Bug 18367

Summary: Crash during celtic kane js speed 2007 test
Product: WebKit
Reporter: Mike Hommey <mh+webkit>
Component: JavaScriptCore
Assignee: Mark Rowe (bdash) <mrowe>
Status: RESOLVED FIXED
Severity: Major
CC: jasper, lethalman88, mrowe
Priority: P2
Version: 528+ (Nightly build)
Hardware: PC
OS: Linux

Mike Hommey
Reported 2008-04-08 12:38:52 PDT
I spotted a crash during celtic kane js speed 2007 test (http://celtickane.com/webdesign/jsspeed2007.php) on amd64 (not tested anywhere else), confirmed on r31722. I bisected and found this crash first started happening with r29508. The full backtrace is as follows (I'll try again with a build with -g, in case I can get a better one):

[Thread debugging using libthread_db enabled]
[New Thread 0x2af40b7fdec0 (LWP 6838)]
0x00002af40213cea5 in waitpid () from /lib/libpthread.so.0
#0 0x00002af40213cea5 in waitpid () from /lib/libpthread.so.0
#1 0x00002af402efb4f6 in g_spawn_sync () from /usr/lib/libglib-2.0.so.0
#2 0x00002af402efb808 in g_spawn_command_line_sync () from /usr/lib/libglib-2.0.so.0
#3 0x00002af40c1774b3 in ?? () from /usr/lib/gtk-2.0/modules/libgnomebreakpad.so
#4 <signal handler called>
#5 0x00002af401d658f0 in KJS::stringProtoFuncReplace () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#6 0x00002af401d42e49 in KJS::JSObject::call () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#7 0x00002af401d56ae3 in KJS::FunctionCallDotNode::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#8 0x00002af401d4de2e in KJS::AssignLocalVarNode::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#9 0x00002af401d4adee in KJS::ExprStatementNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#10 0x00002af401d1946a in KJS::BlockNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#11 0x00002af401d4abe6 in KJS::DoWhileNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#12 0x00002af401d1946a in KJS::BlockNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#13 0x00002af401d4a9b9 in KJS::ForNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#14 0x00002af401d1946a in KJS::BlockNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#15 0x00002af401d6c94f in KJS::FunctionImp::callAsFunction () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#16 0x00002af401d42e49 in KJS::JSObject::call () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#17 0x00002af401d55910 in KJS::ScopedVarFunctionCallNode::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#18 0x00002af401d4de2e in KJS::AssignLocalVarNode::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#19 0x00002af401d4adee in KJS::ExprStatementNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#20 0x00002af401d1946a in KJS::BlockNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#21 0x00002af401d6c94f in KJS::FunctionImp::callAsFunction () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#22 0x00002af401d42e49 in KJS::JSObject::call () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#23 0x00002af401d77c01 in KJS::NonLocalVarFunctionCallNode::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#24 0x00002af401d4adee in KJS::ExprStatementNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#25 0x00002af401d1946a in KJS::BlockNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#26 0x00002af401d6c94f in KJS::FunctionImp::callAsFunction () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#27 0x00002af401d42e49 in KJS::JSObject::call () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#28 0x00002af401a0f6d2 in WebCore::JSAbstractEventListener::handleEvent () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#29 0x00002af401a892f5 in WebCore::EventTarget::handleLocalEvents () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#30 0x00002af401a890d7 in WebCore::EventTarget::dispatchGenericEvent () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#31 0x00002af401a8a7b3 in WebCore::EventTargetNode::dispatchEvent () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#32 0x00002af401a8aada in WebCore::EventTargetNode::dispatchMouseEvent () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#33 0x00002af401a8b168 in WebCore::EventTargetNode::dispatchMouseEvent () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#34 0x00002af401bdcaa2 in WebCore::EventHandler::dispatchMouseEvent () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#35 0x00002af401bde0bf in WebCore::EventHandler::handleMouseReleaseEvent () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#36 0x00002af40192f209 in webkit_web_view_button_release_event () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#37 0x00002af4027de4df in _gtk_marshal_BOOLEAN__BOXED (closure=0x6358c0, return_value=0x7fffa94ea1c0, n_param_values=<value optimized out>, param_values=0x7fffa94ea2a0, invocation_hint=<value optimized out>, marshal_data=0x2af40192f190) at /build/buildd/gtk+2.0-2.12.9/gtk/gtkmarshalers.c:84
#38 0x00002af402c59b5f in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#39 0x00002af402c6d9d8 in ?? () from /usr/lib/libgobject-2.0.so.0
#40 0x00002af402c6ed16 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#41 0x00002af402c6f3b3 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#42 0x00002af4028e5925 in gtk_widget_event_internal (widget=0x66e3b0, event=0x871a50) at /build/buildd/gtk+2.0-2.12.9/gtk/gtkwidget.c:4678
#43 0x00002af4027d77f2 in IA__gtk_propagate_event (widget=0x66e3b0, event=0x871a50) at /build/buildd/gtk+2.0-2.12.9/gtk/gtkmain.c:2336
#44 0x00002af4027d8795 in IA__gtk_main_do_event (event=0x871a50) at /build/buildd/gtk+2.0-2.12.9/gtk/gtkmain.c:1556
#45 0x00002af4035a214c in gdk_event_dispatch (source=<value optimized out>, callback=<value optimized out>, user_data=<value optimized out>) at /build/buildd/gtk+2.0-2.12.9/gdk/x11/gdkevents-x11.c:2351
#46 0x00002af402ec80b2 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#47 0x00002af402ecb356 in ?? () from /usr/lib/libglib-2.0.so.0
#48 0x00002af402ecb617 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#49 0x00002af4027d8b63 in IA__gtk_main () at /build/buildd/gtk+2.0-2.12.9/gtk/gtkmain.c:1163
#50 0x0000000000401eab in main ()
Attachments
Patch (3.09 KB, patch) - 2008-04-10 15:38 PDT, Mark Rowe (bdash) - no flags
Patch (3.08 KB, patch) - 2008-04-10 15:40 PDT, Mark Rowe (bdash) - mjs: review+
Mike Hommey
Comment 1 2008-04-08 13:48:27 PDT
Better backtrace:

Thread 1 (Thread 0x2b83fd43fec0 (LWP 31556)):
#0 0x00002b83f3d7eea5 in waitpid () from /lib/libpthread.so.0
        No symbol table info available.
#1 0x00002b83f4b3d4f6 in g_spawn_sync () from /usr/lib/libglib-2.0.so.0
        No symbol table info available.
#2 0x00002b83f4b3d808 in g_spawn_command_line_sync () from /usr/lib/libglib-2.0.so.0
        No symbol table info available.
#3 0x00002b83fddb94b3 in ?? () from /usr/lib/gtk-2.0/modules/libgnomebreakpad.so
        No symbol table info available.
#4 <signal handler called>
        No symbol table info available.
#5 0x00002b83f39a685b in KJS::stringProtoFuncIndexOf (exec=0x7fffb78a7750, thisObj=0x2b83ff8a0180, args=@0x7fffb78a74b0) at JavaScriptCore/kjs/object.h:510
        s = {m_rep = {m_ptr = 0x7fffb78a7490}}
        len = <value optimized out>
        a0 = <value optimized out>
        a1 = <value optimized out>
        u2 = {m_rep = {m_ptr = 0x2b83fe709660}}
        dpos = <value optimized out>
#6 0x00002b83f3984e49 in KJS::JSObject::call (this=0x2b83ff8a0180, exec=0x7fffb78a7750, thisObj=0x7fffb78a74b0, args=@0x7fffb78a74b0) at JavaScriptCore/kjs/object.cpp:96
        ret = (class KJS::JSValue *) 0x0
        depth = 4
#7 0x00002b83f3998ae3 in KJS::FunctionCallDotNode::evaluate (this=0x2b83fe708aa0, exec=0x7fffb78a7750) at JavaScriptCore/kjs/nodes.cpp:1500
        No locals.
#8 0x00002b83f3990f43 in KJS::EqualNode::evaluateToBoolean (this=0x2b83fe709620, exec=0x2b83ff8a0180) at JavaScriptCore/kjs/nodes.cpp:3121
        No locals.
#9 0x00002b83f3990a1d in KJS::LogicalAndNode::evaluateToBoolean (this=0x2b83fe709600, exec=0x7fffb78a7750) at JavaScriptCore/kjs/nodes.cpp:3371
        b = <value optimized out>
#10 0x00002b83f39909ee in KJS::LogicalAndNode::evaluateToBoolean (this=0x2b83fe709560, exec=0x2b83ff8a0180) at JavaScriptCore/kjs/nodes.cpp:3369
        b = <value optimized out>
#11 0x00002b83f39909ee in KJS::LogicalAndNode::evaluateToBoolean (this=0x2b83fe7094c0, exec=0x2b83ff8a0180) at JavaScriptCore/kjs/nodes.cpp:3369
        b = <value optimized out>
#12 0x00002b83f39909ee in KJS::LogicalAndNode::evaluateToBoolean (this=0x2b83fe709420, exec=0x2b83ff8a0180) at JavaScriptCore/kjs/nodes.cpp:3369
        b = <value optimized out>
#13 0x00002b83f39909ee in KJS::LogicalAndNode::evaluateToBoolean (this=0x2b83fe709b80, exec=0x2b83ff8a0180) at JavaScriptCore/kjs/nodes.cpp:3369
        b = <value optimized out>
#14 0x00002b83f39909ee in KJS::LogicalAndNode::evaluateToBoolean (this=0x2b83fe709ae0, exec=0x2b83ff8a0180) at JavaScriptCore/kjs/nodes.cpp:3369
        b = <value optimized out>
#15 0x00002b83f395d8ce in KJS::LogicalNotNode::evaluateToBoolean (this=<value optimized out>, exec=0x2b83ff8a0180) at JavaScriptCore/kjs/nodes.cpp:2382
        No locals.
#16 0x00002b83f398cbc2 in KJS::DoWhileNode::execute (this=0x2b83fe6f5360, exec=0x7fffb78a7750) at JavaScriptCore/kjs/nodes.cpp:4089
        statementValue = (class KJS::JSValue *) 0x2b83ff8a02c0
        b = <value optimized out>
        value = (class KJS::JSValue *) 0x2b83ff8a02c0
#17 0x00002b83f395b46a in KJS::BlockNode::execute (this=0x2b83fe62be38, exec=0x7fffb78a7750) at JavaScriptCore/kjs/nodes.cpp:3951
        No locals.
#18 0x00002b83f398c9b9 in KJS::ForNode::execute (this=0x2b83fe61f000, exec=0x7fffb78a7750) at JavaScriptCore/kjs/nodes.cpp:4164
        b = <value optimized out>
        statementValue = (class KJS::JSValue *) 0x7fffb78a7750
        value = (class KJS::JSValue *) 0x0
#19 0x00002b83f395b46a in KJS::BlockNode::execute (this=0x2b83fe706240, exec=0x7fffb78a7750) at JavaScriptCore/kjs/nodes.cpp:3951
        No locals.
#20 0x00002b83f39ae94f in KJS::FunctionImp::callAsFunction (this=0x2b83ff331b00, exec=0x7fffb78a7980, thisObj=<value optimized out>, args=<value optimized out>) at JavaScriptCore/kjs/function.cpp:77
        newExec = {<KJS::ExecState> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_globalObject = 0x2b83ff330000, m_exception = 0x0, m_propertyNames = 0x2b83fe6cfdc0, m_emptyList = 0x2b83f3d5ebe0, m_callingExec = 0x7fffb78a7980, m_scopeNode = 0x2b83fe706240, m_function = 0x2b83ff331b00, m_arguments = 0x7fffb78a7850, m_activation = 0x2b83fe64d4e8, m_localStorage = 0x2b83fe64d518, m_scopeChain = {_node = 0x7fffb78a77a8}, m_inlineScopeChainNode = { next = 0x2b83fe704948, object = 0x2b83fe64d4e8, refCount = 2}, m_variableObject = 0x2b83fe64d4e8, m_thisValue = 0x2b83ff330000, m_labelStack = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, tos = 0x0}, m_iterationDepth = 1, m_switchDepth = 0, m_codeType = KJS::FunctionCode, m_completionType = KJS::Normal, m_breakOrContinueTarget = 0x2b83fe6ed690}, <No data fields>}
        result = <value optimized out>
#21 0x00002b83f3984e49 in KJS::JSObject::call (this=0x2b83ff8a0180, exec=0x7fffb78a7750, thisObj=0x7fffb78a74b0, args=@0x7fffb78a74b0) at JavaScriptCore/kjs/object.cpp:96
        ret = (class KJS::JSValue *) 0x0
        depth = 4
#22 0x00002b83f3997910 in KJS::ScopedVarFunctionCallNode::evaluate (this=0x2b83fe6f5480, exec=0x7fffb78a7980) at JavaScriptCore/kjs/nodes.cpp:1322
        No locals.
#23 0x00002b83f398fe2e in KJS::AssignLocalVarNode::evaluate (this=0x2b83fe6f6050, exec=0x2b83ff8a0180) at JavaScriptCore/kjs/nodes.cpp:3559
        v = <value optimized out>
#24 0x00002b83f398cdee in KJS::ExprStatementNode::execute (this=0x2b83fe6f6028, exec=0x2b83ff8a0180) at JavaScriptCore/kjs/nodes.cpp:3998
        value = (class KJS::JSValue *) 0x0
#25 0x00002b83f395b46a in KJS::BlockNode::execute (this=0x2b83fe6ed480, exec=0x7fffb78a7980) at JavaScriptCore/kjs/nodes.cpp:3951
        No locals.
#26 0x00002b83f39ae94f in KJS::FunctionImp::callAsFunction (this=0x2b83ff331780, exec=0x7fffb78a7bd0, thisObj=<value optimized out>, args=<value optimized out>) at JavaScriptCore/kjs/function.cpp:77
        newExec = {<KJS::ExecState> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_globalObject = 0x2b83ff330000, m_exception = 0x0, m_propertyNames = 0x2b83fe6cfdc0, m_emptyList = 0x2b83f3d5ebe0, m_callingExec = 0x7fffb78a7bd0, m_scopeNode = 0x2b83fe6ed480, m_function = 0x2b83ff331780, m_arguments = 0x7fffb78a7a90, m_activation = 0x2b83fe64d278, m_localStorage = 0x2b83fe64d2a8, m_scopeChain = {_node = 0x7fffb78a79d8}, m_inlineScopeChainNode = { next = 0x2b83fe704948, object = 0x2b83fe64d278, refCount = 2}, m_variableObject = 0x2b83fe64d278, m_thisValue = 0x2b83ff330000, m_labelStack = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, tos = 0x0}, m_iterationDepth = 0, m_switchDepth = 0, m_codeType = KJS::FunctionCode, m_completionType = KJS::Normal, m_breakOrContinueTarget = 0x2b83ff330000}, <No data fields>}
        result = <value optimized out>
#27 0x00002b83f3984e49 in KJS::JSObject::call (this=0x2b83ff8a0180, exec=0x7fffb78a7750, thisObj=0x7fffb78a74b0, args=@0x7fffb78a74b0) at JavaScriptCore/kjs/object.cpp:96
        ret = (class KJS::JSValue *) 0x0
        depth = 4
#28 0x00002b83f39b9c01 in KJS::NonLocalVarFunctionCallNode::evaluate (this=0x2b83ff586360, exec=0x7fffb78a7bd0) at JavaScriptCore/kjs/nodes.cpp:1141
        No locals.
#29 0x00002b83f398cdee in KJS::ExprStatementNode::execute (this=0x2b83ff5f0618, exec=0x2b83ff8a0180) at JavaScriptCore/kjs/nodes.cpp:3998
        value = (class KJS::JSValue *) 0x0
#30 0x00002b83f395b46a in KJS::BlockNode::execute (this=0x2b83ff4fb000, exec=0x7fffb78a7bd0) at JavaScriptCore/kjs/nodes.cpp:3951
        No locals.
#31 0x00002b83f39ae94f in KJS::FunctionImp::callAsFunction (this=0x2b83ff33ae80, exec=0x2b83fe6cec38, thisObj=<value optimized out>, args=<value optimized out>) at JavaScriptCore/kjs/function.cpp:77
        newExec = {<KJS::ExecState> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_globalObject = 0x2b83ff330000, m_exception = 0x0, m_propertyNames = 0x2b83fe6cfdc0, m_emptyList = 0x2b83f3d5ebe0, m_callingExec = 0x2b83fe6cec38, m_scopeNode = 0x2b83ff4fb000, m_function = 0x2b83ff33ae80, m_arguments = 0x7fffb78a7d00, m_activation = 0x2b83fe64d008, m_localStorage = 0x2b83fe64d038, m_scopeChain = {_node = 0x7fffb78a7c28}, m_inlineScopeChainNode = { next = 0x2b83ff4e7168, object = 0x2b83fe64d008, refCount = 2}, m_variableObject = 0x2b83fe64d008, m_thisValue = 0x2b83ff33ad80, m_labelStack = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, tos = 0x0}, m_iterationDepth = 0, m_switchDepth = 0, m_codeType = KJS::FunctionCode, m_completionType = 11139, m_breakOrContinueTarget = 0x2b83ff6dbdc0}, <No data fields>}
        result = <value optimized out>
#32 0x00002b83f3984e49 in KJS::JSObject::call (this=0x2b83ff8a0180, exec=0x7fffb78a7750, thisObj=0x7fffb78a74b0, args=@0x7fffb78a74b0) at JavaScriptCore/kjs/object.cpp:96
        ret = (class KJS::JSValue *) 0x0
        depth = 4
#33 0x00002b83f36516d2 in WebCore::JSAbstractEventListener::handleEvent (this=0x2b83ff53fd40, ele=0x2b83ff6dbdc0, isWindowEvent=false) at WebCore/bindings/js/kjs_events.cpp:101
        thisObj = (class KJS::JSObject *) 0x2b83ff33ad80
        args = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_vector = {m_size = 1, m_buffer = {<WTF::VectorBufferBase<KJS::JSValue*>> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_buffer = 0x7fffb78a7d18, m_capacity = 8}, static m_inlineBufferSize = <optimized out>, m_inlineBuffer = "\200¬3ÿ\203+\000\000p\177\212·ÿ\177\000\000\aV\212ó\203+\000\000 \227]ÿ\203+\000\000ðB\226ó\203+\000\000\000\000\000\000\000\000\000\000\210±dþ\203+\000\000P©dþ\203+\000"}}, m_isInMarkSet = false}
        retval = <value optimized out>
        listener = (class KJS::JSObject *) 0x2b83ff33ae80
        window = (class WebCore::JSDOMWindow *) 0x2b83ff330000
        frame = <value optimized out>
        scriptProxy = <value optimized out>
        globalObject = (class KJS::JSGlobalObject *) 0x2b83ff330000
        exec = (class KJS::ExecState *) 0x2b83fe6cec38
        handleEventFuncValue = <value optimized out>
        handleEventFunc = <value optimized out>
#34 0x00002b83f36cb2f5 in WebCore::EventTarget::handleLocalEvents (this=<value optimized out>, referenceNode=<value optimized out>, evt=0x2b83ff6dbdc0, useCapture=false) at WebCore/dom/EventTarget.cpp:307
        listenersCopy = {impl = {d = {m_ptr = 0x2b83fe69d3c0}}}
#35 0x00002b83f36cb0d7 in WebCore::EventTarget::dispatchGenericEvent (this=0x2b83ff4e3908, referenceNode=0x2b83ff4e38c0, e=<value optimized out>, tempEvent=true) at WebCore/dom/EventTarget.cpp:205
        nodeChain = {impl = {head = 0x2b83ff4e7090, tail = 0x2b83fe716378, cur = 0x2b83ff4e7090, nodeCount = 10, deleteItem = 0x2b83f36cb770 <WebCore::DeprecatedPtrList<WebCore::Node>::deleteFunc(void*)>, iterators = 0x7fffb78a7f20}, del_item = false}
        it = {impl = {list = 0x7fffb78a7ee0, node = 0x2b83fe716378, next = 0x0, prev = 0x0}}
        data = (void *) 0x0
        eventTargetNode = (class WebCore::EventTargetNode *) 0x2b83ff4e38c0
        frame = <value optimized out>
#36 0x00002b83f36cc7b3 in WebCore::EventTargetNode::dispatchEvent (this=<value optimized out>, e=<value optimized out>, ec=@0x7fffb78a80cc, tempEvent=80) at WebCore/dom/EventTargetNode.cpp:118
        eventTarget = (class WebCore::EventTargetNode *) 0x2b83ff4e38c0
#37 0x00002b83f36ccada in WebCore::EventTargetNode::dispatchMouseEvent (this=0x2b83ff4e38c0, eventType=@0x2b83f3d39868, button=<value optimized out>, detail=1, pageX=446, pageY=1071, screenX=450, screenY=455, ctrlKey=false, altKey=false, shiftKey=false, metaKey=false, isSimulated=false, relatedTargetArg=0x0, underlyingEvent=@0x7fffb78a8160) at WebCore/dom/EventTargetNode.cpp:287
        ec = 0
        swallowEvent = <value optimized out>
#38 0x00002b83f36cd168 in WebCore::EventTargetNode::dispatchMouseEvent (this=0x2b83ff4e38c0, event=@0x7fffb78a82c0, eventType=@0x2b83f3d39868, detail=1, relatedTarget=0x0) at WebCore/dom/EventTargetNode.cpp:204
        button = 29872
#39 0x00002b83f381eaa2 in WebCore::EventHandler::dispatchMouseEvent (this=0x2b83fe61c9f0, eventType=@0x2b83f3d39868, targetNode=<value optimized out>, cancelable=<value optimized out>, clickCount=1, mouseEvent=@0x7fffb78a82c0, setUnder=<value optimized out>) at WebCore/page/EventHandler.cpp:1262
        swallowEvent = <value optimized out>
#40 0x00002b83f38200bf in WebCore::EventHandler::handleMouseReleaseEvent (this=0x2b83fe61c9f0, mouseEvent=@0x7fffb78a82c0) at WebCore/page/EventHandler.cpp:1084
        mev = {m_event = {m_position = {m_x = 446, m_y = 391}, m_globalPosition = {m_x = 450, m_y = 455}, m_button = WebCore::LeftButton, m_eventType = WebCore::MouseEventReleased, m_clickCount = 0, m_shiftKey = false, m_ctrlKey = false, m_altKey = false, m_metaKey = false, m_timestamp = 228561197, m_modifierFlags = 3079308896}, m_hitTestResult = {m_innerNode = {m_ptr = 0x2b83ff4e38c0}, m_innerNonSharedNode = {m_ptr = 0x2b83ff4e38c0}, m_point = {m_x = 446, m_y = 1071}, m_localPoint = {m_x = 38, m_y = 12}, m_innerURLElement = {m_ptr = 0x0}, m_scrollbar = {m_ptr = 0x0}}}
        targetNode = <value optimized out>
        subframe = <value optimized out>
        swallowMouseUpEvent = false
        swallowClickEvent = <value optimized out>
        swallowMouseReleaseEvent = <value optimized out>
#41 0x00002b83f3571209 in webkit_web_view_button_release_event (widget=0x66e3b0, event=0x871ac0) at WebKit/gtk/webkit/webkitwebview.cpp:359
        priv = (WebKitWebViewPrivate *) 0x66e430
        focusedFrame = (class WebCore::Frame *) 0x2b83fe61d228
#42 0x00002b83f44204df in _gtk_marshal_BOOLEAN__BOXED (closure=0x6358c0, return_value=0x7fffb78a8580, n_param_values=<value optimized out>, param_values=0x7fffb78a8660, invocation_hint=<value optimized out>, marshal_data=0x2b83f3571190) at /build/buildd/gtk+2.0-2.12.9/gtk/gtkmarshalers.c:84
        data1 = (gpointer) 0x66e3b0
        data2 = (gpointer) 0x7fffb78a74b0
        v_return = <value optimized out>
        __PRETTY_FUNCTION__ = "_gtk_marshal_BOOLEAN__BOXED"
#43 0x00002b83f489bb5f in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
        No symbol table info available.
#44 0x00002b83f48af9d8 in ?? () from /usr/lib/libgobject-2.0.so.0
        No symbol table info available.
#45 0x00002b83f48b0d16 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
        No symbol table info available.
#46 0x00002b83f48b13b3 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
        No symbol table info available.
#47 0x00002b83f4527925 in gtk_widget_event_internal (widget=0x66e3b0, event=0x871ac0) at /build/buildd/gtk+2.0-2.12.9/gtk/gtkwidget.c:4678
        signal_num = <value optimized out>
        return_val = 0
#48 0x00002b83f44197f2 in IA__gtk_propagate_event (widget=0x66e3b0, event=0x871ac0) at /build/buildd/gtk+2.0-2.12.9/gtk/gtkmain.c:2336
        tmp = (GtkWidget *) 0x6da2c0
        handled_event = <value optimized out>
        __PRETTY_FUNCTION__ = "IA__gtk_propagate_event"
#49 0x00002b83f441a795 in IA__gtk_main_do_event (event=0x871ac0) at /build/buildd/gtk+2.0-2.12.9/gtk/gtkmain.c:1556
        event_widget = (GtkWidget *) 0x66e3b0
        grab_widget = (GtkWidget *) 0x66e3b0
        window_group = (GtkWindowGroup *) 0x6da2c0
        rewritten_event = (GdkEvent *) 0x0
        tmp_list = <value optimized out>
        __PRETTY_FUNCTION__ = "IA__gtk_main_do_event"
#50 0x00002b83f51e414c in gdk_event_dispatch (source=<value optimized out>, callback=<value optimized out>, user_data=<value optimized out>) at /build/buildd/gtk+2.0-2.12.9/gdk/x11/gdkevents-x11.c:2351
        display = <value optimized out>
        event = (GdkEvent *) 0x871ac0
#51 0x00002b83f4b0a0b2 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
        No symbol table info available.
#52 0x00002b83f4b0d356 in ?? () from /usr/lib/libglib-2.0.so.0
        No symbol table info available.
#53 0x00002b83f4b0d617 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
        No symbol table info available.
#54 0x00002b83f441ab63 in IA__gtk_main () at /build/buildd/gtk+2.0-2.12.9/gtk/gtkmain.c:1163
        tmp_list = (GList *) 0x62a8b0
        functions = (GList *) 0x0
        init = (GtkInitFunction *) 0x661280
        loop = (GMainLoop *) 0x884460
#55 0x0000000000401eab in main (argc=2, argv=0x7fffb78a8d58) at WebKitTools/GtkLauncher/main.c:200
        vbox = (GtkWidget *) 0x62a8b0
        uri = <value optimized out>
Mike Hommey
Comment 2 2008-04-09 02:51:05 PDT
FWIW, building without -O2 leads to a webkit that doesn't crash
Mike Hommey
Comment 3 2008-04-09 05:07:22 PDT
It also happens on the Qt port.
Mike Hommey
Comment 4 2008-04-09 10:20:51 PDT
It doesn't happen on x86
Mark Rowe (bdash)
Comment 5 2008-04-09 17:03:41 PDT
I can reproduce a crash that looks very similar to this while running SunSpider at http://webkit.org/perf/sunspider-0.9/sunspider.html in WebKitGtk on x86_64. I'll see if I can debug and track down the issue.
Mark Rowe (bdash)
Comment 6 2008-04-09 18:07:55 PDT
Simpler steps to reproduce: WebKitBuild/Release/Programs/testkjs -f SunSpider/tmp/sunspider-test-prefix.js -f SunSpider/tests/string-tagcloud.js
Mark Rowe (bdash)
Comment 7 2008-04-09 21:03:28 PDT
Ok, I think I've tracked down the problem: Collector::markCurrentThreadConservatively uses setjmp to force registers onto the stack. The setjmp implementation for x86-64 in glibc is the following:

0x00007f5f7d0c5e00 <__sigsetjmp+0>: mov %rbx,(%rdi)
0x00007f5f7d0c5e03 <__sigsetjmp+3>: mov %rbp,%rax
0x00007f5f7d0c5e06 <__sigsetjmp+6>: xor %fs:0x30,%rax
0x00007f5f7d0c5e0f <__sigsetjmp+15>: rol $0x11,%rax
0x00007f5f7d0c5e13 <__sigsetjmp+19>: mov %rax,0x8(%rdi)
0x00007f5f7d0c5e17 <__sigsetjmp+23>: mov %r12,0x10(%rdi)
0x00007f5f7d0c5e1b <__sigsetjmp+27>: mov %r13,0x18(%rdi)
0x00007f5f7d0c5e1f <__sigsetjmp+31>: mov %r14,0x20(%rdi)
0x00007f5f7d0c5e23 <__sigsetjmp+35>: mov %r15,0x28(%rdi)
0x00007f5f7d0c5e27 <__sigsetjmp+39>: lea 0x8(%rsp),%rdx
0x00007f5f7d0c5e2c <__sigsetjmp+44>: xor %fs:0x30,%rdx
0x00007f5f7d0c5e35 <__sigsetjmp+53>: rol $0x11,%rdx
0x00007f5f7d0c5e39 <__sigsetjmp+57>: mov %rdx,0x30(%rdi)
0x00007f5f7d0c5e3d <__sigsetjmp+61>: mov (%rsp),%rax
0x00007f5f7d0c5e41 <__sigsetjmp+65>: xor %fs:0x30,%rax
0x00007f5f7d0c5e4a <__sigsetjmp+74>: rol $0x11,%rax
0x00007f5f7d0c5e4e <__sigsetjmp+78>: mov %rax,0x38(%rdi)
0x00007f5f7d0c5e52 <__sigsetjmp+82>: jmpq 0x7f5f7d0c5e60

Two important things to note: only a subset of registers are saved, and several of those that are saved are mangled (xor'd with a magic value, then rotated left) to not look pointer-like. I suspect this may explain many, if not all, of the x86-64 specific crashers.
Mark Rowe (bdash)
Comment 8 2008-04-09 21:04:37 PDT
0xb7e4dcb0 <_setjmp+0>: xor %eax,%eax
0xb7e4dcb2 <_setjmp+2>: mov 0x4(%esp),%edx
0xb7e4dcb6 <_setjmp+6>: mov %ebx,(%edx)
0xb7e4dcb8 <_setjmp+8>: mov %esi,0x4(%edx)
0xb7e4dcbb <_setjmp+11>: mov %edi,0x8(%edx)
0xb7e4dcbe <_setjmp+14>: lea 0x4(%esp),%ecx
0xb7e4dcc2 <_setjmp+18>: xor %gs:0x18,%ecx
0xb7e4dcc9 <_setjmp+25>: rol $0x9,%ecx
0xb7e4dccc <_setjmp+28>: mov %ecx,0x10(%edx)
0xb7e4dccf <_setjmp+31>: mov (%esp),%ecx
0xb7e4dcd2 <_setjmp+34>: xor %gs:0x18,%ecx
0xb7e4dcd9 <_setjmp+41>: rol $0x9,%ecx
0xb7e4dcdc <_setjmp+44>: mov %ecx,0x14(%edx)
0xb7e4dcdf <_setjmp+47>: mov %ebp,0xc(%edx)
0xb7e4dce2 <_setjmp+50>: mov %eax,0x18(%edx)
0xb7e4dce5 <_setjmp+53>: ret

i386 looks to have similar pointer-mangling behaviour in setjmp, so perhaps we should consider applying the fix for this to i386 too.
Mark Rowe (bdash)
Comment 9 2008-04-10 00:22:22 PDT
Ok, looks like I misspoke. It looks like GCC on Linux is ordering the local variables differently inside Collector::markCurrentThreadConservatively, which causes the address of dummy to no longer be that of the top of the stack. This means that markStackObjectsConservatively is effectively not scanning the registers at all.
Mike Hommey
Comment 10 2008-04-10 00:51:22 PDT
It's usually not a good idea to depend on relative position of variables on the stack when using optimization. This also explains why it doesn't happen without optimization, as the stack is left alone.
Mark Rowe (bdash)
Comment 11 2008-04-10 00:56:23 PDT
Yup, definitely a bad idea to depend on it as the compiler is free to structure stack frames as it sees fit. I'm working on a fix which should be a lot less fragile than the current situation, though it still won't be quite perfect in this regard.
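An added C example (my own code, not WebKit's and not the patch that landed) of the scanning scheme comments 7, 9 and 11 discuss: setjmp spills the callee-saved registers into a jmp_buf on the stack, and a conservative scan walks every word from a "top of stack" local up to the recorded stack base. It contrasts the fragile shape (marker and jmp_buf as locals of one frame, so their order is the compiler's choice) with a shape that starts the scan in a non-inlined callee, whose frame is below the caller's by construction. It assumes GCC/Clang and a downward-growing stack; the function names, the NOINLINE macro and the fake heap object are mine.

```c
#include <setjmp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not WebKit code: a toy of the conservative stack/register
 * scan that KJS::Collector::markCurrentThreadConservatively performs.
 * Assumes GCC/Clang and a downward-growing stack (x86-64 Linux here). */

#define NOINLINE __attribute__((noinline))

/* Count aligned words in [lo, hi) equal to `target`. A real collector would
 * instead test each word against the heap bounds and mark the object hit.
 * The scan deliberately reads stack memory between frames, so keep ASan out. */
static int __attribute__((no_sanitize_address))
scan_words(const void *lo, const void *hi, uintptr_t target)
{
    uintptr_t p = (uintptr_t)lo & ~(uintptr_t)(sizeof(uintptr_t) - 1);
    int hits = 0;
    for (; p + sizeof(uintptr_t) <= (uintptr_t)hi; p += sizeof(uintptr_t)) {
        uintptr_t word;
        memcpy(&word, (const void *)p, sizeof word);   /* no aliasing UB */
        if (word == target)
            hits++;
    }
    return hits;
}

/* Fragile shape (what this bug hit): one frame holds both the jmp_buf and the
 * "stack top" marker. Nothing orders `dummy` below `regs`, so an optimising
 * compiler may put the saved registers outside the scanned range. Returns 1
 * only if this compiler happened to lay regs out inside [&dummy, base). */
NOINLINE static int fragile_layout_covers_registers(void)
{
    void *dummy;
    jmp_buf regs;
    setjmp(regs);                           /* spill callee-saved registers */
    return (uintptr_t)&dummy <= (uintptr_t)&regs;
}

/* Robust shape: the jmp_buf stays in the caller's frame and the scan starts
 * from a local of a non-inlined callee. A callee's frame always lies below
 * its caller's, so `must_cover` (the jmp_buf) is in range by construction;
 * -1 reports the impossible case instead of silently skipping registers. */
NOINLINE static int scan_from_callee(const void *base, uintptr_t target,
                                     const void *must_cover)
{
    void *dummy;
    if ((uintptr_t)&dummy > (uintptr_t)must_cover)
        return -1;
    return scan_words(&dummy, base, target);
}

NOINLINE static int robust_scan(const void *base, uintptr_t target)
{
    jmp_buf regs;
    setjmp(regs);
    return scan_from_callee(base, target, &regs);
}

/* Constructed "heap object" whose only reference lives on the stack of the
 * frame that invokes the scanner, the way a GC root would. */
static uintptr_t g_fake_object[4];

NOINLINE static int demo_find_root(const void *base)
{
    volatile uintptr_t root = (uintptr_t)&g_fake_object[1];  /* in memory */
    int hits = robust_scan(base, root);
    root = 0;        /* touch after the call so the slot stays live (no tail call) */
    return hits;
}

/* Self-checks: scan_words on a constructed buffer, and a root search whose
 * `base` comes from the caller's frame so the whole demo frame is scanned. */
int selftest_scan_words(void)
{
    uintptr_t buf[8] = {0, 42, 7, 42, 0, 0, 42, 1};
    return scan_words(buf, buf + 8, 42);               /* 3 */
}

int selftest_find_root(void)
{
    int base_marker;
    return demo_find_root(&base_marker);               /* >= 1 */
}

int main(void)
{
    printf("fragile layout covers the jmp_buf: %s\n",
           fragile_layout_covers_registers() ? "yes" : "no (bug 18367 shape)");
    printf("robust scan found the root %d time(s)\n", selftest_find_root());
    return 0;
}
```

Build it with and without -O2: the first line may flip between compilers and optimisation levels, which is exactly the layout dependence comment 10 describes, while the robust scan reports at least one hit either way.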
Mark Rowe (bdash)
Comment 12 2008-04-10 01:52:01 PDT
Had two different thoughts on how to solve this: <http://rafb.net/p/77WoeV92.txt> and <http://rafb.net/p/x6jxG810.txt>. Neither is 100% guaranteed to be portable and correct, but I can't think of any other method that is. I need to think on this further before deciding which should be reviewed.
Mike Hommey
Comment 13 2008-04-10 13:06:26 PDT
*** Bug 18369 has been marked as a duplicate of this bug. ***
Mike Hommey
Comment 14 2008-04-10 13:06:53 PDT
*** Bug 18368 has been marked as a duplicate of this bug. ***
Mike Hommey
Comment 15 2008-04-10 13:07:13 PDT
*** Bug 18366 has been marked as a duplicate of this bug. ***
Mike Hommey
Comment 16 2008-04-10 13:19:47 PDT
(In reply to comment #12)
> Had two different thoughts on how to solve this:
> <http://rafb.net/p/77WoeV92.txt> and <http://rafb.net/p/x6jxG810.txt>. Neither
> is 100% guaranteed to be portable and correct, but I can't think of any other
> method that is. I need to think on this further before deciding which should
> be reviewed.

FWIW, all the crashes I reported on amd64 (bugs 18366 to 18369) that had different backtraces are solved with both these patches.
Mark Rowe (bdash)
Comment 17 2008-04-10 13:33:09 PDT
Thanks for verifying that Mike! I had suspected that would be the case.
Mark Rowe (bdash)
Comment 18 2008-04-10 15:38:18 PDT
Mark Rowe (bdash)
Comment 19 2008-04-10 15:40:55 PDT
Maciej Stachowiak
Comment 20 2008-04-10 15:42:16 PDT
Comment on attachment 20465 [details]: Patch
r=me
Mark Rowe (bdash)
Comment 21 2008-04-10 15:53:35 PDT
Landed in r31787.
Mike Hommey
Comment 22 2008-04-10 23:36:11 PDT
FWIW, I don't know yet if this is related, but I got a crash with gcc-4.3 with the following backtrace:

[Thread debugging using libthread_db enabled]
[New Thread 0x2ad6586adec0 (LWP 13452)]
0x00002ad64efedea5 in waitpid () from /lib/libpthread.so.0
#0 0x00002ad64efedea5 in waitpid () from /lib/libpthread.so.0
#1 0x00002ad64fdac5a6 in g_spawn_sync () from /usr/lib/libglib-2.0.so.0
#2 0x00002ad64fdac8b8 in g_spawn_command_line_sync () from /usr/lib/libglib-2.0.so.0
#3 0x00002ad6590274b3 in ?? () from /usr/lib/gtk-2.0/modules/libgnomebreakpad.so
#4 <signal handler called>
#5 0x00002ad64ebbe584 in KJS::JSGlobalObject::getOwnPropertySlot () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#6 0x00002ad64e88e0ad in WebCore::JSDOMWindow::customGetOwnPropertySlot () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#7 0x00002ad64e81c979 in WebCore::JSDOMWindow::getOwnPropertySlot () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#8 0x00002ad64ec081d2 in KJS::AssignResolveNode::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#9 0x00002ad64ec07cae in KJS::ExprStatementNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#10 0x00002ad64ebcaefd in KJS::BlockNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#11 0x00002ad64ec2544a in KJS::ProgramNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#12 0x00002ad64ec1f879 in KJS::Interpreter::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#13 0x00002ad64e8a3511 in WebCore::KJSProxy::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#14 0x00002ad64ea38608 in WebCore::FrameLoader::executeScript () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#15 0x00002ad64ea01995 in WebCore::HTMLTokenizer::scriptExecution () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#16 0x00002ad64ea04ce9 in WebCore::HTMLTokenizer::scriptHandler () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#17 0x00002ad64ea053e8 in WebCore::HTMLTokenizer::parseSpecial () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#18 0x00002ad64ea070f0 in WebCore::HTMLTokenizer::parseTag () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#19 0x00002ad64ea07987 in WebCore::HTMLTokenizer::write () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#20 0x00002ad64ea01e68 in WebCore::HTMLTokenizer::notifyFinished () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#21 0x00002ad64ea1a60c in WebCore::CachedScript::checkNotify () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#22 0x00002ad64ea1ab22 in WebCore::CachedScript::data () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#23 0x00002ad64ea463fc in WebCore::Loader::Host::didFinishLoading () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#24 0x00002ad64ea56653 in WebCore::SubresourceLoader::didFinishLoading () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#25 0x00002ad64eb79fb7 in WebCore::ResourceHandleManager::downloadTimerCallback () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#26 0x00002ad64eacb203 in WebCore::TimerBase::fireTimers () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#27 0x00002ad64eacb2be in WebCore::TimerBase::sharedTimerFired () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#28 0x00002ad64e7e2a12 in WebCore::timeout_cb () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1
#29 0x00002ad64fd790f2 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#30 0x00002ad64fd7c396 in ?? () from /usr/lib/libglib-2.0.so.0
#31 0x00002ad64fd7c657 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#32 0x00002ad64f689b63 in IA__gtk_main () at /build/buildd/gtk+2.0-2.12.9/gtk/gtkmain.c:1163
#33 0x0000000000401eeb in main ()

This happens both with r31789 and r31722 + the patch from r31787 (which means it's not a regression since r31722). I doubt this patch is responsible, though just to make sure, I will try a build without it.
Please tell me if I should file a new bug with this information right now, or if you think it is still the same issue showing up in a different form with gcc 4.3.
Mike Hommey
Comment 23 2008-04-10 23:42:12 PDT
btw, you don't even need to start the test to get this (new) crash
Mike Hommey
Comment 24 2008-04-10 23:46:48 PDT
Confirmed. This crashes with plain r31722.
Mark Rowe (bdash)
Comment 25 2008-04-11 12:53:59 PDT
Please file a new bug report on that Mike.
Mike Hommey
Comment 26 2008-04-11 12:58:45 PDT
Already did ;) Bug 18430
Jan Alonzo
Comment 27 2008-04-13 18:48:16 PDT
*** Bug 18108 has been marked as a duplicate of this bug. ***