Bug 122678

Summary: [GTK] [Stable] Crashes inside JavaScriptCore with SIGTRAP on various websites
Product: WebKit
Reporter: Sebastian Dröge (slomo) <slomo>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: changseok, gustavo, svillar, zan
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified

Description Sebastian Dröge (slomo) 2013-10-11 14:22:05 PDT
Hi,

webkitgtk 2.2.0 from Debian/experimental crashes on various websites inside JavaScriptCore somewhere. It's always reproducible on these for example:
https://assets.mozillalabs.com/Graphics/Wallpapers/Mozilla-is-my-Dinosaur/
http://www.amnesty.org

But it also happens on Twitter every now and then and others too. Below is the backtrace with Midori (using the WK1 API), but it also happens with epiphany (using the WK2 API) where it then just kills the web process.

Backtraces are different depending on the website but always somehow related to JavaScriptCore and having lots of unknown addresses on the callstack.

Program received signal SIGTRAP, Trace/breakpoint trap.
0x00007fffa56d5a14 in ?? ()
(gdb) thread apply all bt

Thread 16 (Thread 0x7fff65ffb700 (LWP 1168)):
#0  pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:238
#1  0x00007ffff79116f5 in g_cond_wait_until (cond=cond@entry=0x7fff90007608, 
    mutex=mutex@entry=0x7fff90007600, end_time=end_time@entry=51383921248)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gthread-posix.c:876
#2  0x00007ffff78a7c51 in g_async_queue_pop_intern_unlocked (
    queue=0x7fff90007600, wait=wait@entry=1, end_time=51383921248)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gasyncqueue.c:424
#3  0x00007ffff78a8218 in g_async_queue_timeout_pop_unlocked (
    queue=<optimized out>, timeout=timeout@entry=500000)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gasyncqueue.c:572
#4  0x00007ffff78f6a78 in g_thread_pool_wait_for_new_task (pool=0x7fff90005700)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gthreadpool.c:264
#5  g_thread_pool_thread_proxy (data=<optimized out>)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gthreadpool.c:298
#6  0x00007ffff78f60e5 in g_thread_proxy (data=0x5555563cd800)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gthread.c:798
#7  0x00007ffff235ae0e in start_thread (arg=0x7fff65ffb700)
    at pthread_create.c:311
#8  0x00007ffff208f9ed in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Thread 15 (Thread 0x7fff667fc700 (LWP 1167)):
#0  pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:238
#1  0x00007ffff79116f5 in g_cond_wait_until (cond=cond@entry=0x7fff90007608, 
    mutex=mutex@entry=0x7fff90007600, end_time=end_time@entry=51383753519)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gthread-posix.c:876
#2  0x00007ffff78a7c51 in g_async_queue_pop_intern_unlocked (
    queue=0x7fff90007600, wait=wait@entry=1, end_time=51383753519)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gasyncqueue.c:424
#3  0x00007ffff78a8218 in g_async_queue_timeout_pop_unlocked (
    queue=<optimized out>, timeout=timeout@entry=500000)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gasyncqueue.c:572
#4  0x00007ffff78f6a78 in g_thread_pool_wait_for_new_task (pool=0x7fff90005700)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gthreadpool.c:264
#5  g_thread_pool_thread_proxy (data=<optimized out>)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gthreadpool.c:298
#6  0x00007ffff78f60e5 in g_thread_proxy (data=0x5555559d5cf0)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gthread.c:798
#7  0x00007ffff235ae0e in start_thread (arg=0x7fff667fc700)
    at pthread_create.c:311
#8  0x00007ffff208f9ed in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Thread 14 (Thread 0x7fff66ffd700 (LWP 1166)):
#0  pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:238
#1  0x00007ffff79116f5 in g_cond_wait_until (cond=cond@entry=0x7fff90007608, 
    mutex=mutex@entry=0x7fff90007600, end_time=end_time@entry=51383921523)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gthread-posix.c:876
#2  0x00007ffff78a7c51 in g_async_queue_pop_intern_unlocked (
    queue=0x7fff90007600, wait=wait@entry=1, end_time=51383921523)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gasyncqueue.c:424
#3  0x00007ffff78a8218 in g_async_queue_timeout_pop_unlocked (
    queue=<optimized out>, timeout=timeout@entry=500000)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gasyncqueue.c:572
#4  0x00007ffff78f6a78 in g_thread_pool_wait_for_new_task (pool=0x7fff90005700)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gthreadpool.c:264
#5  g_thread_pool_thread_proxy (data=<optimized out>)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gthreadpool.c:298
#6  0x00007ffff78f60e5 in g_thread_proxy (data=0x5555559d5ca0)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gthread.c:798
#7  0x00007ffff235ae0e in start_thread (arg=0x7fff66ffd700)
    at pthread_create.c:311
#8  0x00007ffff208f9ed in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Thread 13 (Thread 0x7fff677fe700 (LWP 1165)):
#0  pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:238
#1  0x00007ffff79116f5 in g_cond_wait_until (cond=cond@entry=0x7fff90007608, 
    mutex=mutex@entry=0x7fff90007600, end_time=end_time@entry=51383807233)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gthread-posix.c:876
#2  0x00007ffff78a7c51 in g_async_queue_pop_intern_unlocked (
    queue=0x7fff90007600, wait=wait@entry=1, end_time=51383807233)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gasyncqueue.c:424
#3  0x00007ffff78a8218 in g_async_queue_timeout_pop_unlocked (
    queue=<optimized out>, timeout=timeout@entry=500000)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gasyncqueue.c:572
#4  0x00007ffff78f6a78 in g_thread_pool_wait_for_new_task (pool=0x7fff90005700)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gthreadpool.c:264
#5  g_thread_pool_thread_proxy (data=<optimized out>)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gthreadpool.c:298
#6  0x00007ffff78f60e5 in g_thread_proxy (data=0x5555559d5c50)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gthread.c:798
#7  0x00007ffff235ae0e in start_thread (arg=0x7fff677fe700)
    at pthread_create.c:311
#8  0x00007ffff208f9ed in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Thread 12 (Thread 0x7fff67fff700 (LWP 1164)):
#0  pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:238
#1  0x00007ffff79116f5 in g_cond_wait_until (cond=cond@entry=0x7fff90007608, 
    mutex=mutex@entry=0x7fff90007600, end_time=end_time@entry=51383633576)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gthread-posix.c:876
#2  0x00007ffff78a7c51 in g_async_queue_pop_intern_unlocked (
    queue=0x7fff90007600, wait=wait@entry=1, end_time=51383633576)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gasyncqueue.c:424
#3  0x00007ffff78a8218 in g_async_queue_timeout_pop_unlocked (
    queue=<optimized out>, timeout=timeout@entry=500000)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gasyncqueue.c:572
#4  0x00007ffff78f6a78 in g_thread_pool_wait_for_new_task (pool=0x7fff90005700)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gthreadpool.c:264
#5  g_thread_pool_thread_proxy (data=<optimized out>)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gthreadpool.c:298
#6  0x00007ffff78f60e5 in g_thread_proxy (data=0x5555559d5c00)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gthread.c:798
#7  0x00007ffff235ae0e in start_thread (arg=0x7fff67fff700)
    at pthread_create.c:311
#8  0x00007ffff208f9ed in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Thread 11 (Thread 0x7fff7caa8700 (LWP 1163)):
#0  pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:238
#1  0x00007ffff79116f5 in g_cond_wait_until (cond=cond@entry=0x7fff90007608, 
    mutex=mutex@entry=0x7fff90007600, end_time=end_time@entry=51383920780)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gthread-posix.c:876
#2  0x00007ffff78a7c51 in g_async_queue_pop_intern_unlocked (
    queue=0x7fff90007600, wait=wait@entry=1, end_time=51383920780)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gasyncqueue.c:424
#3  0x00007ffff78a8218 in g_async_queue_timeout_pop_unlocked (
    queue=<optimized out>, timeout=timeout@entry=500000)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gasyncqueue.c:572
#4  0x00007ffff78f6a78 in g_thread_pool_wait_for_new_task (pool=0x7fff90005700)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gthreadpool.c:264
#5  g_thread_pool_thread_proxy (data=<optimized out>)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gthreadpool.c:298
#6  0x00007ffff78f60e5 in g_thread_proxy (data=0x5555563daf70)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gthread.c:798
#7  0x00007ffff235ae0e in start_thread (arg=0x7fff7caa8700)
    at pthread_create.c:311
#8  0x00007ffff208f9ed in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Thread 10 (Thread 0x7fff7e30b700 (LWP 1162)):
#0  pthread_cond_wait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
#1  0x00007ffff30f27d3 in JSC::GCThread::waitForNextPhase (
    this=this@entry=0x555555c4dc80)
    at ../Source/JavaScriptCore/heap/GCThread.cpp:81
#2  0x00007ffff30f2860 in JSC::GCThread::gcThreadMain (this=0x555555c4dc80)
    at ../Source/JavaScriptCore/heap/GCThread.cpp:99
#3  0x00007ffff3323bd1 in WTF::wtfThreadEntryPoint (param=0x7ffff7e5c510)
    at ../Source/WTF/wtf/ThreadingPthreads.cpp:195
#4  0x00007ffff235ae0e in start_thread (arg=0x7fff7e30b700)
    at pthread_create.c:311
#5  0x00007ffff208f9ed in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Thread 9 (Thread 0x7fff7eb0c700 (LWP 1161)):
#0  pthread_cond_wait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
#1  0x00007ffff30f27d3 in JSC::GCThread::waitForNextPhase (
    this=this@entry=0x555555c4d9f0)
    at ../Source/JavaScriptCore/heap/GCThread.cpp:81
#2  0x00007ffff30f2860 in JSC::GCThread::gcThreadMain (this=0x555555c4d9f0)
    at ../Source/JavaScriptCore/heap/GCThread.cpp:99
#3  0x00007ffff3323bd1 in WTF::wtfThreadEntryPoint (param=0x7ffff7e5c530)
    at ../Source/WTF/wtf/ThreadingPthreads.cpp:195
#4  0x00007ffff235ae0e in start_thread (arg=0x7fff7eb0c700)
    at pthread_create.c:311
#5  0x00007ffff208f9ed in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Thread 8 (Thread 0x7fff7f30d700 (LWP 1160)):
#0  pthread_cond_wait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
#1  0x00007ffff30f27d3 in JSC::GCThread::waitForNextPhase (
    this=this@entry=0x555555b95310)
    at ../Source/JavaScriptCore/heap/GCThread.cpp:81
#2  0x00007ffff30f2860 in JSC::GCThread::gcThreadMain (this=0x555555b95310)
    at ../Source/JavaScriptCore/heap/GCThread.cpp:99
#3  0x00007ffff3323bd1 in WTF::wtfThreadEntryPoint (param=0x7ffff7e5c550)
    at ../Source/WTF/wtf/ThreadingPthreads.cpp:195
#4  0x00007ffff235ae0e in start_thread (arg=0x7fff7f30d700)
    at pthread_create.c:311
#5  0x00007ffff208f9ed in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Thread 7 (Thread 0x7fff7fb0e700 (LWP 1159)):
#0  pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:238
#1  0x00007ffff3323fcc in WTF::ThreadCondition::timedWait (
    this=this@entry=0x7ffff7ec0230, mutex=..., absoluteTime=<optimized out>)
    at ../Source/WTF/wtf/ThreadingPthreads.cpp:399
#2  0x00007ffff30f176b in JSC::BlockAllocator::waitForRelativeTimeWhileHoldingLock (this=this@entry=0x7ffff7ec0058, relative=<optimized out>)
    at ../Source/JavaScriptCore/heap/BlockAllocator.cpp:100
#3  0x00007ffff30f17a7 in JSC::BlockAllocator::waitForRelativeTime (
    this=0x7ffff7ec0058, relative=<optimized out>)
    at ../Source/JavaScriptCore/heap/BlockAllocator.cpp:110
#4  0x00007ffff30f182a in JSC::BlockAllocator::blockFreeingThreadMain (
    this=0x7ffff7ec0058)
    at ../Source/JavaScriptCore/heap/BlockAllocator.cpp:124
#5  0x00007ffff3323bd1 in WTF::wtfThreadEntryPoint (param=0x7ffff7e5c1b0)
    at ../Source/WTF/wtf/ThreadingPthreads.cpp:195
#6  0x00007ffff235ae0e in start_thread (arg=0x7fff7fb0e700)
    at pthread_create.c:311
#7  0x00007ffff208f9ed in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Thread 6 (Thread 0x7fff9613f700 (LWP 1158)):
#0  pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:238
#1  0x00007ffff79116f5 in g_cond_wait_until (cond=cond@entry=0x7fff90007608, 
    mutex=mutex@entry=0x7fff90007600, end_time=end_time@entry=51383806622)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gthread-posix.c:876
#2  0x00007ffff78a7c51 in g_async_queue_pop_intern_unlocked (
    queue=0x7fff90007600, wait=wait@entry=1, end_time=51383806622)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gasyncqueue.c:424
#3  0x00007ffff78a8218 in g_async_queue_timeout_pop_unlocked (
    queue=<optimized out>, timeout=timeout@entry=500000)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gasyncqueue.c:572
#4  0x00007ffff78f6a78 in g_thread_pool_wait_for_new_task (pool=0x7fff90005700)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gthreadpool.c:264
#5  g_thread_pool_thread_proxy (data=<optimized out>)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gthreadpool.c:298
#6  0x00007ffff78f60e5 in g_thread_proxy (data=0x7fff90003370)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gthread.c:798
#7  0x00007ffff235ae0e in start_thread (arg=0x7fff9613f700)
    at pthread_create.c:311
#8  0x00007ffff208f9ed in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Thread 5 (Thread 0x7fff9789d700 (LWP 1156)):
#0  0x00007ffff208424d in poll () at ../sysdeps/unix/syscall-template.S:81
#1  0x00007ffff78d1694 in g_main_context_poll (priority=2147483647, n_fds=1, 
    fds=0x7fff880010c0, timeout=-1, context=0x5555559add70)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gmain.c:4006
#2  g_main_context_iterate (context=context@entry=0x5555559add70, 
    block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gmain.c:3707
#3  0x00007ffff78d179c in g_main_context_iteration (context=0x5555559add70, 
    may_block=1) at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gmain.c:3773
#4  0x00007fff978a4a1d in ?? ()
   from /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
#5  0x00007ffff78f60e5 in g_thread_proxy (data=0x5555558d5050)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gthread.c:798
#6  0x00007ffff235ae0e in start_thread (arg=0x7fff9789d700)
    at pthread_create.c:311
#7  0x00007ffff208f9ed in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Thread 4 (Thread 0x7fff984af700 (LWP 1155)):
#0  0x00007ffff208424d in poll () at ../sysdeps/unix/syscall-template.S:81
#1  0x00007ffff78d1694 in g_main_context_poll (priority=2147483647, n_fds=3, 
    fds=0x7fff900010e0, timeout=-1, context=0x555555998bd0)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gmain.c:4006
#2  g_main_context_iterate (context=0x555555998bd0, block=block@entry=1, 
    dispatch=dispatch@entry=1, self=<optimized out>)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gmain.c:3707
#3  0x00007ffff78d1afa in g_main_loop_run (loop=0x555555998b60)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gmain.c:3906
#4  0x00007ffff67fb9d6 in gdbus_shared_thread_func (user_data=0x555555998ba0)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./gio/gdbusprivate.c:278
#5  0x00007ffff78f60e5 in g_thread_proxy (data=0x5555558d50a0)
    at /build/glib2.0-m8PF51/glib2.0-2.38.0/./glib/gthread.c:798
#6  0x00007ffff235ae0e in start_thread (arg=0x7fff984af700)
    at pthread_create.c:311
#7  0x00007ffff208f9ed in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Thread 3 (Thread 0x7fffa564f700 (LWP 1154)):
#0  pthread_cond_wait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
#1  0x00007ffff4060afb in WebCore::IconDatabase::syncThreadMainLoop (
    this=0x7ffff7e5fc00) at ../Source/WebCore/loader/icon/IconDatabase.cpp:1454
#2  0x00007ffff4061a8d in WebCore::IconDatabase::iconDatabaseSyncThread (
    this=0x7ffff7e5fc00) at ../Source/WebCore/loader/icon/IconDatabase.cpp:1054
#3  0x00007ffff3323bd1 in WTF::wtfThreadEntryPoint (param=0x7ffff7e5c1e0)
    at ../Source/WTF/wtf/ThreadingPthreads.cpp:195
#4  0x00007ffff235ae0e in start_thread (arg=0x7fffa564f700)
    at pthread_create.c:311
#5  0x00007ffff208f9ed in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Thread 2 (Thread 0x7fffe5e52700 (LWP 1152)):
#0  pthread_cond_wait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
#1  0x00007ffff330c26d in WTF::TCMalloc_PageHeap::scavengerThread (
    this=0x7ffff3606740 <WTF::pageheap_memory>)
    at ../Source/WTF/wtf/FastMalloc.cpp:2884
#2  0x00007ffff330c299 in WTF::TCMalloc_PageHeap::runScavengerThread (
    context=<optimized out>) at ../Source/WTF/wtf/FastMalloc.cpp:2052
#3  0x00007ffff235ae0e in start_thread (arg=0x7fffe5e52700)
    at pthread_create.c:311
#4  0x00007ffff208f9ed in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Thread 1 (Thread 0x7ffff7f93a00 (LWP 1147)):
#0  0x00007fffa56d5a14 in ?? ()
#1  0x00007fff655a2ed8 in ?? ()
#2  0x0000000000000009 in ?? ()
#3  0x00007fff00000001 in ?? ()
#4  0x00007fff7c2894d0 in ?? ()
#5  0x00007fff00000000 in ?? ()
#6  0x00007fff6549ace0 in ?? ()
#7  0x00007fff653f7000 in ?? ()
#8  0x00007ffff3105fc5 in JSC::Interpreter::prepareForRepeatCall (
    this=0x7fff7d70b660, functionExecutable=0xffff000000000000, 
    callFrame=0x200, function=0x7fff7d70b668, 
    argumentCountIncludingThis=32767, scope=0x7fffffffd670)
    at ../Source/JavaScriptCore/interpreter/Interpreter.cpp:1052
#9  0x00007ffff31238ca in JSC::JITCode::execute (
    this=this@entry=0x7fff652b7a40, stack=0x7fff652b7a48, 
    stack@entry=0x7ffff7e70eb8, callFrame=0x7fff7d70b368, 
    vm=vm@entry=0x7ffff7ec0000) at ../Source/JavaScriptCore/jit/JITCode.cpp:46
#10 0x00007ffff3106665 in JSC::Interpreter::execute (this=0x7ffff7e70ea0, 
    closure=...) at ../Source/JavaScriptCore/interpreter/Interpreter.cpp:1107
#11 0x00007ffff31fb98a in call (this=0x7fffffffd640)
    at ../Source/JavaScriptCore/interpreter/CachedCall.h:51
#12 JSC::arrayProtoFuncForEach (exec=0x7fff7d70b318)
    at ../Source/JavaScriptCore/runtime/ArrayPrototype.cpp:1045
#13 0x00007fffa56510e5 in ?? ()
#14 0xffff000000000002 in ?? ()
#15 0x00007fffa5668dff in ?? ()
#16 0x00007fff7c119770 in ?? ()
#17 0x00007fff7d4d4970 in ?? ()
#18 0x00007fff65552df8 in ?? ()
#19 0x00007fffa4094ac0 in ?? ()
#20 0x00007fffa56a385e in ?? ()
#21 0x00007ffff234d640 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#22 0x0000000000000008 in ?? ()
#23 0x00007fffffffffff in ?? ()
#24 0x00000000ffffffff in ?? ()
#25 0x00007fffa5651900 in ?? ()
#26 0x00007ffff7e70eb8 in ?? ()
#27 0x00007fff7d70b2b8 in ?? ()
#28 0x0000000000000000 in ?? ()
Comment 1 Sebastian Dröge (slomo) 2013-12-10 00:27:35 PST
Still similar crashes happen all over the place with webkitgtk 2.2.3

Program received signal SIGSEGV, Segmentation fault.
0x00007f8bbca1cbeb in ?? ()
(gdb) bt
#0  0x00007f8bbca1cbeb in ?? ()
#1  0xff00007f8c13927f in ?? ()
#2  0x0000000000000002 in ?? ()
#3  0x00007f8b48ba5db0 in ?? ()
#4  0x00007f8b48ba5db0 in ?? ()
#5  0x6c894ce789480000 in ?? ()
#6  0x0047d445c7415824 in ?? ()
#7  0x00007f8b4c21df10 in ?? ()
#8  0x00007f8c139dfe9d in get (this=0x7fffb75cd2f0)
    at ../Source/WTF/wtf/ThreadSpecific.h:148
#9  operator WTF::WTFThreadData* (this=0x7fffb75cd2f0)
    at ../Source/WTF/wtf/ThreadSpecific.h:257
#10 operator* (this=0x7fffb75cd2f0) at ../Source/WTF/wtf/ThreadSpecific.h:277
#11 wtfThreadData () at ../Source/WTF/wtf/WTFThreadData.h:145
#12 JSC::Interpreter::prepareForRepeatCall (this=0xffff000000000000, 
    functionExecutable=0x7f8bb805ee00, callFrame=0x200, 
    function=<optimized out>, argumentCountIncludingThis=<optimized out>, 
    scope=0x7fffb75cd470)
    at ../Source/JavaScriptCore/interpreter/Interpreter.cpp:952
#13 0x00007f8c139fbcea in JSC::JITCode::execute (
    this=this@entry=0x7f8b785fa2a0, stack=0x7f8b785fa2a8, 
    stack@entry=0x7f8c01e78378, callFrame=0x7f8bb805ed08, 
    vm=vm@entry=0x7f8c000f5000) at ../Source/JavaScriptCore/jit/JITCode.cpp:46
#14 0x00007f8c139e06d5 in JSC::Interpreter::execute (this=0x7f8c01e78360, 
    closure=...) at ../Source/JavaScriptCore/interpreter/Interpreter.cpp:1024
#15 0x00007f8c13ad4c12 in call (this=0x7fffb75cd440)
    at ../Source/JavaScriptCore/interpreter/CachedCall.h:51
#16 JSC::arrayProtoFuncForEach (exec=0x7f8bb805ecb8)
    at ../Source/JavaScriptCore/runtime/ArrayPrototype.cpp:1045
#17 0x00007f8bbbfff0e5 in ?? ()
#18 0x00007fffb75cd600 in ?? ()
#19 0x00007f8bbc773c8c in ?? ()
#20 0x588b480000000084 in ?? ()
#21 0x00007f8b4c818370 in ?? ()
#22 0x00007f8b48ba5d38 in ?? ()
#23 0x00007f8b4c99c490 in ?? ()
#24 0x00007f8b6b22dc00 in ?? ()
#25 0x00007f8c13b3f133 in memcpy (__src=<optimized out>, 
    __dest=<optimized out>, __len=<optimized out>)
    at /usr/include/x86_64-linux-gnu/bits/string3.h:51
#26 growPropertyStorage (newPropertyCapacity=<optimized out>, 
    indexingPayloadSizeInBytes=18446462598732840960, hasIndexingHeader=false, 
    oldPropertyCapacity=<optimized out>, preCapacity=18446462598732840962, 
    vm=..., this=0x7f8bb805ec58, intendedOwner=<optimized out>)
    at ../Source/JavaScriptCore/runtime/ButterflyInlines.h:89
#27 growPropertyStorage (newPropertyCapacity=<optimized out>, 
    oldPropertyCapacity=<optimized out>, structure=<optimized out>, 
    intendedOwner=<optimized out>, vm=..., this=0x7f8bb805ec58)
    at ../Source/JavaScriptCore/runtime/ButterflyInlines.h:100
#28 JSC::JSObject::growOutOfLineStorage (this=<optimized out>, vm=..., 
    oldSize=<optimized out>, newSize=<optimized out>)
    at ../Source/JavaScriptCore/runtime/JSObject.cpp:2379
#29 0x00007f8bb805ec58 in ?? ()
#30 0x00007f8b51824ca0 in ?? ()
#31 0x00007f8bb805ec58 in ?? ()
#32 0x00007f8c01e78378 in ?? ()
#33 0x00007f8c139fbcea in JSC::JITCode::execute (
    this=this@entry=0x7f8c000f5000, stack=0x0, stack@entry=0x7f8c01e78378, 
    callFrame=0x0, vm=0x7f8bb805ec58, vm@entry=0x7f8c000f5000)
    at ../Source/JavaScriptCore/jit/JITCode.cpp:46
#34 0x00007f8c139e06d5 in JSC::Interpreter::execute (this=0x7f8c01e78360, 
    closure=...) at ../Source/JavaScriptCore/interpreter/Interpreter.cpp:1024
#35 0x00007f8c13ad4c12 in call (this=0x7fffb75cd750)
    at ../Source/JavaScriptCore/interpreter/CachedCall.h:51
#36 JSC::arrayProtoFuncForEach (exec=0x7f8bb805ec08)
    at ../Source/JavaScriptCore/runtime/ArrayPrototype.cpp:1045
#37 0x00007f8bbbfff0e5 in ?? ()
#38 0xffff000000000002 in ?? ()
#39 0x00007f8c13a471e1 in llint_op_call ()
   from /usr/lib/x86_64-linux-gnu/libjavascriptcoregtk-3.0.so.0
#40 0x00007f8c13edf4e0 in ?? ()
   from /usr/lib/x86_64-linux-gnu/libjavascriptcoregtk-3.0.so.0
#41 0x0000000000000002 in ?? ()
#42 0x00007f8b593c85c0 in ?? ()
#43 0x00007f8b0000000c in ?? ()
#44 0x00007f8bbc6492c1 in ?? ()
#45 0x00007f8b985f56f0 in ?? ()
#46 0x00007fffb75cd9e0 in ?? ()
#47 0x00007f8c13b8f9a7 in execute (length=<optimized out>, 
    start=<optimized out>, input=<optimized out>, this=0x7f8bb805ec38)
    at ../Source/JavaScriptCore/yarr/YarrJIT.h:101
#48 JSC::RegExp::match (this=0x7f8bb805ec08, vm=..., s=..., startOffset=512)
    at ../Source/JavaScriptCore/runtime/RegExp.cpp:456
#49 0x00007f8b53027730 in ?? ()
#50 0x00007fffb75cda30 in ?? ()
#51 0x00007f8b6ae166c0 in ?? ()
#52 0x00007f8bb805ea00 in ?? ()
#53 0x00007fffb75cda10 in ?? ()
#54 0x00007f8b68fd34a0 in ?? ()
#55 0x00007f8c13adc3ea in JSC::call (exec=exec@entry=0x7f8b593c85d0, 
    functionObject=..., functionObject@entry=..., callType=<optimized out>, 
    callData=..., thisValue=..., args=...)
    at ../Source/JavaScriptCore/runtime/CallData.cpp:39
#56 0x00007f8c13b19979 in JSC::boundFunctionCall (exec=0x7f8b593c85d0)
    at ../Source/JavaScriptCore/runtime/JSBoundFunction.cpp:54
#57 0x00007f8bbbfff0e5 in ?? ()
#58 0x0000000000000007 in ?? ()
#59 0x00007f8bbc649493 in ?? ()
#60 0x00007f8b52c79070 in ?? ()
#61 0x000000000000000a in ?? ()
#62 0x00007f8b593c85d0 in ?? ()
#63 0x00007f8b0000000c in ?? ()
#64 0x00007f8bbc6492c1 in ?? ()
#65 0x00007f8b4bba6b90 in ?? ()
#66 0x0000000000000067 in ?? ()
#67 0x00007f8bb805e660 in ?? ()
#68 0x00007f8bb805e660 in ?? ()
#69 0x00007f8bbbfff920 in ?? ()
#70 0x00007f8c01e78378 in ?? ()
#71 0x00007f8bb805e938 in ?? ()
#72 0x0000000000000000 in ?? ()
(gdb) 
(gdb) 
(gdb) quit
A debugging session is active.
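Both backtraces in this report share the pattern the reporter points out: the faulting PC and many return addresses are unsymbolized ("?? ()"), and some "addresses" (0x9, 0xffff000000000002) cannot be code at all, which means gdb is walking garbage rather than a real frame chain. The script below is an added triage helper, not part of the bug report or of WebKit: it parses gdb frame lines, classifies each frame as symbolized, unknown or implausible, and reports whether the crash site lies in anonymous (JIT-generated) code and which is the first native frame that can be trusted. The sample input is a trimmed excerpt of the Thread 1 backtrace from the description; the x86-64 canonical-address limit and the 0x10000 lower bound are my own triage heuristics, not anything the report states.

```python
"""Triage helper for gdb backtraces from JIT-heavy processes (added example).

Each "#N" frame line is classified as:
  symbolized  - gdb resolved a function name
  unknown     - "?? ()": a plausible code address with no symbol (typically JIT code)
  implausible - a value that cannot be a user-space x86-64 code address,
                i.e. the unwinder has started reading garbage
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# gdb frame header: "#N  0xADDR in symbol (args)" or "#N  symbol (args)" for inlined frames.
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x([0-9a-fA-F]+) in )?([^(]+?)\s*\(")

# Heuristics (assumptions for this example): user-space x86-64 code lives below the
# canonical boundary, and nothing below 0x10000 is a mapped return address.
USER_CANONICAL_LIMIT = 0x0000_8000_0000_0000
MIN_CODE_ADDR = 0x10000


@dataclass
class Frame:
    index: int
    addr: Optional[int]   # None for inlined frames, which gdb prints without an address
    symbol: str

    @property
    def kind(self) -> str:
        if self.addr is not None and not (MIN_CODE_ADDR <= self.addr < USER_CANONICAL_LIMIT):
            return "implausible"
        return "unknown" if self.symbol == "??" else "symbolized"


def parse_backtrace(text: str) -> List[Frame]:
    """Extract frame headers; indented argument continuation lines and pager prompts are skipped."""
    frames: List[Frame] = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        addr = int(m.group(2), 16) if m.group(2) else None
        frames.append(Frame(int(m.group(1)), addr, m.group(3).strip()))
    return frames


def triage(frames: List[Frame]) -> Dict[str, object]:
    """Summarise where the crash happened and how much of the unwind is trustworthy."""
    counts = {k: sum(1 for f in frames if f.kind == k)
              for k in ("symbolized", "unknown", "implausible")}
    first_native = next((f for f in frames if f.kind == "symbolized"), None)
    return {
        # Faulting PC not attributable to any loaded object: anonymous/JIT memory.
        "crash_in_anonymous_code": bool(frames) and frames[0].kind != "symbolized",
        "first_symbolized_frame": first_native.symbol if first_native else None,
        "first_symbolized_index": first_native.index if first_native else None,
        "counts": counts,
        # Any non-canonical "return address" means frames around it are not real.
        "unwind_trustworthy": counts["implausible"] == 0,
    }


# Trimmed excerpt of the Thread 1 backtrace from the bug description (frames copied, not constructed).
SAMPLE_BACKTRACE = """\
#0  0x00007fffa56d5a14 in ?? ()
#1  0x00007fff655a2ed8 in ?? ()
#2  0x0000000000000009 in ?? ()
#3  0x00007fff00000001 in ?? ()
#8  0x00007ffff3105fc5 in JSC::Interpreter::prepareForRepeatCall (
    this=0x7fff7d70b660, functionExecutable=0xffff000000000000,
    at ../Source/JavaScriptCore/interpreter/Interpreter.cpp:1052
#9  0x00007ffff31238ca in JSC::JITCode::execute (
    this=this@entry=0x7fff652b7a40, stack=0x7fff652b7a48,
#12 JSC::arrayProtoFuncForEach (exec=0x7fff7d70b318)
    at ../Source/JavaScriptCore/runtime/ArrayPrototype.cpp:1045
#13 0x00007fffa56510e5 in ?? ()
#14 0xffff000000000002 in ?? ()
---Type <return> to continue, or q <return> to quit---
#21 0x00007ffff234d640 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
"""


if __name__ == "__main__":
    report = triage(parse_backtrace(SAMPLE_BACKTRACE))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the excerpt above the helper reports that the crash PC is in anonymous code, that the first trustworthy native frame is JSC::Interpreter::prepareForRepeatCall, and that the unwind is not trustworthy because two frames (#2 and #14) carry non-canonical values. That is the practical reading of "lots of unknown addresses on the callstack": the frames between the JIT entry point and the faulting PC have to be recovered from the JIT's own frame layout, not from gdb's default unwinder.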
Comment 2 Zan Dobersek 2013-12-10 01:58:22 PST
Crashing on ToT as well.
Comment 3 Sebastian Dröge (slomo) 2014-12-07 10:53:04 PST
Was fixed at some point, works now with 2.6.2 from Debian for me