| Summary: | WebSocket tests are crashing | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Simon Fraser (smfr) <simon.fraser> |
| Component: | WebCore Misc. | Assignee: | Simon Fraser (smfr) <simon.fraser> |
| Status: | RESOLVED FIXED | ||
| Severity: | Normal | CC: | abarth, ap, darin, jamesr, simon.fraser, tonikitoo |
| Priority: | P2 | ||
| Version: | 528+ (Nightly build) | ||
| Hardware: | Mac | ||
| OS: | OS X 10.5 | ||
There's a heap corruption bug somewhere. When debugging, I see variable display of 'this' go bad in Xcode in the SocketStreamHandleBase() ctor. Disassembling this gives: 0x0000000103c0ad64 <+0000> push %rbp 0x0000000103c0ad65 <+0001> mov %rsp,%rbp 0x0000000103c0ad68 <+0004> mov %rdi,-0x8(%rbp) 0x0000000103c0ad6c <+0008> lea 0x1437e0d(%rip),%rax # 0x105042b80 <_ZTVN7WebCore22SocketStreamHandleBaseE> 0x0000000103c0ad73 <+0015> lea 0x10(%rax),%rdx 0x0000000103c0ad77 <+0019> mov -0x8(%rbp),%rax 0x0000000103c0ad7b <+0023> mov %rdx,(%rax) <--- 'this' gets clobbered here It's loading the vtable, but I don't know what the lea 0x10(%rax),%rdx is trying to do. (In reply to comment #1) > It's loading the vtable, but I don't know what the > lea 0x10(%rax),%rdx > is trying to do. That looks to me like a multiple-inheritance pointer adjustment. Maybe we have a problem with unsafe casting to and from "this" when there is multiple inheritance involved? The superclass certainly uses multiple inheritance:
class SocketStreamHandle : public RefCounted<SocketStreamHandle>, public SocketStreamHandleBase, public AuthenticationClient {
but the assembly comes from the ctor of SocketStreamHandleBase, which has virtual functions, but doesn't inherit from anything.
If I shuffle the inheritance order of SocketStreamHandle to:
class SocketStreamHandle : public RefCounted<SocketStreamHandle>, public AuthenticationClient, public SocketStreamHandleBase {
then things to bad in the AuthenticationClient ctor, in a similar place.
Certainly looks like an issue with multiple-inheritance pointer adjustment.
The build is picking up network/qt/SocketStreamHandle.h The project was changed inadvertently in http://trac.webkit.org/changeset/68951 FFFFFFFFUUUUUUUUUUUUUUUUUU Looks like we might need to trigger a world-rebuild to see this fix things on the bots. |
From Adam: As you might have noticed, the WebSocket tests are crashing on Leopard and Snow Leopard. I thought for a while that this might be related to my recent move of the WebSocket tests, but looks unrelated. The crashes started with a patch that flipped off the SVN executable bit for a bunch of files, which also seems unrelated (reverting that change locally also don't seem to make a difference). Here's a reduced test case: <script> var ws = new WebSocket('ws://localhost:1111/'); </script> Just open a local HTML file containing that code and you'll crash WebKit on Snow Leopard (and presumably Leopard as well). The crash looks like some kind of heap corruption. At this point, I'd like to hand this off to someone who's more familiar with the WebSockets code. Any volunteers?