108815 – [Qt] JSC a oversize block related crash

Bug 108815 - [Qt] JSC a oversize block related crash

Summary: [Qt] JSC a oversize block related crash

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	528+ (Nightly build)
Hardware:	PC Linux

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:

Depends on:
Blocks:	QtWebkit23 103747
	Show dependency tree / graph

Reported:	2013-02-04 04:23 PST by honda
Modified:	2013-02-05 03:24 PST (History)
CC List:	3 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description honda 2013-02-04 04:23:51 PST

When accessing a gmail web site, sooner or later,  qtwebkit 2.3 related browsers (quppzila, arora, etc) crash.
Gdb said that this crash occurs in the following path:

SlotVisitor::copyLater()
m_shared.m_copiedSpace->pin(CopiedSpace::oversizeBlockFor(ptr))
CopiedBlock::pin() 
m_workList.clear() HERE!!.

Clearly memory corruptions happened in oversized blocks beofore clear() deallocation.
After some investigation, I found that the change set 138067 clearly explains its cause, and
the change sets 137961 and 138067 resolve the issue completely.

Taking the importance of these change sets into account, they are better to be included
in the current qtwebkit 2.3.

Comment 1 Allan Sandfeld Jensen 2013-02-04 05:28:33 PST

https://codereview.qt-project.org/#change,46660
and
https://codereview.qt-project.org/#change,46666

Comment 2 Allan Sandfeld Jensen 2013-02-05 03:24:13 PST

Thanks for the report. Great stuff. It has been pushed to Qt 5.0, and I will try to integrate it to QtWebKit 2.3 beta2.