Bug 24326
Summary: | WebKit Gtk built with gcc4.4 and -O2 crashes and has layout issues | |
---|---|---|---
Product: | WebKit | Reporter: | Martin Sourada <martin.sourada>
Component: | WebKitGTK | Assignee: | Nobody <webkit-unassigned>
Status: | RESOLVED DUPLICATE | |
Severity: | Normal | |
Priority: | P2 | |
Version: | 528+ (Nightly build) | |
Hardware: | PC | |
OS: | Linux | |
Martin Sourada
JS crashes and layout has issues when WebKit/GTK is built with gcc4.4 with -O2 option (recently made default on Fedora Rawhide).
Here's an example of the layout issues:
http://www.declera.com/~yaneti/webkit-gcc-rend.png
Here's a backtrace from JS crash from midori:
```
#0 WTF::dtoa (d=63232, ndigits=<value optimized out>, decpt=<value optimized out>, sign=<value optimized out>, rve=<value optimized out>) at JavaScriptCore/wtf/dtoa.cpp:2170
#1 0x00002aaaab3e76e3 in JSC::UString::from (d=0) at JavaScriptCore/runtime/UString.cpp:929
#2 0x00002aaaab43484c in jscyyparse (globalPtr=<value optimized out>) at JavaScriptCore/parser/Grammar.y:318
#3 0x00002aaaab43b1b7 in JSC::Parser::parse (this=0x2aaab65f4240, globalData=0x2aaab65ff400, errLine=0x7fffffff01dc, errMsg=0x7fffffff01d0) at JavaScriptCore/parser/Parser.cpp:58
#4 0x00002aaaab43b28f in JSC::Parser::reparseInPlace (this=0x4, globalData=0x40eee000, functionBodyNode=0x2aaab74acc60) at JavaScriptCore/parser/Parser.cpp:77
#5 0x00002aaaab43bbfb in JSC::FunctionBodyNode::generateBytecode (this=0x2aaab74acc60, scopeChainNode=0x2aaab49bc618) at JavaScriptCore/parser/Nodes.cpp:2617
#6 0x00002aaaab38f282 in JSC::FunctionBodyNode::bytecode () at JavaScriptCore/parser/Nodes.h:2194
#7 JSC::Interpreter::privateExecute (this=0x2aaab6601b00, flag=<value optimized out>, registerFile=<value optimized out>, callFrame=0x2aaab6657048, exception=<value optimized out>) at JavaScriptCore/interpreter/Interpreter.cpp:3290
#8 0x00002aaaab39180b in JSC::Interpreter::execute (this=0x2aaab6601b00, programNode=0x2aaac448e510, callFrame=0x2aaab6b9c808, scopeChain=<value optimized out>, thisObj=<value optimized out>, exception=<value optimized out>) at JavaScriptCore/interpreter/Interpreter.cpp:870
#9 0x00002aaaab43d401 in JSC::evaluate (exec=0x2aaab6b9c808, scopeChain=@0x2aaab6b9c7c0, source=@0x7fffffffd260, thisValue=<value optimized out>) at JavaScriptCore/runtime/Completion.cpp:67
#10 0x00002aaaaad8e14b in WebCore::ScriptController::evaluate (this=0x2aaaabbb6bd8, sourceCode=@0x7fffffffd260) at WebCore/bindings/js/ScriptController.cpp:114
#11 0x00002aaaaafe8f9b in WebCore::FrameLoader::executeScript (this=0x2aaaabbb6850, sourceCode=@0x7fffffffd260) at WebCore/loader/FrameLoader.cpp:781
#12 0x00002aaaaaf867da in WebCore::HTMLTokenizer::scriptExecution (this=0x2aaab6637800, sourceCode=@0x7fffffffd260, state=<value optimized out>) at WebCore/html/HTMLTokenizer.cpp:563
#13 0x00002aaaaaf86ebf in WebCore::HTMLTokenizer::notifyFinished (this=0x2aaab6637800) at WebCore/html/HTMLTokenizer.cpp:1986
#14 0x00002aaaaafbe4cc in WebCore::CachedScript::checkNotify (this=0x2aaab6c42200) at WebCore/loader/CachedScript.cpp:108
#15 0x00002aaaab00cb7d in WebCore::Loader::Host::didFinishLoading (this=0x2aaab6c2dc60, loader=0x2aaab48e1500) at WebCore/loader/loader.cpp:304
#16 0x00002aaaaaffbb7f in WebCore::SubresourceLoader::didFinishLoading (this=0x2aaab48e1500) at WebCore/loader/SubresourceLoader.cpp:183
#17 0x00002aaaab1af93e in finishedCallback (session=<value optimized out>, msg=0x1560450, data=<value optimized out>) at WebCore/platform/network/soup/ResourceHandleSoup.cpp:285
#18 0x0000003164a320a4 in final_finished (req=0x1560450, user_data=<value optimized out>) at soup-session-async.c:329
#19 0x000000314de0b8ee in IA__g_closure_invoke (closure=0x151bce0, return_value=0x0, n_param_values=1, param_values=0x1577800, invocation_hint=0x7fffffffd5e0) at gclosure.c:767
#20 0x000000314de22527 in signal_emit_unlocked_R (node=0x158bb40, detail=<value optimized out>, instance=<value optimized out>, emission_return=<value optimized out>, instance_and_params=<value optimized out>) at gsignal.c:3314
#21 0x000000314de232de in IA__g_signal_emit_valist (instance=0x1560450, signal_id=<value optimized out>, detail=0, var_args=0x7fffffffd7d0) at gsignal.c:2977
#22 0x000000314de23873 in IA__g_signal_emit (instance=0x4, signal_id=1089396736, detail=2147483648) at gsignal.c:3034
#23 0x0000003164a296b5 in soup_message_io_finished (msg=0x1560450) at soup-message-io.c:172
#24 0x000000314de0b8ee in IA__g_closure_invoke (closure=0x1511b70, return_value=0x0, n_param_values=1, param_values=0x1616400, invocation_hint=0x7fffffffda00) at gclosure.c:767
#25 0x000000314de21ef8 in signal_emit_unlocked_R (node=0x176d610, detail=<value optimized out>, instance=<value optimized out>, emission_return=<value optimized out>, instance_and_params=<value optimized out>) at gsignal.c:3244
#26 0x000000314de232de in IA__g_signal_emit_valist (instance=0x14ffb30, signal_id=<value optimized out>, detail=0, var_args=0x7fffffffdbf0) at gsignal.c:2977
#27 0x000000314de23873 in IA__g_signal_emit (instance=0x4, signal_id=1089396736, detail=2147483648) at gsignal.c:3034
#28 0x0000003164a33da2 in socket_read_watch (chan=<value optimized out>, cond=0, user_data=0x14ffb30) at soup-socket.c:1049
#29 0x000000314d23812e in g_main_dispatch (context=<value optimized out>) at gmain.c:1814
#30 IA__g_main_context_dispatch (context=0x6ad630) at gmain.c:2367
#31 0x000000314d23b888 in g_main_context_iterate (context=0x6ad630, block=<value optimized out>, dispatch=<value optimized out>, self=<value optimized out>) at gmain.c:2448
#32 0x000000314d23bd25 in IA__g_main_loop_run (loop=0x7faf40) at gmain.c:2656
#33 0x0000003154744a57 in IA__gtk_main () at gtkmain.c:1205
#34 0x000000000041c028 in main ()
```
Downstream bug at https://bugzilla.redhat.com/show_bug.cgi?id=488112 and related bug at https://bugzilla.redhat.com/show_bug.cgi?id=488163
I am able to reproduce these issues on r41071 (but it seems older/newer revisions are affected as well).
It looks like building without -O2 makes these issues disappear.
Martin Sourada
Note that one of the pages that brings an instant crash for me is http://jisho.org/
Mamoru Tasaka
As I wrote in RH bug https://bugzilla.redhat.com/show_bug.cgi?id=488112, this seems to be an aliasing issue.
Actually, compiling libJavaScriptCore.a with -fno-strict-aliasing seems to fix this issue. When compiled with -O2 (Fedora uses -O2 by default, and -O2 implies -fstrict-aliasing), log messages show some warnings related to the aliasing issue. Note that currently nspr has a similar issue:
https://bugzilla.redhat.com/show_bug.cgi?id=487844
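An added illustration of the strict-aliasing hazard discussed in this report (example code, not WebKit's dtoa.cpp and not from any commenter): a double's exponent word is reached through a uint32_t pointer, the kind of type punning David Gay style dtoa code uses, beside the memcpy form that stays well-defined under -O2 -fstrict-aliasing. Little-endian word order and the names WORD0_PUN, word0_safe, word1_safe, from_words and scale_exponent_* are assumptions of the example.

```c
#include <stdint.h>
#include <string.h>

/* Assumption (not WebKit's code): little-endian layout as on the
 * reporter's x86-64 box, so the high word of a double (sign, exponent,
 * top 20 mantissa bits) is uint32_t index 1 and the low word index 0. */

/* The hazardous form: reaching a double's words through a uint32_t*.
 * C's strict aliasing rule lets gcc -O2 (-fstrict-aliasing) assume a
 * store via uint32_t* cannot modify a double, so it may keep the old
 * value of d in a register and ignore the update. This is the kind of
 * construct -Wstrict-aliasing is meant to flag and -fno-strict-aliasing
 * papers over. Kept only for comparison; nothing here calls it. */
#define WORD0_PUN(x) (((uint32_t *)&(x))[1])

double scale_exponent_pun(double d, int delta)
{
    WORD0_PUN(d) += (uint32_t)delta << 20;  /* exponent field, bits 52..62 */
    return d;                                 /* undefined behaviour */
}

/* Well-defined form: copy the bytes into an object of the right type.
 * memcpy may access any object representation, and gcc compiles these
 * fixed-size copies down to plain register moves. */
uint32_t word0_safe(double d) { uint32_t w[2]; memcpy(w, &d, sizeof d); return w[1]; }
uint32_t word1_safe(double d) { uint32_t w[2]; memcpy(w, &d, sizeof d); return w[0]; }

double from_words(uint32_t hi, uint32_t lo)
{
    uint32_t w[2] = { lo, hi };
    double d;
    memcpy(&d, w, sizeof d);
    return d;
}

/* Same operation as scale_exponent_pun, but through the safe accessors:
 * adds delta to the biased exponent, i.e. multiplies by 2^delta for
 * normal, non-overflowing values. */
double scale_exponent_safe(double d, int delta)
{
    uint32_t hi = word0_safe(d) + ((uint32_t)delta << 20);
    return from_words(hi, word1_safe(d));
}
```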
Xan Lopez
Sorry, I opened a bug about this without realizing there was already one. I've attached a patch there, so I'll close this one as duplicate.
*** This bug has been marked as a duplicate of 25033 ***