Bug 40875

Summary: segfault from invalid write in JSC::JIT::unlinkCall
Product: WebKit
Reporter: Michael Gratton <mike>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: UNCONFIRMED
Severity: Critical
CC: ap, ashl1future, ggaren, kbalazs, oliver, webkit, zherczeg
Priority: P2
Version: 528+ (Nightly build)
Hardware: PC
OS: Linux
Attachments:
  Valgrind log showing invalid write (flags: none)

Michael Gratton
Reported 2010-06-19 00:55:39 PDT
Created attachment 59179: Valgrind log showing invalid write

I'm getting pretty random crashes daily with WebKit 531.2 (Epiphany 2.30.2, libwebkit 1.2.0) that seem to be stemming from an invalid write in JSC::JIT::unlinkCall. A Valgrind memcheck log of one such crash is attached. This is a reasonably straightforward thing to reproduce; generally browsing my daily news sites in a single window with a bunch of tabs open will do it, so let me know if you need any additional information/debugging. Originally reported at https://bugzilla.gnome.org/show_bug.cgi?id=621657
Attachment: Valgrind log showing invalid write (104.00 KB, application/octet-stream), 2010-06-19 00:55 PDT, Michael Gratton, no flags
Oliver Hunt
Comment 1 2010-06-20 22:05:20 PDT
Is this 32- or 64-bit? From the valgrind output I can't tell :-(
Michael Gratton
Comment 2 2010-06-20 22:09:54 PDT
It's on an Intel Core2 Duo (Thinkpad X61s) machine running the Ubuntu Lucid amd64 port.
Zoltan Herczeg
Comment 3 2010-06-20 23:40:39 PDT
I have checked your log, and it says:

Invalid write of size 8 - blah blah
Address 0x1fd44f16 is not stack'd, malloc'd or (recently) free'd

Thus, the pointer contains an invalid value, instead of pointing to a free memory chunk. Similar to what they say for gsplice in the original bug, it is likely that something overrode the memory, and it is unrelated to both gsplice and unlinkCall. You should also know that Valgrind and JIT compilers don't like each other (at least none of the 3 compilers I used before), so the vg crash can even be unrelated to your bug. Ok, your next question is probably how to proceed... I would give a shot to compiling webkit with the interpreter, and see if the error still persists. Depending on your answer, we can decide what to do. It will probably be a difficult bug, and will take time. I will try to help you even if the bug is unrelated to webkit.
Balazs Kelemen
Comment 4 2010-06-21 02:09:16 PDT
I think this problem is definitely JIT specific. I have faced a similar problem, reported in bug 39060.
Michael Gratton
Comment 5 2010-10-11 18:50:18 PDT
Okay, I recompiled webkitgtk passing --disable-jit to configure (I assume that uses the interpreter instead) and am still getting essentially the same segfault - in magazine_chain_pop_head when constructing some gobject. How do we proceed from here? I'll look at getting a valgrind log from the JIT-less build.
Alexey Proskuryakov
Comment 6 2010-11-19 21:06:31 PST
See also: bug 48840.
xxx
Comment 7 2011-04-14 03:37:46 PDT
In my case, reported at https://bugs.webkit.org/show_bug.cgi?id=48840, I cannot reproduce the crash on a webkit without jit. I get this on my webkit 533.3, but I'm not sure if it's useful. Thanks.

==12385== Conditional jump or move depends on uninitialised value(s)
==12385==    at 0x6AAB1CE: WebCore::jsString(JSC::ExecState*, WebCore::String const&) (in /opt/qtsdk-4.72-webkit-no-jit/lib/libQtWebKit.so.4.7.2)
==12385==    by 0x6AE93D7: WebCore::jsHTMLElementId(JSC::ExecState*, JSC::JSValue, JSC::Identifier const&) (in /opt/qtsdk-4.72-webkit-no-jit/lib/libQtWebKit.so.4.7.2)
==12385==    by 0x76074AE: JSC::JSValue::get(JSC::ExecState*, JSC::Identifier const&, JSC::PropertySlot&) const (in /opt/qtsdk-4.72-webkit-no-jit/lib/libQtWebKit.so.4.7.2)
==12385==    by 0x75F5015: JSC::Interpreter::privateExecute(JSC::Interpreter::ExecutionFlag, JSC::RegisterFile*, JSC::ExecState*, JSC::JSValue*) (in /opt/qtsdk-4.72-webkit-no-jit/lib/libQtWebKit.so.4.7.2)
==12385==    by 0x76059DC: JSC::Interpreter::execute(JSC::FunctionExecutable*, JSC::ExecState*, JSC::JSFunction*, JSC::JSObject*, JSC::ArgList const&, JSC::ScopeChainNode*, JSC::JSValue*) (in /opt/qtsdk-4.72-webkit-no-jit/lib/libQtWebKit.so.4.7.2)
==12385==    by 0x7634C2C: JSC::JSFunction::call(JSC::ExecState*, JSC::JSValue, JSC::ArgList const&) (in /opt/qtsdk-4.72-webkit-no-jit/lib/libQtWebKit.so.4.7.2)
==12385==    by 0x760F78D: JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (in /opt/qtsdk-4.72-webkit-no-jit/lib/libQtWebKit.so.4.7.2)
==12385==    by 0x6E47AD9: WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue) (in /opt/qtsdk-4.72-webkit-no-jit/lib/libQtWebKit.so.4.7.2)
==12385==    by 0x6E48326: WebCore::ScheduledAction::execute(WebCore::Document*) (in /opt/qtsdk-4.72-webkit-no-jit/lib/libQtWebKit.so.4.7.2)
==12385==    by 0x6E4845A: WebCore::ScheduledAction::execute(WebCore::ScriptExecutionContext*) (in /opt/qtsdk-4.72-webkit-no-jit/lib/libQtWebKit.so.4.7.2)
==12385==    by 0x7153BD9: WebCore::DOMTimer::fired() (in /opt/qtsdk-4.72-webkit-no-jit/lib/libQtWebKit.so.4.7.2)
==12385==    by 0x7210CF8: WebCore::ThreadTimers::sharedTimerFiredInternal() (in /opt/qtsdk-4.72-webkit-no-jit/lib/libQtWebKit.so.4.7.2)
==12385==  Uninitialised value was created by a stack allocation
==12385==    at 0x7674D66: JSC::jsAddSlowCase(JSC::ExecState*, JSC::JSValue, JSC::JSValue) (in /opt/qtsdk-4.72-webkit-no-jit/lib/libQtWebKit.so.4.7.2)
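A small triage helper, added here as an example and not part of this bug or of WebKit, that sorts memcheck error blocks the way comment 3 reads the "Address ... is not stack'd, malloc'd or (recently) free'd" line (wild pointer, so suspect earlier corruption) and the way comment 7's "uninitialised value ... created by a stack allocation" report should be read; it goes beyond the page by also recognising use-after-free reports. The sample log is constructed: the pid, addresses and the middle block are made up, only the symbol names come from the thread.

```python
import re

# Constructed memcheck excerpt modelled on the lines quoted in comments 3 and 7;
# the pid, the addresses and the middle (use-after-free) block are made up.
SAMPLE_LOG = """\
==4242== Invalid write of size 8
==4242==    at 0x4E0A11: JSC::JIT::unlinkCall(JSC::CallLinkInfo*) (in /usr/lib/libwebkit-1.0.so.2)
==4242==  Address 0x1fd44f16 is not stack'd, malloc'd or (recently) free'd
==4242== Invalid read of size 4
==4242==    at 0x400567: use_after_free (example.c:12)
==4242==  Address 0x51f2040 is 0 bytes inside a block of size 16 free'd
==4242==    at 0x4C2BDEC: free (vg_replace_malloc.c:530)
==4242== Conditional jump or move depends on uninitialised value(s)
==4242==    at 0x6AAB1CE: WebCore::jsString(JSC::ExecState*, WebCore::String const&) (in libQtWebKit.so.4.7.2)
==4242==  Uninitialised value was created by a stack allocation
==4242==    at 0x7674D66: JSC::jsAddSlowCase(JSC::ExecState*, JSC::JSValue, JSC::JSValue) (in libQtWebKit.so.4.7.2)
"""
PREFIX = re.compile(r"^==\d+==(.*)$")
ERROR_HEAD = re.compile(r"^(?:Invalid (?:read|write) of size \d+|Conditional jump or move depends on uninitialised)")
FRAME = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: ([^(\s]+)")

def classify(header, detail):
    """Turn an error header plus its 'Address ...'/'Uninitialised value ...' line into a triage label."""
    if header.startswith("Invalid"):
        if detail and "not stack'd, malloc'd or (recently) free'd" in detail:
            return "wild pointer"    # address belongs to no known allocation: suspect earlier corruption
        if detail and "free'd" in detail:
            return "use after free"  # address lies inside a heap block that was already freed
        return "invalid access (unclassified)"
    if detail and "stack allocation" in detail:
        return "uninitialised stack value"
    return "uninitialised value"

def parse_memcheck(text):
    """Return [(label, innermost_frame)] for every error block in memcheck output."""
    errors, cur = [], None
    for raw in text.splitlines():
        m = PREFIX.match(raw)
        if not m: continue  # not a memcheck line (e.g. the program's own output)
        line = m.group(1).strip()
        if ERROR_HEAD.match(line):
            cur = {"header": line, "frame": None, "detail": None}
            errors.append(cur)
        elif cur is None:
            continue
        elif line.startswith(("Address ", "Uninitialised value was created")):
            cur["detail"] = line
        elif cur["frame"] is None and (f := FRAME.match(line)):
            cur["frame"] = f.group(1)  # keep only the innermost frame of the first trace
    return [(classify(e["header"], e["detail"]), e["frame"]) for e in errors]
```

Feed it a real memcheck log and a "wild pointer" result at a JIT frame is the cue from comment 3 to retest with --disable-jit before blaming the function named in the trace.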
Xan Lopez
Comment 8 2011-05-17 04:43:34 PDT
*** Bug 48840 has been marked as a duplicate of this bug. ***