Bug 18108 - REGRESSION (r29508): Various KJS functions segfault on GTK build
Summary: REGRESSION (r29508): Various KJS functions segfault on GTK build
Status: RESOLVED DUPLICATE of bug 18367
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK
Version: 528+ (Nightly build)
Hardware: PC Linux
Importance: P2 Normal
Assignee: Nobody
URL: http://code.google.com/
Keywords: Gtk, Regression
Duplicates: 17378 18185 18280
Depends on:
Blocks:
Reported: 2008-03-26 03:05 PDT by Jasper Bryant-Greene
Modified: 2008-04-13 18:48 PDT
Attachments
valgrind log (734.94 KB, text/plain)
2008-04-09 01:36 PDT, Luca Bruno

Description Jasper Bryant-Greene 2008-03-26 03:05:37 PDT
http://code.google.com/ is an example of a page which displays the KJS crashes.

I have seen the following three functions segfault on the above page using a current GTK release build:

KJS::stringProtoFuncReplace
KJS::stringProtoFuncIndexOf
KJS::regExpProtoFuncTest

None of these segfaults can be reproduced with a debug build.

I'd be keen to hear from others who can reproduce this bug on GTK. We've managed to reproduce it on two systems here using both Juniper and GtkLauncher.
Comment 1 Jasper Bryant-Greene 2008-03-26 03:07:03 PDT
We've now seen KJS::PropertyMap::insert segfault too. Are the KJS sources generated at all? Perhaps the GTK+ autotools build system is not generating them correctly?
Comment 2 Michael Fincham 2008-03-26 03:13:18 PDT
CCing myself on this one, mostly out of interest.
Comment 3 Jasper Bryant-Greene 2008-03-26 15:54:18 PDT
I think the compiler is inlining something into the offending functions, so we probably only have a problem in one place.

Valgrind reports:

==13224== Conditional jump or move depends on uninitialised value(s)
==13224==    at 0x618C7BC: KJS::Collector::markStackObjectsConservatively(void*, void*) (collector.cpp:501)
==13224==    by 0x618D219: KJS::Collector::markCurrentThreadConservatively() (collector.cpp:548)
==13224==    by 0x6196888: KJS::Collector::collect() (collector.cpp:936)
==13224==    by 0x61EC824: void* KJS::Collector::heapAllocate<(KJS::Collector::HeapType)0>(unsigned long) (collector.cpp:245)
==13224==    by 0x5E81ABA: WebCore::createAnchorWrapper(KJS::ExecState*, WTF::PassRefPtr<WebCore::HTMLElement>) (JSHTMLElementWrapperFactory.cpp:236)
==13224==    by 0x5E82712: WebCore::createJSHTMLWrapper(KJS::ExecState*, WTF::PassRefPtr<WebCore::HTMLElement>) (JSHTMLElementWrapperFactory.cpp:269)
==13224==    by 0x5E86B95: WebCore::toJS(KJS::ExecState*, WebCore::Node*) (JSNodeCustom.cpp:177)
==13224==    by 0x5E0FF66: WebCore::jsDocumentPrototypeFunctionCreateElement(KJS::ExecState*, KJS::JSObject*, KJS::List const&) (JSNode.h:72)
==13224==    by 0x61B4378: KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) (object.cpp:96)
==13224==    by 0x61C9A48: KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) (nodes.cpp:1500)
==13224==    by 0x61C98C3: KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) (nodes.cpp:1475)
==13224==    by 0x61BE2FD: KJS::ExprStatementNode::execute(KJS::ExecState*) (nodes.cpp:3999)

I don't even pretend to understand the JSCore code fully, but Collector::markCurrentThreadConservatively seems to call Collector::markStackObjectsConservatively with a pointer-to-an-uninitialized-pointer as the first argument...
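The memcheck report above follows a fixed line format, and the attached log runs to hundreds of kilobytes of such reports. The following Python script is an added triage example, not code from WebKit or from anyone on this bug: it parses memcheck output into individual reports and groups them by error kind and innermost frame, so that one root cause reported many times collapses to a single line, and it can pull out every report whose stack passes through a named function. The sample log it runs on is constructed for the example and modelled on the report quoted above; the `KJS::UString::operator+` frame, its addresses and its file:line values are placeholders, not values from the real log.

```python
"""Triage helper for Valgrind memcheck output (added example, not WebKit code)."""
import re
import sys
from collections import Counter, namedtuple

Frame = namedtuple("Frame", "func location")
Report = namedtuple("Report", "kind frames notes")

# Every line memcheck writes carries a "==PID==" prefix.
PID_PREFIX = re.compile(r"^==\d+==\s?(?P<body>.*)$")
# A stack frame: "at 0x618C7BC: KJS::Collector::collect() (collector.cpp:936)"
# or "by 0x...: ??? (in /usr/lib/libglib-2.0.so.0)" when no symbol is known.
FRAME = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (?P<func>.+?) \((?P<loc>[^)]*)\)$")
# Lines memcheck appends to an existing report rather than starting a new one.
NOTE_PREFIXES = ("Address 0x", "Uninitialised value was created")

# Constructed sample log modelled on the report quoted in this bug. The
# UString/stringProtoFuncReplace frames, addresses and line numbers are
# placeholders, not taken from the attached log.
SAMPLE_LOG = """\
GtkLauncher: loading http://example.invalid/
==13224== Conditional jump or move depends on uninitialised value(s)
==13224==    at 0x618C7BC: KJS::Collector::markStackObjectsConservatively(void*, void*) (collector.cpp:501)
==13224==    by 0x618D219: KJS::Collector::markCurrentThreadConservatively() (collector.cpp:548)
==13224==    by 0x6196888: KJS::Collector::collect() (collector.cpp:936)
==13224==    by 0x61EC824: void* KJS::Collector::heapAllocate<(KJS::Collector::HeapType)0>(unsigned long) (collector.cpp:245)
==13224==
==13224== Invalid read of size 4
==13224==    at 0x1000001: KJS::UString::operator+(KJS::UString const&) (ustring.cpp:1)
==13224==    by 0x1000002: KJS::stringProtoFuncReplace(KJS::ExecState*, KJS::JSObject*, KJS::List const&) (string_object.cpp:1)
==13224==    by 0x1000003: ??? (in /usr/lib/libglib-2.0.so.0)
==13224==  Address 0x2000000 is 0 bytes after a block of size 16 alloc'd
==13224==    at 0x1000004: malloc (vg_replace_malloc.c:1)
==13224==
==13224== Conditional jump or move depends on uninitialised value(s)
==13224==    at 0x618C7BC: KJS::Collector::markStackObjectsConservatively(void*, void*) (collector.cpp:501)
==13224==    by 0x618D219: KJS::Collector::markCurrentThreadConservatively() (collector.cpp:548)
"""


def parse_memcheck(text):
    """Split memcheck output into Report objects; non-memcheck lines are skipped."""
    reports = []
    current = None
    for raw in text.splitlines():
        m = PID_PREFIX.match(raw)
        if not m:
            continue  # the program's own stdout/stderr, not a memcheck line
        body = m.group("body").strip()
        if not body:
            current = None  # an empty "==PID==" line terminates a report
            continue
        frame = FRAME.match(body)
        if frame and current is not None:
            # Frames of a secondary stack (e.g. the allocation site after an
            # "Address ..." note) are appended too; index 0 stays the innermost
            # frame of the primary stack, which is what the grouping uses.
            current.frames.append(Frame(frame.group("func"), frame.group("loc")))
        elif body.startswith(NOTE_PREFIXES) and current is not None:
            current.notes.append(body)
        elif not frame:
            current = Report(body, [], [])
            reports.append(current)
    return reports


def innermost(report):
    """Innermost function of the report's primary stack, or a placeholder."""
    return report.frames[0].func if report.frames else "<no stack>"


def group_by_cause(reports):
    """Count reports by (error kind, innermost function)."""
    return Counter((r.kind, innermost(r)) for r in reports)


def reports_in_frame(reports, needle):
    """Reports whose stack passes through a function whose name contains needle."""
    return [r for r in reports if any(needle in f.func for f in r.frames)]


if __name__ == "__main__":
    # Usage: python3 triage.py [valgrind.log]; falls back to the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for (kind, func), n in group_by_cause(parse_memcheck(text)).most_common():
        print(f"{n:4d}  {kind}  <-  {func}")
```

The grouping key deliberately uses the innermost frame rather than the whole stack, because the same uninitialised read in `markStackObjectsConservatively` is reached from many different JavaScript call paths and would otherwise produce one group per path. Newer Valgrind releases also accept `--track-origins=yes`, which adds an "Uninitialised value was created" note to each such report; the parser keeps those notes so the allocation that produced the value can be read off directly.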
Comment 4 Jasper Bryant-Greene 2008-03-26 15:59:43 PDT
GDB backtrace for completeness:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fabce7e87c0 (LWP 13758)]
0x00007fabcd3cb715 in KJS::stringProtoFuncMatch (exec=0x7fffd681b320, thisObj=0x7fabc16e0000, args=@0x7fffd681b0b0) at JavaScriptCore/kjs/object.h:510
510	    for (const ClassInfo *ci = classInfo(); ci; ci = ci->parentClass)
Current language:  auto; currently c++
(gdb) bt
#0  0x00007fabcd3cb715 in KJS::stringProtoFuncMatch (exec=0x7fffd681b320, thisObj=0x7fabc16e0000, args=@0x7fffd681b0b0) at JavaScriptCore/kjs/object.h:510
#1  0x00007fabcd3ce379 in KJS::JSObject::call (this=0x7fabc16e0000, exec=0x7fffd681b320, thisObj=0x7fffd681b0b0, args=@0x7fffd681b0b0) at JavaScriptCore/kjs/object.cpp:96
#2  0x00007fabcd3e3a49 in KJS::FunctionCallDotNode::evaluate (this=0x7fabc1b6b640, exec=0x7fffd681b320) at JavaScriptCore/kjs/nodes.cpp:1500
#3  0x00007fabcd3de0ee in KJS::ArgumentListNode::evaluateList (this=0x7fabc1b6c3a0, exec=0x7fffd681b320, list=@0x7fffd681b1c0) at JavaScriptCore/kjs/nodes.cpp:1011
#4  0x00007fabcd3e26ec in KJS::ScopedVarFunctionCallNode::evaluate (this=0x7fabc1d1ddb0, exec=0x7fffd681b320) at JavaScriptCore/kjs/nodes.h:695
#5  0x00007fabcd3d82fe in KJS::ExprStatementNode::execute (this=0x7fabc1b6b5f0, exec=0x7fabc16e0000) at JavaScriptCore/kjs/nodes.cpp:3999
#6  0x00007fabcd3a370a in KJS::BlockNode::execute (this=0x7fabc1d1e310, exec=0x7fffd681b320) at JavaScriptCore/kjs/nodes.cpp:3952
#7  0x00007fabcd3d7ec9 in KJS::ForNode::execute (this=0x7fabc2438a20, exec=0x7fffd681b320) at JavaScriptCore/kjs/nodes.cpp:4165
#8  0x00007fabcd3a370a in KJS::BlockNode::execute (this=0x7fabc1b646c0, exec=0x7fffd681b320) at JavaScriptCore/kjs/nodes.cpp:3952
#9  0x00007fabcd3f733f in KJS::FunctionImp::callAsFunction (this=0x7fabce632b00, exec=0x7fffd681b6a0, thisObj=<value optimized out>, args=<value optimized out>) at JavaScriptCore/kjs/function.cpp:77
#10 0x00007fabcd3ce379 in KJS::JSObject::call (this=0x7fabc16e0000, exec=0x7fffd681b320, thisObj=0x7fffd681b0b0, args=@0x7fffd681b0b0) at JavaScriptCore/kjs/object.cpp:96
#11 0x00007fabcd3ff55c in KJS::FunctionCallBracketNode::evaluate (this=0x7fabc1a43be0, exec=0x7fffd681b6a0) at JavaScriptCore/kjs/nodes.cpp:1451
#12 0x00007fabcd3db10e in KJS::AssignLocalVarNode::evaluate (this=0x7fabc1a43bb8, exec=0x7fabc16e0000) at JavaScriptCore/kjs/nodes.cpp:3559
#13 0x00007fabcd3d829e in KJS::VarStatementNode::execute (this=0x7fabc1a43b90, exec=0x7fabc16e0000) at JavaScriptCore/kjs/nodes.cpp:4015
#14 0x00007fabcd3a370a in KJS::BlockNode::execute (this=0x7fabc1a042d8, exec=0x7fffd681b6a0) at JavaScriptCore/kjs/nodes.cpp:3952
#15 0x00007fabcd3b85c8 in KJS::TryNode::execute (this=0x7fabc1a47400, exec=0x7fabc16e0000) at JavaScriptCore/kjs/nodes.cpp:4572
#16 0x00007fabcd3a370a in KJS::BlockNode::execute (this=0x7fabc1a041f8, exec=0x7fffd681b6a0) at JavaScriptCore/kjs/nodes.cpp:3952
#17 0x00007fabcd3a370a in KJS::BlockNode::execute (this=0x7fabc1a4bd80, exec=0x7fffd681b6a0) at JavaScriptCore/kjs/nodes.cpp:3952
#18 0x00007fabcd3f733f in KJS::FunctionImp::callAsFunction (this=0x7fabce631c80, exec=0x7fabc24c1c38, thisObj=<value optimized out>, args=<value optimized out>) at JavaScriptCore/kjs/function.cpp:77
#19 0x00007fabcd3ce379 in KJS::JSObject::call (this=0x7fabc16e0000, exec=0x7fffd681b320, thisObj=0x7fffd681b0b0, args=@0x7fffd681b0b0) at JavaScriptCore/kjs/object.cpp:96
#20 0x00007fabcd0a9af9 in WebCore::ScheduledAction::execute (this=0x7fabc19d6320, window=0x7fabce630000) at WebCore/bindings/js/ScheduledAction.cpp:75
#21 0x00007fabcd092aa1 in WebCore::JSDOMWindowBase::timerFired (this=0x7fabce630000, timer=0x7fabc1b16ce8) at WebCore/bindings/js/JSDOMWindowBase.cpp:1398
#22 0x00007fabcd092b9c in WebCore::DOMWindowTimer::fired (this=0x7fabc16e0000) at WebCore/bindings/js/JSDOMWindowBase.cpp:1434
#23 0x00007fabcd2b5ca3 in WebCore::TimerBase::fireTimers (fireTime=1206572345.092078, firingTimers=@0x7fffd681ba00) at WebCore/platform/Timer.cpp:347
#24 0x00007fabcd2b5d5b in WebCore::TimerBase::sharedTimerFired () at WebCore/platform/Timer.cpp:368
#25 0x00007fabccfebb62 in timeout_cb () at WebCore/platform/gtk/SharedTimerGtk.cpp:48
#26 0x00007fabcafc594b in ?? () from /usr/lib/libglib-2.0.so.0
#27 0x00007fabcafc5222 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#28 0x00007fabcafc84d6 in ?? () from /usr/lib/libglib-2.0.so.0
#29 0x00007fabcafc8797 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#30 0x00007fabcc9ecee3 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#31 0x0000000000404416 in main ()
Comment 5 kappasolaris 2008-03-27 02:47:57 PDT
(11:46:42) jasperbg: physrules: would you mind indicating on http://bugs.webkit.org/show_bug.cgi?id=18108 that the issue does not occur on your compiler?

Doesn't crash for me on OpenSolaris b85, compiler: Sun Studio 12 (latest patches)
Comment 6 Luca Bruno 2008-04-04 12:48:18 PDT
I have gcc 4.1.2/amd64 and it crashed. Another guy using 4.0/x86 crashed too. People using 4.2 don't experience the crash. Would this mean it's a gcc < 4.2 bug, maybe?
Comment 7 Kazuo Teramoto 2008-04-06 13:37:16 PDT
I got a segfault in KJS too, on x86_64 with gcc 4.3, using today's snapshot from git; my bt:

#0  0x00002b2cf65c8af4 in KJS::JSGlobalObject::getOwnPropertySlot () from /usr/lib/libwebkit-1.0.so.1
#1  0x00002b2cf622c02d in WebCore::JSDOMWindow::customGetOwnPropertySlot () from /usr/lib/libwebkit-1.0.so.1
#2  0x00002b2cf61ba8a9 in WebCore::JSDOMWindow::getOwnPropertySlot () from /usr/lib/libwebkit-1.0.so.1
#3  0x00002b2cf6579772 in KJS::ResolveNode::evaluate () from /usr/lib/libwebkit-1.0.so.1
#4  0x00002b2cf6594a38 in KJS::AssignDotNode::evaluate () from /usr/lib/libwebkit-1.0.so.1
#5  0x00002b2cf658b96e in KJS::ExprStatementNode::execute () from /usr/lib/libwebkit-1.0.so.1
#6  0x00002b2cf654c80d in KJS::BlockNode::execute () from /usr/lib/libwebkit-1.0.so.1
#7  0x00002b2cf65a74ba in KJS::ProgramNode::execute () from /usr/lib/libwebkit-1.0.so.1
#8  0x00002b2cf65a18f9 in KJS::Interpreter::evaluate () from /usr/lib/libwebkit-1.0.so.1
#9  0x00002b2cf6241491 in WebCore::KJSProxy::evaluate () from /usr/lib/libwebkit-1.0.so.1
#10 0x00002b2cf63d4388 in WebCore::FrameLoader::executeScript () from /usr/lib/libwebkit-1.0.so.1
#11 0x00002b2cf639fc15 in WebCore::HTMLTokenizer::scriptExecution () from /usr/lib/libwebkit-1.0.so.1
#12 0x00002b2cf63a2f69 in WebCore::HTMLTokenizer::scriptHandler () from /usr/lib/libwebkit-1.0.so.1
#13 0x00002b2cf63a3668 in WebCore::HTMLTokenizer::parseSpecial () from /usr/lib/libwebkit-1.0.so.1
#14 0x00002b2cf63a5370 in WebCore::HTMLTokenizer::parseTag () from /usr/lib/libwebkit-1.0.so.1
#15 0x00002b2cf63a5c07 in WebCore::HTMLTokenizer::write () from /usr/lib/libwebkit-1.0.so.1
#16 0x00002b2cf63c77e8 in WebCore::FrameLoader::write () from /usr/lib/libwebkit-1.0.so.1
#17 0x00002b2cf63bb689 in WebCore::DocumentLoader::commitLoad () from /usr/lib/libwebkit-1.0.so.1
#18 0x00002b2cf63ee2c3 in WebCore::ResourceLoader::didReceiveData () from /usr/lib/libwebkit-1.0.so.1
#19 0x00002b2cf63e6406 in WebCore::MainResourceLoader::didReceiveData () from /usr/lib/libwebkit-1.0.so.1
#20 0x00002b2cf650cbf3 in WebCore::writeCallback () from /usr/lib/libwebkit-1.0.so.1
#21 0x00002b2cf91e5e62 in Curl_client_write () from /usr/lib/libcurl.so.4
#22 0x00002b2cf92002b8 in inflate_stream () from /usr/lib/libcurl.so.4
#23 0x00002b2cf9200592 in Curl_unencode_gzip_write () from /usr/lib/libcurl.so.4
#24 0x00002b2cf91fab4c in Curl_readwrite () from /usr/lib/libcurl.so.4
#25 0x00002b2cf91fe4fc in multi_runsingle () from /usr/lib/libcurl.so.4
#26 0x00002b2cf91fed8b in curl_multi_perform () from /usr/lib/libcurl.so.4
#27 0x00002b2cf650f65c in WebCore::ResourceHandleManager::downloadTimerCallback () from /usr/lib/libwebkit-1.0.so.1
#28 0x00002b2cf64608f3 in WebCore::TimerBase::fireTimers () from /usr/lib/libwebkit-1.0.so.1
#29 0x00002b2cf64609ae in WebCore::TimerBase::sharedTimerFired () from /usr/lib/libwebkit-1.0.so.1
#30 0x00002b2cf6180922 in WebCore::timeout_cb () from /usr/lib/libwebkit-1.0.so.1
#31 0x00002b2cf833b6da in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#32 0x00002b2cf833edd0 in g_main_context_iterate () from /usr/lib/libglib-2.0.so.0
#33 0x00002b2cf833f29d in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#34 0x00002b2cf6aaf447 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#35 0x0000000000402160 in main ()
Comment 8 Luca Bruno 2008-04-07 05:12:15 PDT
It seems to me that every crash belongs to UString usage (operator+, copying, etc.). The crash that shows this on top is the first one here: http://bugs.webkit.org/show_bug.cgi?id=18280
I'd ask anyone to duplicate these 2 bugs.
Comment 9 Luca Bruno 2008-04-08 02:48:57 PDT
*** Bug 17378 has been marked as a duplicate of this bug. ***
Comment 10 Luca Bruno 2008-04-08 02:50:06 PDT
*** Bug 18185 has been marked as a duplicate of this bug. ***
Comment 11 Luca Bruno 2008-04-08 02:50:35 PDT
*** Bug 18280 has been marked as a duplicate of this bug. ***
Comment 12 Luca Bruno 2008-04-08 05:07:12 PDT
Ok, I found it with git bisect.

svn r29508
commit 5902380fbd1bfcd1c88459ca1714020c478009ea

It has been a very long time, but no one really cared about the crash.
Comment 13 Luca Bruno 2008-04-09 01:36:14 PDT
Created attachment 20423 [details]
valgrind log

I'm currently working on that commit and ran valgrind:

LD_LIBRARY_PATH=WebKitBuild/Release/lib/ G_SLICE=always-malloc G_DEBUG=gc-friendly valgrind --tool=memcheck --leak-check=full --leak-resolution=high --num-callers=20 WebKitBuild/Release/WebKitTools/GtkLauncher/GtkLauncher http://acid3.acidtests.org

Notice that when using valgrind I don't experience the crash.
Comment 14 Mike Hommey 2008-04-10 13:09:48 PDT
Take a look at bug 18367, especially https://bugs.webkit.org/show_bug.cgi?id=18367#c12

It looks like it has the same root cause, and a possible fix.
Comment 15 Mark Rowe (bdash) 2008-04-10 21:00:41 PDT
I'm pretty sure this is the same underlying issue as bug 18367.
Comment 16 Jan Alonzo 2008-04-13 18:48:16 PDT
Marking bug as duplicate of http://bugs.webkit.org/show_bug.cgi?id=18367.

Please reopen if this still happens or if you think it's not related to 18367. Thanks.

*** This bug has been marked as a duplicate of 18367 ***