| Summary: | Assertion failure in JSC::Structure::typeInfo when reloading weather.com video page | ||||||
|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Adam Roben (:aroben) <aroben> | ||||
| Component: | JavaScriptCore | Assignee: | Oliver Hunt <oliver> | ||||
| Status: | RESOLVED FIXED | ||||||
| Severity: | Normal | CC: | ggaren, oliver | ||||
| Priority: | P2 | Keywords: | InRadar | ||||
| Version: | 528+ (Nightly build) | ||||||
| Hardware: | PC | ||||||
| OS: | Windows 7 | ||||||
| URL: | http://www.weather.com/outlook/videos/todays-top-forecast-4276 | ||||||
| Attachments: |
|
||||||
|
Description
Adam Roben (:aroben)
2011-05-10 14:07:30 PDT
I don't know what symptoms this causes in a release build. The script being evaluated is:
try { __flash__toXML(eval("if (typeof(onTemplateLoaded) != \"undefined\") onTemplateLoaded('myExperience');")) ; } catch (e) { "<undefined/>"; }
JSObject::hasProperty is looking for a property named callback5295 (In reply to comment #3) > The script being evaluated is: > > try { __flash__toXML(eval("if (typeof(onTemplateLoaded) != \"undefined\") onTemplateLoaded('myExperience');")) ; } catch (e) { "<undefined/>"; } That is the script being passed to NPN_Evaluate. The script being dealt with in Interpreter::callEval is (unsurprisingly): if (typeof(onTemplateLoaded) != "undefined") onTemplateLoaded('myExperience'); Some more data from the debugger: > structure()->classInfo() 0x0317073c struct JSC::ClassInfo const JSC::JSActivation::s_info {className=0x02e2fd00 "JSActivation" parentClass=0x031707d4 staticPropHashTable=0x00000000 ...} className: 0x02e2fd00 "JSActivation" parentClass: 0x031707d4 struct JSC::ClassInfo const JSC::JSObject::s_info {className=0x02e83bc4 "Object" parentClass=0x00000000 staticPropHashTable=0x00000000 ...} staticPropHashTable: 0x00000000 {compactSize=??? compactHashSizeMask=??? values=??? ...} classPropHashTableGetterFunction: 0x00000000 > &s_info 0x03170914 struct JSC::ClassInfo const JSC::Structure::s_info {className=0x02f56614 "Structure" parentClass=0x00000000 staticPropHashTable=0x00000000 ...} className: 0x02f56614 "Structure" parentClass: 0x00000000 {className=??? parentClass=??? staticPropHashTable=??? ...} staticPropHashTable: 0x00000000 {compactSize=??? compactHashSizeMask=??? values=??? ...} classPropHashTableGetterFunction: 0x00000000 This data seems to indicate that JSGlobalData::structureStructure was recycled to allocate JSGlobalData::activationStructure. That is very odd, since both objects are allocated before any webpages are loaded, and both are global roots. I'm flummoxed. I believe the release build symptom would be a crash. Oliver pointed out that what's more likely going on here is not that JSGlobalData::structureStructure was recycled, but instead that the current Structure was recycled, and an Activation allocated in its place. I couldn't reproduce this in a Mac release build. I was able to reproduce this. It doesn't seem to happen every time, but happens maybe once out of every 3 times. Here's the backtrace from another time I reproduced it:
> JavaScriptCore.dll!JSC::Structure::typeInfo() Line 101 + 0x43 bytes C++
JavaScriptCore.dll!JSC::JSCell::fastGetOwnPropertySlot(JSC::ExecState * exec=0x06a00238, const JSC::Identifier & propertyName={...}, JSC::PropertySlot & slot={...}) Line 510 + 0xf bytes C++
JavaScriptCore.dll!JSC::JSObject::getPropertySlot(JSC::ExecState * exec=0x06a00238, const JSC::Identifier & propertyName={...}, JSC::PropertySlot & slot={...}) Line 521 + 0x14 bytes C++
JavaScriptCore.dll!JSC::JSObject::hasProperty(JSC::ExecState * exec=0x06a00238, const JSC::Identifier & propertyName={...}) Line 208 C++
WebKit.dll!WebCore::runtimeObjectCustomGetOwnPropertySlot(JSC::ExecState * exec=0x06a00238, const JSC::Identifier & propertyName={...}, JSC::PropertySlot & slot={...}, WebCore::JSHTMLElement * element=0x0d3c3768) Line 119 + 0x10 bytes C++
WebKit.dll!WebCore::JSHTMLObjectElement::getOwnPropertySlotDelegate(JSC::ExecState * exec=0x06a00238, const JSC::Identifier & propertyName={...}, JSC::PropertySlot & slot={...}) Line 38 + 0x15 bytes C++
WebKit.dll!WebCore::JSHTMLObjectElement::getOwnPropertySlot(JSC::ExecState * exec=0x06a00238, const JSC::Identifier & propertyName={...}, JSC::PropertySlot & slot={...}) Line 181 + 0x14 bytes C++
JavaScriptCore.dll!JSC::JSCell::fastGetOwnPropertySlot(JSC::ExecState * exec=0x06a00238, const JSC::Identifier & propertyName={...}, JSC::PropertySlot & slot={...}) Line 512 + 0x1b bytes C++
JavaScriptCore.dll!cti_op_get_by_val(void * * args=0x0012c1d0) Line 2353 + 0x1b bytes C++
JavaScriptCore.dll!@cti_op_create_this@4() + 0x1cf bytes C++
JavaScriptCore.dll!JSC::JITCode::execute(JSC::RegisterFile * registerFile=0x03dcaf94, JSC::ExecState * callFrame=0x06a00090, JSC::JSGlobalData * globalData=0x03d2fe50) Line 77 + 0x22 bytes C++
JavaScriptCore.dll!JSC::Interpreter::execute(JSC::EvalExecutable * eval=0x0c200700, JSC::ExecState * callFrame=0x06a00038, JSC::JSObject * thisObj=0x0a940128, int globalRegisterOffset=18, JSC::ScopeChainNode * scopeChain=0x0d9a08c8) Line 1138 + 0x2b bytes C++
JavaScriptCore.dll!JSC::Interpreter::callEval(JSC::ExecState * callFrame=0x06a00038, JSC::RegisterFile * registerFile=0x03dcaf94, JSC::Register * argv=0x06a00050, int argc=2, int registerOffset=11) Line 412 + 0x6c bytes C++
JavaScriptCore.dll!cti_op_call_eval(void * * args=0x0012c4c8) Line 3210 C++
JavaScriptCore.dll!@cti_op_create_this@4() + 0x1cf bytes C++
JavaScriptCore.dll!JSC::JITCode::execute(JSC::RegisterFile * registerFile=0x03dcaf94, JSC::ExecState * callFrame=0x06a00038, JSC::JSGlobalData * globalData=0x03d2fe50) Line 77 + 0x22 bytes C++
JavaScriptCore.dll!JSC::Interpreter::execute(JSC::ProgramExecutable * program=0x0c2006a8, JSC::ExecState * callFrame=0x0e880ba0, JSC::ScopeChainNode * scopeChain=0x0d9a08c8, JSC::JSObject * thisObj=0x0e880b28) Line 767 + 0x25 bytes C++
JavaScriptCore.dll!JSC::evaluate(JSC::ExecState * exec=0x0e880ba0, JSC::ScopeChainNode * scopeChain=0x0d9a08c8, const JSC::SourceCode & source={...}, JSC::JSValue thisValue={...}) Line 66 C++
WebKit.dll!WebKit::NPRuntimeObjectMap::evaluate(NPObject * npObject=0x0b9debf0, const WTF::String & scriptString={try { __flash__toXML(eval("if (typeof(onTemplateLoaded) != \"undefined\") onTemplateLoaded('myExperience');")) ; } catch (e) { "<undefined/>"; }}, _NPVariant * result=0x0012c7d4) Line 196 + 0x4f bytes C++
WebKit.dll!WebKit::PluginView::evaluate(NPObject * npObject=0x0b9debf0, const WTF::String & scriptString={try { __flash__toXML(eval("if (typeof(onTemplateLoaded) != \"undefined\") onTemplateLoaded('myExperience');")) ; } catch (e) { "<undefined/>"; }}, _NPVariant * result=0x0012c7d4, bool allowPopups=false) Line 983 + 0x1a bytes C++
WebKit.dll!WebKit::NetscapePlugin::evaluate(NPObject * npObject=0x0b9debf0, const WTF::String & scriptString={try { __flash__toXML(eval("if (typeof(onTemplateLoaded) != \"undefined\") onTemplateLoaded('myExperience');")) ; } catch (e) { "<undefined/>"; }}, _NPVariant * result=0x0012c7d4) Line 215 + 0x2c bytes C++
WebKit.dll!WebKit::NPN_Evaluate(_NPP * npp=0x0d3498b4, NPObject * npObject=0x0b9debf0, _NPString * script=0x0012c7e4, _NPVariant * result=0x0012c7d4) Line 681 + 0x1b bytes C++
NPSWF32.dll!1652e947()
[Frames below may be incorrect and/or missing, no symbols loaded for NPSWF32.dll]
<many NPSWF32.dll frames omitted>
NPSWF32.dll!1653262b()
WebKit.dll!WTF::removeIterator<unsigned __int64,std::pair<unsigned __int64,RunLoop::TimerBase *>,WTF::PairFirstExtractor<std::pair<unsigned __int64,RunLoop::TimerBase *> >,WTF::IntHash<unsigned __int64>,WTF::PairHashTraits<WTF::HashTraits<unsigned __int64>,WTF::HashTraits<RunLoop::TimerBase *> >,WTF::HashTraits<unsigned __int64> >(WTF::HashTableConstIterator<unsigned __int64,std::pair<unsigned __int64,RunLoop::TimerBase *>,WTF::PairFirstExtractor<std::pair<unsigned __int64,RunLoop::TimerBase *> >,WTF::IntHash<unsigned __int64>,WTF::PairHashTraits<WTF::HashTraits<unsigned __int64>,WTF::HashTraits<RunLoop::TimerBase *> >,WTF::HashTraits<unsigned __int64> > * it=0x00070cf4) Line 1116 + 0xf bytes C++
user32.dll!_InternalCallWinProc@20() + 0x28 bytes
user32.dll!_UserCallWinProcCheckWow@32() + 0xb7 bytes
user32.dll!_DispatchMessageWorker@8() + 0xdc bytes
user32.dll!_DispatchMessageW@4() + 0xf bytes
WebKit.dll!RunLoop::run() Line 78 + 0xc bytes C++
WebKit.dll!WebKit::WebProcessMain(const WebKit::CommandLine & commandLine={...}) Line 82 C++
WebKit.dll!WebKitMain(const WebKit::CommandLine & commandLine={...}) Line 48 + 0x9 bytes C++
WebKit.dll!WebKitMain(HINSTANCE__ * hInstance=0x00400000, HINSTANCE__ * hPrevInstance=0x00000000, wchar_t * lpstrCmdLine=0x0002114c, int nCmdShow=10) Line 172 + 0x9 bytes C++
WebKit2WebProcess.exe!wWinMain(HINSTANCE__ * hInstance=0x00400000, HINSTANCE__ * hPrevInstance=0x00000000, wchar_t * lpstrCmdLine=0x0002114c, int nCmdShow=10) Line 66 + 0x18 bytes C++
WebKit2WebProcess.exe!__tmainCRTStartup() Line 589 + 0x1c bytes C
kernel32.dll!_BaseProcessStart@4() + 0x23 bytes
This seems to indicate that there is no reentrancy involved.
In JSCell::fastGetOwnPropertySlot, "this" is a WebKit::JSNPObject. I have Flash 10.2 r159 installed. Created attachment 93058 [details]
Patch
Comment on attachment 93058 [details]
Patch
Nice!
r=me
Committed r86206: <http://trac.webkit.org/changeset/86206> |