp:95
#21 0xaa2c8724 in KJS::FunctionCallResolveNode::evaluate
(this=0x780e38, exec=0x107ff594) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:767
#22 0xaa2c3086 in KJS::ExprStatementNode::execute (this=0x780e50,
exec=0x107ff594) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2718
#23 0xaa29d104 in KJS::BlockNode::execute (this=<value optimized out>,
exec=0x107ff594) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2653
#24 0xaa2c3024 in KJS::IfNode::execute (this=<value optimized out>,
exec=0x107ff594) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2754
#25 0xaa29d104 in KJS::BlockNode::execute (this=<value optimized out>,
exec=0x107ff594) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2653
#26 0xaa2beb6a in KJS::FunctionBodyNode::execute (this=0x1b4,
exec=0x107ff594) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:3612
#27 0xaa29ca6e in KJS::FunctionImp::execute (this=<value optimized
out>, exec=0x43394400) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/function.cpp:252
#28 0xaa2cf2fc in KJS::FunctionImp::callAsFunction (this=0x43395e80,
exec=0x107ff7ac, thisObj=<value optimized out>, args=@0x107ff644)
   at libs/WebKitLib/WebKit/JavaScriptCore/kjs/function.cpp:93
#29 0xaa2b33ce in KJS::JSObject::call (this=0x1bca, exec=0x107fee1c,
thisObj=0x42d60000, args=@0xaa38d888)
   at libs/WebKitLib/WebKit/JavaScriptCore/kjs/object.cpp:95
#30 0xaa2c8724 in KJS::FunctionCallResolveNode::evaluate
(this=0x780a80, exec=0x107ff7ac) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:767
#31 0xaa2c3086 in KJS::ExprStatementNode::execute (this=0x780a98,
exec=0x107ff7ac) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2718
#32 0xaa29d104 in KJS::BlockNode::execute (this=<value optimized out>,
exec=0x107ff7ac) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2653
#33 0xaa2beb6a in KJS::FunctionBodyNode::execute (this=0x1b4,
exec=0x107ff7ac) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:3612
#34 0xaa29ca6e in KJS::FunctionImp::execute (this=<value optimized
out>, exec=0x43394400) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/function.cpp:252
#35 0xaa2cf2fc in KJS::FunctionImp::callAsFunction (this=0x43395ec0,
exec=0x107ffa50, thisObj=<value optimized out>, args=@0x107ff85c)
   at libs/WebKitLib/WebKit/JavaScriptCore/kjs/function.cpp:93
#36 0xaa2b33ce in KJS::JSObject::call (this=0x1bca, exec=0x107fee1c,
thisObj=0x42d60000, args=@0xaa38d888)
   at libs/WebKitLib/WebKit/JavaScriptCore/kjs/object.cpp:95
#37 0xaa2c8724 in KJS::FunctionCallResolveNode::evaluate
(this=0x7d0cf8, exec=0x107ffa50) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:767
#38 0xaa2c3086 in KJS::ExprStatementNode::execute (this=0x7d0d10,
exec=0x107ffa50) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2718
#39 0xaa29d104 in KJS::BlockNode::execute (this=<value optimized out>,
exec=0x107ffa50) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2653
#40 0xaa2bedb0 in KJS::TryNode::execute (this=0x7d0ed8,
exec=0x107ffa50) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:3405
#41 0xaa29d104 in KJS::BlockNode::execute (this=<value optimized out>,
exec=0x107ffa50) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2653
#42 0xaa2beb6a in KJS::FunctionBodyNode::execute (this=0x107ffa50,
exec=0x107ffa50) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:3612
#43 0xaa2ce844 in KJS::Interpreter::evaluate (this=0x1d2ac0,
sourceURL=@0x0, startingLineNumber=<value optimized out>,
code=0xafe0e25c,
   codeLength=7978448, thisV=0xc0000000) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/interpreter.cpp:379
#44 0xaa04c0fa in WebCore::KJSProxy::evaluate (this=0x1c7068,
filename=<value optimized out>, baseLine=0, str=@0x107ffbe8)
   at libs/WebKitLib/WebKit/WebCore/bindings/js/kjs_proxy.cpp:87
#45 0xaa15004a in WebCore::FrameLoader::executeScript (this=0x188e68,
URL=@0x107ffbec, baseLine=0, script=@0x107ffbe8)
   at libs/WebKitLib/WebKit/WebCore/loader/FrameLoader.cpp:762
#46 0xaa12fb22 in WebCore::HTMLTokenizer::scriptExecution
(this=0x216c00, str=@0x107ffc50, state={static EntityShift = 4, m_bits
= 4194304},
   scriptURL=<value optimized out>, baseLine=0) at
libs/WebKitLib/WebKit/WebCore/html/HTMLTokenizer.cpp:552
#47 0xaa131040 in WebCore::HTMLTokenizer::notifyFinished
(this=0x216c00, res=<value optimized out>)
   at libs/WebKitLib/WebKit/WebCore/html/HTMLTokenizer.cpp:1784
#48 0xaa13a36a in WebCore::CachedScript::checkNotify (this=0x5fc080)
at libs/WebKitLib/WebKit/WebCore/loader/CachedScript.cpp:93
#49 0xaa13a4b0 in WebCore::CachedScript::data (this=0x5fc080,
data=<value optimized out>, allDataReceived=<value optimized out>)
   at libs/WebKitLib/WebKit/WebCore/loader/CachedScript.cpp:83
#50 0xaa16303a in WebCore::Loader::didFinishLoading (this=0x187704,
loader=0x415748) at
libs/WebKitLib/WebKit/WebCore/loader/loader.cpp:119
#51 0xaa157304 in WebCore::SubresourceLoader::didFinishLoading
(this=0x415748) at
libs/WebKitLib/WebKit/WebCore/loader/SubresourceLoader.cpp:193
#52 0xaa155ce2 in WebCore::ResourceLoader::didFinishLoading
(this=0x1bca) at
libs/WebKitLib/WebKit/WebCore/loader/ResourceLoader.cpp:361
#53 0xaa1ae024 in android_webcore_resourceloader_nativeFinished
(env=<value optimized out>, obj=<value optimized out>)
   at libs/WebKitLib/WebKit/WebCore/platform/android/jni/android_webcore_resource_loader.cpp:259
#54 0xad00a3e8 in invoke () at dalvik/vm/arch/arm/CallEABI.S:221
Comment 1 David Carson 2007-11-30 04:44:25 PST
Building with -O0, the problem does not exist.

A theory is it is caused by the new GC in collector.cpp. By switching back to the previous version of collector.cpp/h, it doesn't crash anymore.
Comment 2 Geoffrey Garen 2007-11-30 11:27:15 PST
Dave,

What previous version of collector.h/.cpp are you talking about? Do you have a specific revision at which this crash was introduced?
Comment 3 Grace Kloba 2007-11-30 13:51:53 PST
In JSValue *FunctionCallDotNode::evaluate(ExecState *exec), if I add gcProtect(baseVal) at the beginning and gcUnprotect(baseVal) at the end like the following, the problem goes away, as baseVal will not be GC'd before the return of the function.

  JSValue *baseVal = base->evaluate(exec);
  KJS_CHECKEXCEPTIONVALUE
  gcProtect(baseVal);

....

  gcUnprotect(baseVal);
  return func->call(exec, thisObj, argList);

This is similar to the bug http://bugs.webkit.org/show_bug.cgi?id=12535. But I don't think GC is triggered in toObject() as baseObj->getPropertySlot() is still ok. But right before func->call() is called, GC happens and baseObj is bad.

The crash is easy to reproduce with revision 27453. But I can't get it to happen with the July '07 code.
Comment 4 Alexey Proskuryakov 2009-08-21 15:03:22 PDT
Is this still an issue?
Comment 5 Grace Kloba 2009-08-21 18:03:34 PDT
Not sure. Feel free to close it.
Comment 6 Oliver Hunt 2010-03-04 01:57:21 PST
Closing as invalid as we don't really have a way to say "this crash is in code that hasn't existed in years".