Bug 24738

Summary:

Multiple crashes in JSDOMWindow::getOwnPropertySlot

Product:

WebKit

Reporter:

Xan Lopez <xan.lopez>

Component:

JavaScriptCore

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

mh+webkit

Priority:

Version:

528+ (Nightly build)

Hardware:

OS:

Linux

Attachments:

Description	Flags
patch to test	none
use work-around on non-mac x86	none

Xan Lopez

Reported 2009-03-21 01:03:19 PDT

I'm getting this crash in many sites (reader.google.com, meneame.com, reddit.com, ...) since updating to r41889 (I haven't bisected it, but it worked fine two days ago). Building debug image now... (gdb) bt #0 0xb7c273e2 in WebCore::JSDOMWindow::getOwnPropertySlot () from /home/xan/git/WebKit/build/normal/.libs/libwebkit-1.0.so #1 0xb7b07827 in JSC::JITStubs::cti_op_resolve_with_base () from /home/xan/git/WebKit/build/normal/.libs/libwebkit-1.0.so #2 0xb29917ab in ?? () #3 0xb7b38515 in JSC::Interpreter::execute () from /home/xan/git/WebKit/build/normal/.libs/libwebkit-1.0.so #4 0xb7be5f18 in JSC::evaluate () from /home/xan/git/WebKit/build/normal/.libs/libwebkit-1.0.so #5 0xb7584729 in WebCore::ScriptController::evaluate () from /home/xan/git/WebKit/build/normal/.libs/libwebkit-1.0.so #6 0xb779cb56 in WebCore::FrameLoader::executeScript () from /home/xan/git/WebKit/build/normal/.libs/libwebkit-1.0.so #7 0xb77406f2 in WebCore::HTMLTokenizer::scriptExecution () from /home/xan/git/WebKit/build/normal/.libs/libwebkit-1.0.so #8 0xb77413ca in WebCore::HTMLTokenizer::notifyFinished () from /home/xan/git/WebKit/build/normal/.libs/libwebkit-1.0.so #9 0xb7772d3c in WebCore::CachedScript::checkNotify () from /home/xan/git/WebKit/build/normal/.libs/libwebkit-1.0.so #10 0xb77c189c in WebCore::Loader::Host::didFinishLoading () from /home/xan/git/WebKit/build/normal/.libs/libwebkit-1.0.so #11 0xb77b1110 in WebCore::SubresourceLoader::didFinishLoading () from /home/xan/git/WebKit/build/normal/.libs/libwebkit-1.0.so #12 0xb77ac0c1 in WebCore::ResourceLoader::didFinishLoading () from /home/xan/git/WebKit/build/normal/.libs/libwebkit-1.0.so #13 0xb794714f in WebCore::finishedCallback () from /home/xan/git/WebKit/build/normal/.libs/libwebkit-1.0.so #14 0xb61e25eb in final_finished (req=0xb264a200, user_data=0x935e180) at soup-session-async.c:331 #15 0xb5c37704 in IA__g_cclosure_marshal_VOID__VOID (closure=0x93a6b40, return_value=0x0, n_param_values=1, param_values=0x8fa2cc0, invocation_hint=0xbfcd4ebc, marshal_data=0xb61e2540) at gmarshal.c:77 #16 0xb5c29fdb in IA__g_closure_invoke (closure=0x93a6b40, return_value=0x0, n_param_values=1, param_values=0x8fa2cc0, invocation_hint=0xbfcd4ebc) at gclosure.c:767 #17 0xb5c40722 in signal_emit_unlocked_R (node=0x93f5680, detail=0, instance=0x92da6b0, emission_return=0x0, instance_and_params=0x8fa2cc0) at gsignal.c:3317 #18 0xb5c41809 in IA__g_signal_emit_valist (instance=0x92da6b0, signal_id=377, detail=0, var_args=0xbfcd505c "\034\021 �)B\035�\034\021 �\210PͿ;\220\035��-\t�&-\t�\"E\t�\217\035�\214!Ƶ�\226\035��PͿ\004wõ`�-\t��-\t") at gsignal.c:2980

Attachments
patch to test (687 bytes, patch) 2009-03-21 10:50 PDT, Mike Hommey	no flags	Details Formatted Diff Diff
use work-around on non-mac x86 (1020 bytes, patch) 2009-03-21 11:14 PDT, Gustavo Noronha (kov)	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Xan Lopez

Comment 1 2009-03-21 01:37:51 PDT

Debug build: (gdb) bt full #0 0xb66c9ff4 in JSC::JSCell::structure (this=0x1) at ../../JavaScriptCore/runtime/JSCell.h:144 No locals. #1 0xb66ca663 in JSC::JSCell::fastGetOwnPropertySlot (this=0x1, exec=0xbfce703c, propertyName=@0x0, slot=@0xbfce6ebc) at ../../JavaScriptCore/runtime/JSObject.h:330 No locals. #2 0xb66ca724 in JSC::JSObject::getPropertySlot (this=0x1, exec=0xbfce703c, propertyName=@0x0, slot=@0xbfce6ebc) at ../../JavaScriptCore/runtime/JSObject.h:341 prototype = {m_ptr = 0xb66ca0d4} object = (class JSC::JSObject *) 0x1 #3 0xb6e43fc0 in JSC::JITStubs::cti_op_resolve_with_base (args=0x87db8d8) at ../../JavaScriptCore/jit/JITStubs.cpp:1653 slot = {m_getValue = 0, m_slotBase = {m_ptr = 0x1}, m_data = {getterFunc = 0xc8, valueSlot = 0xc8, registerSlot = 0xc8, index = 200}, m_value = {m_ptr = 0x0}, m_offset = 4294967295} vl_args = 0xbfce6f28 "" stackHack = {returnAddressLocation = 0xbfce6f20, savedReturnAddress = 0x0} callFrame = (CallFrame *) 0xbfce703c scopeChain = (class JSC::ScopeChainNode *) 0x8740a60 iter = {m_node = 0x8740a60} end = {m_node = 0x0} ident = (JSC::Identifier &) @0x0: <error reading variable> base = (class JSC::JSObject *) 0x1 codeBlock = (class JSC::CodeBlock *) 0x0 vPCIndex = 2978943744 __PRETTY_FUNCTION__ = "static JSC::VoidPtrPair JSC::JITStubs::cti_op_resolve_with_base(void*, ...)" #4 0xb1d1d7af in ?? () No symbol table info available. #5 0xb6ed2902 in JSC::JITCode::execute (this=0xbfce6fbc, registerFile=0x8740a68, callFrame=0xb191d048, globalData=0x873f508, exception=0xbfce703c) at ../../JavaScriptCore/jit/JITCode.h:86 No locals. #6 0xb6ebd61f in JSC::Interpreter::execute (this=0x8740a60, programNode=0x87b4bd8, callFrame=0x87b603c, scopeChain=0x87b7838, thisObj=0xb18f0000, exception=0xbfce703c) at ../../JavaScriptCore/interpreter/Interpreter.cpp:623 callRecord = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, <No data fields>} codeBlock = (class JSC::CodeBlock *) 0x87c1520 oldEnd = (JSC::Register *) 0xb191d000 newEnd = (JSC::Register *) 0xb191d120 globalObjectScope = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_dynamicGlobalObjectSlot = @0x873fa7c, m_savedDynamicGlobalObject = 0x0} lastGlobalObject = (class JSC::JSGlobalObject *) 0xb18f1380 globalObject = (class JSC::JSGlobalObject *) 0xb18f1380 newCallFrame = (CallFrame *) 0xb191d048 profiler = (JSC::Profiler **) 0xb7fccbac result = {m_ptr = 0x0} __PRETTY_FUNCTION__ = "JSC::JSValuePtr JSC::Interpreter::execute(JSC::ProgramNode*, JSC::CallFrame*, JSC::ScopeChainNode*, JSC::JSObject*, JSC::JSValuePtr*)" #7 0xb6edf26d in JSC::evaluate (exec=0x87b603c, scopeChain=@0x87b5ff8, source=@0xbfce7340, thisValue= {m_ptr = 0xb18f0000}) at ../../JavaScriptCore/runtime/Completion.cpp:67 lock = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_lockingForReal = false} errLine = -1 errMsg = {m_rep = {m_ptr = 0x8712d40}, static nullUString = 0x8712db0} programNode = {m_ptr = 0x87b4bd8} thisObj = (class JSC::JSObject *) 0xb18f0000 exception = {m_ptr = 0x0} result = {m_ptr = 0xbfce7048} #8 0xb67186d5 in WebCore::ScriptController::evaluate (this=0x85c57d4, sourceCode=@0xbfce7340) at ../../WebCore/bindings/js/ScriptController.cpp:112 jsSourceCode = (const JSC::SourceCode &) @0xbfce7340: {m_provider = {m_ptr = 0x87da438}, m_startChar = 0, m_endChar = 31033, m_firstLine = 1} exec = (class JSC::ExecState *) 0x87b603c savedSourceURL = (const WebCore::String *) 0x0 sourceURL = {m_impl = {m_ptr = 0x87c5a40}} lock = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_lockingForReal = false} comp = {m_type = 141634016, m_value = {m_ptr = 0xbfce70c8}} #9 0xb69ede6f in WebCore::FrameLoader::executeScript (this=0x85c54ec, sourceCode=@0xbfce7340) at ../../WebCore/loader/FrameLoader.cpp:792 wasRunningScript = false result = {_vptr.ScriptValue = 0xbfce7290, m_value = {m_value = {m_ptr = 0xb7faa51c}}} #10 0xb6972a7e in WebCore::HTMLTokenizer::scriptExecution (this=0x87bf078, sourceCode=@0xbfce7340, state={static EntityShift = 4, m_bits = 4194304}) at ../../WebCore/html/HTMLTokenizer.cpp:554 savedPrependingSrc = (WebCore::SegmentedString *) 0x0 prependingSrc = {m_pushedChar1 = 0, m_pushedChar2 = 0, m_currentString = {m_length = 0, m_current = 0x0, m_string = {m_impl = {m_ptr = 0x0}}, m_doNotExcludeLineNumbers = true}, m_currentChar = 0x0, m_substrings = {m_start = 0, m_end = 0, m_buffer = {<WTF::VectorBufferBase<WebCore::SegmentedSubstring>> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_buffer = 0x0, m_capacity = 0}, <No data fields>}, m_iterators = 0x0}, m_composite = false} #11 0xb6972ed3 in WebCore::HTMLTokenizer::notifyFinished (this=0x87bf078) at ../../WebCore/html/HTMLTokenizer.cpp:1974 cs = (class WebCore::CachedScript *) 0x87c0ea0 sourceCode = {m_code = {m_provider = {m_ptr = 0x87da438}, m_startChar = 0, m_endChar = 31033, m_firstLine = 1}} errorOccurred = false n = {m_ptr = 0x87c0c28} finished = false __PRETTY_FUNCTION__ = "virtual void WebCore::HTMLTokenizer::notifyFinished(WebCore::CachedResource*)" #12 0xb69c12dc in WebCore::CachedScript::checkNotify (this=0x87c0ea0) at ../../WebCore/loader/CachedScript.cpp:106 c = (class WebCore::CachedResourceClient *) 0x87bf080 w = {m_clientSet = @0x87c0ea4, m_clientVector = {m_size = 1, m_buffer = {<WTF::VectorBufferBase<WebCore::CachedResourceClient*>> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_buffer = 0x87da340, m_capacity = 1}, <No data fields>}}, m_index = 1} #13 0xb69c13c2 in WebCore::CachedScript::data (this=0x87c0ea0, data={m_ptr = 0xbfce7438}, allDataReceived=true) at ../../WebCore/loader/CachedScript.cpp:96 No locals. ...

Xan Lopez

Comment 2 2009-03-21 02:16:43 PDT

Reverting r41886 fixes the problem. CCing the autor.

Xan Lopez

Comment 3 2009-03-21 07:31:26 PDT

Btw, this patch made more than a thousand tests crash. It's a good idea to keep an eye on the bot after landing anything, but especially something touching core stuff like this: http://build.webkit.org/waterfall.

Mike Hommey

Comment 4 2009-03-21 10:32:22 PDT

Is that x86 linux crashing ?

Xan Lopez

Comment 5 2009-03-21 10:35:48 PDT

(In reply to comment #4) > Is that x86 linux crashing ? > Yes.

Mike Hommey

Comment 6 2009-03-21 10:50:00 PDT

Created attachment 28823 [details] patch to test This doesn't make much sense but the attached patch should work. I think it shouldn't break mac, but it would be best to check thouroughly.

Xan Lopez

Comment 7 2009-03-21 11:11:27 PDT

(In reply to comment #6) > Created an attachment (id=28823) [review] > patch to test > > This doesn't make much sense but the attached patch should work. I think it > shouldn't break mac, but it would be best to check thouroughly. > Seems to me you are changing how this works. I assume !MSVC would run for Mac-x86 too, for example.

Gustavo Noronha (kov)

Comment 8 2009-03-21 11:14:39 PDT

Created attachment 28824 [details] use work-around on non-mac x86 I tested this fix in linux x86; would be good if someone could test that it works correctly on other arches that support jit. This seems to me like a better fix than the one Mike posted because it doesn't change the behavior for mac, while still fixing our problem.

Mike Hommey

Comment 9 2009-03-22 00:03:58 PDT

(In reply to comment #8) > Created an attachment (id=28824) [review] > use work-around on non-mac x86 > > I tested this fix in linux x86; would be good if someone could test that it > works correctly on other arches that support jit. This seems to me like a > better fix than the one Mike posted because it doesn't change the behavior for > mac, while still fixing our problem. Yes, but the thing is, reading the code carefully, I see no reason for the second version not to work on any 32 bits platform. The test should actually be something like #if PLATFORM(64BITS) but I am not aware of such thing. It would be better to actually check if it works everywhere, though.

Mike Hommey

Comment 10 2009-03-24 15:05:17 PDT

I guess this one can be marked fixed, as the change has been reverted. The discussion will go on on the original bug.

Xan Lopez

Comment 11 2009-04-20 07:37:34 PDT

Comment on attachment 28824 [details] use work-around on non-mac x86 Clearing review flag.

Note You need to log in before you can comment on or make changes to this bug.