Bug 83139

Summary: [Qt] REGRESSION(r113141): All tests assert on 32 bit debug mode
Product: WebKit
Reporter: Csaba Osztrogonác <ossy>
Component: Tools / Tests
Assignee: Geoffrey Garen <ggaren>
Status: RESOLVED FIXED
Severity: Critical
CC: fpizlo, ggaren, ossy, zherczeg
Priority: P1
Keywords: Qt, QtTriaged
Version: 528+ (Nightly build)
Hardware: All
OS: All
Bug Depends on:
Bug Blocks: 79668, 82670
Attachments: Patch (flags: ggaren: review+)

Description Csaba Osztrogonác 2012-04-04 03:52:06 PDT
I'm bisecting manually which revision caused it.

Here is the gdb backtrace in debug mode:

Program received signal SIGSEGV, Segmentation fault.
0xf4cc415a in JSC::JSValue::asCell (this=0xf1158d70) at ../../../../Source/JavaScriptCore/runtime/JSValueInlineMethods.h:295
295             ASSERT(isCell());
(gdb) bt
#0  0xf4cc415a in JSC::JSValue::asCell (this=0xf1158d70) at ../../../../Source/JavaScriptCore/runtime/JSValueInlineMethods.h:295
#1  0xf4f16b36 in JSC::WeakImplAccessor<JSC::Weak<JSC::Bindings::RuntimeObject>, JSC::Bindings::RuntimeObject>::get (this=0x80f73e8) at ../../../../Source/JavaScriptCore/heap/PassWeak.h:110
#2  0xf4f1661c in JSC::Bindings::Instance::createRuntimeObject (this=0x80f73c8, exec=0xecf7fcb4) at ../../../../Source/WebCore/bridge/jsc/BridgeJSC.cpp:93
#3  0xf4cc9c2e in QWebFrame::addToJavaScriptWindowObject (this=0x81029d0, name=..., object=0x811e8d8, ownership=QScriptEngine::QtOwnership) at ../../../Source/WebKit/qt/Api/qwebframe.cpp:697
#4  0xf4cc9a73 in QWebFrame::addToJavaScriptWindowObject (this=0x81029d0, name=..., object=0x811e8d8) at ../../../Source/WebKit/qt/Api/qwebframe.cpp:649
#5  0x0805e722 in WebCore::DumpRenderTree::initJSObjects (this=0xffffd1e4) at /home/oszi/WebKit/Tools/DumpRenderTree/qt/DumpRenderTreeQt.cpp:748
#6  0x0807039c in WebCore::DumpRenderTree::qt_static_metacall (_o=0xffffd1e4, _c=QMetaObject::InvokeMetaMethod, _id=2, _a=0xffffcdbc) at moc_DumpRenderTreeQt.cpp:81
#7  0xf1ad1af4 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) () from /usr/local/Trolltech/Qt-4.8.0/lib/libQtCore.so.4
#8  0xf4ccfc03 in QWebFrame::javaScriptWindowObjectCleared (this=0x81029d0) at ./moc_qwebframe.cpp:187
#9  0xf4cc8d7a in QWebFramePrivate::didClearWindowObject (this=0x80fc900) at ../../../Source/WebKit/qt/Api/qwebframe.cpp:490
#10 0xf4d2de1c in WebCore::FrameLoaderClientQt::dispatchDidClearWindowObjectInWorld (this=0x81038c0, world=0x8108a88) at ../../../Source/WebKit/qt/WebCoreSupport/FrameLoaderClientQt.cpp:766
#11 0xf555fe07 in WebCore::FrameLoader::dispatchDidClearWindowObjectInWorld (this=0x8104754, world=0x8108a88) at ../../../../Source/WebCore/loader/FrameLoader.cpp:3145
#12 0xf4ecede2 in WebCore::ScriptController::initScript (this=0x8104a78, world=0x8108a88) at ../../../../Source/WebCore/bindings/js/ScriptController.cpp:223
#13 0xf4cc5855 in WebCore::ScriptController::windowShell (this=0x8104a78, world=0x8108a88) at ../../../Source/WebCore/bindings/js/ScriptController.h:75
#14 0xf4e6c3ba in WebCore::toJSDOMWindow (frame=0x81046e0, world=0x8108a88) at ../../../../Source/WebCore/bindings/js/JSDOMWindowBase.cpp:231
#15 0xf4d2179f in DumpRenderTreeSupportQt::resetInternalsObject (frame=0x81029d0) at ../../../Source/WebKit/qt/WebCoreSupport/DumpRenderTreeSupportQt.cpp:1186
#16 0x0805b13a in WebCore::WebPage::resetSettings (this=0xef501148) at /home/oszi/WebKit/Tools/DumpRenderTree/qt/DumpRenderTreeQt.cpp:209
#17 0x0805cdb2 in WebCore::DumpRenderTree::resetToConsistentStateBeforeTesting (this=0xffffd1e4, url=...) at /home/oszi/WebKit/Tools/DumpRenderTree/qt/DumpRenderTreeQt.cpp:533
#18 0x0805d425 in WebCore::DumpRenderTree::open (this=0xffffd1e4, url=...) at /home/oszi/WebKit/Tools/DumpRenderTree/qt/DumpRenderTreeQt.cpp:596
#19 0x0805e4d0 in WebCore::DumpRenderTree::processLine (this=0xffffd1e4, input=...) at /home/oszi/WebKit/Tools/DumpRenderTree/qt/DumpRenderTreeQt.cpp:726
#20 0x0805de56 in WebCore::DumpRenderTree::processArgsLine (this=0xffffd1e4, args=...) at /home/oszi/WebKit/Tools/DumpRenderTree/qt/DumpRenderTreeQt.cpp:676
#21 0x08070048 in main (argc=2, argv=0xffffd384) at /home/oszi/WebKit/Tools/DumpRenderTree/qt/main.cpp:252
Comment 1 Csaba Osztrogonác 2012-04-04 04:32:31 PDT
I got it with manual bisecting, http://trac.webkit.org/changeset/113141 is the culprit.

Could you check and fix it, please?
Comment 2 Geoffrey Garen 2012-04-04 09:02:32 PDT
Looks like there's a mismatch between how 32-bit and 64-bit treat JSValue(nullptr). Working on a fix...
Comment 3 Geoffrey Garen 2012-04-04 10:11:43 PDT
Created attachment 135617 [details]
Patch
Comment 4 Geoffrey Garen 2012-04-04 10:12:18 PDT
Comment on attachment 135617 [details]
Patch

Sam reviewed this.
Comment 5 Geoffrey Garen 2012-04-04 10:17:37 PDT
Committed r113209: <http://trac.webkit.org/changeset/113209>