Bug 25819
| Field | Value |
|---|---|
| Summary | Assertion failure in JIT::compileGetByIdSlowCase on x86_64 Linux |
| Product | WebKit |
| Component | JavaScriptCore |
| Status | RESOLVED FIXED |
| Severity | Normal |
| Priority | P2 |
| Version | 528+ (Nightly build) |
| Hardware | PC |
| OS | Linux |
| Reporter | Alejandro G. Castro <alex> |
| Assignee | Nobody <webkit-unassigned> |
| CC | barraclough, danw, oliver |
Alejandro G. Castro
I have svn version 43755, compiled for 64 bits on Linux. Just starting epiphany and loading the google webpage, I get this segfault:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f6d7bf5e7a0 (LWP 17467)]
0x00007f6d79ff8e1b in JSC::JIT::compileGetByIdSlowCase (this=0x7fff83f91430, resultVReg=4, baseVReg=-14, ident=0x1ddef80, iter=@0x7fff83f911e8, propertyAccessInstructionIndex=0)
at JavaScriptCore/jit/JITPropertyAccess.cpp:252
252 ASSERT(differenceBetween(coldPathBegin, call) == patchOffsetGetByIdSlowCaseCall);
Current language: auto; currently c++
(gdb) bt
#0 0x00007f6d79ff8e1b in JSC::JIT::compileGetByIdSlowCase (this=0x7fff83f91430, resultVReg=4, baseVReg=-14, ident=0x1ddef80, iter=@0x7fff83f911e8,
propertyAccessInstructionIndex=0) at JavaScriptCore/jit/JITPropertyAccess.cpp:252
#1 0x00007f6d79faf5b4 in JSC::JIT::emitSlow_op_get_by_id (this=0x7fff83f91430, currentInstruction=0x1ddf4a8, iter=@0x7fff83f911e8) at JavaScriptCore/jit/JITOpcodes.cpp:1006
#2 0x00007f6d79f06706 in JSC::JIT::privateCompileSlowCases (this=0x7fff83f91430) at JavaScriptCore/jit/JIT.cpp:382
#3 0x00007f6d79f086e5 in JSC::JIT::privateCompile (this=0x7fff83f91430) at JavaScriptCore/jit/JIT.cpp:456
#4 0x00007f6d79f20422 in JSC::JIT::compile (globalData=0x1dfd740, codeBlock=0x1e11aa0) at ./JavaScriptCore/jit/JIT.h:280
#5 0x00007f6d79fb7bac in JSC::Interpreter::execute (this=0x1e22f00, programNode=0x1e11990, callFrame=0x1e233e8, scopeChain=0x1e236a0, thisObj=0x7f6d6b3f0000,
exception=0x7fff83f917d0) at JavaScriptCore/interpreter/Interpreter.cpp:640
#6 0x00007f6d79ff6bda in JSC::evaluate (exec=0x1e233e8, scopeChain=@0x1e233a0, source=@0x7fff83f919e0, thisValue={m_ptr = 0x7f6d6b3f0000})
at JavaScriptCore/runtime/Completion.cpp:67
#7 0x00007f6d797e49fc in WebCore::ScriptController::evaluate (this=0x1d87858, sourceCode=@0x7fff83f919e0) at WebCore/bindings/js/ScriptController.cpp:101
#8 0x00007f6d79aabe10 in WebCore::FrameLoader::executeScript (this=0x1d87450, sourceCode=@0x7fff83f919e0) at WebCore/loader/FrameLoader.cpp:802
#9 0x00007f6d79aabec4 in WebCore::FrameLoader::executeScript (this=0x1d87450, script=@0x7fff83f91a70, forceUserGesture=true) at WebCore/loader/FrameLoader.cpp:791
#10 0x00007f6d79786cc6 in webkit_web_view_execute_script (webView=0x1c9a730,
script=0x4c0188 "var node = document.getElementById('epiphanyWebKitFloatingStatusBar');if (node) node.parentNode.removeChild(node);")
at WebKit/gtk/webkit/webkitwebview.cpp:2713
#11 0x000000000043fefd in ephy_window_link_message_cb (embed=0x19e41a0, spec=0x1d7c010, window=0x1b99070) at ephy-window.c:2685
#12 0x00007f6d7062cda9 in IA__g_cclosure_marshal_VOID__PARAM (closure=0x1daf880, return_value=0x0, n_param_values=2, param_values=0x1dffa30, invocation_hint=0x7fff83f92720,
marshal_data=0x0) at gmarshal.c:531
#13 0x00007f6d70610e5f in IA__g_closure_invoke (closure=0x1daf880, return_value=0x0, n_param_values=2, param_values=0x1dffa30, invocation_hint=0x7fff83f92720) at gclosure.c:767
#14 0x00007f6d7062b662 in signal_emit_unlocked_R (node=0x1993bc0, detail=2062, instance=0x19e41a0, emission_return=0x0, instance_and_params=0x1dffa30) at gsignal.c:3247
#15 0x00007f6d7062a299 in IA__g_signal_emit_valist (instance=0x19e41a0, signal_id=1, detail=2062, var_args=0x7fff83f92af0) at gsignal.c:2980
#16 0x00007f6d7062a8a8 in IA__g_signal_emit (instance=0x19e41a0, signal_id=1, detail=2062) at gsignal.c:3037
#17 0x00007f6d70613756 in g_object_dispatch_properties_changed (object=0x19e41a0, n_pspecs=5, pspecs=0x7fff83f92c60) at gobject.c:770
#18 0x00007f6d70612620 in g_object_notify_dispatcher (object=0x19e41a0, n_pspecs=5, pspecs=0x7fff83f92c60) at gobject.c:312
#19 0x00007f6d70613ca9 in g_object_notify_queue_thaw (object=0x19e41a0, nqueue=0x1e19380) at gobjectnotifyqueue.c:125
#20 0x00007f6d70613dc1 in IA__g_object_thaw_notify (object=0x19e41a0) at gobject.c:887
#21 0x000000000047b72c in ephy_base_embed_location_changed (embed=0x19e41a0, location=0x1debe70 "http://www.google.es/") at ephy-base-embed.c:1414
#22 0x0000000000476f65 in load_committed_cb (web_view=0x1c9a730, web_frame=0x1d7d540, embed=0x19e41a0) at webkit-embed.c:226
#23 0x00007f6d7062d025 in IA__g_cclosure_marshal_VOID__OBJECT (closure=0x1dabb10, return_value=0x0, n_param_values=2, param_values=0x1d19730, invocation_hint=0x7fff83f93180,
marshal_data=0x0) at gmarshal.c:636
#24 0x00007f6d70610e5f in IA__g_closure_invoke (closure=0x1dabb10, return_value=0x0, n_param_values=2, param_values=0x1d19730, invocation_hint=0x7fff83f93180) at gclosure.c:767
#25 0x00007f6d7062b662 in signal_emit_unlocked_R (node=0x1d7bbf0, detail=0, instance=0x1c9a730, emission_return=0x0, instance_and_params=0x1d19730) at gsignal.c:3247
#26 0x00007f6d7062a299 in IA__g_signal_emit_valist (instance=0x1c9a730, signal_id=339, detail=0, var_args=0x7fff83f93580) at gsignal.c:2980
#27 0x00007f6d7062ab37 in IA__g_signal_emit_by_name (instance=0x1c9a730, detailed_signal=0x7f6d7a186de8 "load-committed") at gsignal.c:3074
#28 0x00007f6d79773822 in WebKit::FrameLoaderClient::dispatchDidCommitLoad (this=0x1d86600) at WebKit/gtk/WebCoreSupport/FrameLoaderClientGtk.cpp:730
#29 0x00007f6d79a9ebbb in WebCore::FrameLoader::dispatchDidCommitLoad (this=0x1d87450) at WebCore/loader/FrameLoader.cpp:5182
#30 0x00007f6d79ab0a5f in WebCore::FrameLoader::receivedFirstData (this=0x1d87450) at WebCore/loader/FrameLoader.cpp:882
#31 0x00007f6d79ab0cc3 in WebCore::FrameLoader::setEncoding (this=0x1d87450, name=@0x7fff83f93830, userChosen=false) at WebCore/loader/FrameLoader.cpp:1801
#32 0x00007f6d79774966 in WebKit::FrameLoaderClient::committedLoad (this=0x1d86600, loader=0x1df5800,
data=0x7fff83f94360 "<html><head><meta http-equiv=\"content-type\" content=\"text/html; charset=UTF-8\"><title>Google</title><script>window.google={kEI:\"DVENSorhMePRjAfWj_CtBg\",kEXPI:\"17259,20430,20457\",kHL:\"es\"};\nwindow.goog"..., length=1413) at WebKit/gtk/WebCoreSupport/FrameLoaderClientGtk.cpp:210
#33 0x00007f6d79aa21ce in WebCore::FrameLoader::committedLoad (this=0x1d87450, loader=0x1df5800,
data=0x7fff83f94360 "<html><head><meta http-equiv=\"content-type\" content=\"text/html; charset=UTF-8\"><title>Google</title><script>window.google={kEI:\"DVENSorhMePRjAfWj_CtBg\",kEXPI:\"17259,20430,20457\",kHL:\"es\"};\nwindow.goog"..., length=1413) at WebCore/loader/FrameLoader.cpp:3617
#34 0x00007f6d79a8c9fd in WebCore::DocumentLoader::commitLoad (this=0x1df5800,
data=0x7fff83f94360 "<html><head><meta http-equiv=\"content-type\" content=\"text/html; charset=UTF-8\"><title>Google</title><script>window.google={kEI:\"DVENSorhMePRjAfWj_CtBg\",kEXPI:\"17259,20430,20457\",kHL:\"es\"};\nwindow.goog"..., length=1413) at WebCore/loader/DocumentLoader.cpp:361
#35 0x00007f6d79a8ca56 in WebCore::DocumentLoader::receivedData (this=0x1df5800, data=0x7fff83f94360 "<html><head><meta http-equiv=\"content-type\" content=\"text/html; charset=UTF-8\"><title>Google</title><script>window.google={kEI:\"DVENSorhMePRjAfWj_CtBg\",kEXPI:\"17259,20430,20457\",kHL:\"es\"};\nwindow.goog"..., length=1413) at WebCore/loader/DocumentLoader.cpp:373
#36 0x00007f6d79aa58a7 in WebCore::FrameLoader::receivedData (this=0x1d87450,
data=0x7fff83f94360 "<html><head><meta http-equiv=\"content-type\" content=\"text/html; charset=UTF-8\"><title>Google</title><script>window.google={kEI:\"DVENSorhMePRjAfWj_CtBg\",kEXPI:\"17259,20430,20457\",kHL:\"es\"};\nwindow.goog"..., length=1413) at WebCore/loader/FrameLoader.cpp:2443
#37 0x00007f6d79abb528 in WebCore::MainResourceLoader::addData (this=0x1df8400,
data=0x7fff83f94360 "<html><head><meta http-equiv=\"content-type\" content=\"text/html; charset=UTF-8\"><title>Google</title><script>window.google={kEI:\"DVENSorhMePRjAfWj_CtBg\",kEXPI:\"17259,20430,20457\",kHL:\"es\"};\nwindow.goog"..., length=1413, allAtOnce=false) at WebCore/loader/MainResourceLoader.cpp:148
#38 0x00007f6d79ac27ee in WebCore::ResourceLoader::didReceiveData (this=0x1df8400,
data=0x7fff83f94360 "<html><head><meta http-equiv=\"content-type\" content=\"text/html; charset=UTF-8\"><title>Google</title><script>window.google={kEI:\"DVENSorhMePRjAfWj_CtBg\",kEXPI:\"17259,20430,20457\",kHL:\"es\"};\nwindow.goog"..., length=1413, lengthReceived=0, allAtOnce=false) at WebCore/loader/ResourceLoader.cpp:257
#39 0x00007f6d79aba6c8 in WebCore::MainResourceLoader::didReceiveData (this=0x1df8400,
data=0x7fff83f94360 "<html><head><meta http-equiv=\"content-type\" content=\"text/html; charset=UTF-8\"><title>Google</title><script>window.google={kEI:\"DVENSorhMePRjAfWj_CtBg\",kEXPI:\"17259,20430,20457\",kHL:\"es\"};\nwindow.goog"..., length=1413, lengthReceived=0, allAtOnce=false) at WebCore/loader/MainResourceLoader.cpp:360
#40 0x00007f6d79ac1bf9 in WebCore::ResourceLoader::didReceiveData (this=0x1df8400,
data=0x7fff83f94360 "<html><head><meta http-equiv=\"content-type\" content=\"text/html; charset=UTF-8\"><title>Google</title><script>window.google={kEI:\"DVENSorhMePRjAfWj_CtBg\",kEXPI:\"17259,20430,20457\",kHL:\"es\"};\nwindow.goog"..., length=1413, lengthReceived=0) at WebCore/loader/ResourceLoader.cpp:411
#41 0x00007f6d79cf41e7 in gotChunkCallback (msg=0x1d59440, chunk=0x1dffb50, data=0x1daece0) at WebCore/platform/network/soup/ResourceHandleSoup.cpp:310
#42 0x00007f6d7062ce7d in IA__g_cclosure_marshal_VOID__BOXED (closure=0x1dc9f10, return_value=0x0, n_param_values=2, param_values=0x1d19610, invocation_hint=0x7fff83f93e90,
marshal_data=0x0) at gmarshal.c:566
#43 0x00007f6d70610e5f in IA__g_closure_invoke (closure=0x1dc9f10, return_value=0x0, n_param_values=2, param_values=0x1d19610, invocation_hint=0x7fff83f93e90) at gclosure.c:767
#44 0x00007f6d7062b662 in signal_emit_unlocked_R (node=0x1d86120, detail=0, instance=0x1d59440, emission_return=0x0, instance_and_params=0x1d19610) at gsignal.c:3247
#45 0x00007f6d7062a299 in IA__g_signal_emit_valist (instance=0x1d59440, signal_id=378, detail=0, var_args=0x7fff83f94260) at gsignal.c:2980
#46 0x00007f6d7062a8a8 in IA__g_signal_emit (instance=0x1d59440, signal_id=378, detail=0) at gsignal.c:3037
#47 0x00007f6d730c6ce1 in soup_message_got_chunk (msg=0x1d59440, chunk=0x1dffb50) at soup-message.c:830
#48 0x00007f6d730cb2b4 in read_body_chunk (msg=0x1d59440) at soup-message-io.c:320
#49 0x00007f6d730cc22d in io_read (sock=0x1e03960, msg=0x1d59440) at soup-message-io.c:800
#50 0x00007f6d7062c30a in IA__g_cclosure_marshal_VOID__VOID (closure=0x1e05420, return_value=0x0, n_param_values=1, param_values=0x1e091a0, invocation_hint=0x7fff83f967e0,
marshal_data=0x0) at gmarshal.c:77
#51 0x00007f6d70610e5f in IA__g_closure_invoke (closure=0x1e05420, return_value=0x0, n_param_values=1, param_values=0x1e091a0, invocation_hint=0x7fff83f967e0) at gclosure.c:767
#52 0x00007f6d7062b662 in signal_emit_unlocked_R (node=0x1cfe000, detail=0, instance=0x1e03960, emission_return=0x0, instance_and_params=0x1e091a0) at gsignal.c:3247
#53 0x00007f6d7062a299 in IA__g_signal_emit_valist (instance=0x1e03960, signal_id=386, detail=0, var_args=0x7fff83f96bb0) at gsignal.c:2980
#54 0x00007f6d7062a8a8 in IA__g_signal_emit (instance=0x1e03960, signal_id=386, detail=0) at gsignal.c:3037
#55 0x00007f6d730d7e3a in socket_read_watch (chan=0x1deaad0, cond=G_IO_IN, user_data=0x1e03960) at soup-socket.c:1152
#56 0x00007f6d70382686 in g_io_unix_dispatch (source=0x1dee2a0, callback=0x7f6d730d7daa <socket_read_watch>, user_data=0x1e03960) at giounix.c:162
#57 0x00007f6d703407a8 in g_main_dispatch (context=0x19ad670) at gmain.c:1814
#58 0x00007f6d70341f21 in IA__g_main_context_dispatch (context=0x19ad670) at gmain.c:2367
#59 0x00007f6d70342566 in g_main_context_iterate (context=0x19ad670, block=1, dispatch=1, self=0x1980660) at gmain.c:2448
#60 0x00007f6d70342d70 in IA__g_main_loop_run (loop=0x19cb760) at gmain.c:2656
#61 0x00007f6d762f6e89 in IA__gtk_main () at gtkmain.c:1205
#62 0x0000000000432aac in main (argc=1, argv=0x7fff83f981b8) at ephy-main.c:781
Alejandro G. Castro
More information about this one: it just happens with a debug compilation.
Mark Rowe (bdash)
It is an assertion failure, so of course it only happens in a debug build.
Alejandro G. Castro
Requested by bdash :)
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f77cbbc87a0 (LWP 1607)]
0x00007f77c9c62e1b in JSC::JIT::compileGetByIdSlowCase (this=0x7fffd3bfb090, resultVReg=4, baseVReg=-14, ident=0x139bcb0, iter=@0x7fffd3bfae48, propertyAccessInstructionIndex=0)
at JavaScriptCore/jit/JITPropertyAccess.cpp:252
252 ASSERT(differenceBetween(coldPathBegin, call) == patchOffsetGetByIdSlowCaseCall);
Current language: auto; currently c++
(gdb) p differenceBetween(coldPathBegin, call)
$1 = 38
(gdb) p patchOffsetGetByIdSlowCaseCall
$2 = 44
(gdb) p coldPathBegin
$3 = {m_label = {m_offset = 410, m_used = false}}
(gdb) p call
$4 = {m_jmp = {m_offset = 448}, m_flags = JSC::AbstractMacroAssembler<JSC::X86Assembler>::Call::Linkable}
Oliver Hunt
This is likely an ABI issue exposed when the 64-bit JIT was re-enabled.
Dan Winship
There is a sporadic crash in x86_64 webkit (or at least, x86_64 epiphany) that seems to be javascript related, although it is difficult to say for sure because the webkit crash causes gdb to get stuck in an infinite loop, so you can't debug it in gdb (qv https://bugzilla.redhat.com/show_bug.cgi?id=507267).
I'm assuming that the crash is caused by the same bug that this assertion is pointing out, it's just that if you have assertions enabled, it *always* crashes, and if you don't, then it only crashes when the bug causes some important bit of memory to get overwritten. (Presumably something on the stack, given the gdb hang?)
Anyway, if you go to digg or reddit or some other site that links to lots of other sites, and start middle-clicking on links, you'll quickly hit the crash. Here's one example from today: http://www.usefultools.com/2009/06/rss-feeds-from-any-website/. It crashes if javascript is enabled, but not if javascript is disabled.
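The gdb output above shows the shape of the failure: the emitter measured 38 bytes from coldPathBegin to the call, while the patching code trusts a hard-coded patchOffsetGetByIdSlowCaseCall of 44. The model below is an added illustration of that failure mode and the consequence Dan Winship describes; it is not JavaScriptCore's assembler. The x86 byte encodings are real, but the slow-case layout, the two calling conventions and the constant PATCH_OFFSET_SLOW_CASE_CALL are assumptions chosen for the demo. It emits the slow path for a stack-argument ABI and for a register-argument ABI, checks the emitted distance the way the ASSERT does, and contrasts a blind patch at the hard-coded offset (what a release build does once the ASSERT is compiled out) with a patch that first verifies an E8 call opcode really sits at that site.

```c
/* Illustrative model of a JIT that patches a call at a hard-coded offset from
 * a label. Not JavaScriptCore's code: the x86 byte encodings are real, but the
 * slow-case layout and the patch constant are assumptions made for the demo. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CODE_MAX 64

typedef struct { uint8_t code[CODE_MAX]; size_t size; } CodeBuffer;
typedef enum { ABI_X86_32_STACK, ABI_X86_64_SYSV } Abi;

/* Offsets recorded during emission, like the Label/Call pair in the report. */
typedef struct { size_t cold_path_begin; size_t call; size_t jmp_back; } SlowCase;

static void emit(CodeBuffer *b, const uint8_t *bytes, size_t n) {
    assert(b->size + n <= CODE_MAX);
    memcpy(b->code + b->size, bytes, n);
    b->size += n;
}
static void write_rel32(CodeBuffer *b, size_t at, uint32_t v) {
    uint8_t le[4] = { v & 0xff, (v >> 8) & 0xff, (v >> 16) & 0xff, v >> 24 };
    memcpy(b->code + at, le, 4);
}
static void emit_u32(CodeBuffer *b, uint32_t v) {
    uint8_t zero[4] = {0};
    emit(b, zero, 4);
    write_rel32(b, b->size - 4, v);
}

/* Argument setup differs per calling convention, so the distance from
 * cold_path_begin to the call depends on which ABI the emitter targets. */
static SlowCase compile_slow_case(CodeBuffer *b, Abi abi, uint32_t base, uint32_t ident) {
    SlowCase sc;
    uint8_t op;
    sc.cold_path_begin = b->size;
    if (abi == ABI_X86_32_STACK) {
        /* three stack arguments: push imm32 (0x68) x3 = 15 bytes */
        op = 0x68; emit(b, &op, 1); emit_u32(b, ident);
        op = 0x68; emit(b, &op, 1); emit_u32(b, base);
        op = 0x68; emit(b, &op, 1); emit_u32(b, 0);
    } else {
        /* register arguments: mov edi, imm32 (0xBF) ; mov esi, imm32 (0xBE) = 10 bytes */
        op = 0xBF; emit(b, &op, 1); emit_u32(b, base);
        op = 0xBE; emit(b, &op, 1); emit_u32(b, ident);
    }
    sc.call = b->size;
    op = 0xE8; emit(b, &op, 1); emit_u32(b, 0);          /* call rel32, target patched later */
    sc.jmp_back = b->size;
    op = 0xE9; emit(b, &op, 1); emit_u32(b, 0x11223344); /* jmp rel32 back to the hot path */
    return sc;
}

/* The constant the patching code trusts; derived from the 32-bit layout (assumption). */
enum { PATCH_OFFSET_SLOW_CASE_CALL = 15 };

static long difference_between(size_t from, size_t to) { return (long)to - (long)from; }

/* Equivalent of the ASSERT in the report: 1 if the emitted layout matches the constant. */
static int slow_case_layout_matches(const SlowCase *sc) {
    return difference_between(sc->cold_path_begin, sc->call) == PATCH_OFFSET_SLOW_CASE_CALL;
}

/* Blind patch: what remains once the ASSERT is compiled out of a release build. */
static void patch_call_unchecked(CodeBuffer *b, const SlowCase *sc, uint32_t rel32) {
    write_rel32(b, sc->cold_path_begin + PATCH_OFFSET_SLOW_CASE_CALL + 1, rel32);
}

/* Checked patch: refuse unless an E8 opcode really sits at the hard-coded site. */
static int patch_call_checked(CodeBuffer *b, const SlowCase *sc, uint32_t rel32) {
    size_t site = sc->cold_path_begin + PATCH_OFFSET_SLOW_CASE_CALL;
    if (site + 5 > b->size || b->code[site] != 0xE8)
        return -1;
    write_rel32(b, site + 1, rel32);
    return 0;
}

/* Scenario helpers, one outcome per return value. Operand values are constructed. */
static long slow_case_call_distance(Abi abi) {
    CodeBuffer b = {{0}, 0};
    SlowCase sc = compile_slow_case(&b, abi, 0xdeadbeef, 0xcafef00d);
    return difference_between(sc.cold_path_begin, sc.call);
}
static int checked_patch_result(Abi abi) {
    CodeBuffer b = {{0}, 0};
    SlowCase sc = compile_slow_case(&b, abi, 0xdeadbeef, 0xcafef00d);
    return patch_call_checked(&b, &sc, 0x100);
}
/* 1 if the blind patch overwrote the displacement of the jmp that follows the call. */
static int unchecked_patch_clobbers_jmp(Abi abi) {
    CodeBuffer b = {{0}, 0};
    SlowCase sc = compile_slow_case(&b, abi, 0xdeadbeef, 0xcafef00d);
    patch_call_unchecked(&b, &sc, 0x100);
    return memcmp(b.code + sc.jmp_back + 1, "\x44\x33\x22\x11", 4) != 0;
}

int main(void) {
    for (int abi = ABI_X86_32_STACK; abi <= ABI_X86_64_SYSV; abi++) {
        CodeBuffer b = {{0}, 0};
        SlowCase sc = compile_slow_case(&b, (Abi)abi, 0xdeadbeef, 0xcafef00d);
        printf("abi=%d distance=%ld matches=%d checked=%d clobbers_jmp=%d\n", abi,
               slow_case_call_distance((Abi)abi), slow_case_layout_matches(&sc),
               checked_patch_result((Abi)abi), unchecked_patch_clobbers_jmp((Abi)abi));
    }
    return 0;
}
```

For the stack-argument layout the constant is right, the checked patch succeeds and the following jmp is untouched. For the register-argument layout the call sits 5 bytes earlier than the constant says, so the blind patch writes its rel32 over the displacement of the jmp back to the hot path: the JIT'd code is silently corrupted and the crash surfaces somewhere else, which is the behaviour Dan Winship describes for the non-assert build. The checked variant turns that into a refused patch that can be reported instead.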
Alejandro G. Castro
It works for me now with svn version 48924; I tested the usual use cases that were crashing before under the same conditions.