18368 2008-04-08 13:13:55 -0700 Crash during sunspider string-unpack-code 2008-04-10 13:06:53 -0700 1 1 1 Unclassified WebKit WebKitGTK 528+ (Nightly build) PC Linux RESOLVED DUPLICATE 18367 P2 Major --- 0 mh+webkit webkit-unassigned mrowe oldest_to_newest 76634 0 mh+webkit 2008-04-08 13:13:55 -0700 I spotted a crash during sunspider string-unpack-code test (http://webkit.org/perf/sunspider-0.9/string-unpack-code.html) on amd64 (not tested anywhere else), confirmed on r31722. I bisected and found this crash has been happening first with r29470. The full backtrace is as follows: [Thread debugging using libthread_db enabled] [New Thread 0x2b04e1a8cec0 (LWP 3167)] 0x00002b04d83cbea5 in waitpid () from /lib/libpthread.so.0 #0 0x00002b04d83cbea5 in waitpid () from /lib/libpthread.so.0 #1 0x00002b04d918a4f6 in g_spawn_sync () from /usr/lib/libglib-2.0.so.0 #2 0x00002b04d918a808 in g_spawn_command_line_sync () from /usr/lib/libglib-2.0.so.0 #3 0x00002b04e24064b3 in ?? () from /usr/lib/gtk-2.0/modules/libgnomebreakpad.so #4 <signal handler called> #5 0x00002b04d7ff707f in KJS::stringProtoFuncSplit () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #6 0x00002b04d7fd1e49 in KJS::JSObject::call () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #7 0x00002b04d7fe5ae3 in KJS::FunctionCallDotNode::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #8 0x00002b04d7fe051e in KJS::ArgumentListNode::evaluateList () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #9 0x00002b04d7fe0b37 in KJS::FunctionCallValueNode::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #10 0x00002b04d7fdce2e in KJS::AssignLocalVarNode::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #11 0x00002b04d7fd9d8e in KJS::VarStatementNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #12 0x00002b04d7fa846a in KJS::BlockNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #13 0x00002b04d7fd99b9 in KJS::ForNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #14 0x00002b04d7fa846a in KJS::BlockNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #15 0x00002b04d7ffb2c0 in KJS::ProgramNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #16 0x00002b04d7ffc9c3 in KJS::Interpreter::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #17 0x00002b04d7c9f7b3 in WebCore::KJSProxy::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #18 0x00002b04d7e2e8f1 in WebCore::FrameLoader::executeScript () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #19 0x00002b04d7df75c9 in WebCore::HTMLTokenizer::scriptExecution () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #20 0x00002b04d7df8685 in WebCore::HTMLTokenizer::scriptHandler () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #21 0x00002b04d7df94e2 in WebCore::HTMLTokenizer::parseSpecial () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #22 0x00002b04d7dfc09c in WebCore::HTMLTokenizer::write () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #23 0x00002b04d7e1cb17 in WebCore::FrameLoader::write () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #24 0x00002b04d7e0ef59 in WebCore::DocumentLoader::commitLoad () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #25 0x00002b04d7e44313 in WebCore::ResourceLoader::didReceiveData () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #26 0x00002b04d7e3f256 in WebCore::MainResourceLoader::didReceiveData () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #27 0x00002b04d7f5e477 in WebCore::writeCallback () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #28 0x00002b04db46d6a8 in ?? () from /usr/lib/libcurl-gnutls.so.4 #29 0x00002b04db482b5e in ?? () from /usr/lib/libcurl-gnutls.so.4 #30 0x00002b04db47f71d in ?? () from /usr/lib/libcurl-gnutls.so.4 #31 0x00002b04db484b1c in ?? () from /usr/lib/libcurl-gnutls.so.4 #32 0x00002b04db48548b in curl_multi_perform () from /usr/lib/libcurl-gnutls.so.4 #33 0x00002b04d7f5fea0 in WebCore::ResourceHandleManager::downloadTimerCallback () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #34 0x00002b04d7eba493 in WebCore::TimerBase::fireTimers () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #35 0x00002b04d7eba54b in WebCore::TimerBase::sharedTimerFired () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #36 0x00002b04d7bdeba2 in WebCore::timeout_cb () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #37 0x00002b04d91570b2 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0 #38 0x00002b04d915a356 in ?? () from /usr/lib/libglib-2.0.so.0 #39 0x00002b04d915a617 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0 #40 0x00002b04d8a67b63 in IA__gtk_main () at /build/buildd/gtk+2.0-2.12.9/gtk/gtkmain.c:1163 #41 0x0000000000401eab in main () 76635 1 mh+webkit 2008-04-08 13:21:55 -0700 FWIW, building without -O2 leads to a webkit that doesn't crash 76641 2 mh+webkit 2008-04-08 13:46:45 -0700 Better backtrace: Thread 1 (Thread 0x2adcdf01bec0 (LWP 31465)): #0 0x00002adcd595aea5 in waitpid () from /lib/libpthread.so.0 No symbol table info available. #1 0x00002adcd67194f6 in g_spawn_sync () from /usr/lib/libglib-2.0.so.0 No symbol table info available. #2 0x00002adcd6719808 in g_spawn_command_line_sync () from /usr/lib/libglib-2.0.so.0 No symbol table info available. #3 0x00002adcdf9954b3 in ?? () from /usr/lib/gtk-2.0/modules/libgnomebreakpad.so No symbol table info available. #4 <signal handler called> No symbol table info available. #5 0x00002adcd558607f in KJS::stringProtoFuncSplit (exec=0x7fffd5ccbe00, thisObj=<value optimized out>, args=<value optimized out>) at JavaScriptCore/kjs/string_object.cpp:684 u2 = {m_rep = {m_ptr = 0x2adce02a9fc0}} s = {m_rep = {m_ptr = 0x2adce02b4a40}} a0 = (class KJS::JSValue *) 0x2adcd558cca0 a1 = <value optimized out> constructor = <value optimized out> res = (class KJS::JSObject *) 0x2adce13998c0 u = {m_rep = {m_ptr = 0x2adce02a9000}} pos = 4412 i = 611 p0 = 4406 limit = 4294967295 #6 0x00002adcd5560e49 in KJS::JSObject::call (this=0x7fffd5ccb990, exec=0x2adce0284a7a, thisObj=0x1136, args=@0x6) at JavaScriptCore/kjs/object.cpp:96 ret = (class KJS::JSValue *) 0x0 depth = 1 #7 0x00002adcd5574ae3 in KJS::FunctionCallDotNode::evaluate (this=0x2adce0f59d20, exec=0x7fffd5ccbe00) at JavaScriptCore/kjs/nodes.cpp:1500 No locals. #8 0x00002adcd556f51e in KJS::ArgumentListNode::evaluateList (this=0x2adce02b4b00, exec=0x7fffd5ccbe00, list=@0x7fffd5ccbba0) at JavaScriptCore/kjs/nodes.cpp:1011 n = (class KJS::ArgumentListNode *) 0x2adce02b4a20 #9 0x00002adcd556fb37 in KJS::FunctionCallValueNode::evaluate (this=0x2adce02b49a0, exec=0x7fffd5ccbe00) at JavaScriptCore/kjs/nodes.h:695 v = (class KJS::JSValue *) 0x2adce1399a40 func = <value optimized out> argList = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_vector = {m_size = 3, m_buffer = {<WTF::VectorBufferBase<KJS::JSValue*>> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_buffer = 0x7fffd5ccbbb8, m_capacity = 8}, static m_inlineBufferSize = <optimized out>, m_inlineBuffer = "Р\2319см*\000\000ћ\000\000\000\000\000\000\000Ѓ\t\000\000\000\000\000\000\200\030ёрм*\000\000\003\000\000\000\000\000\000\000@\t%см*\000\000\0010Wем*\000\000@МЬеџ\177\000"}}, m_isInMarkSet = false} #10 0x00002adcd556be2e in KJS::AssignLocalVarNode::evaluate (this=0x2adce0f59cf8, exec=0x7fffd5ccb9f0) at JavaScriptCore/kjs/nodes.cpp:3559 v = <value optimized out> #11 0x00002adcd5568d8e in KJS::VarStatementNode::execute (this=0x2adce0f59cd0, exec=0x7fffd5ccb9f0) at JavaScriptCore/kjs/nodes.cpp:4014 No locals. #12 0x00002adcd553746a in KJS::BlockNode::execute (this=0x2adce0207d58, exec=0x7fffd5ccbe00) at JavaScriptCore/kjs/nodes.cpp:3951 No locals. #13 0x00002adcd55689b9 in KJS::ForNode::execute (this=0x2adce01fb510, exec=0x7fffd5ccbe00) at JavaScriptCore/kjs/nodes.cpp:4164 b = <value optimized out> statementValue = (class KJS::JSValue *) 0x7fffd5ccbe00 value = (class KJS::JSValue *) 0x0 #14 0x00002adcd553746a in KJS::BlockNode::execute (this=0x2adce10a8480, exec=0x7fffd5ccbe00) at JavaScriptCore/kjs/nodes.cpp:3951 No locals. #15 0x00002adcd558a2c0 in KJS::ProgramNode::execute (this=0x2adce10a8480, exec=0x7fffd5ccbe00) at JavaScriptCore/kjs/nodes.cpp:4883 No locals. #16 0x00002adcd558b9c3 in KJS::Interpreter::evaluate (exec=0x2adce0285738, sourceURL=@0x7fffd5ccc030, startingLineNumber=105, code=0x2adce1128000, codeLength=<value optimized out>, thisV=0x0) at JavaScriptCore/kjs/interpreter.cpp:103 newExec = {<KJS::ExecState> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_globalObject = 0x2adce0f10000, m_exception = 0x0, m_propertyNames = 0x2adce029edc0, m_emptyList = 0x2adcd593abe0, m_callingExec = 0x0, m_scopeNode = 0x2adce10a8480, m_function = 0x0, m_arguments = 0x0, m_activation = 0x0, m_localStorage = 0x2adce0285500, m_scopeChain = {_node = 0x2adce107d1b0}, m_inlineScopeChainNode = {next = 0x0, object = 0x0, refCount = 1}, m_variableObject = 0x2adce0f10000, m_thisValue = 0x2adce0f10000, m_labelStack = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, tos = 0x0}, m_iterationDepth = 1, m_switchDepth = 0, m_codeType = KJS::GlobalCode, m_completionType = KJS::Normal, m_breakOrContinueTarget = 0x2adcd553dd93}, <No data fields>} value = <value optimized out> globalObject = (class KJS::JSGlobalObject *) 0x2adce0f10000 sourceId = 2 errLine = -1 errMsg = {m_rep = {m_ptr = 0x2adcd5912f40}} thisObj = <value optimized out> #17 0x00002adcd522e7b3 in WebCore::KJSProxy::evaluate (this=0x2adce0235828, filename=@0x7fffd5ccc2f0, baseLine=105, str=<value optimized out>) at WebCore/bindings/js/kjs_proxy.cpp:86 exec = (class KJS::ExecState *) 0x2adce0285738 comp = {m_type = KJS::Break, m_value = 0x0} #18 0x00002adcd53bd8f1 in WebCore::FrameLoader::executeScript (this=0x2adce01f8400, url=@0x7fffd5ccc2f0, baseLine=105, script=@0x7fffd5ccc520) at WebCore/loader/FrameLoader.cpp:783 scriptProxy = <value optimized out> wasRunningScript = false result = <value optimized out> #19 0x00002adcd53865c9 in WebCore::HTMLTokenizer::scriptExecution (this=0x2adce0258400, str=@0x7fffd5ccc520, state={static EntityShift = <optimized out>, m_bits = 0}, scriptURL=<value optimized out>, baseLine=105) at WebCore/html/HTMLTokenizer.cpp:540 url = {m_impl = {m_ptr = 0x2adce02358a0}} savedPrependingSrc = (WebCore::SegmentedString *) 0x7fffd5ccc430 prependingSrc = {m_pushedChar1 = 0, m_pushedChar2 = 0, m_currentString = {m_length = 0, m_current = 0x0, m_string = {m_impl = {m_ptr = 0x0}}, m_doNotExcludeLineNumbers = true}, m_currentChar = 0x0, m_substrings = {m_start = 0, m_end = 0, m_buffer = {<WTF::VectorBufferBase<WebCore::SegmentedSubstring>> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_buffer = 0x0, m_capacity = 0}, <No data fields>}}, m_composite = false} #20 0x00002adcd5387685 in WebCore::HTMLTokenizer::scriptHandler (this=0x2adce0258400, state={static EntityShift = <optimized out>, m_bits = 4406}) at WebCore/html/HTMLTokenizer.cpp:480 doScriptExec = true followingFrameset = false cs = (class WebCore::CachedScript *) 0x0 scriptCode = {m_impl = {m_ptr = 0x2adce02957c8}} savedPrependingSrc = (WebCore::SegmentedString *) 0x0 prependingSrc = {m_pushedChar1 = 0, m_pushedChar2 = 0, m_currentString = {m_length = 0, m_current = 0x0, m_string = {m_impl = {m_ptr = 0x0}}, m_doNotExcludeLineNumbers = true}, m_currentChar = 0x0, m_substrings = {m_start = 0, m_end = 0, m_buffer = {<WTF::VectorBufferBase<WebCore::SegmentedSubstring>> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_buffer = 0x0, m_capacity = 0}, <No data fields>}}, m_composite = false} #21 0x00002adcd53884e2 in WebCore::HTMLTokenizer::parseSpecial (this=0x2adce0258400, src=@0x2adce0258e28, state={static EntityShift = <optimized out>, m_bits = 3586963952}) at WebCore/html/HTMLTokenizer.cpp:330 ch = 4412 #22 0x00002adcd538b09c in WebCore::HTMLTokenizer::write (this=0x2adce0258400, str=<value optimized out>, appendData=<value optimized out>) at WebCore/html/HTMLTokenizer.cpp:1669 cc = <value optimized out> source = {m_pushedChar1 = 0, m_pushedChar2 = 0, m_currentString = {m_length = 1555, m_current = 0x2adce02af100, m_string = {m_impl = {m_ptr = 0x2adce02957b0}}, m_doNotExcludeLineNumbers = true}, m_currentChar = 0x2adce02af100, m_substrings = {m_start = 0, m_end = 0, m_buffer = {<WTF::VectorBufferBase<WebCore::SegmentedSubstring>> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_buffer = 0x2adce01f7468, m_capacity = 0}, <No data fields>}}, m_composite = false} wasInWrite = false processedCount = 1 startTime = 1207687539.7916679 frame = (class WebCore::Frame *) 0x2adce01f9228 state = {static EntityShift = <optimized out>, m_bits = 4406} #23 0x00002adcd53abb17 in WebCore::FrameLoader::write (this=0x2adce01f8400, str=0x8892a6 "ult|charAt|_originalHeight|substring|Bottom|pairs|Function|add|collections|javascript|detect|findAll|entries|from|first|compact|keys|merge|present|toQueryString|getInputs|Msxml2|Microsoft|unregister|d"..., len=<value optimized out>, flush=false) at WebCore/loader/FrameLoader.cpp:1029 tokenizer = (WebCore::Tokenizer *) 0x2adce0258400 decoded = {m_impl = {m_ptr = 0x2adce02957b0}} #24 0x00002adcd539df59 in WebCore::DocumentLoader::commitLoad (this=0x2adce0218200, data=0x8892a6 "ult|charAt|_originalHeight|substring|Bottom|pairs|Function|add|collections|javascript|detect|findAll|entries|from|first|compact|keys|merge|present|toQueryString|getInputs|Msxml2|Microsoft|unregister|d"..., length=1555) at WebCore/loader/DocumentLoader.cpp:328 frameLoader = (WebCore::FrameLoader *) 0x0 #25 0x00002adcd53d3313 in WebCore::ResourceLoader::didReceiveData (this=0x7fffd5ccb990, data=0x8892a6 "ult|charAt|_originalHeight|substring|Bottom|pairs|Function|add|collections|javascript|detect|findAll|entries|from|first|compact|keys|merge|present|toQueryString|getInputs|Msxml2|Microsoft|unregister|d"..., length=1555, lengthReceived=0, allAtOnce=6) at WebCore/loader/ResourceLoader.cpp:234 No locals. #26 0x00002adcd53ce256 in WebCore::MainResourceLoader::didReceiveData (this=0x2adce026b400, data=0x7fffd5ccb9f0 "", length=4406, lengthReceived=6, allAtOnce=122) at WebCore/loader/MainResourceLoader.cpp:296 No locals. #27 0x00002adcd54ed477 in writeCallback (ptr=0x8892a6, size=<value optimized out>, nmemb=<value optimized out>, data=<value optimized out>) at WebCore/platform/network/curl/ResourceHandleManager.cpp:126 job = (class WebCore::ResourceHandle *) 0x2adce024c910 d = (class WebCore::ResourceHandleInternal *) 0x2adce024fc00 totalSize = 1555 h = (CURL *) 0x888000 httpCode = 200 err = <value optimized out> #28 0x00002adcd89fc6a8 in ?? () from /usr/lib/libcurl-gnutls.so.4 No symbol table info available. #29 0x00002adcd8a11b5e in ?? () from /usr/lib/libcurl-gnutls.so.4 No symbol table info available. #30 0x00002adcd8a0e71d in ?? () from /usr/lib/libcurl-gnutls.so.4 No symbol table info available. #31 0x00002adcd8a13b1c in ?? () from /usr/lib/libcurl-gnutls.so.4 No symbol table info available. #32 0x00002adcd8a1448b in curl_multi_perform () from /usr/lib/libcurl-gnutls.so.4 No symbol table info available. #33 0x00002adcd54eeea0 in WebCore::ResourceHandleManager::downloadTimerCallback (this=0x2adce026dd80, timer=<value optimized out>) at WebCore/platform/network/curl/ResourceHandleManager.cpp:308 fdread = {fds_bits = {64, 0 <repeats 15 times>}} fdwrite = {fds_bits = {0 <repeats 16 times>}} fdexcep = {fds_bits = {0 <repeats 16 times>}} maxfd = 6 timeout = {tv_sec = 0, tv_usec = 5000} rc = 1 runningHandles = 0 started = <value optimized out> #34 0x00002adcd5449493 in WebCore::TimerBase::fireTimers (fireTime=1207687539.7912109, firingTimers=@0x7fffd5ccce60) at WebCore/platform/Timer.cpp:347 timer = (class WebCore::TimerBase *) 0x2adce026dd80 interval = <value optimized out> i = 0 #35 0x00002adcd544954b in WebCore::TimerBase::sharedTimerFired () at WebCore/platform/Timer.cpp:368 fireTime = 1207687539.7912109 firingTimers = {m_size = 1, m_buffer = {<WTF::VectorBufferBase<WebCore::TimerBase*>> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_buffer = 0x2adce0298d00, m_capacity = 16}, <No data fields>}} firingTimersSet = {m_impl = {static m_minTableSize = <optimized out>, static m_maxLoad = <optimized out>, static m_minLoad = <optimized out>, m_table = 0x2adce0202600, m_tableSize = 64, m_tableSizeMask = 63, m_keyCount = 0, m_deletedCount = 1}} #36 0x00002adcd516dba2 in timeout_cb () at WebCore/platform/gtk/SharedTimerGtk.cpp:48 No locals. #37 0x00002adcd66e60b2 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0 No symbol table info available. #38 0x00002adcd66e9356 in ?? () from /usr/lib/libglib-2.0.so.0 No symbol table info available. #39 0x00002adcd66e9617 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0 No symbol table info available. #40 0x00002adcd5ff6b63 in IA__gtk_main () at /build/buildd/gtk+2.0-2.12.9/gtk/gtkmain.c:1163 tmp_list = (GList *) 0x62a8b0 functions = (GList *) 0x0 init = (GtkInitFunction *) 0x661280 loop = (GMainLoop *) 0x884460 #41 0x0000000000401eab in main (argc=2, argv=0x7fffd5ccd178) at WebKitTools/GtkLauncher/main.c:200 vbox = (GtkWidget *) 0x62a8b0 uri = <value optimized out> 76710 3 mh+webkit 2008-04-09 05:05:38 -0700 This *doesn't* happen with the Qt port. 76739 4 mh+webkit 2008-04-09 10:21:01 -0700 It doesn't happen on x86 77114 5 mrowe 2008-04-09 18:07:34 -0700 This is probably the same underlying problem as bug 18367. 77188 6 mh+webkit 2008-04-10 13:06:53 -0700 *** This bug has been marked as a duplicate of 18367 ***