Bug 18366 - Crash during sunspider 3d-raytracing test
Summary: Crash during sunspider 3d-raytracing test
Status: RESOLVED DUPLICATE of bug 18367
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK
Version: 528+ (Nightly build)
Hardware: PC Linux
Importance: P2 Major
Assignee: Nobody
Reported: 2008-04-08 12:33 PDT by Mike Hommey
Modified: 2008-04-10 13:07 PDT
Description Mike Hommey 2008-04-08 12:33:43 PDT
I spotted a crash during sunspider 3d-raytracing test on amd64 (not tested anywhere else), confirmed on r31722.

I bisected and found this crash has been happening first with r30492, and confirmed that reverting this commit on top of r31722 solves the issue (to reveal another one, but that's another story).

The full backtrace is as follows (unfortunately, for some reason I don't understand, building with -g ends up creating a binary that doesn't crash):
0x00002b08b977bea5 in waitpid () from /lib/libpthread.so.0
#0  0x00002b08b977bea5 in waitpid () from /lib/libpthread.so.0
#1  0x00002b08ba53a4f6 in g_spawn_sync () from /usr/lib/libglib-2.0.so.0
#2  0x00002b08ba53a808 in g_spawn_command_line_sync () from /usr/lib/libglib-2.0.so.0
#3  0x00002b08c37b64b3 in ?? () from /usr/lib/gtk-2.0/modules/libgnomebreakpad.so
#4  <signal handler called>
#5  0x00002b08b9391a3e in KJS::ElementNode::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#6  0x00002b08b9391ab0 in KJS::ArrayNode::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#7  0x00002b08b938929d in KJS::ReturnNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#8  0x00002b08b935846a in KJS::BlockNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#9  0x00002b08b93ab94f in KJS::FunctionImp::callAsFunction () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#10 0x00002b08b9381e49 in KJS::JSObject::call () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#11 0x00002b08b9394910 in KJS::ScopedVarFunctionCallNode::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#12 0x00002b08b939051e in KJS::ArgumentListNode::evaluateList () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#13 0x00002b08b93948f2 in KJS::ScopedVarFunctionCallNode::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#14 0x00002b08b938ce2e in KJS::AssignLocalVarNode::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#15 0x00002b08b9389d8e in KJS::VarStatementNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#16 0x00002b08b935846a in KJS::BlockNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#17 0x00002b08b93ab94f in KJS::FunctionImp::callAsFunction () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#18 0x00002b08b9381e49 in KJS::JSObject::call () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#19 0x00002b08b9395ae3 in KJS::FunctionCallDotNode::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#20 0x00002b08b938ce2e in KJS::AssignLocalVarNode::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#21 0x00002b08b9389d8e in KJS::VarStatementNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#22 0x00002b08b935846a in KJS::BlockNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#23 0x00002b08b93899b9 in KJS::ForNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#24 0x00002b08b935846a in KJS::BlockNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#25 0x00002b08b93899b9 in KJS::ForNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#26 0x00002b08b935846a in KJS::BlockNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#27 0x00002b08b93ab94f in KJS::FunctionImp::callAsFunction () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#28 0x00002b08b9381e49 in KJS::JSObject::call () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#29 0x00002b08b9394910 in KJS::ScopedVarFunctionCallNode::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#30 0x00002b08b9389dee in KJS::ExprStatementNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#31 0x00002b08b935846a in KJS::BlockNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#32 0x00002b08b93ab94f in KJS::FunctionImp::callAsFunction () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#33 0x00002b08b9381e49 in KJS::JSObject::call () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#34 0x00002b08b9395ae3 in KJS::FunctionCallDotNode::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#35 0x00002b08b9389dee in KJS::ExprStatementNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#36 0x00002b08b935846a in KJS::BlockNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#37 0x00002b08b93ab94f in KJS::FunctionImp::callAsFunction () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#38 0x00002b08b9381e49 in KJS::JSObject::call () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#39 0x00002b08b93951ea in KJS::LocalVarFunctionCallNode::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#40 0x00002b08b939051e in KJS::ArgumentListNode::evaluateList () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#41 0x00002b08b93951cc in KJS::LocalVarFunctionCallNode::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#42 0x00002b08b938bcc3 in KJS::AssignResolveNode::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#43 0x00002b08b9389dee in KJS::ExprStatementNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#44 0x00002b08b935846a in KJS::BlockNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#45 0x00002b08b93ab2c0 in KJS::ProgramNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#46 0x00002b08b93ac9c3 in KJS::Interpreter::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#47 0x00002b08b904f7b3 in WebCore::KJSProxy::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#48 0x00002b08b91de8f1 in WebCore::FrameLoader::executeScript () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#49 0x00002b08b91a75c9 in WebCore::HTMLTokenizer::scriptExecution () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#50 0x00002b08b91a8685 in WebCore::HTMLTokenizer::scriptHandler () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#51 0x00002b08b91a94e2 in WebCore::HTMLTokenizer::parseSpecial () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#52 0x00002b08b91ac09c in WebCore::HTMLTokenizer::write () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#53 0x00002b08b91ccb17 in WebCore::FrameLoader::write () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#54 0x00002b08b91bef59 in WebCore::DocumentLoader::commitLoad () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#55 0x00002b08b91f4313 in WebCore::ResourceLoader::didReceiveData () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#56 0x00002b08b91ef256 in WebCore::MainResourceLoader::didReceiveData () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#57 0x00002b08b930e477 in WebCore::writeCallback () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#58 0x00002b08bc81d6a8 in ?? () from /usr/lib/libcurl-gnutls.so.4
#59 0x00002b08bc832b5e in ?? () from /usr/lib/libcurl-gnutls.so.4
#60 0x00002b08bc82f71d in ?? () from /usr/lib/libcurl-gnutls.so.4
#61 0x00002b08bc834b1c in ?? () from /usr/lib/libcurl-gnutls.so.4
#62 0x00002b08bc83548b in curl_multi_perform () from /usr/lib/libcurl-gnutls.so.4
#63 0x00002b08b930fea0 in WebCore::ResourceHandleManager::downloadTimerCallback () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#64 0x00002b08b926a493 in WebCore::TimerBase::fireTimers () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#65 0x00002b08b926a54b in WebCore::TimerBase::sharedTimerFired () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#66 0x00002b08b8f8eba2 in WebCore::timeout_cb () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#67 0x00002b08ba5070b2 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#68 0x00002b08ba50a356 in ?? () from /usr/lib/libglib-2.0.so.0
#69 0x00002b08ba50a617 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#70 0x00002b08b9e17b63 in IA__gtk_main () at /build/buildd/gtk+2.0-2.12.9/gtk/gtkmain.c:1163
#71 0x0000000000401eab in main ()
Comment 1 Mike Hommey 2008-04-08 13:09:01 PDT
FWIW, building without -O2 leads to a webkit that doesn't crash.
Comment 2 Mike Hommey 2008-04-08 13:52:04 PDT
Interestingly, http://webkit.org/perf/sunspider-0.9/3d-raytrace.html alone doesn't crash, and gtklauncher outputs:
console message: http://webkit.org/perf/sunspider-0.9/sunspider-record-result.js @29: TypeError: Value undefined (result of expression parent.recordResult) is not object.

Anyways, starting with http://webkit.org/perf/sunspider-0.9/sunspider-driver.html, it does crash with the following (now useful) backtrace:
Thread 1 (Thread 0x2b5186b1dec0 (LWP 31811)):
#0  0x00002b517d45cea5 in waitpid () from /lib/libpthread.so.0
No symbol table info available.
#1  0x00002b517e21b4f6 in g_spawn_sync () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#2  0x00002b517e21b808 in g_spawn_command_line_sync () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#3  0x00002b51874974b3 in ?? () from /usr/lib/gtk-2.0/modules/libgnomebreakpad.so
No symbol table info available.
#4  <signal handler called>
No symbol table info available.
#5  0x00002b517d072a3e in KJS::ElementNode::evaluate (this=0x2b5188b25618, exec=0x7fff2e1c6560) at JavaScriptCore/kjs/nodes.cpp:792
	val = (class KJS::JSValue *) 0x2b5188a2ee60
	n = (class KJS::ElementNode *) 0x2b5188b25618
	array = (class KJS::JSObject *) 0x2b5188a19d00
	length = 0
#6  0x00002b517d072ab0 in KJS::ArrayNode::evaluate (this=0x2b5188b5aac0, exec=0x7fff2e1c6560) at JavaScriptCore/kjs/nodes.cpp:812
	array = <value optimized out>
	length = <value optimized out>
#7  0x00002b517d06a29d in KJS::ReturnNode::execute (this=0x2b5188b25780, exec=0x7fff2e1c6560) at JavaScriptCore/kjs/nodes.cpp:4359
	v = <value optimized out>
#8  0x00002b517d03946a in KJS::BlockNode::execute (this=0x2b5188b44d80, exec=0x7fff2e1c6560) at JavaScriptCore/kjs/nodes.cpp:3951
No locals.
#9  0x00002b517d08c94f in KJS::FunctionImp::callAsFunction (this=0x2b5188a1e480, exec=0x7fff2e1c6a30, thisObj=<value optimized out>, args=<value optimized out>)
    at JavaScriptCore/kjs/function.cpp:77
	newExec = {<KJS::ExecState> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_globalObject = 0x2b5188a127c0, m_exception = 0x0, 
    m_propertyNames = 0x2b5187d7edc0, m_emptyList = 0x2b517d43cbe0, m_callingExec = 0x7fff2e1c6a30, m_scopeNode = 0x2b5188b44d80, m_function = 0x2b5188a1e480, 
    m_arguments = 0x7fff2e1c6660, m_activation = 0x2b5187d314e8, m_localStorage = 0x2b5187d31518, m_scopeChain = {_node = 0x7fff2e1c65b8}, m_inlineScopeChainNode = {
      next = 0x2b5187db2e58, object = 0x2b5187d314e8, refCount = 2}, m_variableObject = 0x2b5187d314e8, m_thisValue = 0x2b5188a127c0, 
    m_labelStack = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, tos = 0x0}, m_iterationDepth = 0, m_switchDepth = 0, m_codeType = KJS::FunctionCode, 
    m_completionType = 32767, m_breakOrContinueTarget = 0x7fff2e1c6660}, <No data fields>}
	result = <value optimized out>
#10 0x00002b517d062e49 in KJS::JSObject::call (this=0x2b5188a19d00, exec=0x0, thisObj=0x0, args=@0x2b5188a2ee60) at JavaScriptCore/kjs/object.cpp:96
	ret = (class KJS::JSValue *) 0x0
	depth = 4
#11 0x00002b517d075910 in KJS::ScopedVarFunctionCallNode::evaluate (this=0x2b5187df2f60, exec=0x7fff2e1c6a30) at JavaScriptCore/kjs/nodes.cpp:1322
No locals.
#12 0x00002b517d07151e in KJS::ArgumentListNode::evaluateList (this=0x2b5188b24d40, exec=0x7fff2e1c6a30, list=@0x7fff2e1c6750) at JavaScriptCore/kjs/nodes.cpp:1011
	n = (class KJS::ArgumentListNode *) 0x2b5188b24f80
#13 0x00002b517d0758f2 in KJS::ScopedVarFunctionCallNode::evaluate (this=0x2b5187df2f90, exec=0x7fff2e1c6a30) at JavaScriptCore/kjs/nodes.h:695
No locals.
#14 0x00002b517d07151e in KJS::ArgumentListNode::evaluateList (this=0x2b5188b24620, exec=0x7fff2e1c6a30, list=@0x7fff2e1c6840) at JavaScriptCore/kjs/nodes.cpp:1011
	n = (class KJS::ArgumentListNode *) 0x2b5188b24620
#15 0x00002b517d0758f2 in KJS::ScopedVarFunctionCallNode::evaluate (this=0x2b5187df2fc0, exec=0x7fff2e1c6a30) at JavaScriptCore/kjs/nodes.h:695
No locals.
#16 0x00002b517d06de2e in KJS::AssignLocalVarNode::evaluate (this=0x2b5188b4a1e0, exec=0x7fff2e1c6560) at JavaScriptCore/kjs/nodes.cpp:3559
	v = <value optimized out>
#17 0x00002b517d06ad8e in KJS::VarStatementNode::execute (this=0x2b5188b4a208, exec=0x7fff2e1c6560) at JavaScriptCore/kjs/nodes.cpp:4014
No locals.
#18 0x00002b517d03946a in KJS::BlockNode::execute (this=0x2b5188b927a8, exec=0x7fff2e1c6a30) at JavaScriptCore/kjs/nodes.cpp:3951
No locals.
#19 0x00002b517d06a9b9 in KJS::ForNode::execute (this=0x2b5187cfdca8, exec=0x7fff2e1c6a30) at JavaScriptCore/kjs/nodes.cpp:4164
	b = <value optimized out>
	statementValue = (class KJS::JSValue *) 0x2b5188a19e00
	value = (class KJS::JSValue *) 0x2b5188a19e00
#20 0x00002b517d03946a in KJS::BlockNode::execute (this=0x2b5188b92770, exec=0x7fff2e1c6a30) at JavaScriptCore/kjs/nodes.cpp:3951
No locals.
#21 0x00002b517d06a9b9 in KJS::ForNode::execute (this=0x2b5187cfd240, exec=0x7fff2e1c6a30) at JavaScriptCore/kjs/nodes.cpp:4164
	b = <value optimized out>
	statementValue = (class KJS::JSValue *) 0x7fff2e1c6a30
	value = (class KJS::JSValue *) 0x0
#22 0x00002b517d03946a in KJS::BlockNode::execute (this=0x2b5188ba7480, exec=0x7fff2e1c6a30) at JavaScriptCore/kjs/nodes.cpp:3951
No locals.
#23 0x00002b517d08c94f in KJS::FunctionImp::callAsFunction (this=0x2b5188a1e080, exec=0x7fff2e1c6c40, thisObj=<value optimized out>, args=<value optimized out>)
    at JavaScriptCore/kjs/function.cpp:77
	newExec = {<KJS::ExecState> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_globalObject = 0x2b5188a127c0, m_exception = 0x0, 
    m_propertyNames = 0x2b5187d7edc0, m_emptyList = 0x2b517d43cbe0, m_callingExec = 0x7fff2e1c6c40, m_scopeNode = 0x2b5188ba7480, m_function = 0x2b5188a1e080, 
    m_arguments = 0x7fff2e1c6b30, m_activation = 0x2b5187d31278, m_localStorage = 0x2b5187d312a8, m_scopeChain = {_node = 0x7fff2e1c6a88}, m_inlineScopeChainNode = {
      next = 0x2b5187db2e58, object = 0x2b5187d31278, refCount = 2}, m_variableObject = 0x2b5187d31278, m_thisValue = 0x2b5188a127c0, 
    m_labelStack = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, tos = 0x0}, m_iterationDepth = 2, m_switchDepth = 0, m_codeType = KJS::FunctionCode, 
    m_completionType = KJS::Normal, m_breakOrContinueTarget = 0x2b517d08bc22}, <No data fields>}
	result = <value optimized out>
#24 0x00002b517d062e49 in KJS::JSObject::call (this=0x2b5188a19d00, exec=0x0, thisObj=0x0, args=@0x2b5188a2ee60) at JavaScriptCore/kjs/object.cpp:96
	ret = (class KJS::JSValue *) 0x0
	depth = 4
#25 0x00002b517d075910 in KJS::ScopedVarFunctionCallNode::evaluate (this=0x2b5187df2600, exec=0x7fff2e1c6c40) at JavaScriptCore/kjs/nodes.cpp:1322
No locals.
#26 0x00002b517d06adee in KJS::ExprStatementNode::execute (this=0x2b5188b46cd0, exec=0x7fff2e1c6560) at JavaScriptCore/kjs/nodes.cpp:3998
	value = (class KJS::JSValue *) 0x0
#27 0x00002b517d03946a in KJS::BlockNode::execute (this=0x2b5188ba7240, exec=0x7fff2e1c6c40) at JavaScriptCore/kjs/nodes.cpp:3951
No locals.
#28 0x00002b517d08c94f in KJS::FunctionImp::callAsFunction (this=0x2b5188a1da00, exec=0x7fff2e1c6e90, thisObj=<value optimized out>, args=<value optimized out>)
    at JavaScriptCore/kjs/function.cpp:77
	newExec = {<KJS::ExecState> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_globalObject = 0x2b5188a127c0, m_exception = 0x0, 
    m_propertyNames = 0x2b5187d7edc0, m_emptyList = 0x2b517d43cbe0, m_callingExec = 0x7fff2e1c6e90, m_scopeNode = 0x2b5188ba7240, m_function = 0x2b5188a1da00, 
    m_arguments = 0x7fff2e1c6d50, m_activation = 0x2b5187d31008, m_localStorage = 0x2b5187d31038, m_scopeChain = {_node = 0x7fff2e1c6c98}, m_inlineScopeChainNode = {
      next = 0x2b5187db2e58, object = 0x2b5187d31008, refCount = 2}, m_variableObject = 0x2b5187d31008, m_thisValue = 0x2b5188a13540, 
    m_labelStack = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, tos = 0x0}, m_iterationDepth = 0, m_switchDepth = 0, m_codeType = KJS::FunctionCode, 
    m_completionType = KJS::Normal, m_breakOrContinueTarget = 0x2b5188a13540}, <No data fields>}
	result = <value optimized out>
#29 0x00002b517d062e49 in KJS::JSObject::call (this=0x2b5188a19d00, exec=0x0, thisObj=0x0, args=@0x2b5188a2ee60) at JavaScriptCore/kjs/object.cpp:96
	ret = (class KJS::JSValue *) 0x0
	depth = 4
#30 0x00002b517d076ae3 in KJS::FunctionCallDotNode::evaluate (this=0x2b5188beb140, exec=0x7fff2e1c6e90) at JavaScriptCore/kjs/nodes.cpp:1500
No locals.
#31 0x00002b517d06adee in KJS::ExprStatementNode::execute (this=0x2b5188beb118, exec=0x7fff2e1c6560) at JavaScriptCore/kjs/nodes.cpp:3998
	value = (class KJS::JSValue *) 0x0
#32 0x00002b517d03946a in KJS::BlockNode::execute (this=0x2b5188bedd80, exec=0x7fff2e1c6e90) at JavaScriptCore/kjs/nodes.cpp:3951
No locals.
#33 0x00002b517d08c94f in KJS::FunctionImp::callAsFunction (this=0x2b5188a1e000, exec=0x7fff2e1c72d0, thisObj=<value optimized out>, args=<value optimized out>)
    at JavaScriptCore/kjs/function.cpp:77
	newExec = {<KJS::ExecState> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_globalObject = 0x2b5188a127c0, m_exception = 0x0, 
    m_propertyNames = 0x2b5187d7edc0, m_emptyList = 0x2b517d43cbe0, m_callingExec = 0x7fff2e1c72d0, m_scopeNode = 0x2b5188bedd80, m_function = 0x2b5188a1e000, 
    m_arguments = 0x7fff2e1c6f90, m_activation = 0x2b5188a14540, m_localStorage = 0x2b5188bf0b40, m_scopeChain = {_node = 0x2b5188b78750}, m_inlineScopeChainNode = {
      next = 0x0, object = 0x0, refCount = 1}, m_variableObject = 0x2b5188a14540, m_thisValue = 0x2b5188a127c0, 
    m_labelStack = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, tos = 0x0}, m_iterationDepth = 0, m_switchDepth = 0, m_codeType = KJS::FunctionCode, 
    m_completionType = KJS::Normal, m_breakOrContinueTarget = 0x2b5188b78750}, <No data fields>}
	result = <value optimized out>
#34 0x00002b517d062e49 in KJS::JSObject::call (this=0x2b5188a19d00, exec=0x0, thisObj=0x0, args=@0x2b5188a2ee60) at JavaScriptCore/kjs/object.cpp:96
	ret = (class KJS::JSValue *) 0x0
	depth = 4
#35 0x00002b517d0761ea in KJS::LocalVarFunctionCallNode::evaluate (this=0x2b5187df2ba0, exec=0x7fff2e1c72d0) at JavaScriptCore/kjs/nodes.cpp:1269
No locals.
#36 0x00002b517d07151e in KJS::ArgumentListNode::evaluateList (this=0x2b5188bec0a0, exec=0x7fff2e1c72d0, list=@0x7fff2e1c7080) at JavaScriptCore/kjs/nodes.cpp:1011
	n = (class KJS::ArgumentListNode *) 0x2b5188bec0a0
#37 0x00002b517d0761cc in KJS::LocalVarFunctionCallNode::evaluate (this=0x2b5187df2bd0, exec=0x7fff2e1c72d0) at JavaScriptCore/kjs/nodes.h:695
No locals.
#38 0x00002b517d06ccc3 in KJS::AssignResolveNode::evaluate (this=0x2b5188beb618, exec=0x7fff2e1c72d0) at JavaScriptCore/kjs/nodes.cpp:3654
	slot = {m_getValue = 0x2b5188a1e0c0, m_slotBase = 0x2b5188b46e10, m_data = {getterFunc = 0x2b5188a1da00, valueSlot = 0x2b5188a1da00, staticEntry = 0x2b5188a1da00, 
    index = 2292308480, numericFunc = 0x2b5188a1da00}}
	base = (class KJS::JSObject *) 0x2b5188a127c0
	v = <value optimized out>
#39 0x00002b517d06adee in KJS::ExprStatementNode::execute (this=0x2b5188beb5f0, exec=0x7fff2e1c6560) at JavaScriptCore/kjs/nodes.cpp:3998
	value = (class KJS::JSValue *) 0x0
#40 0x00002b517d03946a in KJS::BlockNode::execute (this=0x2b5188bed900, exec=0x7fff2e1c72d0) at JavaScriptCore/kjs/nodes.cpp:3951
No locals.
#41 0x00002b517d08c2c0 in KJS::ProgramNode::execute (this=0x2b5188bed900, exec=0x7fff2e1c72d0) at JavaScriptCore/kjs/nodes.cpp:4883
No locals.
#42 0x00002b517d08d9c3 in KJS::Interpreter::evaluate (exec=0x2b5187d7d238, sourceURL=@0x7fff2e1c7500, startingLineNumber=441, code=0x2b5188b02000, 
    codeLength=<value optimized out>, thisV=0x0) at JavaScriptCore/kjs/interpreter.cpp:103
	newExec = {<KJS::ExecState> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_globalObject = 0x2b5188a127c0, m_exception = 0x0, 
    m_propertyNames = 0x2b5187d7edc0, m_emptyList = 0x2b517d43cbe0, m_callingExec = 0x0, m_scopeNode = 0x2b5188bed900, m_function = 0x0, m_arguments = 0x0, 
    m_activation = 0x0, m_localStorage = 0x2b5187d7d000, m_scopeChain = {_node = 0x2b5187db2e58}, m_inlineScopeChainNode = {next = 0x0, object = 0x0, refCount = 1}, 
    m_variableObject = 0x2b5188a127c0, m_thisValue = 0x2b5188a127c0, m_labelStack = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, tos = 0x0}, m_iterationDepth = 0, 
    m_switchDepth = 0, m_codeType = KJS::GlobalCode, m_completionType = KJS::Normal, m_breakOrContinueTarget = 0x2b517d03fd93}, <No data fields>}
	value = <value optimized out>
	globalObject = (class KJS::JSGlobalObject *) 0x2b5188a127c0
	sourceId = 9
	errLine = -1
	errMsg = {m_rep = {m_ptr = 0x2b517d414f40}}
	thisObj = <value optimized out>
#43 0x00002b517cd307b3 in WebCore::KJSProxy::evaluate (this=0x2b5187d86f30, filename=@0x7fff2e1c77c0, baseLine=441, str=<value optimized out>)
    at WebCore/bindings/js/kjs_proxy.cpp:86
	exec = (class KJS::ExecState *) 0x2b5187d7d238
	comp = {m_type = 773616884, m_value = 0x2b517d03fbda}
#44 0x00002b517cebf8f1 in WebCore::FrameLoader::executeScript (this=0x2b5187d8f400, url=@0x7fff2e1c77c0, baseLine=441, script=@0x7fff2e1c79f0)
    at WebCore/loader/FrameLoader.cpp:783
	scriptProxy = <value optimized out>
	wasRunningScript = false
	result = <value optimized out>
#45 0x00002b517ce885c9 in WebCore::HTMLTokenizer::scriptExecution (this=0x2b5187d5a400, str=@0x7fff2e1c79f0, state={static EntityShift = <optimized out>, m_bits = 0}, 
    scriptURL=<value optimized out>, baseLine=441) at WebCore/html/HTMLTokenizer.cpp:540
	url = {m_impl = {m_ptr = 0x2b5187db2b40}}
	savedPrependingSrc = (WebCore::SegmentedString *) 0x7fff2e1c7900
	prependingSrc = {m_pushedChar1 = 0, m_pushedChar2 = 0, m_currentString = {m_length = 0, m_current = 0x0, m_string = {m_impl = {m_ptr = 0x0}}, 
    m_doNotExcludeLineNumbers = true}, m_currentChar = 0x0, m_substrings = {m_start = 0, m_end = 0, 
    m_buffer = {<WTF::VectorBufferBase<WebCore::SegmentedSubstring>> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_buffer = 0x0, 
        m_capacity = 0}, <No data fields>}}, m_composite = false}
#46 0x00002b517ce89685 in WebCore::HTMLTokenizer::scriptHandler (this=0x2b5187d5a400, state={static EntityShift = <optimized out>, m_bits = 0})
    at WebCore/html/HTMLTokenizer.cpp:480
	doScriptExec = true
	followingFrameset = false
	cs = (class WebCore::CachedScript *) 0x0
	scriptCode = {m_impl = {m_ptr = 0x2b5188b783d8}}
	savedPrependingSrc = (WebCore::SegmentedString *) 0x0
	prependingSrc = {m_pushedChar1 = 0, m_pushedChar2 = 0, m_currentString = {m_length = 0, m_current = 0x0, m_string = {m_impl = {m_ptr = 0x0}}, 
    m_doNotExcludeLineNumbers = true}, m_currentChar = 0x0, m_substrings = {m_start = 0, m_end = 0, 
    m_buffer = {<WTF::VectorBufferBase<WebCore::SegmentedSubstring>> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_buffer = 0x0, 
        m_capacity = 0}, <No data fields>}}, m_composite = false}
#47 0x00002b517ce8a4e2 in WebCore::HTMLTokenizer::parseSpecial (this=0x2b5187d5a400, src=@0x2b5187d5ae28, state={static EntityShift = <optimized out>, m_bits = 773612896})
    at WebCore/html/HTMLTokenizer.cpp:330
	ch = 6740
#48 0x00002b517ce8d09c in WebCore::HTMLTokenizer::write (this=0x2b5187d5a400, str=<value optimized out>, appendData=<value optimized out>)
    at WebCore/html/HTMLTokenizer.cpp:1669
	cc = <value optimized out>
	source = {m_pushedChar1 = 0, m_pushedChar2 = 0, m_currentString = {m_length = 1237, m_current = 0x2b5187d70a00, m_string = {m_impl = {m_ptr = 0x2b5188b78480}}, 
    m_doNotExcludeLineNumbers = true}, m_currentChar = 0x2b5187d70a00, m_substrings = {m_start = 0, m_end = 0, 
    m_buffer = {<WTF::VectorBufferBase<WebCore::SegmentedSubstring>> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_buffer = 0x2b5187cf9d70, 
        m_capacity = 0}, <No data fields>}}, m_composite = false}
	wasInWrite = false
	processedCount = 1
	startTime = 1207687808.954571
	frame = (class WebCore::Frame *) 0x2b5187d86330
	state = {static EntityShift = <optimized out>, m_bits = 0}
#49 0x00002b517ceadb17 in WebCore::FrameLoader::write (this=0x2b5187d8f400, 
    str=0x89e3d8 "  return pixels;\n}\n\nfunction arrayToCanvasCommands(pixels)\n{\n    var s = '<canvas id=\"renderCanvas\" width=\"30px\" height=\"30px\"></canvas><scr' + 'ipt>\\nvar pixels = [';\n    var size = 30;\n    for (var "..., len=<value optimized out>, flush=false) at WebCore/loader/FrameLoader.cpp:1029
	tokenizer = (WebCore::Tokenizer *) 0x2b5187d5a400
	decoded = {m_impl = {m_ptr = 0x2b5188b78480}}
#50 0x00002b517ce9ff59 in WebCore::DocumentLoader::commitLoad (this=0x2b5187d19600, 
    data=0x89e3d8 "  return pixels;\n}\n\nfunction arrayToCanvasCommands(pixels)\n{\n    var s = '<canvas id=\"renderCanvas\" width=\"30px\" height=\"30px\"></canvas><scr' + 'ipt>\\nvar pixels = [';\n    var size = 30;\n    for (var "..., length=1237) at WebCore/loader/DocumentLoader.cpp:328
	frameLoader = (WebCore::FrameLoader *) 0x0
#51 0x00002b517ced5313 in WebCore::ResourceLoader::didReceiveData (this=0x2b5188a19d00, 
    data=0x89e3d8 "  return pixels;\n}\n\nfunction arrayToCanvasCommands(pixels)\n{\n    var s = '<canvas id=\"renderCanvas\" width=\"30px\" height=\"30px\"></canvas><scr' + 'ipt>\\nvar pixels = [';\n    var size = 30;\n    for (var "..., length=1237, lengthReceived=0, allAtOnce=96) at WebCore/loader/ResourceLoader.cpp:234
No locals.
#52 0x00002b517ced0256 in WebCore::MainResourceLoader::didReceiveData (this=0x2b5188b67800, data=0x7fff2e1c6560 "À'¡\210Q+", length=0, lengthReceived=47629184724576, 
    allAtOnce=false) at WebCore/loader/MainResourceLoader.cpp:296
No locals.
#53 0x00002b517cfef477 in writeCallback (ptr=0x89e3d8, size=<value optimized out>, nmemb=<value optimized out>, data=<value optimized out>)
    at WebCore/platform/network/curl/ResourceHandleManager.cpp:126
	job = (class WebCore::ResourceHandle *) 0x2b5187d9c430
	d = (class WebCore::ResourceHandleInternal *) 0x2b5187de4000
	totalSize = 1237
	h = (CURL *) 0x89dcc0
	httpCode = 200
	err = <value optimized out>
#54 0x00002b51804fe6a8 in ?? () from /usr/lib/libcurl-gnutls.so.4
No symbol table info available.
#55 0x00002b5180513b5e in ?? () from /usr/lib/libcurl-gnutls.so.4
No symbol table info available.
#56 0x00002b518051071d in ?? () from /usr/lib/libcurl-gnutls.so.4
No symbol table info available.
#57 0x00002b5180515b1c in ?? () from /usr/lib/libcurl-gnutls.so.4
No symbol table info available.
#58 0x00002b518051648b in curl_multi_perform () from /usr/lib/libcurl-gnutls.so.4
No symbol table info available.
#59 0x00002b517cff0ea0 in WebCore::ResourceHandleManager::downloadTimerCallback (this=0x2b5187d6fd80, timer=<value optimized out>)
    at WebCore/platform/network/curl/ResourceHandleManager.cpp:308
	fdread = {fds_bits = {64, 0 <repeats 15 times>}}
	fdwrite = {fds_bits = {0 <repeats 16 times>}}
	fdexcep = {fds_bits = {0 <repeats 16 times>}}
	maxfd = 6
	timeout = {tv_sec = 0, tv_usec = 5000}
	rc = 1
	runningHandles = 0
	started = <value optimized out>
#60 0x00002b517cf4b493 in WebCore::TimerBase::fireTimers (fireTime=1207687808.954479, firingTimers=@0x7fff2e1c8330) at WebCore/platform/Timer.cpp:347
	timer = (class WebCore::TimerBase *) 0x2b5187d6fd80
	interval = <value optimized out>
	i = 0
#61 0x00002b517cf4b54b in WebCore::TimerBase::sharedTimerFired () at WebCore/platform/Timer.cpp:368
	fireTime = 1207687808.954479
	firingTimers = {m_size = 1, m_buffer = {<WTF::VectorBufferBase<WebCore::TimerBase*>> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, 
      m_buffer = 0x2b5188b4fc80, m_capacity = 16}, <No data fields>}}
	firingTimersSet = {m_impl = {static m_minTableSize = <optimized out>, static m_maxLoad = <optimized out>, static m_minLoad = <optimized out>, 
    m_table = 0x2b5187d04600, m_tableSize = 64, m_tableSizeMask = 63, m_keyCount = 0, m_deletedCount = 1}}
#62 0x00002b517cc6fba2 in timeout_cb () at WebCore/platform/gtk/SharedTimerGtk.cpp:48
No locals.
#63 0x00002b517e1e87db in ?? () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#64 0x00002b517e1e80b2 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#65 0x00002b517e1eb356 in ?? () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#66 0x00002b517e1eb617 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#67 0x00002b517daf8b63 in IA__gtk_main () at /build/buildd/gtk+2.0-2.12.9/gtk/gtkmain.c:1163
	tmp_list = (GList *) 0x62a8b0
	functions = (GList *) 0x0
	init = (GtkInitFunction *) 0x661280
	loop = (GMainLoop *) 0x87f5d0
#68 0x0000000000401eab in main (argc=2, argv=0x7fff2e1c8678) at WebKitTools/GtkLauncher/main.c:200
	vbox = (GtkWidget *) 0x62a8b0
	uri = <value optimized out>
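An added helper, not part of this bug report or of WebKit: a small parser for gdb backtraces of the shape pasted above. It picks out the frame that was executing when the signal arrived (the one just below `<signal handler called>`, since the frames above it belong to the crash reporter, here libgnomebreakpad) and reports what fraction of frames carry a source location, which is the difference between the first and second traces in this report. The sample input is constructed from a few lines of the second backtrace; the function and class names in the block are this example's own and not WebKit's.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: abridged lines in the style of the second backtrace above.
# Frame #9's header is wrapped by gdb onto a continuation line, as in the report.
SAMPLE_BACKTRACE = """\
#0  0x00002b517d45cea5 in waitpid () from /lib/libpthread.so.0
No symbol table info available.
#1  0x00002b517e21b4f6 in g_spawn_sync () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#3  0x00002b51874974b3 in ?? () from /usr/lib/gtk-2.0/modules/libgnomebreakpad.so
No symbol table info available.
#4  <signal handler called>
No symbol table info available.
#5  0x00002b517d072a3e in KJS::ElementNode::evaluate (this=0x2b5188b25618, exec=0x7fff2e1c6560) at JavaScriptCore/kjs/nodes.cpp:792
\tval = (class KJS::JSValue *) 0x2b5188a2ee60
\tlength = 0
#6  0x00002b517d072ab0 in KJS::ArrayNode::evaluate (this=0x2b5188b5aac0, exec=0x7fff2e1c6560) at JavaScriptCore/kjs/nodes.cpp:812
\tarray = <value optimized out>
#9  0x00002b517d08c94f in KJS::FunctionImp::callAsFunction (this=0x2b5188a1e480, exec=0x7fff2e1c6a30, thisObj=<value optimized out>, args=<value optimized out>)
    at JavaScriptCore/kjs/function.cpp:77
"""

SIGNAL_MARKER = "<signal handler called>"
FRAME_RE = re.compile(r"^#(?P<idx>\d+)\s+(?P<rest>.*)$")
# Location is anchored at the end of the header so that " at " or " from "
# inside a quoted argument string (see the FrameLoader::write frame) is ignored.
LOCATION_RE = re.compile(r"\s(?:at (?P<file>\S+):(?P<line>\d+)|from (?P<lib>\S+))\s*$")
ADDR_PREFIX_RE = re.compile(r"^0x[0-9a-fA-F]+ in ")


@dataclass
class Frame:
    index: int
    function: str                      # SIGNAL_MARKER for the signal frame
    source_file: Optional[str] = None  # set when gdb had debug info
    source_line: Optional[int] = None
    library: Optional[str] = None      # set for "?? () from libfoo.so" frames
    locals: Dict[str, str] = field(default_factory=dict)


def _logical_records(text: str) -> List[str]:
    """Glue gdb's space-indented continuation lines back onto the record they wrap."""
    records: List[str] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and records:
            records[-1] += " " + raw.strip()
        else:
            records.append(raw)
    return records


def _parse_header(index: int, rest: str) -> Frame:
    if rest.startswith("<"):           # "<signal handler called>"
        return Frame(index, rest.strip())
    loc = LOCATION_RE.search(rest)
    body = rest[: loc.start()] if loc else rest
    body = ADDR_PREFIX_RE.sub("", body)
    function = body.split(" (", 1)[0].strip()   # drop the argument list
    frame = Frame(index, function)
    if loc and loc.group("file"):
        frame.source_file = loc.group("file")
        frame.source_line = int(loc.group("line"))
    elif loc:
        frame.library = loc.group("lib")
    return frame


def parse_backtrace(text: str) -> List[Frame]:
    """Parse 'bt full' output: '#N' records start frames, tab-indented records are locals."""
    frames: List[Frame] = []
    for rec in _logical_records(text):
        m = FRAME_RE.match(rec)
        if m:
            frames.append(_parse_header(int(m.group("idx")), m.group("rest")))
        elif rec.startswith("\t") and frames:
            name, sep, value = rec.strip().partition(" = ")
            if sep:
                frames[-1].locals[name] = value
        # "No locals." / "No symbol table info available." carry no data
    return frames


def crash_frame(frames: List[Frame]) -> Optional[Frame]:
    """Frame running when the signal hit: just below the marker, else frame #0."""
    for i, f in enumerate(frames):
        if f.function == SIGNAL_MARKER and i + 1 < len(frames):
            return frames[i + 1]
    return frames[0] if frames else None


def symbol_coverage(frames: List[Frame]) -> float:
    """Fraction of frames with a file:line; low values mean the build lacked -g."""
    if not frames:
        return 0.0
    return sum(1 for f in frames if f.source_file) / len(frames)


if __name__ == "__main__":
    parsed = parse_backtrace(SAMPLE_BACKTRACE)
    cf = crash_frame(parsed)
    print(f"crash in {cf.function} at {cf.source_file}:{cf.source_line}, locals={cf.locals}")
    print(f"frames with source info: {symbol_coverage(parsed):.0%}")
```

Running the block on the constructed sample reports the crash in `KJS::ElementNode::evaluate` at `JavaScriptCore/kjs/nodes.cpp:792` with `length = 0`, and 3 of 7 frames carrying source locations; feeding it the first backtrace in the report instead would show the crash frame with no source location at all, which is the practical effect of the missing `-g`.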
Comment 3 Mike Hommey 2008-04-09 03:50:42 PDT
FWIW, and this applies to bugs 18367, 18368 and 18369, too, the crash happens when building with -O1 or with -O2, but NOT when building with -O0 or with -fdefer-pop -fdelayed-branch -fguess-branch-probability -fcprop-registers -fif-conversion -fif-conversion2 -ftree-ccp -ftree-dce -ftree-dominator-opts -ftree-dse -ftree-ter -ftree-lrs -ftree-sra -ftree-copyrename -ftree-fre -ftree-ch -funit-at-a-time -fmerge-constants, which is listed in gcc's man page as the set of flags that -O1 turns on.

Note that a -O1 build is significantly faster on the tests that pass than a build with all these flags, so obviously, gcc does much more than what it claims.

Comment 4 Mike Hommey 2008-04-09 05:08:20 PDT
This *doesn't* happen with the Qt port.
Comment 5 Mike Hommey 2008-04-09 10:21:24 PDT
It doesn't happen on x86.
Comment 6 Mike Hommey 2008-04-10 13:07:13 PDT

*** This bug has been marked as a duplicate of 18367 ***