Bug 21234

Summary: JavaScript crash for all pages in op_get_by_id_chain opcode
Product: WebKit
Component: JavaScriptCore
Status: RESOLVED FIXED
Severity: Critical
Priority: P2
Version: 528+ (Nightly build)
Hardware: PC
OS: Windows XP
Reporter: Michael Goffioul <michael.goffioul>
Assignee: Nobody <webkit-unassigned>
CC: oliver
Attachments:
Description: Remove NEXT_OPCODE calls within embedded while-loops (Flags: none)

Description Michael Goffioul 2008-09-30 01:31:23 PDT
I have compiled WebKit/GTK (SVN from yesterday) on Windows XP with VC++ 2005. WebKit is configured to use Pango rendering and cURL networking. I am using the GtkLauncher test program and pre-defined http_proxy variable (as I am behind a proxy server).

I try to load the page http://www.lesoir.be (but the problem occurs for any page containing JavaScript) and always get a crash with the backtrace below. When the crash occurs, baseObject (in Machine::privateExecute) is always 0x00000002 (as far as I can tell, this seems to indicate the immediate jsNull value).

0 libwebkit-1.0-1.dll!JSC::JSCell::structureID()  Line 133 + 0x3 bytes
1 libwebkit-1.0-1.dll!JSC::Machine::privateExecute(JSC::Machine::ExecutionFlag flag=Normal, JSC::ExecState * exec=0x0012d9f4, JSC::RegisterFile * registerFile=0x7feb649c, JSC::Register * r=0x7fc6842c, JSC::ScopeChainNode * scopeChain=0x7f659050, JSC::JSValue * * exception=0x0012e598)  Line 2564 + 0xb bytes
2 libwebkit-1.0-1.dll!JSC::Machine::execute(JSC::FunctionBodyNode * functionBodyNode=0x7f507a00, JSC::ExecState * exec=0x0012e590, JSC::JSFunction * function=0x01b8afc0, JSC::JSObject * thisObj=0x01af2a00, const JSC::ArgList & args={...}, JSC::ScopeChainNode * scopeChain=0x7ff442f0, JSC::JSValue * * exception=0x0012e598)  Line 986 + 0x21 bytes
3 libwebkit-1.0-1.dll!JSC::JSFunction::call(JSC::ExecState * exec=0x0012e590, JSC::JSValue * thisValue=0x01af2a00, const JSC::ArgList & args={...})  Line 71
4 libwebkit-1.0-1.dll!JSC::call(JSC::ExecState * exec=0x0012e590, JSC::JSValue * functionObject=0x01b8afc0, JSC::CallType callType=CallTypeJS, const JSC::CallData & callData={...}, JSC::JSValue * thisValue=0x01af2a00, const JSC::ArgList & args={...})  Line 40
5 libwebkit-1.0-1.dll!JSC::functionProtoFuncApply(JSC::ExecState * exec=0x0012e590, JSC::JSObject * __formal=0x01af18a0, JSC::JSValue * thisValue=0x01b8afc0, const JSC::ArgList & args={...})  Line 114 + 0x1d bytes
6 libwebkit-1.0-1.dll!JSC::Machine::privateExecute(JSC::Machine::ExecutionFlag flag=Normal, JSC::ExecState * exec=0x0012e590, JSC::RegisterFile * registerFile=0x7feb649c, JSC::Register * r=0x7fc681a8, JSC::ScopeChainNode * scopeChain=0x7f6dcef0, JSC::JSValue * * exception=0x0012f134)  Line 3327 + 0x1f bytes
7 libwebkit-1.0-1.dll!JSC::Machine::execute(JSC::FunctionBodyNode * functionBodyNode=0x7f635280, JSC::ExecState * exec=0x0012f12c, JSC::JSFunction * function=0x01b8af40, JSC::JSObject * thisObj=0x01af2a00, const JSC::ArgList & args={...}, JSC::ScopeChainNode * scopeChain=0x7f6dcef0, JSC::JSValue * * exception=0x0012f134)  Line 986 + 0x21 bytes
8 libwebkit-1.0-1.dll!JSC::JSFunction::call(JSC::ExecState * exec=0x0012f12c, JSC::JSValue * thisValue=0x01af2a00, const JSC::ArgList & args={...})  Line 71
9 libwebkit-1.0-1.dll!JSC::call(JSC::ExecState * exec=0x0012f12c, JSC::JSValue * functionObject=0x01b8af40, JSC::CallType callType=CallTypeJS, const JSC::CallData & callData={...}, JSC::JSValue * thisValue=0x01af2a00, const JSC::ArgList & args={...})  Line 40
10 libwebkit-1.0-1.dll!JSC::functionProtoFuncApply(JSC::ExecState * exec=0x0012f12c, JSC::JSObject * __formal=0x01af18a0, JSC::JSValue * thisValue=0x01b8af40, const JSC::ArgList & args={...})  Line 114 + 0x1d bytes
11 libwebkit-1.0-1.dll!JSC::Machine::privateExecute(JSC::Machine::ExecutionFlag flag=Normal, JSC::ExecState * exec=0x0012f12c, JSC::RegisterFile * registerFile=0x7feb649c, JSC::Register * r=0x7fc6814c, JSC::ScopeChainNode * scopeChain=0x7f613f00, JSC::JSValue * * exception=0x0012fcbc)  Line 3327 + 0x1f bytes
12 libwebkit-1.0-1.dll!JSC::Machine::execute(JSC::FunctionBodyNode * functionBodyNode=0x7f635000, JSC::ExecState * exec=0x0012fcb4, JSC::JSFunction * function=0x01b89300, JSC::JSObject * thisObj=0x01b8af40, const JSC::ArgList & args={...}, JSC::ScopeChainNode * scopeChain=0x7f613f00, JSC::JSValue * * exception=0x0012fcbc)  Line 986 + 0x21 bytes
13 libwebkit-1.0-1.dll!JSC::JSFunction::call(JSC::ExecState * exec=0x0012fcb4, JSC::JSValue * thisValue=0x01b8af40, const JSC::ArgList & args={...})  Line 71
14 libwebkit-1.0-1.dll!JSC::call(JSC::ExecState * exec=0x0012fcb4, JSC::JSValue * functionObject=0x01b89300, JSC::CallType callType=CallTypeJS, const JSC::CallData & callData={...}, JSC::JSValue * thisValue=0x01b8af40, const JSC::ArgList & args={...})  Line 40
15 libwebkit-1.0-1.dll!JSC::functionProtoFuncCall(JSC::ExecState * exec=0x0012fcb4, JSC::JSObject * __formal=0x01af18e0, JSC::JSValue * thisValue=0x01b89300, const JSC::ArgList & args={...})  Line 134 + 0x1d bytes
16 libwebkit-1.0-1.dll!JSC::Machine::privateExecute(JSC::Machine::ExecutionFlag flag=Normal, JSC::ExecState * exec=0x0012fcb4, JSC::RegisterFile * registerFile=0x7feb649c, JSC::Register * r=0x7fc680b8, JSC::ScopeChainNode * scopeChain=0x7f659050, JSC::JSValue * * exception=0x7ff460a8)  Line 3327 + 0x1f bytes
17 libwebkit-1.0-1.dll!JSC::Machine::execute(JSC::FunctionBodyNode * functionBodyNode=0x7f638780, JSC::ExecState * exec=0x7ff460a0, JSC::JSFunction * function=0x01b8b400, JSC::JSObject * thisObj=0x01af0000, const JSC::ArgList & args={...}, JSC::ScopeChainNode * scopeChain=0x7f613e80, JSC::JSValue * * exception=0x7ff460a8)  Line 986 + 0x21 bytes
18 libwebkit-1.0-1.dll!JSC::JSFunction::call(JSC::ExecState * exec=0x7ff460a0, JSC::JSValue * thisValue=0x01af0000, const JSC::ArgList & args={...})  Line 71
19 libwebkit-1.0-1.dll!JSC::call(JSC::ExecState * exec=0x7ff460a0, JSC::JSValue * functionObject=0x01b8b400, JSC::CallType callType=CallTypeJS, const JSC::CallData & callData={...}, JSC::JSValue * thisValue=0x01af0000, const JSC::ArgList & args={...})  Line 40
20 libwebkit-1.0-1.dll!WebCore::ScheduledAction::execute(WebCore::JSDOMWindowShell * windowShell=0x01af0000)  Line 74 + 0x21 bytes
21 libwebkit-1.0-1.dll!WebCore::JSDOMWindowBase::timerFired(WebCore::DOMWindowTimer * timer=0x00000001)  Line 1648
22 libwebkit-1.0-1.dll!WebCore::DOMWindowTimer::fired()  Line 1699
23 libwebkit-1.0-1.dll!WebCore::TimerBase::fireTimers(double fireTime=1222762294.6899381, const WTF::Vector<WebCore::TimerBase *,0> & firingTimers={...})  Line 350
24 libwebkit-1.0-1.dll!WebCore::TimerBase::sharedTimerFired()  Line 368 + 0x17 bytes
25 libwebkit-1.0-1.dll!WebCore::timeout_cb(void * __formal=0x00000000)  Line 49
Comment 1 Michael Goffioul 2008-10-02 01:37:03 PDT
Created attachment 24011 [details]
Remove NEXT_OPCODE calls within embedded while-loops

I think I found the problem: NEXT_OPCODE translates to a simple "continue" statement under MSVC (there's no computed goto). As a result, you can't use NEXT_OPCODE within an embedded while-loop, as it will wrongly jump to the nearest while-loop. I found 2 occurrences of this problem. Patch attached. The patch is not very elegant, but it works.
Comment 2 Oliver Hunt 2010-03-04 02:04:38 PST
This has been fixed in tot, a goto is now used:
#define NEXT_INSTRUCTION() SAMPLE(callFrame->codeBlock(), vPC); goto interpreterLoopStart
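The dispatch problem described in Comment 1 and the goto-based fix quoted in Comment 2, reduced to a constructed toy interpreter (added example; this is not JavaScriptCore code, and the opcodes, chain layout and function names are invented for illustration):

```c
#include <stdbool.h>

/* Constructed example, not JavaScriptCore code. Under MSVC, NEXT_OPCODE expanded to
   a plain "continue", which binds to the innermost enclosing loop. Inside the
   while-loop that walks a prototype chain, that is the chain walk, not the
   interpreter loop, so dispatch never happens and the slow path runs anyway. */
#define NEXT_OPCODE_CONTINUE() continue                  /* MSVC build at the time */
#define NEXT_OPCODE_GOTO()     goto interpreterLoopStart /* the fix: explicit goto */

enum { OP_GET_CHAIN, OP_ADD_ONE, OP_HALT };

/* Toy interpreter: OP_GET_CHAIN <want> scans the chain for <want> and loads its
 * index into acc (slow path loads -1 and still advances pc); OP_ADD_ONE bumps acc. */
static int run(const int *program, const int *chain, int chainLen, bool useGoto)
{
    int pc = 0, acc = 0;
    for (;;) {
    interpreterLoopStart:
        switch (program[pc]) {
        case OP_GET_CHAIN: {
            int want = program[pc + 1], i = 0;
            while (i < chainLen) {
                int cur = i++;
                if (chain[cur] == want) {
                    acc = cur;
                    pc += 2;
                    if (useGoto)
                        NEXT_OPCODE_GOTO();     /* leaves both loops, dispatches pc */
                    NEXT_OPCODE_CONTINUE();     /* only re-enters the while-loop */
                }
            }
            acc = -1;   /* slow path: should be unreachable after a hit */
            pc += 2;
            break;
        }
        case OP_ADD_ONE: acc += 1; pc += 1; break;
        case OP_HALT:    return acc;
        }
    }
}

/* Constructed program and chain; padded with OP_HALT so the buggy double pc advance stays in bounds. */
static const int kProgram[] = { OP_GET_CHAIN, 7, OP_ADD_ONE, OP_HALT, OP_HALT };
static const int kChain[]   = { 3, 7 };

int resultWithContinue(void) { return run(kProgram, kChain, 2, false); } /* -1: slow path clobbered the hit */
int resultWithGoto(void)     { return run(kProgram, kChain, 2, true);  } /*  2: hit at index 1, then +1 */
```

With the "continue" macro the chain hit is recorded but the walk keeps going, the slow path overwrites it and pc is advanced twice; with the goto the interpreter dispatches the next opcode immediately.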