119803 2013-08-14 10:30:47 -0700 [Windows] html5test.com Crashes WebKit (JSC Stacktrace) 2013-11-18 10:33:38 -0800 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 119812 1 bfulgham webkit-unassigned bfulgham chris_curtis compnerd elima mark.lam msaboff oliver webkit-bug-importer oldest_to_newest 917172 0 bfulgham 2013-08-14 10:30:47 -0700 Visiting the website http://html5test.com using WinLauncher on Windows crashes with the following stacktrace: In release we crash as follows: > JavaScriptCore.dll!JSC::JSCell::methodTable() Line 157 C++ JavaScriptCore.dll!JSC::errorDescriptionForValue(JSC::ExecState * exec, JSC::JSValue v) Line 110 + 0x8 bytes C++ JavaScriptCore.dll!JSC::createError(JSC::ExecState * exec, JSC::JSObject * (JSC::ExecState *, const WTF::String &)* errorFactory, JSC::JSValue value, const WTF::String & message) Line 115 + 0x24 bytes C++ JavaScriptCore.dll!JSC::createNotAnObjectError(JSC::ExecState * exec, JSC::JSValue value) Line 139 + 0x28 bytes C++ JavaScriptCore.dll!JSC::JSValue::synthesizePrototype(JSC::ExecState * exec) Line 111 + 0xe bytes C++ JavaScriptCore.dll!JSC::JSValue::get(JSC::ExecState * exec, JSC::PropertyName propertyName, JSC::PropertySlot & slot) Line 637 C++ JavaScriptCore.dll!JSC::getByVal(JSC::ExecState * callFrame, JSC::JSValue baseValue, JSC::JSValue subscript, JSC::ReturnAddressPtr returnAddress) Line 1544 + 0x2b bytes C++ JavaScriptCore.dll!cti_op_get_by_val_generic(void * * args) Line 1605 C++ 0b8307d0() JavaScriptCore.dll!JSC::JITCode::execute(JSC::JSStack * stack, JSC::ExecState * callFrame, JSC::VM * vm) Line 46 + 0x20 bytes C++ JavaScriptCore.dll!JSC::Interpreter::execute(JSC::ProgramExecutable * program, JSC::ExecState * callFrame, JSC::JSObject * thisObj) Line 851 + 0x2d bytes C++ JavaScriptCore.dll!JSC::evaluate(JSC::ExecState * exec, const JSC::SourceCode & source, JSC::JSValue thisValue, JSC::JSValue * returnedException) Line 85 C++ WebKit.dll!WebCore::JSMainThreadExecState::evaluate(JSC::ExecState * exec, const JSC::SourceCode & source, JSC::JSValue thisValue, JSC::JSValue * exception) Line 74 + 0x1b bytes C++ WebKit.dll!WebCore::ScriptController::evaluateInWorld(const WebCore::ScriptSourceCode & sourceCode, WebCore::DOMWrapperWorld * world) Line 142 + 0x34 bytes C++ WebKit.dll!WebCore::ScriptController::evaluate(const WebCore::ScriptSourceCode & sourceCode) Line 158 + 0x40 bytes C++ WebKit.dll!WebCore::ScriptElement::executeScript(const WebCore::ScriptSourceCode & sourceCode) Line 316 + 0x16 bytes C++ WebKit.dll!WebCore::ScriptRunner::timerFired(WebCore::Timer<WebCore::ScriptRunner> * timer) Line 121 + 0x2a5 bytes C++ WebKit.dll!WebCore::Timer<WebCore::Settings>::fired() Line 114 + 0xb bytes C++ WebKit.dll!WebCore::ThreadTimers::sharedTimerFiredInternal() Line 132 C++ WebKit.dll!WebCore::TimerWindowWndProc(HWND__ * hWnd, unsigned int message, unsigned int wParam, long lParam) Line 111 C++ user32.dll!_InternalCallWinProc@20() + 0x23 bytes user32.dll!_UserCallWinProcCheckWow@36() + 0xbd bytes user32.dll!_DispatchMessageWorker@8() + 0xf8 bytes user32.dll!_DispatchMessageW@4() + 0x10 bytes CoreFoundation.dll!__CFRunLoopRun(__CFRunLoop * rl, __CFRunLoopMode * rlm, double seconds, unsigned char stopAfterHandle, __CFRunLoopMode * previousMode) Line 42292 C++ CoreFoundation.dll!CFRunLoopRunSpecific(__CFRunLoop * rl, const __CFString * modeName, double seconds, unsigned char returnAfterSourceHandled) Line 42413 + 0x12 bytes C++ CoreFoundation.dll!CFRunLoopRun() Line 42440 + 0x1d bytes C++ WinLauncher.dll!dllLauncherEntryPoint(HINSTANCE__ * __formal, HINSTANCE__ * __formal, HINSTANCE__ * __formal, int nCmdShow) Line 456 C++ WinLauncher.exe!004018b8() [Frames below may be incorrect and/or missing, no symbols loaded for WinLauncher.exe] msvcr100.dll!_free() + 0x1c bytes msvcr100.dll!__wsetenvp() + 0xa2 bytes msvcr100.dll!___wgetmainargs() + 0x53 bytes WinLauncher.exe!004024c9() WinLauncher.exe!00402636() kernel32.dll!@BaseThreadInitThunk@12() + 0xe bytes ntdll.dll!___RtlUserThreadStart@8() + 0x27 bytes ntdll.dll!__RtlUserThreadStart@8() + 0x1b bytes In debug we hit this assert: > WTF.dll!WTFCrash() Line 342 C++ JavaScriptCore.dll!JSC::JSValue::synthesizePrototype(JSC::ExecState * exec) Line 110 + 0x3a bytes C++ JavaScriptCore.dll!JSC::JSValue::get(JSC::ExecState * exec, JSC::PropertyName propertyName, JSC::PropertySlot & slot) Line 636 + 0xc bytes C++ JavaScriptCore.dll!JSC::JSValue::get(JSC::ExecState * exec, JSC::PropertyName propertyName) Line 625 + 0x18 bytes C++ JavaScriptCore.dll!JSC::getByVal(JSC::ExecState * callFrame, JSC::JSValue baseValue, JSC::JSValue subscript, JSC::ReturnAddressPtr returnAddress) Line 1544 + 0x1c bytes C++ JavaScriptCore.dll!cti_op_get_by_val_generic(void * * args) Line 1604 + 0x21 bytes C++ JavaScriptCore.dll!@cti_handle_watchdog_timer@4() + 0xef bytes C++ JavaScriptCore.dll!JSC::JITCode::execute(JSC::JSStack * stack, JSC::ExecState * callFrame, JSC::VM * vm) Line 46 + 0x1e bytes C++ JavaScriptCore.dll!JSC::Interpreter::execute(JSC::ProgramExecutable * program, JSC::ExecState * callFrame, JSC::JSObject * thisObj) Line 851 + 0x36 bytes C++ JavaScriptCore.dll!JSC::evaluate(JSC::ExecState * exec, const JSC::SourceCode & source, JSC::JSValue thisValue, JSC::JSValue * returnedException) Line 85 C++ WebKit.dll!WebCore::JSMainThreadExecState::evaluate(JSC::ExecState * exec, const JSC::SourceCode & source, JSC::JSValue thisValue, JSC::JSValue * exception) Line 74 + 0x1e bytes C++ WebKit.dll!WebCore::ScriptController::evaluateInWorld(const WebCore::ScriptSourceCode & sourceCode, WebCore::DOMWrapperWorld * world) Line 142 + 0x23 bytes C++ WebKit.dll!WebCore::ScriptController::evaluate(const WebCore::ScriptSourceCode & sourceCode) Line 158 + 0x16 bytes C++ WebKit.dll!WebCore::ScriptElement::executeScript(const WebCore::ScriptSourceCode & sourceCode) Line 316 + 0x17 bytes C++ WebKit.dll!WebCore::ScriptElement::execute(WebCore::CachedScript * cachedScript) Line 337 + 0x15 bytes C++ WebKit.dll!WebCore::ScriptRunner::timerFired(WebCore::Timer<WebCore::ScriptRunner> * timer) Line 122 C++ WebKit.dll!WebCore::Timer<WebCore::PingLoader>::fired() Line 114 + 0x19 bytes C++ WebKit.dll!WebCore::ThreadTimers::sharedTimerFiredInternal() Line 132 C++ WebKit.dll!WebCore::ThreadTimers::sharedTimerFired() Line 106 C++ WebKit.dll!WebCore::TimerWindowWndProc(HWND__ * hWnd, unsigned int message, unsigned int wParam, long lParam) Line 99 + 0x6 bytes C++ user32.dll!_InternalCallWinProc@20() + 0x23 bytes user32.dll!_UserCallWinProcCheckWow@36() + 0xbd bytes user32.dll!_DispatchMessageWorker@8() + 0xf8 bytes user32.dll!_DispatchMessageW@4() + 0x10 bytes CoreFoundation.dll!__CFRunLoopRun(__CFRunLoop * rl, __CFRunLoopMode * rlm, double seconds, unsigned char stopAfterHandle, __CFRunLoopMode * previousMode) Line 42292 C++ CoreFoundation.dll!CFRunLoopRunSpecific(__CFRunLoop * rl, const __CFString * modeName, double seconds, unsigned char returnAfterSourceHandled) Line 42413 + 0x12 bytes C++ CoreFoundation.dll!CFRunLoopRun() Line 42440 + 0x1d bytes C++ WinLauncher.dll!dllLauncherEntryPoint(HINSTANCE__ * __formal, HINSTANCE__ * __formal, HINSTANCE__ * __formal, int nCmdShow) Line 456 C++ WinLauncher.exe!004012ca() [Frames below may be incorrect and/or missing, no symbols loaded for WinLauncher.exe] ntdll.dll!_RtlpHeapAddListEntry@24() + 0xc16 bytes ntdll.dll!@RtlpFreeHeap@16() + 0x20c bytes 917173 1 webkit-bug-importer 2013-08-14 10:31:21 -0700 <rdar://problem/14736881> 919351 2 compnerd 2013-08-20 23:35:31 -0700 Reproduces with WebKit(GTK+) 2.1.4 on Linux. 928740 3 elima 2013-09-13 03:15:58 -0700 I get similar stacktrace 100% of the times while browsing http://2012.beercamp.com on ARM Linux, with WebKitGTK 2.1.4: #0 0xb5dab09c in JSC::errorDescriptionForValue(JSC::ExecState*, JSC::JSValue) () from /usr/lib/libjavascriptcoregtk-3.0.so.0 #1 0xb5dab5ae in JSC::createError(JSC::ExecState*, JSC::JSObject* (*)(JSC::ExecState*, WTF::String const&), JSC::JSValue, WTF::String const&) () from /usr/lib/libjavascriptcoregtk-3.0.so.0 #2 0xb5dab668 in JSC::createNotAnObjectError(JSC::ExecState*, JSC::JSValue) () from /usr/lib/libjavascriptcoregtk-3.0.so.0 #3 0xb5df72f8 in JSC::JSValue::synthesizePrototype(JSC::ExecState*) const () from /usr/lib/libjavascriptcoregtk-3.0.so.0 #4 0xb5c8a316 in JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const () from /usr/lib/libjavascriptcoregtk-3.0.so.0 #5 0xb5d1f500 in JSC::getByVal(JSC::ExecState*, JSC::JSValue, JSC::JSValue, JSC::ReturnAddressPtr) () from /usr/lib/libjavascriptcoregtk-3.0.so.0 #6 0xb5d22bbc in JITStubThunked_op_get_by_val_generic () from /usr/lib/libjavascriptcoregtk-3.0.so.0 #7 0xb5d1ef28 in cti_op_get_by_val_generic () from /usr/lib/libjavascriptcoregtk-3.0.so.0 #8 0xa872f8a0 in ?? () #9 0xa872f8a0 in ?? () Sorry about the missing symbols, have not managed to get a build with full symbols yet. 951673 4 bfulgham 2013-11-18 10:33:38 -0800 This crash was corrected by other JSC work.