Bug 16204
| Summary: | Heap corruption in JS on ARM | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | David Carson <dacarson> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED INVALID | | |
| Severity: | Normal | CC: | ddkilzer, gyuyoung, klobag, mjs, oliver |
| Priority: | P2 | | |
| Version: | 528+ (Nightly build) | | |
| Hardware: | Other | | |
| OS: | OS X 10.4 | | |
David Carson
If I build everything with -O2, I will get the crash when loading
cnn.com or nytimes.com in either of the following two places.
1. line 529 of object.h inherits(..), which is called from nodes.cpp
line 899. We are using rev 27453.
2. line 637 of string_object.cpp. See following for the stack trace.
When it crashes, the vptr of the JSObject, baseObj/thisObj in 1) and
res in 2), is 0x0.
Here is the memory map for case 1):

```text
(gdb) p *baseObj
$2 = {<KJS::JSCell> = {<KJS::JSValue> = {<WTFNoncopyable::Noncopyable>
= {<No data fields>}, _vptr.JSValue = 0x0}, <No data fields>},
_prop = {<WTFNoncopyable::Noncopyable> = {<No data fields>},
m_singleEntryKey = 0xfffffe20, m_u = {singleEntryValue = 0x0,
table = 0x0}, m_singleEntryAttributes = 0, m_getterSetterFlag =
false, m_usingTable = false}, _proto = 0x42e359e0}
(gdb) x/8w baseObj
0x42e403c0: 0x00000000 0xfffffe20 0x00000000 0x00000000
0x42e403d0: 0x42e359e0 0x42e42120 0x00000000 0x00000000
```
Here is the stack trace for case 2):

```text
[Switching to Thread 566]
0xaa2bb53c in KJS::StringProtoFunc::callAsFunction (this=<value
optimized out>, exec=0x107ff01c, thisObj=<value optimized out>,
args=<value optimized out>)
at libs/WebKitLib/WebKit/JavaScriptCore/kjs/string_object.cpp:637
637 res->put(exec, i, jsString(u.substr(p0, pos-p0)));
Current language: auto; currently c++
(gdb) bt
#0 0xaa2bb53c in KJS::StringProtoFunc::callAsFunction (this=<value
optimized out>, exec=0x107ff01c, thisObj=<value optimized out>,
args=<value optimized out>) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/string_object.cpp:637
#1 0xaa2b33ce in KJS::JSObject::call (this=0x1bca, exec=0x107fee1c,
thisObj=0x43394440, args=@0xaa38d888)
at libs/WebKitLib/WebKit/JavaScriptCore/kjs/object.cpp:95
#2 0xaa2c8a80 in KJS::FunctionCallDotNode::evaluate (this=0x7b9530,
exec=0x107ff01c) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:899
#3 0xaa2c4b1a in KJS::AssignResolveNode::evaluate (this=0x7b9548,
exec=0x107ff01c) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2295
#4 0xaa2c3086 in KJS::ExprStatementNode::execute (this=0x7b9560,
exec=0x107ff01c) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2718
#5 0xaa29d104 in KJS::BlockNode::execute (this=<value optimized out>,
exec=0x107ff01c) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2653
#6 0xaa2beb6a in KJS::FunctionBodyNode::execute (this=0x1b4,
exec=0x107ff01c) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:3612
#7 0xaa29ca6e in KJS::FunctionImp::execute (this=<value optimized
out>, exec=0x43394400) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/function.cpp:252
#8 0xaa2cf2fc in KJS::FunctionImp::callAsFunction (this=0x43395be0,
exec=0x107ff334, thisObj=<value optimized out>, args=@0x107ff0cc)
at libs/WebKitLib/WebKit/JavaScriptCore/kjs/function.cpp:93
#9 0xaa2b33ce in KJS::JSObject::call (this=0x1bca, exec=0x107fee1c,
thisObj=0x42d60000, args=@0xaa38d888)
at libs/WebKitLib/WebKit/JavaScriptCore/kjs/object.cpp:95
#10 0xaa2c8724 in KJS::FunctionCallResolveNode::evaluate
(this=0x7cb140, exec=0x107ff334) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:767
#11 0xaa2c8974 in KJS::FunctionCallDotNode::evaluate (this=0x7cb190,
exec=0x107ff334) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:874
#12 0xaa2c4b1a in KJS::AssignResolveNode::evaluate (this=0x7cb1a8,
exec=0x107ff334) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2295
#13 0xaa2c3086 in KJS::ExprStatementNode::execute (this=0x7cb1c0,
exec=0x107ff334) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2718
#14 0xaa29d104 in KJS::BlockNode::execute (this=<value optimized out>,
exec=0x107ff334) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2653
#15 0xaa2c3024 in KJS::IfNode::execute (this=<value optimized out>,
exec=0x107ff334) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2754
#16 0xaa29d104 in KJS::BlockNode::execute (this=<value optimized out>,
exec=0x107ff334) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2653
#17 0xaa2beb6a in KJS::FunctionBodyNode::execute (this=0x1b4,
exec=0x107ff334) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:3612
#18 0xaa29ca6e in KJS::FunctionImp::execute (this=<value optimized
out>, exec=0x43394400) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/function.cpp:252
#19 0xaa2cf2fc in KJS::FunctionImp::callAsFunction (this=0x43395ba0,
exec=0x107ff594, thisObj=<value optimized out>, args=@0x107ff3e4)
at libs/WebKitLib/WebKit/JavaScriptCore/kjs/function.cpp:93
#20 0xaa2b33ce in KJS::JSObject::call (this=0x1bca, exec=0x107fee1c,
thisObj=0x42d60000, args=@0xaa38d888)
at libs/WebKitLib/WebKit/JavaScriptCore/kjs/object.cpp:95
#21 0xaa2c8724 in KJS::FunctionCallResolveNode::evaluate
(this=0x780e38, exec=0x107ff594) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:767
#22 0xaa2c3086 in KJS::ExprStatementNode::execute (this=0x780e50,
exec=0x107ff594) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2718
#23 0xaa29d104 in KJS::BlockNode::execute (this=<value optimized out>,
exec=0x107ff594) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2653
#24 0xaa2c3024 in KJS::IfNode::execute (this=<value optimized out>,
exec=0x107ff594) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2754
#25 0xaa29d104 in KJS::BlockNode::execute (this=<value optimized out>,
exec=0x107ff594) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2653
#26 0xaa2beb6a in KJS::FunctionBodyNode::execute (this=0x1b4,
exec=0x107ff594) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:3612
#27 0xaa29ca6e in KJS::FunctionImp::execute (this=<value optimized
out>, exec=0x43394400) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/function.cpp:252
#28 0xaa2cf2fc in KJS::FunctionImp::callAsFunction (this=0x43395e80,
exec=0x107ff7ac, thisObj=<value optimized out>, args=@0x107ff644)
at libs/WebKitLib/WebKit/JavaScriptCore/kjs/function.cpp:93
#29 0xaa2b33ce in KJS::JSObject::call (this=0x1bca, exec=0x107fee1c,
thisObj=0x42d60000, args=@0xaa38d888)
at libs/WebKitLib/WebKit/JavaScriptCore/kjs/object.cpp:95
#30 0xaa2c8724 in KJS::FunctionCallResolveNode::evaluate
(this=0x780a80, exec=0x107ff7ac) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:767
#31 0xaa2c3086 in KJS::ExprStatementNode::execute (this=0x780a98,
exec=0x107ff7ac) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2718
#32 0xaa29d104 in KJS::BlockNode::execute (this=<value optimized out>,
exec=0x107ff7ac) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2653
#33 0xaa2beb6a in KJS::FunctionBodyNode::execute (this=0x1b4,
exec=0x107ff7ac) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:3612
#34 0xaa29ca6e in KJS::FunctionImp::execute (this=<value optimized
out>, exec=0x43394400) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/function.cpp:252
#35 0xaa2cf2fc in KJS::FunctionImp::callAsFunction (this=0x43395ec0,
exec=0x107ffa50, thisObj=<value optimized out>, args=@0x107ff85c)
at libs/WebKitLib/WebKit/JavaScriptCore/kjs/function.cpp:93
#36 0xaa2b33ce in KJS::JSObject::call (this=0x1bca, exec=0x107fee1c,
thisObj=0x42d60000, args=@0xaa38d888)
at libs/WebKitLib/WebKit/JavaScriptCore/kjs/object.cpp:95
#37 0xaa2c8724 in KJS::FunctionCallResolveNode::evaluate
(this=0x7d0cf8, exec=0x107ffa50) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:767
#38 0xaa2c3086 in KJS::ExprStatementNode::execute (this=0x7d0d10,
exec=0x107ffa50) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2718
#39 0xaa29d104 in KJS::BlockNode::execute (this=<value optimized out>,
exec=0x107ffa50) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2653
#40 0xaa2bedb0 in KJS::TryNode::execute (this=0x7d0ed8,
exec=0x107ffa50) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:3405
#41 0xaa29d104 in KJS::BlockNode::execute (this=<value optimized out>,
exec=0x107ffa50) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2653
#42 0xaa2beb6a in KJS::FunctionBodyNode::execute (this=0x107ffa50,
exec=0x107ffa50) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:3612
#43 0xaa2ce844 in KJS::Interpreter::evaluate (this=0x1d2ac0,
sourceURL=@0x0, startingLineNumber=<value optimized out>,
code=0xafe0e25c,
codeLength=7978448, thisV=0xc0000000) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/interpreter.cpp:379
#44 0xaa04c0fa in WebCore::KJSProxy::evaluate (this=0x1c7068,
filename=<value optimized out>, baseLine=0, str=@0x107ffbe8)
at libs/WebKitLib/WebKit/WebCore/bindings/js/kjs_proxy.cpp:87
#45 0xaa15004a in WebCore::FrameLoader::executeScript (this=0x188e68,
URL=@0x107ffbec, baseLine=0, script=@0x107ffbe8)
at libs/WebKitLib/WebKit/WebCore/loader/FrameLoader.cpp:762
#46 0xaa12fb22 in WebCore::HTMLTokenizer::scriptExecution
(this=0x216c00, str=@0x107ffc50, state={static EntityShift = 4, m_bits
= 4194304},
scriptURL=<value optimized out>, baseLine=0) at
libs/WebKitLib/WebKit/WebCore/html/HTMLTokenizer.cpp:552
#47 0xaa131040 in WebCore::HTMLTokenizer::notifyFinished
(this=0x216c00, res=<value optimized out>)
at libs/WebKitLib/WebKit/WebCore/html/HTMLTokenizer.cpp:1784
#48 0xaa13a36a in WebCore::CachedScript::checkNotify (this=0x5fc080)
at libs/WebKitLib/WebKit/WebCore/loader/CachedScript.cpp:93
#49 0xaa13a4b0 in WebCore::CachedScript::data (this=0x5fc080,
data=<value optimized out>, allDataReceived=<value optimized out>)
at libs/WebKitLib/WebKit/WebCore/loader/CachedScript.cpp:83
#50 0xaa16303a in WebCore::Loader::didFinishLoading (this=0x187704,
loader=0x415748) at
libs/WebKitLib/WebKit/WebCore/loader/loader.cpp:119
#51 0xaa157304 in WebCore::SubresourceLoader::didFinishLoading
(this=0x415748) at
libs/WebKitLib/WebKit/WebCore/loader/SubresourceLoader.cpp:193
#52 0xaa155ce2 in WebCore::ResourceLoader::didFinishLoading
(this=0x1bca) at
libs/WebKitLib/WebKit/WebCore/loader/ResourceLoader.cpp:361
#53 0xaa1ae024 in android_webcore_resourceloader_nativeFinished
(env=<value optimized out>, obj=<value optimized out>)
at libs/WebKitLib/WebKit/WebCore/platform/android/jni/android_webcore_resource_loader.cpp:259
#54 0xad00a3e8 in invoke () at dalvik/vm/arch/arm/CallEABI.S:221
```
David Carson
Building with -O0, the problem does not exist.
A theory is it is caused by the new GC in collector.cpp. By switching back to the previous version of collector.cpp/h, it doesn't crash anymore.
Geoffrey Garen
Dave,
What previous version of collector.h/.cpp are you talking about? Do you have a specific revision at which this crash was introduced?
Grace Kloba
In JSValue *FunctionCallDotNode::evaluate(ExecState *exec), if I add gcProtect(baseVal) at the beginning and gcUnprotect(baseVal) at the end, like the following, the problem goes away, as baseVal will not be garbage collected before the function returns.

```cpp
JSValue *baseVal = base->evaluate(exec);
KJS_CHECKEXCEPTIONVALUE
gcProtect(baseVal);    // root baseVal for the rest of evaluate()
....
gcUnprotect(baseVal);  // release the root just before the call
return func->call(exec, thisObj, argList);
```

This is similar to the bug http://bugs.webkit.org/show_bug.cgi?id=12535. But I don't think GC is triggered in toObject(), as baseObj->getPropertySlot() is still OK. But right before func->call() is called, GC happens and baseObj is bad.
The crash is easy to reproduce with revision 27453. But I can't get it to happen with the July/07 code.
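The rooting failure Grace describes above, reduced to a toy mark-and-sweep heap, as an added example that is not part of this bug report or of WebKit's code. The names (Heap, Cell, GcProtectGuard, callWithoutProtection, callWithProtection, releasedAfterScope) are the example's own, and the heap has only explicit roots: it deliberately does not scan the C++ stack the way KJS's collector does, so it models the effect of the missing gcProtect() (a value evaluated, then collected before call() uses it) rather than the root cause, which the thread leaves open.

```cpp
#include <map>
#include <string>
#include <utility>
#include <vector>

// A toy heap cell. `alive` becomes false when the cell is swept; in a real
// collector the memory would be reused, which is how a vptr ends up as 0x0.
struct Cell {
    explicit Cell(std::string n) : name(std::move(n)) {}
    std::string name;
    bool marked = false;
    bool alive = true;
};

// Minimal mark-and-sweep heap whose only roots are explicit protect counts,
// the toy counterpart of KJS's gcProtect()/gcUnprotect(). Unlike the real
// Collector it does not scan the C++ stack, so an unrooted pointer is
// collected as soon as collect() runs. (Example code, not WebKit's.)
class Heap {
public:
    Heap() = default;
    Heap(const Heap&) = delete;
    Heap& operator=(const Heap&) = delete;
    ~Heap() { for (Cell* c : cells_) delete c; }

    Cell* allocate(const std::string& name) {
        cells_.push_back(new Cell(name));
        return cells_.back();
    }
    void protect(Cell* c) { ++roots_[c]; }
    void unprotect(Cell* c) {
        auto it = roots_.find(c);
        if (it != roots_.end() && --it->second == 0) roots_.erase(it);
    }
    void collect() {
        for (auto& entry : roots_) entry.first->marked = true;   // mark phase
        for (Cell* c : cells_) {                                 // sweep phase
            if (!c->marked) c->alive = false;
            c->marked = false;
        }
    }

private:
    std::vector<Cell*> cells_;
    std::map<Cell*, int> roots_;
};

// RAII form of the protect/unprotect bracketing added by hand above: the value
// stays rooted for exactly the scope of the guard, including early returns
// such as KJS_CHECKEXCEPTIONVALUE, which a manual gcUnprotect() would skip.
class GcProtectGuard {
public:
    GcProtectGuard(Heap& heap, Cell* cell) : heap_(heap), cell_(cell) { heap_.protect(cell_); }
    ~GcProtectGuard() { heap_.unprotect(cell_); }
    GcProtectGuard(const GcProtectGuard&) = delete;
    GcProtectGuard& operator=(const GcProtectGuard&) = delete;
private:
    Heap& heap_;
    Cell* cell_;
};

// Stand-in for evaluating the argument list: allocation pressure that
// triggers a collection between base->evaluate() and func->call().
static void evaluateArguments(Heap& heap) {
    for (int i = 0; i < 4; ++i) heap.allocate("arg");
    heap.collect();
}

// Shape of FunctionCallDotNode::evaluate with no rooting of baseVal.
// Returns whether baseVal is still alive at the point call() would use it.
bool callWithoutProtection(Heap& heap) {
    Cell* baseVal = heap.allocate("baseObj");   // base->evaluate(exec)
    evaluateArguments(heap);                     // GC runs here
    return baseVal->alive;                       // false: call() would hit a dead object
}

// The same sequence with baseVal rooted for the duration of the call.
bool callWithProtection(Heap& heap) {
    Cell* baseVal = heap.allocate("baseObj");
    GcProtectGuard guard(heap, baseVal);
    evaluateArguments(heap);
    return baseVal->alive;                       // true
}

// Checks that the guard releases its root: once the scope ends, the next
// collection is free to reclaim the cell (no leak from over-protection).
bool releasedAfterScope(Heap& heap) {
    Cell* baseVal = heap.allocate("baseObj");
    {
        GcProtectGuard guard(heap, baseVal);
        evaluateArguments(heap);
    }
    heap.collect();
    return baseVal->alive;                       // false
}
```

The third function is the check worth keeping alongside any protect/unprotect fix: pairing the calls by hand is easy to get wrong on an early-return path (the KJS_CHECKEXCEPTIONVALUE macro returns from the function), and an unbalanced protect count silently turns a crash into a leak.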
Alexey Proskuryakov
Is this still an issue?
Grace Kloba
Not sure. Feel free to close it.
Oliver Hunt
Closing as invalid, as we don't really have a way to say "this crash is in code that hasn't existed in years".