Bug 47136

Summary:	WebSocket tests are crashing
Product:	WebKit	Reporter:	Simon Fraser (smfr) <simon.fraser>
Component:	WebCore Misc.	Assignee:	Simon Fraser (smfr) <simon.fraser>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	abarth, ap, darin, jamesr, simon.fraser, tonikitoo
Priority:	P2
Version:	528+ (Nightly build)
Hardware:	Mac
OS:	OS X 10.5

Simon Fraser (smfr)

Reported 2010-10-04 17:27:49 PDT

From Adam: As you might have noticed, the WebSocket tests are crashing on Leopard and Snow Leopard. I thought for a while that this might be related to my recent move of the WebSocket tests, but looks unrelated. The crashes started with a patch that flipped off the SVN executable bit for a bunch of files, which also seems unrelated (reverting that change locally also don't seem to make a difference). Here's a reduced test case: <script> var ws = new WebSocket('ws://localhost:1111/'); </script> Just open a local HTML file containing that code and you'll crash WebKit on Snow Leopard (and presumably Leopard as well). The crash looks like some kind of heap corruption. At this point, I'd like to hand this off to someone who's more familiar with the WebSockets code. Any volunteers?

Attachments
Add attachment proposed patch, testcase, etc.

Simon Fraser (smfr)

Comment 1 2010-10-04 17:29:57 PDT

There's a heap corruption bug somewhere. When debugging, I see variable display of 'this' go bad in Xcode in the SocketStreamHandleBase() ctor. Disassembling this gives: 0x0000000103c0ad64 <+0000> push %rbp 0x0000000103c0ad65 <+0001> mov %rsp,%rbp 0x0000000103c0ad68 <+0004> mov %rdi,-0x8(%rbp) 0x0000000103c0ad6c <+0008> lea 0x1437e0d(%rip),%rax # 0x105042b80 <_ZTVN7WebCore22SocketStreamHandleBaseE> 0x0000000103c0ad73 <+0015> lea 0x10(%rax),%rdx 0x0000000103c0ad77 <+0019> mov -0x8(%rbp),%rax 0x0000000103c0ad7b <+0023> mov %rdx,(%rax) <--- 'this' gets clobbered here It's loading the vtable, but I don't know what the lea 0x10(%rax),%rdx is trying to do.

Darin Adler

Comment 2 2010-10-04 17:37:10 PDT

(In reply to comment #1) > It's loading the vtable, but I don't know what the > lea 0x10(%rax),%rdx > is trying to do. That looks to me like a multiple-inheritance pointer adjustment. Maybe we have a problem with unsafe casting to and from "this" when there is multiple inheritance involved?

Simon Fraser (smfr)

Comment 3 2010-10-04 17:43:36 PDT

The superclass certainly uses multiple inheritance: class SocketStreamHandle : public RefCounted<SocketStreamHandle>, public SocketStreamHandleBase, public AuthenticationClient { but the assembly comes from the ctor of SocketStreamHandleBase, which has virtual functions, but doesn't inherit from anything.

Simon Fraser (smfr)

Comment 4 2010-10-04 17:53:25 PDT

If I shuffle the inheritance order of SocketStreamHandle to: class SocketStreamHandle : public RefCounted<SocketStreamHandle>, public AuthenticationClient, public SocketStreamHandleBase { then things to bad in the AuthenticationClient ctor, in a similar place. Certainly looks like an issue with multiple-inheritance pointer adjustment.

Simon Fraser (smfr)

Comment 5 2010-10-04 18:08:03 PDT

The build is picking up network/qt/SocketStreamHandle.h

Simon Fraser (smfr)

Comment 6 2010-10-04 18:17:52 PDT

The project was changed inadvertently in http://trac.webkit.org/changeset/68951

Simon Fraser (smfr)

Comment 7 2010-10-04 18:23:36 PDT

http://trac.webkit.org/changeset/69057

James Robinson

Comment 8 2010-10-04 18:42:30 PDT

FFFFFFFFUUUUUUUUUUUUUUUUUU

Adam Barth

Comment 9 2010-10-04 20:23:54 PDT

Looks like we might need to trigger a world-rebuild to see this fix things on the bots.

Note You need to log in before you can comment on or make changes to this bug.