Bug 78710

Summary: [Gtk][JSC] Crash (Segmentation fault) in JSC::FunctionExecutable::discardCode()
Product: WebKit Reporter: Jean Louis <une.belette>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: UNCONFIRMED
Severity: Major CC: bugs-noreply, fpizlo, ggaren, gustavo, kenneth, mrobinson, ngockhanhlam87, oliver, une.belette
Priority: P2 Keywords: Gtk
Version: 528+ (Nightly build)   
Hardware: Other   
OS: Linux   

Description Jean Louis 2012-02-15 06:24:19 PST
Hi,

I use Angstrom distribution with eglibc and libjavascriptcoregtk-1.0-0_1.7.2+svnr101488-r2 on armv7a.

I have a segmentation fault with this backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x42171f04 in JSC::CodeBlock::clearEvalCache() ()
   from /usr/lib/libjavascriptcoregtk-1.0.so.0
(gdb) bt
#0  0x42171f04 in JSC::CodeBlock::clearEvalCache() ()
   from /usr/lib/libjavascriptcoregtk-1.0.so.0
#1  0x42171f14 in JSC::CodeBlock::clearEvalCache() ()
   from /usr/lib/libjavascriptcoregtk-1.0.so.0
#2  0x4228b550 in JSC::FunctionExecutable::discardCode() ()
   from /usr/lib/libjavascriptcoregtk-1.0.so.0
#3  0x422a1f78 in JSC::JSGlobalData::recompileAllJSFunctions() ()
   from /usr/lib/libjavascriptcoregtk-1.0.so.0
#4  0x4219e8ac in JSC::Heap::collectAllGarbage() ()
   from /usr/lib/libjavascriptcoregtk-1.0.so.0
#5  0x40c8e280 in ?? () from /usr/lib/libwebkitgtk-1.0.so.0
#6  0x40c8e280 in ?? () from /usr/lib/libwebkitgtk-1.0.so.0
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) JSC::CodeBlock::clearEvalCacheQuit

I don't have more information.

I don't see any patch for this bug on the trunk branch.

Bye.
Comment 1 Jean Louis 2012-02-15 06:42:56 PST
Another backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x4228b5ac in JSC::FunctionExecutable::discardCode() ()
   from /usr/lib/libjavascriptcoregtk-1.0.so.0
(gdb) bt
#0  0x4228b5ac in JSC::FunctionExecutable::discardCode() ()
   from /usr/lib/libjavascriptcoregtk-1.0.so.0
#1  0x422a1f78 in JSC::JSGlobalData::recompileAllJSFunctions() ()
   from /usr/lib/libjavascriptcoregtk-1.0.so.0
#2  0x4219e8ac in JSC::Heap::collectAllGarbage() ()
   from /usr/lib/libjavascriptcoregtk-1.0.so.0
#3  0x40c8e280 in ?? () from /usr/lib/libwebkitgtk-1.0.so.0
#4  0x40c8e280 in ?? () from /usr/lib/libwebkitgtk-1.0.so.0
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
Comment 2 Alexey Proskuryakov 2012-02-15 10:06:50 PST
Do you have any steps to reproduce?
Comment 3 Jean Louis 2012-02-15 10:20:58 PST
(In reply to comment #2)
> Do you have any steps to reproduce?

No, sorry.

I can't give you the source code of the web application used in the browser because it is far too big, with Ajax and many other things, and I can't export it out of my company.

The bug appears after a while of navigating between multiple (big) pages.

I know it is not very helpful, but I don't have this bug with revision 72648 (v1.3.6) of libwebkitgtk.
Comment 4 Jean Louis 2012-02-15 10:49:13 PST
I see some similarities with https://bugs.webkit.org/show_bug.cgi?id=65161 .

I also use Midori as a browser.
Comment 5 Jean Louis 2012-02-16 05:14:34 PST
Hi,

I have installed the debug version of libwebkit, so I have a better trace for you:

Program received signal SIGSEGV, Segmentation fault.
JSC::CodeBlock::clearEvalCache (this=0xe1a03000)
    at Source/JavaScriptCore/bytecode/CodeBlock.cpp:2078
2078        if (!!m_alternative)
(gdb) bt
#0  JSC::CodeBlock::clearEvalCache (this=0xe1a03000)
    at Source/JavaScriptCore/bytecode/CodeBlock.cpp:2078
#1  0x42164f14 in JSC::CodeBlock::clearEvalCache (this=0x422a630c)
    at Source/JavaScriptCore/bytecode/CodeBlock.cpp:2079
#2  0x4227e550 in clearCode (this=0x4237a4e0)
    at Source/JavaScriptCore/runtime/Executable.cpp:684
#3  JSC::FunctionExecutable::discardCode (this=0x4237a4e0)
    at Source/JavaScriptCore/runtime/Executable.cpp:673
#4  0x42294f78 in operator() (this=<value optimized out>)
    at Source/JavaScriptCore/runtime/JSGlobalData.cpp:86
#5  forEachCell<<unnamed>::Recompiler> (this=<value optimized out>)
    at Source/JavaScriptCore/heap/MarkedBlock.h:319
#6  forEachCell<<unnamed>::Recompiler> (this=<value optimized out>)
    at Source/JavaScriptCore/heap/AllocationSpace.h:89
#7  forEachCell<<unnamed>::Recompiler> (this=<value optimized out>)
    at Source/JavaScriptCore/heap/AllocationSpace.h:96
#8  JSC::JSGlobalData::recompileAllJSFunctions (this=<value optimized out>)
    at Source/JavaScriptCore/runtime/JSGlobalData.cpp:453
#9  0x421918ac in JSC::Heap::collectAllGarbage (this=0x43abe6f8)
    at Source/JavaScriptCore/heap/Heap.cpp:763
#10 0x40c96280 in WebCore::collect ()
    at Source/WebCore/bindings/js/GCController.cpp:42
#11 0x40c96408 in WebCore::Timer<WebCore::GCController>::fired (
    this=<value optimized out>) at Source/WebCore/platform/Timer.h:100
#12 0x411f986c in WebCore::ThreadTimers::sharedTimerFiredInternal (this=
    0x43a9c150) at Source/WebCore/platform/ThreadTimers.cpp:115
#13 0x419960c0 in WebCore::timeout_cb ()
    at Source/WebCore/platform/gtk/SharedTimerGtk.cpp:49
#14 0x4082d984 in g_timeout_dispatch (source=0x2fd808, callback=
    0x419960a8 <WebCore::timeout_cb(gpointer)>,
    user_data=<value optimized out>) at gmain.c:3907
#15 0x4082c98c in g_main_dispatch (context=0xd9070) at gmain.c:2441
#16 g_main_context_dispatch (context=0xd9070) at gmain.c:3011
#17 0x4082cce8 in g_main_context_iterate (context=0xd9070,
    block=<value optimized out>, dispatch=1, self=<value optimized out>)
    at gmain.c:3089
#18 0x4082d368 in g_main_loop_run (loop=0x10eb18) at gmain.c:3297
#19 0x401ccc8c in IA__gtk_main () at gtkmain.c:1256
#20 0x000248d8 in main ()

Hope that helps !
Comment 6 Jean Louis 2012-02-20 00:21:27 PST
Hi,

Do you have any lead, any idea?

Can I do other tests?

Regards, JL.
Comment 7 Jean Louis 2012-03-12 05:27:48 PDT
Hi,

Do you have any lead about the fault around the line

if (!!m_alternative)

Regards, JL.
Comment 8 Filip Pizlo 2012-03-13 02:12:24 PDT
This looks vaguely like a bug that I fixed ages ago.  Am I correct to assume you're on r101488?  Can you try a more recent revision?
Comment 9 Jean Louis 2012-03-13 07:54:22 PDT
Hi Filip,

Yes, I am on r101488.

Unfortunately, I can't test a newer revision because the Angstrom distribution doesn't have a newer one (they have precompiled libraries in packages to install), and I tried but actually can't cross-compile libwebkitgtk from the git sources without errors.

Could you tell me the revision or the JSC file(s) concerned by your fix?

Regards, JL.


(In reply to comment #8)
> This looks vaguely like a bug that I fixed ages ago.  Am I correct to assume you're on r101488?  Can you try a more recent revision?