16204 2007-11-30 04:39:24 -0800 Heap corruption in JS on ARM 2010-03-04 01:57:21 -0800 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Other OS X 10.4 RESOLVED INVALID P2 Normal --- 1 dacarson webkit-unassigned ddkilzer gyuyoung klobag mjs oliver oldest_to_newest 62778 0 dacarson 2007-11-30 04:39:24 -0800 If I build everything with -O2, I will get the crash when loading cnn.com or nytimes.com in either of the following two places. 1. line 529 of object.h inherits(..), which is called from nodes.cpp line 899. We are using rev 27453. 2. line 637 of string_object.cpp. See following for the stack trace. When it crashes, the vptr of the JSObject, baseObj/thisObj in 1) and res in 2), is 0x0. Here is memory map for case 1) (gdb) p *baseObj $2 = {<KJS::JSCell> = {<KJS::JSValue> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, _vptr.JSValue = 0x0}, <No data fields>}, _prop = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_singleEntryKey = 0xfffffe20, m_u = {singleEntryValue = 0x0, table = 0x0}, m_singleEntryAttributes = 0, m_getterSetterFlag = false, m_usingTable = false}, _proto = 0x42e359e0} (gdb) x/8w baseObj 0x42e403c0: 0x00000000 0xfffffe20 0x00000000 0x00000000 0x42e403d0: 0x42e359e0 0x42e42120 0x00000000 0x00000000 Here is stack trace for case 2) [Switching to Thread 566] 0xaa2bb53c in KJS::StringProtoFunc::callAsFunction (this=<value optimized out>, exec=0x107ff01c, thisObj=<value optimized out>, args=<value optimized out>) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/string_object.cpp:637 637 res->put(exec, i, jsString(u.substr(p0, pos-p0))); Current language: auto; currently c++ (gdb) bt #0 0xaa2bb53c in KJS::StringProtoFunc::callAsFunction (this=<value optimized out>, exec=0x107ff01c, thisObj=<value optimized out>, args=<value optimized out>) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/string_object.cpp:637 #1 0xaa2b33ce in KJS::JSObject::call (this=0x1bca, exec=0x107fee1c, thisObj=0x43394440, args=@0xaa38d888) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/object.cpp:95 #2 0xaa2c8a80 in KJS::FunctionCallDotNode::evaluate (this=0x7b9530, exec=0x107ff01c) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:899 #3 0xaa2c4b1a in KJS::AssignResolveNode::evaluate (this=0x7b9548, exec=0x107ff01c) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2295 #4 0xaa2c3086 in KJS::ExprStatementNode::execute (this=0x7b9560, exec=0x107ff01c) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2718 #5 0xaa29d104 in KJS::BlockNode::execute (this=<value optimized out>, exec=0x107ff01c) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2653 #6 0xaa2beb6a in KJS::FunctionBodyNode::execute (this=0x1b4, exec=0x107ff01c) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:3612 #7 0xaa29ca6e in KJS::FunctionImp::execute (this=<value optimized out>, exec=0x43394400) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/function.cpp:252 #8 0xaa2cf2fc in KJS::FunctionImp::callAsFunction (this=0x43395be0, exec=0x107ff334, thisObj=<value optimized out>, args=@0x107ff0cc) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/function.cpp:93 #9 0xaa2b33ce in KJS::JSObject::call (this=0x1bca, exec=0x107fee1c, thisObj=0x42d60000, args=@0xaa38d888) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/object.cpp:95 #10 0xaa2c8724 in KJS::FunctionCallResolveNode::evaluate (this=0x7cb140, exec=0x107ff334) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:767 #11 0xaa2c8974 in KJS::FunctionCallDotNode::evaluate (this=0x7cb190, exec=0x107ff334) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:874 #12 0xaa2c4b1a in KJS::AssignResolveNode::evaluate (this=0x7cb1a8, exec=0x107ff334) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2295 #13 0xaa2c3086 in KJS::ExprStatementNode::execute (this=0x7cb1c0, exec=0x107ff334) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2718 #14 0xaa29d104 in KJS::BlockNode::execute (this=<value optimized out>, exec=0x107ff334) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2653 #15 0xaa2c3024 in KJS::IfNode::execute (this=<value optimized out>, exec=0x107ff334) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2754 #16 0xaa29d104 in KJS::BlockNode::execute (this=<value optimized out>, exec=0x107ff334) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2653 #17 0xaa2beb6a in KJS::FunctionBodyNode::execute (this=0x1b4, exec=0x107ff334) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:3612 #18 0xaa29ca6e in KJS::FunctionImp::execute (this=<value optimized out>, exec=0x43394400) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/function.cpp:252 #19 0xaa2cf2fc in KJS::FunctionImp::callAsFunction (this=0x43395ba0, exec=0x107ff594, thisObj=<value optimized out>, args=@0x107ff3e4) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/function.cpp:93 #20 0xaa2b33ce in KJS::JSObject::call (this=0x1bca, exec=0x107fee1c, thisObj=0x42d60000, args=@0xaa38d888) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/object.cpp:95 #21 0xaa2c8724 in KJS::FunctionCallResolveNode::evaluate (this=0x780e38, exec=0x107ff594) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:767 #22 0xaa2c3086 in KJS::ExprStatementNode::execute (this=0x780e50, exec=0x107ff594) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2718 #23 0xaa29d104 in KJS::BlockNode::execute (this=<value optimized out>, exec=0x107ff594) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2653 #24 0xaa2c3024 in KJS::IfNode::execute (this=<value optimized out>, exec=0x107ff594) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2754 #25 0xaa29d104 in KJS::BlockNode::execute (this=<value optimized out>, exec=0x107ff594) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2653 #26 0xaa2beb6a in KJS::FunctionBodyNode::execute (this=0x1b4, exec=0x107ff594) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:3612 #27 0xaa29ca6e in KJS::FunctionImp::execute (this=<value optimized out>, exec=0x43394400) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/function.cpp:252 #28 0xaa2cf2fc in KJS::FunctionImp::callAsFunction (this=0x43395e80, exec=0x107ff7ac, thisObj=<value optimized out>, args=@0x107ff644) ---Type <return> to continue, or q <return> to quit--- at libs/WebKitLib/WebKit/JavaScriptCore/kjs/function.cpp:93 #29 0xaa2b33ce in KJS::JSObject::call (this=0x1bca, exec=0x107fee1c, thisObj=0x42d60000, args=@0xaa38d888) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/object.cpp:95 #30 0xaa2c8724 in KJS::FunctionCallResolveNode::evaluate (this=0x780a80, exec=0x107ff7ac) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:767 #31 0xaa2c3086 in KJS::ExprStatementNode::execute (this=0x780a98, exec=0x107ff7ac) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2718 #32 0xaa29d104 in KJS::BlockNode::execute (this=<value optimized out>, exec=0x107ff7ac) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2653 #33 0xaa2beb6a in KJS::FunctionBodyNode::execute (this=0x1b4, exec=0x107ff7ac) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:3612 #34 0xaa29ca6e in KJS::FunctionImp::execute (this=<value optimized out>, exec=0x43394400) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/function.cpp:252 #35 0xaa2cf2fc in KJS::FunctionImp::callAsFunction (this=0x43395ec0, exec=0x107ffa50, thisObj=<value optimized out>, args=@0x107ff85c) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/function.cpp:93 #36 0xaa2b33ce in KJS::JSObject::call (this=0x1bca, exec=0x107fee1c, thisObj=0x42d60000, args=@0xaa38d888) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/object.cpp:95 #37 0xaa2c8724 in KJS::FunctionCallResolveNode::evaluate (this=0x7d0cf8, exec=0x107ffa50) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:767 #38 0xaa2c3086 in KJS::ExprStatementNode::execute (this=0x7d0d10, exec=0x107ffa50) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2718 #39 0xaa29d104 in KJS::BlockNode::execute (this=<value optimized out>, exec=0x107ffa50) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2653 #40 0xaa2bedb0 in KJS::TryNode::execute (this=0x7d0ed8, exec=0x107ffa50) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:3405 #41 0xaa29d104 in KJS::BlockNode::execute (this=<value optimized out>, exec=0x107ffa50) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2653 #42 0xaa2beb6a in KJS::FunctionBodyNode::execute (this=0x107ffa50, exec=0x107ffa50) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:3612 #43 0xaa2ce844 in KJS::Interpreter::evaluate (this=0x1d2ac0, sourceURL=@0x0, startingLineNumber=<value optimized out>, code=0xafe0e25c, codeLength=7978448, thisV=0xc0000000) at libs/WebKitLib/WebKit/JavaScriptCore/kjs/interpreter.cpp:379 #44 0xaa04c0fa in WebCore::KJSProxy::evaluate (this=0x1c7068, filename=<value optimized out>, baseLine=0, str=@0x107ffbe8) at libs/WebKitLib/WebKit/WebCore/bindings/js/kjs_proxy.cpp:87 #45 0xaa15004a in WebCore::FrameLoader::executeScript (this=0x188e68, URL=@0x107ffbec, baseLine=0, script=@0x107ffbe8) at libs/WebKitLib/WebKit/WebCore/loader/FrameLoader.cpp:762 #46 0xaa12fb22 in WebCore::HTMLTokenizer::scriptExecution (this=0x216c00, str=@0x107ffc50, state={static EntityShift = 4, m_bits = 4194304}, scriptURL=<value optimized out>, baseLine=0) at libs/WebKitLib/WebKit/WebCore/html/HTMLTokenizer.cpp:552 #47 0xaa131040 in WebCore::HTMLTokenizer::notifyFinished (this=0x216c00, res=<value optimized out>) at libs/WebKitLib/WebKit/WebCore/html/HTMLTokenizer.cpp:1784 #48 0xaa13a36a in WebCore::CachedScript::checkNotify (this=0x5fc080) at libs/WebKitLib/WebKit/WebCore/loader/CachedScript.cpp:93 #49 0xaa13a4b0 in WebCore::CachedScript::data (this=0x5fc080, data=<value optimized out>, allDataReceived=<value optimized out>) at libs/WebKitLib/WebKit/WebCore/loader/CachedScript.cpp:83 #50 0xaa16303a in WebCore::Loader::didFinishLoading (this=0x187704, loader=0x415748) at libs/WebKitLib/WebKit/WebCore/loader/loader.cpp:119 #51 0xaa157304 in WebCore::SubresourceLoader::didFinishLoading (this=0x415748) at libs/WebKitLib/WebKit/WebCore/loader/SubresourceLoader.cpp:193 #52 0xaa155ce2 in WebCore::ResourceLoader::didFinishLoading (this=0x1bca) at libs/WebKitLib/WebKit/WebCore/loader/ResourceLoader.cpp:361 #53 0xaa1ae024 in android_webcore_resourceloader_nativeFinished (env=<value optimized out>, obj=<value optimized out>) ---Type <return> to continue, or q <return> to quit--- at libs/WebKitLib/WebKit/WebCore/platform/android/jni/android_webcore_resource_loader.cpp:259 #54 0xad00a3e8 in invoke () at dalvik/vm/arch/arm/CallEABI.S:221 62781 1 dacarson 2007-11-30 04:44:25 -0800 Building with -O0 the problem does not exist A theory is it is caused by the new GC in collector.cpp. By switching back to the previous version of collector.cpp/h, it doesn't crash anymore. 62802 2 ggaren 2007-11-30 11:27:15 -0800 Dave, What previous version of collector.h/.cpp are you talking about? Do you have a specific revision at which this crash was introduced? 62817 3 klobag 2007-11-30 13:51:53 -0800 In JSValue *FunctionCallDotNode::evaluate(ExecState *exec), if I add gcProtect(baseVal) in the beginning and gcUnprotect(baseVal) in the end like following, the problem goes away as baseVal will not be GC before the return of the function. JSValue *baseVal = base->evaluate(exec); KJS_CHECKEXCEPTIONVALUE gcProtect(baseVal); .... gcUnprotect(baseVal); return func->call(exec, thisObj, argList); This is similar to the bug http://bugs.webkit.org/show_bug.cgi?id=12535. But I don't think GC is triggered in toObject() as baseObj->getPropertySlot() is still ok. But right before func->call() is called, GC happens and baseObj is bad. The crash is easy to reproduce with revision 27453. But I can't get it happen with July/07's code. 142006 4 ap 2009-08-21 15:03:22 -0700 Is this still an issue? 142085 5 klobag 2009-08-21 18:03:34 -0700 Not sure. Feel free to close it. 195956 6 oliver 2010-03-04 01:57:21 -0800 Closing as invalid as we don't really have away to say "this crash is in code that hasn't existed in years"