27764 2009-07-28 06:40:25 -0700 Application using webkit crashes opn debug compilation 2010-10-28 06:11:38 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) PC Linux RESOLVED WORKSFORME P2 Normal --- 0 luka.napotnik webkit-unassigned ossy xan.lopez oldest_to_newest 135179 0 luka.napotnik 2009-07-28 06:40:25 -0700 I've compiled webkit with the following configure flags: --prefix=/usr --enable-debug --disable-optimizations. git sha1 is 3f36fc466ba6817716310998f3dcef96161068bd While the Gtk+ program that uses webkit worked if compiling without the --enable-debug and --disable-optimizations flags, it now crashes, producing the following backtrace when tryinig to visit google.com: Program received signal SIGSEGV, Segmentation fault. 0x00007f2d6a1b43cc in JSC::JIT::compileGetByIdSlowCase (this=0x7fff73dfe400, resultVReg=1, baseVReg=-16, ident=0x2e32b48, iter=@0x7fff73dfe1c0, propertyAccessInstructionIndex=8, isMethodCheck=false) at JavaScriptCore/jit/JITPropertyAccess.cpp:335 335 ASSERT(differenceBetween(coldPathBegin, call) == patchOffsetGetByIdSlowCaseCall); (gdb) bt #0 0x00007f2d6a1b43cc in JSC::JIT::compileGetByIdSlowCase (this=0x7fff73dfe400, resultVReg=1, baseVReg=-16, ident=0x2e32b48, iter=@0x7fff73dfe1c0, propertyAccessInstructionIndex=8, isMethodCheck=false) at JavaScriptCore/jit/JITPropertyAccess.cpp:335 #1 0x00007f2d6a1b4486 in JSC::JIT::emitSlow_op_get_by_id (this=0x7fff73dfe400, currentInstruction=0x2e343c0, iter=@0x7fff73dfe1c0) at JavaScriptCore/jit/JITPropertyAccess.cpp:313 #2 0x00007f2d6a1a02c7 in JSC::JIT::privateCompileSlowCases (this=0x7fff73dfe400) at JavaScriptCore/jit/JIT.cpp:350 #3 0x00007f2d6a1a22b9 in JSC::JIT::privateCompile (this=0x7fff73dfe400) at JavaScriptCore/jit/JIT.cpp:425 #4 0x00007f2d6a1e1821 in JSC::JIT::compile (globalData=0x2dfd410, codeBlock=0x2e15ac0) at ./JavaScriptCore/jit/JIT.h:339 #5 0x00007f2d6a266783 in JSC::ProgramNode::generateJITCode (this=0x2e15710, scopeChainNode=0x2e00640) at JavaScriptCore/parser/Nodes.cpp:1908 #6 0x00007f2d6a1f4f68 in JSC::ProgramNode::jitCode (this=0x2e15710, scopeChain=0x2e00640) at ./JavaScriptCore/parser/Nodes.h:1487 #7 0x00007f2d6a1e5c54 in JSC::Interpreter::execute (this=0x2dffcc0, programNode=0x2e15710, callFrame=0x2e00388, scopeChain=0x2e00640, thisObj=0x7f2d5bac0000, exception=0x7fff73dfe810) at JavaScriptCore/interpreter/Interpreter.cpp:630 #8 0x00007f2d6a296667 in JSC::evaluate (exec=0x2e00388, scopeChain=@0x2e00340, source=@0x7fff73dfee58, thisValue={m_ptr = 0x7f2d5bac0000}) at JavaScriptCore/runtime/Completion.cpp:67 #9 0x00007f2d6a343b89 in WebCore::ScriptController::evaluate (this=0x1918948, sourceCode=@0x7fff73dfee50) at WebCore/bindings/js/ScriptController.cpp:114 #10 0x00007f2d6a60fcf6 in WebCore::FrameLoader::executeScript (this=0x1918540, sourceCode=@0x7fff73dfee50) at WebCore/loader/FrameLoader.cpp:765 #11 0x00007f2d6a598f0a in WebCore::HTMLTokenizer::scriptExecution (this=0x194a3d0, sourceCode=@0x7fff73dfee50, state={static EntityShift = 4, m_bits = 0}) at WebCore/html/HTMLTokenizer.cpp:561 #12 0x00007f2d6a599bd1 in WebCore::HTMLTokenizer::scriptHandler (this=0x194a3d0, state={static EntityShift = 4, m_bits = 0}) at WebCore/html/HTMLTokenizer.cpp:503 #13 0x00007f2d6a59a36c in WebCore::HTMLTokenizer::parseNonHTMLText (this=0x194a3d0, src=@0x194ae70, state={static EntityShift = 4, m_bits = 128}) at WebCore/html/HTMLTokenizer.cpp:350 #14 0x00007f2d6a59d30f in WebCore::HTMLTokenizer::write (this=0x194a3d0, str=@0x7fff73dff110, appendData=true) at WebCore/html/HTMLTokenizer.cpp:1690 #15 0x00007f2d6a60eda5 in WebCore::FrameLoader::write (this=0x1918540, str=0x7fff73dff940 "p,500)};\nwindow._gjp && _gjp()</script><style>td{line-height:.8em;}.gac_m td{line-height:17px;}form{margin-bottom:20px;}body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#36c}.q{color:#00c}.ts td{p"..., len=3040, flush=false) at WebCore/loader/FrameLoader.cpp:1020 #16 0x00007f2d6a60eed9 in WebCore::FrameLoader::addData (this=0x1918540, bytes=0x7fff73dff940 "p,500)};\nwindow._gjp && _gjp()</script><style>td{line-height:.8em;}.gac_m td{line-height:17px;}form{margin-bottom:20px;}body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#36c}.q{color:#00c}.ts td{p"..., length=3040) at WebCore/loader/FrameLoader.cpp:1780 #17 0x00007f2d6a166127 in WebKit::FrameLoaderClient::committedLoad (this=0x1916a40, loader=0x2dbf400, data=0x7fff73dff940 "p,500)};\nwindow._gjp && _gjp()</script><style>td{line-height:.8em;}.gac_m td{line-height:17px;}form{margin-bottom:20px;}body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#36c}.q{color:#00c}.ts td{p"..., length=3040) at WebKit/gtk/WebCoreSupport/FrameLoaderClientGtk.cpp:141 #18 0x00007f2d6a6060a6 in WebCore::FrameLoader::committedLoad (this=0x1918540, loader=0x2dbf400, data=0x7fff73dff940 "p,500)};\nwindow._gjp && _gjp()</script><style>td{line-height:.8em;}.gac_m td{line-height:17px;}form{margin-bottom:20px;}body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#36c}.q{color:#00c}.ts td{p"..., length=3040) at WebCore/loader/FrameLoader.cpp:3610 #19 0x00007f2d6a5f0bb7 in WebCore::DocumentLoader::commitLoad (this=0x2dbf400, data=0x7fff73dff940 "p,500)};\nwindow._gjp && _gjp()</script><style>td{line-height:.8em;}.gac_m td{line-height:17px;}form{margin-bottom:20px;}body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#36c}.q{color:#00c}.ts td{p"..., length=3040) at WebCore/loader/DocumentLoader.cpp:361 #20 0x00007f2d6a5f0c10 in WebCore::DocumentLoader::receivedData (this=0x2dbf400, data=0x7fff73dff940 "p,500)};\nwindow._gjp && _gjp()</script><style>td{line-height:.8em;}.gac_m td{line-height:17px;}form{margin-bottom:20px;}body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#36c}.q{color:#00c}.ts td{p"..., length=3040) at WebCore/loader/DocumentLoader.cpp:373 ---Type <return> to continue, or q <return> to quit--- #21 0x00007f2d6a609a5d in WebCore::FrameLoader::receivedData (this=0x1918540, data=0x7fff73dff940 "p,500)};\nwindow._gjp && _gjp()</script><style>td{line-height:.8em;}.gac_m td{line-height:17px;}form{margin-bottom:20px;}body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#36c}.q{color:#00c}.ts td{p"..., length=3040) at WebCore/loader/FrameLoader.cpp:2432 #22 0x00007f2d6a61faae in WebCore::MainResourceLoader::addData (this=0x2dc3c10, data=0x7fff73dff940 "p,500)};\nwindow._gjp && _gjp()</script><style>td{line-height:.8em;}.gac_m td{line-height:17px;}form{margin-bottom:20px;}body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#36c}.q{color:#00c}.ts td{p"..., length=3040, allAtOnce=false) at WebCore/loader/MainResourceLoader.cpp:148 #23 0x00007f2d6a626f2a in WebCore::ResourceLoader::didReceiveData (this=0x2dc3c10, data=0x7fff73dff940 "p,500)};\nwindow._gjp && _gjp()</script><style>td{line-height:.8em;}.gac_m td{line-height:17px;}form{margin-bottom:20px;}body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#36c}.q{color:#00c}.ts td{p"..., length=3040, lengthReceived=0, allAtOnce=false) at WebCore/loader/ResourceLoader.cpp:257 #24 0x00007f2d6a61eb7c in WebCore::MainResourceLoader::didReceiveData (this=0x2dc3c10, data=0x7fff73dff940 "p,500)};\nwindow._gjp && _gjp()</script><style>td{line-height:.8em;}.gac_m td{line-height:17px;}form{margin-bottom:20px;}body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#36c}.q{color:#00c}.ts td{p"..., length=3040, lengthReceived=0, allAtOnce=false) at WebCore/loader/MainResourceLoader.cpp:360 #25 0x00007f2d6a626335 in WebCore::ResourceLoader::didReceiveData (this=0x2dc3c10, data=0x7fff73dff940 "p,500)};\nwindow._gjp && _gjp()</script><style>td{line-height:.8em;}.gac_m td{line-height:17px;}form{margin-bottom:20px;}body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#36c}.q{color:#00c}.ts td{p"..., length=3040, lengthReceived=0) at WebCore/loader/ResourceLoader.cpp:411 #26 0x00007f2d6aa13d3d in gotChunkCallback (msg=0x2dc28e0, chunk=0x2dd2040, data=0x2dbe320) at WebCore/platform/network/soup/ResourceHandleSoup.cpp:303 135514 1 luka.napotnik 2009-07-29 00:53:51 -0700 Here is the values of local variables in JSC::JIT::compileGetByIdSlowCase() (gdb) info locals coldPathBegin = {m_label = {m_offset = 3223, m_used = false}} stubCall = {m_jit = 0x7fff92e50220, m_stub = 0x7fea89215045, m_returnType = JSC::JITStubCall::Value, m_argumentIndex = 3} call = {m_jmp = {m_offset = 3261}, m_flags = JSC::AbstractMacroAssembler<JSC::X86Assembler>::Call::Linkable} __PRETTY_FUNCTION__ = "void JSC::JIT::compileGetByIdSlowCase(int, int, JSC::Identifier*, JSC::SlowCaseEntry*&, unsigned int, bool)" 135535 2 luka.napotnik 2009-07-29 02:27:44 -0700 I think the currentInstruction is messed up in JIT::emitSlow_op_get_by_id(). The baseVReg variable is 4294967280. This function is called by JSC::JIT::privateCompileSlowCases() 224926 3 ossy 2010-05-12 14:57:27 -0700 Is this bug still valid or can we close it? 301022 4 xan.lopez 2010-10-28 06:11:38 -0700 Works fine here. Please reopen if you can still reproduce with ToT.