Bug 18366
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Crash during sunspider 3d-raytracing test | | |
| Product: | WebKit | Reporter: | Mike Hommey <mh+webkit> |
| Component: | WebKitGTK | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED DUPLICATE | | |
| Severity: | Major | | |
| Priority: | P2 | | |
| Version: | 528+ (Nightly build) | | |
| Hardware: | PC | | |
| OS: | Linux | | |
Mike Hommey
I spotted a crash during sunspider 3d-raytracing test on amd64 (not tested anywhere else), confirmed on r31722.
I bisected and found this crash has been happening first with r30492, and confirmed that reverting this commit on top of r31722 solves the issue (to reveal another one, but that's another story).
The full backtrace is as follows (unfortunately, for some reason I don't understand, building with -g ends up creating a binary that doesn't crash):
0x00002b08b977bea5 in waitpid () from /lib/libpthread.so.0
#0 0x00002b08b977bea5 in waitpid () from /lib/libpthread.so.0
#1 0x00002b08ba53a4f6 in g_spawn_sync () from /usr/lib/libglib-2.0.so.0
#2 0x00002b08ba53a808 in g_spawn_command_line_sync () from /usr/lib/libglib-2.0.so.0
#3 0x00002b08c37b64b3 in ?? () from /usr/lib/gtk-2.0/modules/libgnomebreakpad.so
#4 <signal handler called>
#5 0x00002b08b9391a3e in KJS::ElementNode::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#6 0x00002b08b9391ab0 in KJS::ArrayNode::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#7 0x00002b08b938929d in KJS::ReturnNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#8 0x00002b08b935846a in KJS::BlockNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#9 0x00002b08b93ab94f in KJS::FunctionImp::callAsFunction () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#10 0x00002b08b9381e49 in KJS::JSObject::call () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#11 0x00002b08b9394910 in KJS::ScopedVarFunctionCallNode::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#12 0x00002b08b939051e in KJS::ArgumentListNode::evaluateList () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#13 0x00002b08b93948f2 in KJS::ScopedVarFunctionCallNode::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#14 0x00002b08b938ce2e in KJS::AssignLocalVarNode::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#15 0x00002b08b9389d8e in KJS::VarStatementNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#16 0x00002b08b935846a in KJS::BlockNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#17 0x00002b08b93ab94f in KJS::FunctionImp::callAsFunction () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#18 0x00002b08b9381e49 in KJS::JSObject::call () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#19 0x00002b08b9395ae3 in KJS::FunctionCallDotNode::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#20 0x00002b08b938ce2e in KJS::AssignLocalVarNode::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#21 0x00002b08b9389d8e in KJS::VarStatementNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#22 0x00002b08b935846a in KJS::BlockNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#23 0x00002b08b93899b9 in KJS::ForNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#24 0x00002b08b935846a in KJS::BlockNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#25 0x00002b08b93899b9 in KJS::ForNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#26 0x00002b08b935846a in KJS::BlockNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#27 0x00002b08b93ab94f in KJS::FunctionImp::callAsFunction () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#28 0x00002b08b9381e49 in KJS::JSObject::call () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#29 0x00002b08b9394910 in KJS::ScopedVarFunctionCallNode::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#30 0x00002b08b9389dee in KJS::ExprStatementNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#31 0x00002b08b935846a in KJS::BlockNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#32 0x00002b08b93ab94f in KJS::FunctionImp::callAsFunction () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#33 0x00002b08b9381e49 in KJS::JSObject::call () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#34 0x00002b08b9395ae3 in KJS::FunctionCallDotNode::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#35 0x00002b08b9389dee in KJS::ExprStatementNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#36 0x00002b08b935846a in KJS::BlockNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#37 0x00002b08b93ab94f in KJS::FunctionImp::callAsFunction () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#38 0x00002b08b9381e49 in KJS::JSObject::call () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#39 0x00002b08b93951ea in KJS::LocalVarFunctionCallNode::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#40 0x00002b08b939051e in KJS::ArgumentListNode::evaluateList () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#41 0x00002b08b93951cc in KJS::LocalVarFunctionCallNode::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#42 0x00002b08b938bcc3 in KJS::AssignResolveNode::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#43 0x00002b08b9389dee in KJS::ExprStatementNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#44 0x00002b08b935846a in KJS::BlockNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#45 0x00002b08b93ab2c0 in KJS::ProgramNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#46 0x00002b08b93ac9c3 in KJS::Interpreter::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#47 0x00002b08b904f7b3 in WebCore::KJSProxy::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#48 0x00002b08b91de8f1 in WebCore::FrameLoader::executeScript () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#49 0x00002b08b91a75c9 in WebCore::HTMLTokenizer::scriptExecution () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#50 0x00002b08b91a8685 in WebCore::HTMLTokenizer::scriptHandler () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#51 0x00002b08b91a94e2 in WebCore::HTMLTokenizer::parseSpecial () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#52 0x00002b08b91ac09c in WebCore::HTMLTokenizer::write () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#53 0x00002b08b91ccb17 in WebCore::FrameLoader::write () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#54 0x00002b08b91bef59 in WebCore::DocumentLoader::commitLoad () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#55 0x00002b08b91f4313 in WebCore::ResourceLoader::didReceiveData () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#56 0x00002b08b91ef256 in WebCore::MainResourceLoader::didReceiveData () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#57 0x00002b08b930e477 in WebCore::writeCallback () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#58 0x00002b08bc81d6a8 in ?? () from /usr/lib/libcurl-gnutls.so.4
#59 0x00002b08bc832b5e in ?? () from /usr/lib/libcurl-gnutls.so.4
#60 0x00002b08bc82f71d in ?? () from /usr/lib/libcurl-gnutls.so.4
#61 0x00002b08bc834b1c in ?? () from /usr/lib/libcurl-gnutls.so.4
#62 0x00002b08bc83548b in curl_multi_perform () from /usr/lib/libcurl-gnutls.so.4
#63 0x00002b08b930fea0 in WebCore::ResourceHandleManager::downloadTimerCallback () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#64 0x00002b08b926a493 in WebCore::TimerBase::fireTimers () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#65 0x00002b08b926a54b in WebCore::TimerBase::sharedTimerFired () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#66 0x00002b08b8f8eba2 in WebCore::timeout_cb () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#67 0x00002b08ba5070b2 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#68 0x00002b08ba50a356 in ?? () from /usr/lib/libglib-2.0.so.0
#69 0x00002b08ba50a617 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#70 0x00002b08b9e17b63 in IA__gtk_main () at /build/buildd/gtk+2.0-2.12.9/gtk/gtkmain.c:1163
#71 0x0000000000401eab in main ()
Mike Hommey
FWIW, building without -O2 leads to a webkit that doesn't crash.
Mike Hommey
Interestingly, http://webkit.org/perf/sunspider-0.9/3d-raytrace.html alone doesn't crash, and gtklauncher outputs:
console message: http://webkit.org/perf/sunspider-0.9/sunspider-record-result.js @29: TypeError: Value undefined (result of expression parent.recordResult) is not object.
Anyways, starting with http://webkit.org/perf/sunspider-0.9/sunspider-driver.html, it does crash with the following (now useful) backtrace:
Thread 1 (Thread 0x2b5186b1dec0 (LWP 31811)):
#0 0x00002b517d45cea5 in waitpid () from /lib/libpthread.so.0
No symbol table info available.
#1 0x00002b517e21b4f6 in g_spawn_sync () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#2 0x00002b517e21b808 in g_spawn_command_line_sync () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#3 0x00002b51874974b3 in ?? () from /usr/lib/gtk-2.0/modules/libgnomebreakpad.so
No symbol table info available.
#4 <signal handler called>
No symbol table info available.
#5 0x00002b517d072a3e in KJS::ElementNode::evaluate (this=0x2b5188b25618, exec=0x7fff2e1c6560) at JavaScriptCore/kjs/nodes.cpp:792
val = (class KJS::JSValue *) 0x2b5188a2ee60
n = (class KJS::ElementNode *) 0x2b5188b25618
array = (class KJS::JSObject *) 0x2b5188a19d00
length = 0
#6 0x00002b517d072ab0 in KJS::ArrayNode::evaluate (this=0x2b5188b5aac0, exec=0x7fff2e1c6560) at JavaScriptCore/kjs/nodes.cpp:812
array = <value optimized out>
length = <value optimized out>
#7 0x00002b517d06a29d in KJS::ReturnNode::execute (this=0x2b5188b25780, exec=0x7fff2e1c6560) at JavaScriptCore/kjs/nodes.cpp:4359
v = <value optimized out>
#8 0x00002b517d03946a in KJS::BlockNode::execute (this=0x2b5188b44d80, exec=0x7fff2e1c6560) at JavaScriptCore/kjs/nodes.cpp:3951
No locals.
#9 0x00002b517d08c94f in KJS::FunctionImp::callAsFunction (this=0x2b5188a1e480, exec=0x7fff2e1c6a30, thisObj=<value optimized out>, args=<value optimized out>)
at JavaScriptCore/kjs/function.cpp:77
newExec = {<KJS::ExecState> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_globalObject = 0x2b5188a127c0, m_exception = 0x0,
m_propertyNames = 0x2b5187d7edc0, m_emptyList = 0x2b517d43cbe0, m_callingExec = 0x7fff2e1c6a30, m_scopeNode = 0x2b5188b44d80, m_function = 0x2b5188a1e480,
m_arguments = 0x7fff2e1c6660, m_activation = 0x2b5187d314e8, m_localStorage = 0x2b5187d31518, m_scopeChain = {_node = 0x7fff2e1c65b8}, m_inlineScopeChainNode = {
next = 0x2b5187db2e58, object = 0x2b5187d314e8, refCount = 2}, m_variableObject = 0x2b5187d314e8, m_thisValue = 0x2b5188a127c0,
m_labelStack = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, tos = 0x0}, m_iterationDepth = 0, m_switchDepth = 0, m_codeType = KJS::FunctionCode,
m_completionType = 32767, m_breakOrContinueTarget = 0x7fff2e1c6660}, <No data fields>}
result = <value optimized out>
#10 0x00002b517d062e49 in KJS::JSObject::call (this=0x2b5188a19d00, exec=0x0, thisObj=0x0, args=@0x2b5188a2ee60) at JavaScriptCore/kjs/object.cpp:96
ret = (class KJS::JSValue *) 0x0
depth = 4
#11 0x00002b517d075910 in KJS::ScopedVarFunctionCallNode::evaluate (this=0x2b5187df2f60, exec=0x7fff2e1c6a30) at JavaScriptCore/kjs/nodes.cpp:1322
No locals.
#12 0x00002b517d07151e in KJS::ArgumentListNode::evaluateList (this=0x2b5188b24d40, exec=0x7fff2e1c6a30, list=@0x7fff2e1c6750) at JavaScriptCore/kjs/nodes.cpp:1011
n = (class KJS::ArgumentListNode *) 0x2b5188b24f80
#13 0x00002b517d0758f2 in KJS::ScopedVarFunctionCallNode::evaluate (this=0x2b5187df2f90, exec=0x7fff2e1c6a30) at JavaScriptCore/kjs/nodes.h:695
No locals.
#14 0x00002b517d07151e in KJS::ArgumentListNode::evaluateList (this=0x2b5188b24620, exec=0x7fff2e1c6a30, list=@0x7fff2e1c6840) at JavaScriptCore/kjs/nodes.cpp:1011
n = (class KJS::ArgumentListNode *) 0x2b5188b24620
#15 0x00002b517d0758f2 in KJS::ScopedVarFunctionCallNode::evaluate (this=0x2b5187df2fc0, exec=0x7fff2e1c6a30) at JavaScriptCore/kjs/nodes.h:695
No locals.
#16 0x00002b517d06de2e in KJS::AssignLocalVarNode::evaluate (this=0x2b5188b4a1e0, exec=0x7fff2e1c6560) at JavaScriptCore/kjs/nodes.cpp:3559
v = <value optimized out>
#17 0x00002b517d06ad8e in KJS::VarStatementNode::execute (this=0x2b5188b4a208, exec=0x7fff2e1c6560) at JavaScriptCore/kjs/nodes.cpp:4014
No locals.
#18 0x00002b517d03946a in KJS::BlockNode::execute (this=0x2b5188b927a8, exec=0x7fff2e1c6a30) at JavaScriptCore/kjs/nodes.cpp:3951
No locals.
#19 0x00002b517d06a9b9 in KJS::ForNode::execute (this=0x2b5187cfdca8, exec=0x7fff2e1c6a30) at JavaScriptCore/kjs/nodes.cpp:4164
b = <value optimized out>
statementValue = (class KJS::JSValue *) 0x2b5188a19e00
value = (class KJS::JSValue *) 0x2b5188a19e00
#20 0x00002b517d03946a in KJS::BlockNode::execute (this=0x2b5188b92770, exec=0x7fff2e1c6a30) at JavaScriptCore/kjs/nodes.cpp:3951
No locals.
#21 0x00002b517d06a9b9 in KJS::ForNode::execute (this=0x2b5187cfd240, exec=0x7fff2e1c6a30) at JavaScriptCore/kjs/nodes.cpp:4164
b = <value optimized out>
statementValue = (class KJS::JSValue *) 0x7fff2e1c6a30
value = (class KJS::JSValue *) 0x0
#22 0x00002b517d03946a in KJS::BlockNode::execute (this=0x2b5188ba7480, exec=0x7fff2e1c6a30) at JavaScriptCore/kjs/nodes.cpp:3951
No locals.
#23 0x00002b517d08c94f in KJS::FunctionImp::callAsFunction (this=0x2b5188a1e080, exec=0x7fff2e1c6c40, thisObj=<value optimized out>, args=<value optimized out>)
at JavaScriptCore/kjs/function.cpp:77
newExec = {<KJS::ExecState> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_globalObject = 0x2b5188a127c0, m_exception = 0x0,
m_propertyNames = 0x2b5187d7edc0, m_emptyList = 0x2b517d43cbe0, m_callingExec = 0x7fff2e1c6c40, m_scopeNode = 0x2b5188ba7480, m_function = 0x2b5188a1e080,
m_arguments = 0x7fff2e1c6b30, m_activation = 0x2b5187d31278, m_localStorage = 0x2b5187d312a8, m_scopeChain = {_node = 0x7fff2e1c6a88}, m_inlineScopeChainNode = {
next = 0x2b5187db2e58, object = 0x2b5187d31278, refCount = 2}, m_variableObject = 0x2b5187d31278, m_thisValue = 0x2b5188a127c0,
m_labelStack = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, tos = 0x0}, m_iterationDepth = 2, m_switchDepth = 0, m_codeType = KJS::FunctionCode,
m_completionType = KJS::Normal, m_breakOrContinueTarget = 0x2b517d08bc22}, <No data fields>}
result = <value optimized out>
#24 0x00002b517d062e49 in KJS::JSObject::call (this=0x2b5188a19d00, exec=0x0, thisObj=0x0, args=@0x2b5188a2ee60) at JavaScriptCore/kjs/object.cpp:96
ret = (class KJS::JSValue *) 0x0
depth = 4
#25 0x00002b517d075910 in KJS::ScopedVarFunctionCallNode::evaluate (this=0x2b5187df2600, exec=0x7fff2e1c6c40) at JavaScriptCore/kjs/nodes.cpp:1322
No locals.
#26 0x00002b517d06adee in KJS::ExprStatementNode::execute (this=0x2b5188b46cd0, exec=0x7fff2e1c6560) at JavaScriptCore/kjs/nodes.cpp:3998
value = (class KJS::JSValue *) 0x0
#27 0x00002b517d03946a in KJS::BlockNode::execute (this=0x2b5188ba7240, exec=0x7fff2e1c6c40) at JavaScriptCore/kjs/nodes.cpp:3951
No locals.
#28 0x00002b517d08c94f in KJS::FunctionImp::callAsFunction (this=0x2b5188a1da00, exec=0x7fff2e1c6e90, thisObj=<value optimized out>, args=<value optimized out>)
at JavaScriptCore/kjs/function.cpp:77
newExec = {<KJS::ExecState> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_globalObject = 0x2b5188a127c0, m_exception = 0x0,
m_propertyNames = 0x2b5187d7edc0, m_emptyList = 0x2b517d43cbe0, m_callingExec = 0x7fff2e1c6e90, m_scopeNode = 0x2b5188ba7240, m_function = 0x2b5188a1da00,
m_arguments = 0x7fff2e1c6d50, m_activation = 0x2b5187d31008, m_localStorage = 0x2b5187d31038, m_scopeChain = {_node = 0x7fff2e1c6c98}, m_inlineScopeChainNode = {
next = 0x2b5187db2e58, object = 0x2b5187d31008, refCount = 2}, m_variableObject = 0x2b5187d31008, m_thisValue = 0x2b5188a13540,
m_labelStack = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, tos = 0x0}, m_iterationDepth = 0, m_switchDepth = 0, m_codeType = KJS::FunctionCode,
m_completionType = KJS::Normal, m_breakOrContinueTarget = 0x2b5188a13540}, <No data fields>}
result = <value optimized out>
#29 0x00002b517d062e49 in KJS::JSObject::call (this=0x2b5188a19d00, exec=0x0, thisObj=0x0, args=@0x2b5188a2ee60) at JavaScriptCore/kjs/object.cpp:96
ret = (class KJS::JSValue *) 0x0
depth = 4
#30 0x00002b517d076ae3 in KJS::FunctionCallDotNode::evaluate (this=0x2b5188beb140, exec=0x7fff2e1c6e90) at JavaScriptCore/kjs/nodes.cpp:1500
No locals.
#31 0x00002b517d06adee in KJS::ExprStatementNode::execute (this=0x2b5188beb118, exec=0x7fff2e1c6560) at JavaScriptCore/kjs/nodes.cpp:3998
value = (class KJS::JSValue *) 0x0
#32 0x00002b517d03946a in KJS::BlockNode::execute (this=0x2b5188bedd80, exec=0x7fff2e1c6e90) at JavaScriptCore/kjs/nodes.cpp:3951
No locals.
#33 0x00002b517d08c94f in KJS::FunctionImp::callAsFunction (this=0x2b5188a1e000, exec=0x7fff2e1c72d0, thisObj=<value optimized out>, args=<value optimized out>)
at JavaScriptCore/kjs/function.cpp:77
newExec = {<KJS::ExecState> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_globalObject = 0x2b5188a127c0, m_exception = 0x0,
m_propertyNames = 0x2b5187d7edc0, m_emptyList = 0x2b517d43cbe0, m_callingExec = 0x7fff2e1c72d0, m_scopeNode = 0x2b5188bedd80, m_function = 0x2b5188a1e000,
m_arguments = 0x7fff2e1c6f90, m_activation = 0x2b5188a14540, m_localStorage = 0x2b5188bf0b40, m_scopeChain = {_node = 0x2b5188b78750}, m_inlineScopeChainNode = {
next = 0x0, object = 0x0, refCount = 1}, m_variableObject = 0x2b5188a14540, m_thisValue = 0x2b5188a127c0,
m_labelStack = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, tos = 0x0}, m_iterationDepth = 0, m_switchDepth = 0, m_codeType = KJS::FunctionCode,
m_completionType = KJS::Normal, m_breakOrContinueTarget = 0x2b5188b78750}, <No data fields>}
result = <value optimized out>
#34 0x00002b517d062e49 in KJS::JSObject::call (this=0x2b5188a19d00, exec=0x0, thisObj=0x0, args=@0x2b5188a2ee60) at JavaScriptCore/kjs/object.cpp:96
ret = (class KJS::JSValue *) 0x0
depth = 4
#35 0x00002b517d0761ea in KJS::LocalVarFunctionCallNode::evaluate (this=0x2b5187df2ba0, exec=0x7fff2e1c72d0) at JavaScriptCore/kjs/nodes.cpp:1269
No locals.
#36 0x00002b517d07151e in KJS::ArgumentListNode::evaluateList (this=0x2b5188bec0a0, exec=0x7fff2e1c72d0, list=@0x7fff2e1c7080) at JavaScriptCore/kjs/nodes.cpp:1011
n = (class KJS::ArgumentListNode *) 0x2b5188bec0a0
#37 0x00002b517d0761cc in KJS::LocalVarFunctionCallNode::evaluate (this=0x2b5187df2bd0, exec=0x7fff2e1c72d0) at JavaScriptCore/kjs/nodes.h:695
No locals.
#38 0x00002b517d06ccc3 in KJS::AssignResolveNode::evaluate (this=0x2b5188beb618, exec=0x7fff2e1c72d0) at JavaScriptCore/kjs/nodes.cpp:3654
slot = {m_getValue = 0x2b5188a1e0c0, m_slotBase = 0x2b5188b46e10, m_data = {getterFunc = 0x2b5188a1da00, valueSlot = 0x2b5188a1da00, staticEntry = 0x2b5188a1da00,
index = 2292308480, numericFunc = 0x2b5188a1da00}}
base = (class KJS::JSObject *) 0x2b5188a127c0
v = <value optimized out>
#39 0x00002b517d06adee in KJS::ExprStatementNode::execute (this=0x2b5188beb5f0, exec=0x7fff2e1c6560) at JavaScriptCore/kjs/nodes.cpp:3998
value = (class KJS::JSValue *) 0x0
#40 0x00002b517d03946a in KJS::BlockNode::execute (this=0x2b5188bed900, exec=0x7fff2e1c72d0) at JavaScriptCore/kjs/nodes.cpp:3951
No locals.
#41 0x00002b517d08c2c0 in KJS::ProgramNode::execute (this=0x2b5188bed900, exec=0x7fff2e1c72d0) at JavaScriptCore/kjs/nodes.cpp:4883
No locals.
#42 0x00002b517d08d9c3 in KJS::Interpreter::evaluate (exec=0x2b5187d7d238, sourceURL=@0x7fff2e1c7500, startingLineNumber=441, code=0x2b5188b02000,
codeLength=<value optimized out>, thisV=0x0) at JavaScriptCore/kjs/interpreter.cpp:103
newExec = {<KJS::ExecState> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_globalObject = 0x2b5188a127c0, m_exception = 0x0,
m_propertyNames = 0x2b5187d7edc0, m_emptyList = 0x2b517d43cbe0, m_callingExec = 0x0, m_scopeNode = 0x2b5188bed900, m_function = 0x0, m_arguments = 0x0,
m_activation = 0x0, m_localStorage = 0x2b5187d7d000, m_scopeChain = {_node = 0x2b5187db2e58}, m_inlineScopeChainNode = {next = 0x0, object = 0x0, refCount = 1},
m_variableObject = 0x2b5188a127c0, m_thisValue = 0x2b5188a127c0, m_labelStack = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, tos = 0x0}, m_iterationDepth = 0,
m_switchDepth = 0, m_codeType = KJS::GlobalCode, m_completionType = KJS::Normal, m_breakOrContinueTarget = 0x2b517d03fd93}, <No data fields>}
value = <value optimized out>
globalObject = (class KJS::JSGlobalObject *) 0x2b5188a127c0
sourceId = 9
errLine = -1
errMsg = {m_rep = {m_ptr = 0x2b517d414f40}}
thisObj = <value optimized out>
#43 0x00002b517cd307b3 in WebCore::KJSProxy::evaluate (this=0x2b5187d86f30, filename=@0x7fff2e1c77c0, baseLine=441, str=<value optimized out>)
at WebCore/bindings/js/kjs_proxy.cpp:86
exec = (class KJS::ExecState *) 0x2b5187d7d238
comp = {m_type = 773616884, m_value = 0x2b517d03fbda}
#44 0x00002b517cebf8f1 in WebCore::FrameLoader::executeScript (this=0x2b5187d8f400, url=@0x7fff2e1c77c0, baseLine=441, script=@0x7fff2e1c79f0)
at WebCore/loader/FrameLoader.cpp:783
scriptProxy = <value optimized out>
wasRunningScript = false
result = <value optimized out>
#45 0x00002b517ce885c9 in WebCore::HTMLTokenizer::scriptExecution (this=0x2b5187d5a400, str=@0x7fff2e1c79f0, state={static EntityShift = <optimized out>, m_bits = 0},
scriptURL=<value optimized out>, baseLine=441) at WebCore/html/HTMLTokenizer.cpp:540
url = {m_impl = {m_ptr = 0x2b5187db2b40}}
savedPrependingSrc = (WebCore::SegmentedString *) 0x7fff2e1c7900
prependingSrc = {m_pushedChar1 = 0, m_pushedChar2 = 0, m_currentString = {m_length = 0, m_current = 0x0, m_string = {m_impl = {m_ptr = 0x0}},
m_doNotExcludeLineNumbers = true}, m_currentChar = 0x0, m_substrings = {m_start = 0, m_end = 0,
m_buffer = {<WTF::VectorBufferBase<WebCore::SegmentedSubstring>> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_buffer = 0x0,
m_capacity = 0}, <No data fields>}}, m_composite = false}
#46 0x00002b517ce89685 in WebCore::HTMLTokenizer::scriptHandler (this=0x2b5187d5a400, state={static EntityShift = <optimized out>, m_bits = 0})
at WebCore/html/HTMLTokenizer.cpp:480
doScriptExec = true
followingFrameset = false
cs = (class WebCore::CachedScript *) 0x0
scriptCode = {m_impl = {m_ptr = 0x2b5188b783d8}}
savedPrependingSrc = (WebCore::SegmentedString *) 0x0
prependingSrc = {m_pushedChar1 = 0, m_pushedChar2 = 0, m_currentString = {m_length = 0, m_current = 0x0, m_string = {m_impl = {m_ptr = 0x0}},
m_doNotExcludeLineNumbers = true}, m_currentChar = 0x0, m_substrings = {m_start = 0, m_end = 0,
m_buffer = {<WTF::VectorBufferBase<WebCore::SegmentedSubstring>> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_buffer = 0x0,
m_capacity = 0}, <No data fields>}}, m_composite = false}
#47 0x00002b517ce8a4e2 in WebCore::HTMLTokenizer::parseSpecial (this=0x2b5187d5a400, src=@0x2b5187d5ae28, state={static EntityShift = <optimized out>, m_bits = 773612896})
at WebCore/html/HTMLTokenizer.cpp:330
ch = 6740
#48 0x00002b517ce8d09c in WebCore::HTMLTokenizer::write (this=0x2b5187d5a400, str=<value optimized out>, appendData=<value optimized out>)
at WebCore/html/HTMLTokenizer.cpp:1669
cc = <value optimized out>
source = {m_pushedChar1 = 0, m_pushedChar2 = 0, m_currentString = {m_length = 1237, m_current = 0x2b5187d70a00, m_string = {m_impl = {m_ptr = 0x2b5188b78480}},
m_doNotExcludeLineNumbers = true}, m_currentChar = 0x2b5187d70a00, m_substrings = {m_start = 0, m_end = 0,
m_buffer = {<WTF::VectorBufferBase<WebCore::SegmentedSubstring>> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_buffer = 0x2b5187cf9d70,
m_capacity = 0}, <No data fields>}}, m_composite = false}
wasInWrite = false
processedCount = 1
startTime = 1207687808.954571
frame = (class WebCore::Frame *) 0x2b5187d86330
state = {static EntityShift = <optimized out>, m_bits = 0}
#49 0x00002b517ceadb17 in WebCore::FrameLoader::write (this=0x2b5187d8f400,
str=0x89e3d8 " return pixels;\n}\n\nfunction arrayToCanvasCommands(pixels)\n{\n var s = '<canvas id=\"renderCanvas\" width=\"30px\" height=\"30px\"></canvas><scr' + 'ipt>\\nvar pixels = [';\n var size = 30;\n for (var "..., len=<value optimized out>, flush=false) at WebCore/loader/FrameLoader.cpp:1029
tokenizer = (WebCore::Tokenizer *) 0x2b5187d5a400
decoded = {m_impl = {m_ptr = 0x2b5188b78480}}
#50 0x00002b517ce9ff59 in WebCore::DocumentLoader::commitLoad (this=0x2b5187d19600,
data=0x89e3d8 " return pixels;\n}\n\nfunction arrayToCanvasCommands(pixels)\n{\n var s = '<canvas id=\"renderCanvas\" width=\"30px\" height=\"30px\"></canvas><scr' + 'ipt>\\nvar pixels = [';\n var size = 30;\n for (var "..., length=1237) at WebCore/loader/DocumentLoader.cpp:328
frameLoader = (WebCore::FrameLoader *) 0x0
#51 0x00002b517ced5313 in WebCore::ResourceLoader::didReceiveData (this=0x2b5188a19d00,
data=0x89e3d8 " return pixels;\n}\n\nfunction arrayToCanvasCommands(pixels)\n{\n var s = '<canvas id=\"renderCanvas\" width=\"30px\" height=\"30px\"></canvas><scr' + 'ipt>\\nvar pixels = [';\n var size = 30;\n for (var "..., length=1237, lengthReceived=0, allAtOnce=96) at WebCore/loader/ResourceLoader.cpp:234
No locals.
#52 0x00002b517ced0256 in WebCore::MainResourceLoader::didReceiveData (this=0x2b5188b67800, data=0x7fff2e1c6560 "À'¡\210Q+", length=0, lengthReceived=47629184724576,
allAtOnce=false) at WebCore/loader/MainResourceLoader.cpp:296
No locals.
#53 0x00002b517cfef477 in writeCallback (ptr=0x89e3d8, size=<value optimized out>, nmemb=<value optimized out>, data=<value optimized out>)
at WebCore/platform/network/curl/ResourceHandleManager.cpp:126
job = (class WebCore::ResourceHandle *) 0x2b5187d9c430
d = (class WebCore::ResourceHandleInternal *) 0x2b5187de4000
totalSize = 1237
h = (CURL *) 0x89dcc0
httpCode = 200
err = <value optimized out>
#54 0x00002b51804fe6a8 in ?? () from /usr/lib/libcurl-gnutls.so.4
No symbol table info available.
#55 0x00002b5180513b5e in ?? () from /usr/lib/libcurl-gnutls.so.4
No symbol table info available.
#56 0x00002b518051071d in ?? () from /usr/lib/libcurl-gnutls.so.4
No symbol table info available.
#57 0x00002b5180515b1c in ?? () from /usr/lib/libcurl-gnutls.so.4
No symbol table info available.
#58 0x00002b518051648b in curl_multi_perform () from /usr/lib/libcurl-gnutls.so.4
No symbol table info available.
#59 0x00002b517cff0ea0 in WebCore::ResourceHandleManager::downloadTimerCallback (this=0x2b5187d6fd80, timer=<value optimized out>)
at WebCore/platform/network/curl/ResourceHandleManager.cpp:308
fdread = {fds_bits = {64, 0 <repeats 15 times>}}
fdwrite = {fds_bits = {0 <repeats 16 times>}}
fdexcep = {fds_bits = {0 <repeats 16 times>}}
maxfd = 6
timeout = {tv_sec = 0, tv_usec = 5000}
rc = 1
runningHandles = 0
started = <value optimized out>
#60 0x00002b517cf4b493 in WebCore::TimerBase::fireTimers (fireTime=1207687808.954479, firingTimers=@0x7fff2e1c8330) at WebCore/platform/Timer.cpp:347
timer = (class WebCore::TimerBase *) 0x2b5187d6fd80
interval = <value optimized out>
i = 0
#61 0x00002b517cf4b54b in WebCore::TimerBase::sharedTimerFired () at WebCore/platform/Timer.cpp:368
fireTime = 1207687808.954479
firingTimers = {m_size = 1, m_buffer = {<WTF::VectorBufferBase<WebCore::TimerBase*>> = {<WTFNoncopyable::Noncopyable> = {<No data fields>},
m_buffer = 0x2b5188b4fc80, m_capacity = 16}, <No data fields>}}
firingTimersSet = {m_impl = {static m_minTableSize = <optimized out>, static m_maxLoad = <optimized out>, static m_minLoad = <optimized out>,
m_table = 0x2b5187d04600, m_tableSize = 64, m_tableSizeMask = 63, m_keyCount = 0, m_deletedCount = 1}}
#62 0x00002b517cc6fba2 in timeout_cb () at WebCore/platform/gtk/SharedTimerGtk.cpp:48
No locals.
#63 0x00002b517e1e87db in ?? () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#64 0x00002b517e1e80b2 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#65 0x00002b517e1eb356 in ?? () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#66 0x00002b517e1eb617 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#67 0x00002b517daf8b63 in IA__gtk_main () at /build/buildd/gtk+2.0-2.12.9/gtk/gtkmain.c:1163
tmp_list = (GList *) 0x62a8b0
functions = (GList *) 0x0
init = (GtkInitFunction *) 0x661280
loop = (GMainLoop *) 0x87f5d0
#68 0x0000000000401eab in main (argc=2, argv=0x7fff2e1c8678) at WebKitTools/GtkLauncher/main.c:200
vbox = (GtkWidget *) 0x62a8b0
uri = <value optimized out>
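The two backtraces in this report show the same crash site in two forms: the first build had no debug info, so every frame reads only "from libwebkit-1.0.so.1", while the second resolves to "at file:line" with locals. Below is an added example, not part of the bug report or of WebKit, of a small parser for gdb's "bt full" format as it appears here: it re-joins wrapped frame lines, skips the "No symbol table info available." markers, collects multi-line struct locals, and then picks out the frame directly above "<signal handler called>" (frames #0 to #4, waitpid / g_spawn_* / libgnomebreakpad, are the crash reporter running inside the signal handler, not the fault). The sample trace is a constructed, shortened copy of the report's second trace, and the function names (`parse_backtrace`, `crash_frame`, `symbol_coverage`, `describe`) are this example's own.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample (not the report's verbatim trace): a shortened copy of the gdb "bt full"
# shape in the report, keeping wrapped frame lines, "No symbol table info available." markers
# and a multi-line struct local. Frame numbers are not contiguous because frames were cut.
SAMPLE_BACKTRACE = """\
#0  0x00002b517d45cea5 in waitpid () from /lib/libpthread.so.0
No symbol table info available.
#3  0x00002b51874974b3 in ?? () from /usr/lib/gtk-2.0/modules/libgnomebreakpad.so
No symbol table info available.
#4  <signal handler called>
No symbol table info available.
#5  0x00002b517d072a3e in KJS::ElementNode::evaluate (this=0x2b5188b25618, exec=0x7fff2e1c6560) at JavaScriptCore/kjs/nodes.cpp:792
        val = (class KJS::JSValue *) 0x2b5188a2ee60
        length = 0
#9  0x00002b517d08c94f in KJS::FunctionImp::callAsFunction (this=0x2b5188a1e480, exec=0x7fff2e1c6a30, thisObj=<value optimized out>, args=<value optimized out>)
    at JavaScriptCore/kjs/function.cpp:77
        newExec = {<KJS::ExecState> = {m_globalObject = 0x2b5188a127c0, m_exception = 0x0,
          m_completionType = 32767}, <No data fields>}
        result = <value optimized out>
#42 0x00002b517d08d9c3 in KJS::Interpreter::evaluate (exec=0x2b5187d7d238, startingLineNumber=441, code=0x2b5188b02000,
    codeLength=<value optimized out>, thisV=0x0) at JavaScriptCore/kjs/interpreter.cpp:103
        sourceId = 9
"""

SIGNAL_FRAME = "<signal handler called>"
FRAME_RE = re.compile(r"^#(?P<num>\d+)\s+(?:0x(?P<pc>[0-9a-f]+) in )?(?P<func>\S+) \((?P<args>.*?)\)"
                      r"(?:\s+(?P<kind>at|from)\s+(?P<loc>\S+))?\s*$")
SIGNAL_RE = re.compile(r"^#(\d+)\s+" + re.escape(SIGNAL_FRAME) + r"$")
LOCAL_RE = re.compile(r"^(\w+) = (.*)$")

@dataclass
class Frame:
    number: int
    pc: Optional[str]        # program counter; None for the signal-handler pseudo frame
    function: str
    args: str
    location: Optional[str]  # "file:line" when has_source, else the shared object path
    has_source: bool         # gdb resolved file:line, i.e. the frame had debug info
    local_vars: dict[str, str] = field(default_factory=dict)

def _parse_header(text: str) -> Optional[Frame]:
    """Parse one (possibly re-joined) frame line; None while it is still incomplete."""
    if m := SIGNAL_RE.match(text):
        return Frame(int(m.group(1)), None, SIGNAL_FRAME, "", None, False)
    if m := FRAME_RE.match(text):
        return Frame(int(m["num"]), m["pc"], m["func"], m["args"], m["loc"], m["kind"] == "at")
    return None

def parse_backtrace(text: str) -> list[Frame]:
    frames: list[Frame] = []
    header, current, last_local = "", None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.match(r"^#\d+\s", line):  # a new frame starts
            if current is not None:
                frames.append(current)
            header, current, last_local = line, _parse_header(line), None
            continue
        # gdb wraps long frame lines: the rest of the argument list, or a trailing
        # "at file:line" / "from lib", still belongs to the header being assembled.
        if current is None or (current.location is None and line.startswith(("at ", "from "))):
            header += " " + line
            current = _parse_header(header)
            continue
        if line in ("No locals.", "No symbol table info available."):
            continue
        # Locals are "name = value"; a struct value continues on later lines while braces are open.
        if last_local is not None and _open_braces(current.local_vars[last_local]):
            current.local_vars[last_local] += " " + line
        elif m := LOCAL_RE.match(line):
            last_local = m.group(1)
            current.local_vars[last_local] = m.group(2)
    if current is not None:
        frames.append(current)
    return frames

def _open_braces(value: str) -> int:
    return value.count("{") - value.count("}")

def crash_frame(frames: list[Frame]) -> Optional[Frame]:
    """First frame above "<signal handler called>", i.e. the code that actually faulted; the
    frames below it (waitpid, g_spawn_*, libgnomebreakpad) are the crash reporter, not the bug."""
    for i, f in enumerate(frames):
        if f.function == SIGNAL_FRAME:
            return frames[i + 1] if i + 1 < len(frames) else None
    return None

def symbol_coverage(frames: list[Frame]) -> tuple[int, int]:
    """(frames resolved to file:line, total frames); a low ratio means rebuild with -g."""
    return sum(f.has_source for f in frames), len(frames)

def describe(f: Frame) -> str:
    where = f" at {f.location}" if f.has_source else (f" from {f.location}" if f.location else "")
    return f"#{f.number} {f.function}{where}"

if __name__ == "__main__":
    frames = parse_backtrace(SAMPLE_BACKTRACE)
    top = crash_frame(frames)
    print(describe(top) if top else "no signal frame", "| source-resolved frames: %d of %d" % symbol_coverage(frames))
```

Run against the report's first trace, `symbol_coverage` would report zero source-resolved frames (every frame is "from" a shared object), which is the quickest way to tell that a trace needs a -g rebuild before it is worth reading; against the second trace it points straight at frame #5, KJS::ElementNode::evaluate at JavaScriptCore/kjs/nodes.cpp:792, together with the locals gdb captured there.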
Mike Hommey
FWIW, and this applies to bugs 18367, 18368 and 18369, too, the crash happens when building with -O1 and with -O2, but NOT when building with -O0 or with -fdefer-pop -fdelayed-branch -fguess-branch-probability -fcprop-registers -fif-conversion -fif-conversion2 -ftree-ccp -ftree-dce -ftree-dominator-opts -ftree-dse -ftree-ter -ftree-lrs -ftree-sra -ftree-copyrename -ftree-fre -ftree-ch -funit-at-a-time -fmerge-constants, which is listed in gcc's man page as being the set of flags -O1 turns on.
Note that a -O1 build is significantly faster on the tests that pass than a build with all these flags, so obviously, gcc does much more than what it claims.
Mike Hommey
This *doesn't* happen with the Qt port.
Mike Hommey
It doesn't happen on x86.
Mike Hommey
*** This bug has been marked as a duplicate of 18367 ***