Bug 21234

Summary: JavaScript crash for all pages in op_get_by_id_chain opcode
Product: WebKit
Reporter: Michael Goffioul <michael.goffioul>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Critical
CC: oliver
Priority: P2
Version: 528+ (Nightly build)
Hardware: PC
OS: Windows XP
Attachments: Remove NEXT_OPCODE calls within embedded while-loops (flags: none)

Michael Goffioul
Reported 2008-09-30 01:31:23 PDT
I have compiled WebKit/GTK (SVN from yesterday) on Windows XP with VC++ 2005. WebKit is configured to use Pango rendering and cURL networking. I am using the GtkLauncher test program and a pre-defined http_proxy variable (as I am behind a proxy server). I try to load the page http://www.lesoir.be (but the problem occurs for any page containing javascript) and always get a crash with the backtrace below. When the crash occurs, baseObject (in Machine::privateExecute) is always 0x00000002 (as far as I can tell, this seems to indicate the immediate jsNull value).

0 libwebkit-1.0-1.dll!JSC::JSCell::structureID() Line 133 + 0x3 bytes
1 libwebkit-1.0-1.dll!JSC::Machine::privateExecute(JSC::Machine::ExecutionFlag flag=Normal, JSC::ExecState * exec=0x0012d9f4, JSC::RegisterFile * registerFile=0x7feb649c, JSC::Register * r=0x7fc6842c, JSC::ScopeChainNode * scopeChain=0x7f659050, JSC::JSValue * * exception=0x0012e598) Line 2564 + 0xb bytes
2 libwebkit-1.0-1.dll!JSC::Machine::execute(JSC::FunctionBodyNode * functionBodyNode=0x7f507a00, JSC::ExecState * exec=0x0012e590, JSC::JSFunction * function=0x01b8afc0, JSC::JSObject * thisObj=0x01af2a00, const JSC::ArgList & args={...}, JSC::ScopeChainNode * scopeChain=0x7ff442f0, JSC::JSValue * * exception=0x0012e598) Line 986 + 0x21 bytes
3 libwebkit-1.0-1.dll!JSC::JSFunction::call(JSC::ExecState * exec=0x0012e590, JSC::JSValue * thisValue=0x01af2a00, const JSC::ArgList & args={...}) Line 71
4 libwebkit-1.0-1.dll!JSC::call(JSC::ExecState * exec=0x0012e590, JSC::JSValue * functionObject=0x01b8afc0, JSC::CallType callType=CallTypeJS, const JSC::CallData & callData={...}, JSC::JSValue * thisValue=0x01af2a00, const JSC::ArgList & args={...}) Line 40
5 libwebkit-1.0-1.dll!JSC::functionProtoFuncApply(JSC::ExecState * exec=0x0012e590, JSC::JSObject * __formal=0x01af18a0, JSC::JSValue * thisValue=0x01b8afc0, const JSC::ArgList & args={...}) Line 114 + 0x1d bytes
6 libwebkit-1.0-1.dll!JSC::Machine::privateExecute(JSC::Machine::ExecutionFlag flag=Normal, JSC::ExecState * exec=0x0012e590, JSC::RegisterFile * registerFile=0x7feb649c, JSC::Register * r=0x7fc681a8, JSC::ScopeChainNode * scopeChain=0x7f6dcef0, JSC::JSValue * * exception=0x0012f134) Line 3327 + 0x1f bytes
7 libwebkit-1.0-1.dll!JSC::Machine::execute(JSC::FunctionBodyNode * functionBodyNode=0x7f635280, JSC::ExecState * exec=0x0012f12c, JSC::JSFunction * function=0x01b8af40, JSC::JSObject * thisObj=0x01af2a00, const JSC::ArgList & args={...}, JSC::ScopeChainNode * scopeChain=0x7f6dcef0, JSC::JSValue * * exception=0x0012f134) Line 986 + 0x21 bytes
8 libwebkit-1.0-1.dll!JSC::JSFunction::call(JSC::ExecState * exec=0x0012f12c, JSC::JSValue * thisValue=0x01af2a00, const JSC::ArgList & args={...}) Line 71
9 libwebkit-1.0-1.dll!JSC::call(JSC::ExecState * exec=0x0012f12c, JSC::JSValue * functionObject=0x01b8af40, JSC::CallType callType=CallTypeJS, const JSC::CallData & callData={...}, JSC::JSValue * thisValue=0x01af2a00, const JSC::ArgList & args={...}) Line 40
10 libwebkit-1.0-1.dll!JSC::functionProtoFuncApply(JSC::ExecState * exec=0x0012f12c, JSC::JSObject * __formal=0x01af18a0, JSC::JSValue * thisValue=0x01b8af40, const JSC::ArgList & args={...}) Line 114 + 0x1d bytes
11 libwebkit-1.0-1.dll!JSC::Machine::privateExecute(JSC::Machine::ExecutionFlag flag=Normal, JSC::ExecState * exec=0x0012f12c, JSC::RegisterFile * registerFile=0x7feb649c, JSC::Register * r=0x7fc6814c, JSC::ScopeChainNode * scopeChain=0x7f613f00, JSC::JSValue * * exception=0x0012fcbc) Line 3327 + 0x1f bytes
12 libwebkit-1.0-1.dll!JSC::Machine::execute(JSC::FunctionBodyNode * functionBodyNode=0x7f635000, JSC::ExecState * exec=0x0012fcb4, JSC::JSFunction * function=0x01b89300, JSC::JSObject * thisObj=0x01b8af40, const JSC::ArgList & args={...}, JSC::ScopeChainNode * scopeChain=0x7f613f00, JSC::JSValue * * exception=0x0012fcbc) Line 986 + 0x21 bytes
13 libwebkit-1.0-1.dll!JSC::JSFunction::call(JSC::ExecState * exec=0x0012fcb4, JSC::JSValue * thisValue=0x01b8af40, const JSC::ArgList & args={...}) Line 71
14 libwebkit-1.0-1.dll!JSC::call(JSC::ExecState * exec=0x0012fcb4, JSC::JSValue * functionObject=0x01b89300, JSC::CallType callType=CallTypeJS, const JSC::CallData & callData={...}, JSC::JSValue * thisValue=0x01b8af40, const JSC::ArgList & args={...}) Line 40
15 libwebkit-1.0-1.dll!JSC::functionProtoFuncCall(JSC::ExecState * exec=0x0012fcb4, JSC::JSObject * __formal=0x01af18e0, JSC::JSValue * thisValue=0x01b89300, const JSC::ArgList & args={...}) Line 134 + 0x1d bytes
16 libwebkit-1.0-1.dll!JSC::Machine::privateExecute(JSC::Machine::ExecutionFlag flag=Normal, JSC::ExecState * exec=0x0012fcb4, JSC::RegisterFile * registerFile=0x7feb649c, JSC::Register * r=0x7fc680b8, JSC::ScopeChainNode * scopeChain=0x7f659050, JSC::JSValue * * exception=0x7ff460a8) Line 3327 + 0x1f bytes
17 libwebkit-1.0-1.dll!JSC::Machine::execute(JSC::FunctionBodyNode * functionBodyNode=0x7f638780, JSC::ExecState * exec=0x7ff460a0, JSC::JSFunction * function=0x01b8b400, JSC::JSObject * thisObj=0x01af0000, const JSC::ArgList & args={...}, JSC::ScopeChainNode * scopeChain=0x7f613e80, JSC::JSValue * * exception=0x7ff460a8) Line 986 + 0x21 bytes
18 libwebkit-1.0-1.dll!JSC::JSFunction::call(JSC::ExecState * exec=0x7ff460a0, JSC::JSValue * thisValue=0x01af0000, const JSC::ArgList & args={...}) Line 71
19 libwebkit-1.0-1.dll!JSC::call(JSC::ExecState * exec=0x7ff460a0, JSC::JSValue * functionObject=0x01b8b400, JSC::CallType callType=CallTypeJS, const JSC::CallData & callData={...}, JSC::JSValue * thisValue=0x01af0000, const JSC::ArgList & args={...}) Line 40
20 libwebkit-1.0-1.dll!WebCore::ScheduledAction::execute(WebCore::JSDOMWindowShell * windowShell=0x01af0000) Line 74 + 0x21 bytes
21 libwebkit-1.0-1.dll!WebCore::JSDOMWindowBase::timerFired(WebCore::DOMWindowTimer * timer=0x00000001) Line 1648
22 libwebkit-1.0-1.dll!WebCore::DOMWindowTimer::fired() Line 1699
23 libwebkit-1.0-1.dll!WebCore::TimerBase::fireTimers(double fireTime=1222762294.6899381, const WTF::Vector<WebCore::TimerBase *,0> & firingTimers={...}) Line 350
24 libwebkit-1.0-1.dll!WebCore::TimerBase::sharedTimerFired() Line 368 + 0x17 bytes
25 libwebkit-1.0-1.dll!WebCore::timeout_cb(void * __formal=0x00000000) Line 49
Attachments
Remove NEXT_OPCODE calls within embedded while-loops (1.25 KB, patch)
2008-10-02 01:37 PDT, Michael Goffioul
no flags
Michael Goffioul
Comment 1 2008-10-02 01:37:03 PDT
Created attachment 24011 [details]
Remove NEXT_OPCODE calls within embedded while-loops

I think I found the problem: NEXT_OPCODE translates to a simple "continue" statement under MSVC (there's no computed goto). As a result, you can't use NEXT_OPCODE within an embedded while-loop, as it will wrongly jump to the nearest while-loop. I found 2 occurrences of this problem. Patch attached. The patch is not very elegant, but it works.
Oliver Hunt
Comment 2 2010-03-04 02:04:38 PST
This has been fixed in tot; a goto is now used:

#define NEXT_INSTRUCTION() SAMPLE(callFrame->codeBlock(), vPC); goto interpreterLoopStart
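The dispatch hazard Comment 1 describes and the goto form Comment 2 shows, as an added C example that is not code from this bug or from JavaScriptCore: a toy switch-dispatch interpreter whose prototype-chain handler invokes the dispatch macro from inside a nested while-loop, once with the macro as a bare continue and once as a goto. The macro names, opcodes, struct obj, STEP_LIMIT and demo() are assumptions of this example.

```c
#include <stddef.h>
/* Constructed toy interpreter (example code, not JavaScriptCore's). */
enum { OP_GET_CHAIN, OP_HALT };
struct obj { int has_prop; int prop; struct obj *proto; }; /* hypothetical prototype link */
#define NEXT_OPCODE_MSVC continue                  /* Comment 1: MSVC build, no computed goto */
#define NEXT_OPCODE_GOTO goto interpreterLoopStart /* Comment 2: the tot fix */
#define STEP_LIMIT 64                              /* lets the buggy variant terminate */
/* Buggy: inside the chain-walk loop 'continue' restarts THAT loop, not the dispatch loop, so it never halts. */
int run_msvc(const int *prog, struct obj *base)
{
    int ip = 0, result = -2, steps = 0;
    for (;;) {
        switch (prog[ip]) {
        case OP_GET_CHAIN: {
            struct obj *o = base;
            while (o) {
                if (++steps > STEP_LIMIT) return -1;   /* stuck: bug reproduced */
                if (o->has_prop) { result = o->prop; ++ip; NEXT_OPCODE_MSVC; }
                o = o->proto;
            }
            return -2;                                 /* property not on chain */
        }
        case OP_HALT: return result; default: return -3;
        }
    }
}
/* Fixed: the goto always lands at the top of the dispatch loop. */
int run_goto(const int *prog, struct obj *base)
{
    int ip = 0, result = -2;
interpreterLoopStart:
    switch (prog[ip]) {
    case OP_GET_CHAIN: {
        struct obj *o = base;
        while (o) {
            if (o->has_prop) { result = o->prop; ++ip; NEXT_OPCODE_GOTO; }
            o = o->proto;
        }
        return -2;
    }
    case OP_HALT: return result; default: return -3;
    }
}
/* Constructed sample: the property lives one link up the prototype chain. */
int demo(int use_goto)
{
    static const int prog[] = { OP_GET_CHAIN, OP_HALT };
    struct obj proto = { 1, 42, NULL }, base = { 0, 0, &proto };
    return (use_goto ? run_goto : run_msvc)(prog, &base);   /* goto: 42, MSVC-style: -1 */
}
```

The same handler body behaves correctly only when the macro reaches the dispatch label; with plain continue the inner loop re-runs on the same object and the instruction pointer keeps advancing without ever being dispatched.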