18369 2008-04-08 13:23:45 -0700 Crash during sunspider date-format-tofte 2008-04-10 13:06:26 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) PC Linux RESOLVED DUPLICATE 18367 P2 Major --- 0 mh+webkit webkit-unassigned oldest_to_newest 76636 0 mh+webkit 2008-04-08 13:23:45 -0700 I spotted a crash during sunspider string-unpack-code test (http://webkit.org/perf/sunspider-0.9/date-format-tofte.html) on amd64 (not tested anywhere else), confirmed on r31722. The full backtrace is as follows: [Thread debugging using libthread_db enabled] [New Thread 0x2b1458c8bec0 (LWP 3910)] 0x00002b144f5caea5 in waitpid () from /lib/libpthread.so.0 #0 0x00002b144f5caea5 in waitpid () from /lib/libpthread.so.0 #1 0x00002b14503894f6 in g_spawn_sync () from /usr/lib/libglib-2.0.so.0 #2 0x00002b1450389808 in g_spawn_command_line_sync () from /usr/lib/libglib-2.0.so.0 #3 0x00002b14596054b3 in ?? () from /usr/lib/gtk-2.0/modules/libgnomebreakpad.so #4 <signal handler called> #5 0x00002b144f1a7a4a in KJS::PropertyMap::insert () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #6 0x00002b144f1ae25c in KJS::PropertyMap::createTable () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #7 0x00002b144f1b8764 in KJS::PropertyMap::put () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #8 0x00002b144f1fa5c8 in KJS::FunctionBodyNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #9 0x00002b144f1fa94f in KJS::FunctionImp::callAsFunction () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #10 0x00002b144f1d0e49 in KJS::JSObject::call () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #11 0x00002b144f1e4ae3 in KJS::FunctionCallDotNode::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #12 0x00002b144f1dbe2e in KJS::AssignLocalVarNode::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #13 0x00002b144f1d8d8e in KJS::VarStatementNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #14 0x00002b144f1a746a in KJS::BlockNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #15 0x00002b144f1d89b9 in KJS::ForNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #16 0x00002b144f1a746a in KJS::BlockNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #17 0x00002b144f1fa2c0 in KJS::ProgramNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #18 0x00002b144f1fb9c3 in KJS::Interpreter::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #19 0x00002b144ee9e7b3 in WebCore::KJSProxy::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #20 0x00002b144f02d8f1 in WebCore::FrameLoader::executeScript () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #21 0x00002b144eff65c9 in WebCore::HTMLTokenizer::scriptExecution () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #22 0x00002b144eff7685 in WebCore::HTMLTokenizer::scriptHandler () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #23 0x00002b144eff84e2 in WebCore::HTMLTokenizer::parseSpecial () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #24 0x00002b144effa3e2 in WebCore::HTMLTokenizer::parseTag () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #25 0x00002b144effb20f in WebCore::HTMLTokenizer::write () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #26 0x00002b144effb715 in WebCore::HTMLTokenizer::notifyFinished () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #27 0x00002b144f00b60c in WebCore::CachedScript::checkNotify () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #28 0x00002b144f00b942 in WebCore::CachedScript::data () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #29 0x00002b144f03bd7c in WebCore::Loader::Host::didFinishLoading () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #30 0x00002b144f047213 in WebCore::SubresourceLoader::didFinishLoading () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #31 0x00002b144f15ef24 in WebCore::ResourceHandleManager::downloadTimerCallback () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #32 0x00002b144f0b9493 in WebCore::TimerBase::fireTimers () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #33 0x00002b144f0b954b in WebCore::TimerBase::sharedTimerFired () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #34 0x00002b144edddba2 in WebCore::timeout_cb () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #35 0x00002b14503560b2 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0 #36 0x00002b1450359356 in ?? () from /usr/lib/libglib-2.0.so.0 #37 0x00002b1450359617 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0 #38 0x00002b144fc66b63 in IA__gtk_main () at /build/buildd/gtk+2.0-2.12.9/gtk/gtkmain.c:1163 #39 0x0000000000401eab in main () 76637 1 mh+webkit 2008-04-08 13:37:54 -0700 FWIW, building without -O2 leads to a webkit that doesn't crash 76640 2 mh+webkit 2008-04-08 13:45:23 -0700 Better backtrace: Thread 1 (Thread 0x2aaccdc4cec0 (LWP 31369)): #0 0x00002aacc458bea5 in waitpid () from /lib/libpthread.so.0 No symbol table info available. #1 0x00002aacc534a4f6 in g_spawn_sync () from /usr/lib/libglib-2.0.so.0 No symbol table info available. #2 0x00002aacc534a808 in g_spawn_command_line_sync () from /usr/lib/libglib-2.0.so.0 No symbol table info available. #3 0x00002aacce5c64b3 in ?? () from /usr/lib/gtk-2.0/modules/libgnomebreakpad.so No symbol table info available. #4 <signal handler called> No symbol table info available. #5 KJS::PropertyMap::insert (this=0x2aaccfc8fe88, entry=@0x7fffe7099cf0) at JavaScriptCore/kjs/ustring.h:101 i = <value optimized out> entryIndex = <value optimized out> #6 0x00002aacc416f25c in KJS::PropertyMap::createTable (this=0x2aaccfc8fe88) at JavaScriptCore/kjs/property_map.cpp:513 oldSingleEntryValue = (class KJS::JSValue *) 0x0 #7 0x00002aacc4179764 in KJS::PropertyMap::put (this=0x2aaccfc8fe88, name=@0x7fffe7099cf0, value=0x2aaccfb4fe80, attributes=8, checkReadOnly=false) at JavaScriptCore/kjs/property_map.cpp:366 rep = (KJS::UString::Rep *) 0x2aacceec3f00 i = <value optimized out> k = <value optimized out> foundDeletedElement = <value optimized out> deletedElementIndex = <value optimized out> entryIndex = <value optimized out> #8 0x00002aacc41bb5c8 in KJS::FunctionBodyNode::execute (this=0x2aaccef196c0, exec=0x7fffe7099dd0) at JavaScriptCore/kjs/nodes.cpp:4938 No locals. #9 0x00002aacc41bb94f in KJS::FunctionImp::callAsFunction (this=0x2aaccfb41740, exec=0x7fffe709a170, thisObj=<value optimized out>, args=<value optimized out>) at JavaScriptCore/kjs/function.cpp:77 newExec = {<KJS::ExecState> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_globalObject = 0x2aaccfb40000, m_exception = 0x0, m_propertyNames = 0x2aacceec6dc0, m_emptyList = 0x2aacc456bbe0, m_callingExec = 0x7fffe709a170, m_scopeNode = 0x2aaccef196c0, m_function = 0x2aaccfb41740, m_arguments = 0x7fffe7099ee0, m_activation = 0x2aaccfc8fa40, m_localStorage = 0x2aaccfc0a480, m_scopeChain = {_node = 0x2aaccfbfd870}, m_inlineScopeChainNode = { next = 0x0, object = 0x0, refCount = 1}, m_variableObject = 0x2aaccfc8fa40, m_thisValue = 0x2aaccfb41800, m_labelStack = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, tos = 0x0}, m_iterationDepth = 0, m_switchDepth = 0, m_codeType = KJS::FunctionCode, m_completionType = 10924, m_breakOrContinueTarget = 0x2aacc41873fa}, <No data fields>} result = <value optimized out> #10 0x00002aacc4191e49 in KJS::JSObject::call (this=0x2aaccfc8fe88, exec=0x2aaccfc17dc0, thisObj=0xffffffffffffffeb, args=@0x2aaccfc17eec) at JavaScriptCore/kjs/object.cpp:96 ret = (class KJS::JSValue *) 0xffffffffffffffeb depth = 1 #11 0x00002aacc41a5ae3 in KJS::FunctionCallDotNode::evaluate (this=0x2aaccef1b848, exec=0x7fffe709a170) at JavaScriptCore/kjs/nodes.cpp:1500 No locals. #12 0x00002aacc419ce2e in KJS::AssignLocalVarNode::evaluate (this=0x2aaccef1b820, exec=0x7fffe7099cf0) at JavaScriptCore/kjs/nodes.cpp:3559 v = <value optimized out> #13 0x00002aacc4199d8e in KJS::VarStatementNode::execute (this=0x2aaccef1b7f8, exec=0x7fffe7099cf0) at JavaScriptCore/kjs/nodes.cpp:4014 No locals. #14 0x00002aacc416846a in KJS::BlockNode::execute (this=0x2aaccef1f6c8, exec=0x7fffe709a170) at JavaScriptCore/kjs/nodes.cpp:3951 No locals. #15 0x00002aacc41999b9 in KJS::ForNode::execute (this=0x2aaccee2c4c8, exec=0x7fffe709a170) at JavaScriptCore/kjs/nodes.cpp:4164 b = <value optimized out> statementValue = (class KJS::JSValue *) 0x2aaccfb50620 value = (class KJS::JSValue *) 0x2aaccfb50620 #16 0x00002aacc416846a in KJS::BlockNode::execute (this=0x2aaccef19480, exec=0x7fffe709a170) at JavaScriptCore/kjs/nodes.cpp:3951 No locals. #17 0x00002aacc41bb2c0 in KJS::ProgramNode::execute (this=0x2aaccef19480, exec=0x7fffe709a170) at JavaScriptCore/kjs/nodes.cpp:4883 No locals. #18 0x00002aacc41bc9c3 in KJS::Interpreter::evaluate (exec=0x2aacceec5c38, sourceURL=@0x7fffe709a3a0, startingLineNumber=36, code=0x2aacceee8000, codeLength=<value optimized out>, thisV=0x0) at JavaScriptCore/kjs/interpreter.cpp:103 newExec = {<KJS::ExecState> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_globalObject = 0x2aaccfb40000, m_exception = 0x0, m_propertyNames = 0x2aacceec6dc0, m_emptyList = 0x2aacc456bbe0, m_callingExec = 0x0, m_scopeNode = 0x2aaccef19480, m_function = 0x0, m_arguments = 0x0, m_activation = 0x0, m_localStorage = 0x2aacceec5a00, m_scopeChain = {_node = 0x2aaccef1d270}, m_inlineScopeChainNode = {next = 0x0, object = 0x0, refCount = 1}, m_variableObject = 0x2aaccfb40000, m_thisValue = 0x2aaccfb40000, m_labelStack = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, tos = 0x0}, m_iterationDepth = 1, m_switchDepth = 0, m_codeType = KJS::GlobalCode, m_completionType = KJS::Normal, m_breakOrContinueTarget = 0x2aacc416ed93}, <No data fields>} value = <value optimized out> globalObject = (class KJS::JSGlobalObject *) 0x2aaccfb40000 sourceId = 2 errLine = -1 errMsg = {m_rep = {m_ptr = 0x2aacc4543f40}} thisObj = <value optimized out> #19 0x00002aacc3e5f7b3 in WebCore::KJSProxy::evaluate (this=0x2aaccee66828, filename=@0x7fffe709a660, baseLine=36, str=<value optimized out>) at WebCore/bindings/js/kjs_proxy.cpp:86 exec = (class KJS::ExecState *) 0x2aacceec5c38 comp = {m_type = 3876168596, m_value = 0x2aacc416ebda} #20 0x00002aacc3fee8f1 in WebCore::FrameLoader::executeScript (this=0x2aaccee29400, url=@0x7fffe709a660, baseLine=36, script=@0x7fffe709a890) at WebCore/loader/FrameLoader.cpp:783 scriptProxy = <value optimized out> wasRunningScript = false result = <value optimized out> #21 0x00002aacc3fb75c9 in WebCore::HTMLTokenizer::scriptExecution (this=0x2aaccee89400, str=@0x7fffe709a890, state={static EntityShift = <optimized out>, m_bits = 0}, scriptURL=<value optimized out>, baseLine=36) at WebCore/html/HTMLTokenizer.cpp:540 url = {m_impl = {m_ptr = 0x2aaccee668a0}} savedPrependingSrc = (WebCore::SegmentedString *) 0x7fffe709a7a0 prependingSrc = {m_pushedChar1 = 0, m_pushedChar2 = 0, m_currentString = {m_length = 0, m_current = 0x0, m_string = {m_impl = {m_ptr = 0x0}}, m_doNotExcludeLineNumbers = true}, m_currentChar = 0x0, m_substrings = {m_start = 0, m_end = 0, m_buffer = {<WTF::VectorBufferBase<WebCore::SegmentedSubstring>> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_buffer = 0x0, m_capacity = 0}, <No data fields>}}, m_composite = false} #22 0x00002aacc3fb8685 in WebCore::HTMLTokenizer::scriptHandler (this=0x2aaccee89400, state={static EntityShift = <optimized out>, m_bits = 4294967275}) at WebCore/html/HTMLTokenizer.cpp:480 doScriptExec = true followingFrameset = false cs = (class WebCore::CachedScript *) 0x0 scriptCode = {m_impl = {m_ptr = 0x2aacceec0858}} savedPrependingSrc = (WebCore::SegmentedString *) 0x0 prependingSrc = {m_pushedChar1 = 0, m_pushedChar2 = 0, m_currentString = {m_length = 0, m_current = 0x0, m_string = {m_impl = {m_ptr = 0x0}}, m_doNotExcludeLineNumbers = true}, m_currentChar = 0x0, m_substrings = {m_start = 0, m_end = 0, m_buffer = {<WTF::VectorBufferBase<WebCore::SegmentedSubstring>> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_buffer = 0x0, m_capacity = 0}, <No data fields>}}, m_composite = false} #23 0x00002aacc3fb94e2 in WebCore::HTMLTokenizer::parseSpecial (this=0x2aaccee89400, src=@0x2aaccee89e28, state={static EntityShift = <optimized out>, m_bits = 3876166896}) at WebCore/html/HTMLTokenizer.cpp:330 ch = 15 #24 0x00002aacc3fbb3e2 in WebCore::HTMLTokenizer::parseTag (this=0x2aaccee89400, src=@0x2aaccee89e28, state={static EntityShift = <optimized out>, m_bits = 4294967275}) at WebCore/html/HTMLTokenizer.cpp:1546 isSelfClosingScript = false beginTag = true cBufferPos = 0 lastIsSlash = false #25 0x00002aacc3fbc20f in WebCore::HTMLTokenizer::write (this=0x2aaccee89400, str=<value optimized out>, appendData=<value optimized out>) at WebCore/html/HTMLTokenizer.cpp:1727 cc = <value optimized out> source = {m_pushedChar1 = 0, m_pushedChar2 = 0, m_currentString = {m_length = 943, m_current = 0x2aacceea741a, m_string = {m_impl = {m_ptr = 0x2aaccee41de0}}, m_doNotExcludeLineNumbers = true}, m_currentChar = 0x2aacceea741a, m_substrings = {m_start = 0, m_end = 3, m_buffer = {<WTF::VectorBufferBase<WebCore::SegmentedSubstring>> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_buffer = 0x2aacceea3000, m_capacity = 16}, <No data fields>}}, m_composite = true} wasInWrite = false processedCount = 3 startTime = 1207687430.971595 frame = (class WebCore::Frame *) 0x2aaccee2a228 state = {static EntityShift = <optimized out>, m_bits = 4294967275} #26 0x00002aacc3fbc715 in WebCore::HTMLTokenizer::notifyFinished (this=0x2aaccee89400) at WebCore/html/HTMLTokenizer.cpp:2008 rest = {m_pushedChar1 = 0, m_pushedChar2 = 0, m_currentString = {m_length = 943, m_current = 0x2aacceea741a, m_string = {m_impl = {m_ptr = 0x2aaccee41de0}}, m_doNotExcludeLineNumbers = true}, m_currentChar = 0x2aacceea741a, m_substrings = {m_start = 0, m_end = 3, m_buffer = {<WTF::VectorBufferBase<WebCore::SegmentedSubstring>> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_buffer = 0x2aacceea3200, m_capacity = 16}, <No data fields>}}, m_composite = true} cs = (class WebCore::CachedScript *) 0x2aaccee6bdc0 scriptSource = {m_impl = {m_ptr = 0x2aacceec00f0}} cachedScriptUrl = {m_impl = {m_ptr = 0x2aaccee66e10}} #27 0x00002aacc3fcc60c in WebCore::CachedScript::checkNotify (this=0x2aaccee6bdc0) at WebCore/loader/CachedScript.cpp:95 c = (class WebCore::CachedResourceClient *) 0xffffffffffffffeb w = {m_clientSet = @0x2aaccee6bdc8, m_clientVector = {m_size = 1, m_buffer = {<WTF::VectorBufferBase<WebCore::CachedResourceClient*>> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_buffer = 0x2aaccee28478, m_capacity = 1}, <No data fields>}}, m_index = 1} #28 0x00002aacc3fcc942 in WebCore::CachedScript::data (this=0x2aaccee6bdc0, data=<value optimized out>, allDataReceived=<value optimized out>) at WebCore/loader/CachedScript.cpp:85 No locals. #29 0x00002aacc3ffcd7c in WebCore::Loader::Host::didFinishLoading (this=0x2aaccee2fc60, loader=0x2aacceeaaa00) at WebCore/loader/loader.cpp:268 request = (class WebCore::Request *) 0x2aacceea9540 docLoader = (class WebCore::DocLoader *) 0x2aaccee2fea0 resource = (class WebCore::CachedResource *) 0x2aaccee6bdc0 #30 0x00002aacc4008213 in WebCore::SubresourceLoader::didFinishLoading (this=0x2aacceeaaa00) at WebCore/loader/SubresourceLoader.cpp:193 No locals. #31 0x00002aacc411ff24 in WebCore::ResourceHandleManager::downloadTimerCallback (this=0x2aaccee9ed80, timer=<value optimized out>) at WebCore/platform/network/curl/ResourceHandleManager.cpp:340 msg = (CURLMsg *) 0x8aae00 handle = <value optimized out> job = (class WebCore::ResourceHandle *) 0x7fffe7099cf0 messagesInQueue = 0 d = <value optimized out> fdread = {fds_bits = {384, 0 <repeats 15 times>}} fdwrite = {fds_bits = {0 <repeats 16 times>}} fdexcep = {fds_bits = {0 <repeats 16 times>}} maxfd = 8 timeout = {tv_sec = 0, tv_usec = 5000} rc = <value optimized out> runningHandles = 0 started = <value optimized out> #32 0x00002aacc407a493 in WebCore::TimerBase::fireTimers (fireTime=1207687430.9692769, firingTimers=@0x7fffe709b200) at WebCore/platform/Timer.cpp:347 timer = (class WebCore::TimerBase *) 0x2aaccee9ed80 interval = <value optimized out> i = 0 #33 0x00002aacc407a54b in WebCore::TimerBase::sharedTimerFired () at WebCore/platform/Timer.cpp:368 fireTime = 1207687430.9692769 firingTimers = {m_size = 1, m_buffer = {<WTF::VectorBufferBase<WebCore::TimerBase*>> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_buffer = 0x2aaccee59380, m_capacity = 16}, <No data fields>}} firingTimersSet = {m_impl = {static m_minTableSize = <optimized out>, static m_maxLoad = <optimized out>, static m_minLoad = <optimized out>, m_table = 0x2aaccee33600, m_tableSize = 64, m_tableSizeMask = 63, m_keyCount = 0, m_deletedCount = 1}} #34 0x00002aacc3d9eba2 in timeout_cb () at WebCore/platform/gtk/SharedTimerGtk.cpp:48 No locals. #35 0x00002aacc53177db in ?? () from /usr/lib/libglib-2.0.so.0 No symbol table info available. #36 0x00002aacc53170b2 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0 No symbol table info available. #37 0x00002aacc531a356 in ?? () from /usr/lib/libglib-2.0.so.0 No symbol table info available. #38 0x00002aacc531a617 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0 No symbol table info available. #39 0x00002aacc4c27b63 in IA__gtk_main () at /build/buildd/gtk+2.0-2.12.9/gtk/gtkmain.c:1163 tmp_list = (GList *) 0x62a8b0 functions = (GList *) 0x0 init = (GtkInitFunction *) 0x661280 loop = (GMainLoop *) 0x884460 #40 0x0000000000401eab in main (argc=2, argv=0x7fffe709b548) at WebKitTools/GtkLauncher/main.c:200 vbox = (GtkWidget *) 0x62a8b0 uri = <value optimized out> 76708 3 mh+webkit 2008-04-09 04:39:47 -0700 FWIW, this one still occurs when building with -O1 -fno-defer-pop -fno-delayed-branch -fno-guess-branch-probability -fno-cprop-registers -fno-if-conversion -fno-if-conversion2 -fno-tree-ccp -fno-tree-dce -fno-tree-dominator-opts -fno-tree-dse -fno-tree-ter -fno-tree-lrs -fno-tree-sra -fno-tree-copyrename -fno-tree-fre -fno-tree-ch -fno-unit-at-a-time -fno-merge-constants while bugs 18366 to 18368 don't. (See http://bugs.webkit.org/show_bug.cgi?id=18366#c3) 76709 4 mh+webkit 2008-04-09 05:05:08 -0700 This also happens with the Qt port. 76730 5 mh+webkit 2008-04-09 09:16:09 -0700 I bisected this to be a regression introduced in r30040 76740 6 mh+webkit 2008-04-09 10:21:06 -0700 It doesn't happen on x86 77186 7 mh+webkit 2008-04-10 13:06:26 -0700 *** This bug has been marked as a duplicate of 18367 ***