Bug 119141 - REGRESSION(FTL?): Crashes in plugin tests
Summary: REGRESSION(FTL?): Crashes in plugin tests
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P1 Critical
Assignee: Oliver Hunt
URL:
Keywords: Gtk, InRadar, LayoutTestFailure, Regression
Depends on:
Blocks:
 
Reported: 2013-07-26 04:35 PDT by Zan Dobersek
Modified: 2013-07-26 14:20 PDT

See Also:


Attachments
Patch (16.01 KB, patch)
2013-07-26 14:00 PDT, Oliver Hunt
msaboff: review+

Description Zan Dobersek 2013-07-26 04:35:47 PDT
There are assertions appearing in plugin tests on at least the GTK and Qt builders. These started to appear during/after the FTL merging.
The assertions occur in ScriptCallStack::at, due to the ScriptCallFrame vector being empty.
http://trac.webkit.org/browser/trunk/Source/WebCore/inspector/ScriptCallStack.cpp#L55

Crash log for DumpRenderTree (pid 15884):

[New LWP 15884]
[New LWP 15906]
[New LWP 15908]
[New LWP 15907]
[New LWP 15910]
[New LWP 15909]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/home/slave/webkitgtk/gtk-linux-64-debug-wk1/build/WebKitBuild/Debug/Programs/D'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007ff5156a8349 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:339
339	    *(int *)(uintptr_t)0xbbadbeef = 0;

...

Thread 1 (Thread 0x7ff504fef900 (LWP 15884)):
#0  0x00007ff5156a8349 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:339
#1  0x00007ff5115efcc2 in WebCore::ScriptCallStack::at (this=0x25e2980, index=0) at ../../Source/WebCore/inspector/ScriptCallStack.cpp:55
#2  0x00007ff5116fbf83 in WebCore::internalAddMessage (page=0x1edbf00, type=WebCore::LogMessageType, level=WebCore::LogMessageLevel, state=0x7ff4c1a0f060, prpArguments=..., acceptNoArguments=false, printTrace=false) at ../../Source/WebCore/page/Console.cpp:80
#3  0x00007ff5116fc510 in WebCore::Console::log (this=0x1ea2810, state=0x7ff4c1a0f060, arguments=...) at ../../Source/WebCore/page/Console.cpp:131
#4  0x00007ff511b4742a in WebCore::jsConsolePrototypeFunctionLog (exec=0x7ff4c1a0f060) at DerivedSources/WebCore/JSConsole.cpp:208
#5  0x00007ff5154d50b9 in JSC::Interpreter::executeCall (this=0x2560a60, callFrame=0x7ff4c116f8e0, function=0x7ff4c10cedf0, callType=JSC::CallTypeHost, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:934
#6  0x00007ff5155af633 in JSC::call (exec=0x7ff4c116f8e0, functionObject=..., callType=JSC::CallTypeHost, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/runtime/CallData.cpp:39
#7  0x00007ff510ff34e2 in _NPN_Invoke (npp=0x25ddd48, o=0x25e1570, methodName=0x25e0650, args=0x7fff10341f10, argCount=1, result=0x7fff10341ef0) at ../../Source/WebCore/bridge/NP_jsobject.cpp:237
#8  0x00007ff4c3678542 in pluginLogWithWindowObject (windowObject=0x25e1240, instance=0x25ddd48, message=0x7fff10341f90 "PLUGIN: NPP_SetWindow: 800 200") at ../../Tools/DumpRenderTree/TestNetscapePlugIn/PluginObject.cpp:53
#9  0x00007ff4c36786f7 in pluginLogWithArguments (instance=0x25ddd48, format=0x7ff4c3680392 "NPP_SetWindow: %d %d", args=0x7fff103427d8) at ../../Tools/DumpRenderTree/TestNetscapePlugIn/PluginObject.cpp:78
#10 0x00007ff4c36787b9 in pluginLog (instance=0x25ddd48, format=0x7ff4c3680392 "NPP_SetWindow: %d %d") at ../../Tools/DumpRenderTree/TestNetscapePlugIn/PluginObject.cpp:87
#11 0x00007ff4c367d3fd in NPP_SetWindow (instance=0x25ddd48, window=0x25ddd58) at ../../Tools/DumpRenderTree/TestNetscapePlugIn/main.cpp:352
#12 0x00007ff512134f90 in WebCore::PluginView::setNPWindowIfNeeded (this=0x25ddb10) at ../../Source/WebCore/plugins/gtk/PluginViewGtk.cpp:520
#13 0x00007ff512133743 in WebCore::PluginView::updatePluginWidget (this=0x25ddb10) at ../../Source/WebCore/plugins/gtk/PluginViewGtk.cpp:152
#14 0x00007ff5121362bb in WebCore::PluginView::platformStart (this=0x25ddb10) at ../../Source/WebCore/plugins/gtk/PluginViewGtk.cpp:876
#15 0x00007ff5117bd979 in WebCore::PluginView::start (this=0x25ddb10) at ../../Source/WebCore/plugins/PluginView.cpp:274
#16 0x00007ff5117bd59b in WebCore::PluginView::startOrAddToUnstartedList (this=0x25ddb10) at ../../Source/WebCore/plugins/PluginView.cpp:231
#17 0x00007ff5117bd4a9 in WebCore::PluginView::init (this=0x25ddb10) at ../../Source/WebCore/plugins/PluginView.cpp:209
#18 0x00007ff512134c40 in WebCore::PluginView::setParent (this=0x25ddb10, parent=0x1ef6b40) at ../../Source/WebCore/plugins/gtk/PluginViewGtk.cpp:468
#19 0x00007ff511f1a95f in WebCore::ScrollView::addChild (this=0x1ef6b40, prpChild=...) at ../../Source/WebCore/platform/ScrollView.cpp:72
#20 0x00007ff5119c90bf in WebCore::moveWidgetToParentSoon (child=0x25ddb10, parent=0x1ef6b40) at ../../Source/WebCore/rendering/RenderWidget.cpp:81
#21 0x00007ff5119c9a76 in WebCore::RenderWidget::setWidget (this=0x25d22d8, widget=...) at ../../Source/WebCore/rendering/RenderWidget.cpp:213
#22 0x00007ff511966cc8 in WebCore::RenderPart::setWidget (this=0x25d22d8, widget=...) at ../../Source/WebCore/rendering/RenderPart.cpp:57
#23 0x00007ff5116c2fbd in WebCore::SubframeLoader::loadPlugin (this=0x1ee61d8, pluginElement=0x25ae110, url=..., mimeType=..., paramNames=..., paramValues=..., useFallback=false) at ../../Source/WebCore/loader/SubframeLoader.cpp:465
#24 0x00007ff5116c184b in WebCore::SubframeLoader::requestPlugin (this=0x1ee61d8, ownerElement=0x25ae110, url=..., mimeType=..., paramNames=..., paramValues=..., useFallback=false) at ../../Source/WebCore/loader/SubframeLoader.cpp:160
#25 0x00007ff5116c1ed4 in WebCore::SubframeLoader::requestObject (this=0x1ee61d8, ownerElement=0x25ae110, url=..., frameName=..., mimeType=..., paramNames=..., paramValues=...) at ../../Source/WebCore/loader/SubframeLoader.cpp:235
#26 0x00007ff5113f6434 in WebCore::HTMLEmbedElement::updateWidget (this=0x25ae110, pluginCreationOption=WebCore::CreateAnyWidgetType) at ../../Source/WebCore/html/HTMLEmbedElement.cpp:170
#27 0x00007ff511758e3a in WebCore::FrameView::updateWidget (this=0x1ef6b40, object=0x25d22d8) at ../../Source/WebCore/page/FrameView.cpp:2685
#28 0x00007ff511759087 in WebCore::FrameView::updateWidgets (this=0x1ef6b40) at ../../Source/WebCore/page/FrameView.cpp:2725
#29 0x00007ff511759452 in WebCore::FrameView::performPostLayoutTasks (this=0x1ef6b40) at ../../Source/WebCore/page/FrameView.cpp:2800
#30 0x00007ff51175429f in WebCore::FrameView::layout (this=0x1ef6b40, allowSubtree=true) at ../../Source/WebCore/page/FrameView.cpp:1380
#31 0x00007ff5111b8956 in WebCore::Document::implicitClose (this=0x2570340) at ../../Source/WebCore/dom/Document.cpp:2454
#32 0x00007ff511675eb9 in WebCore::FrameLoader::checkCallImplicitClose (this=0x1ee61b0) at ../../Source/WebCore/loader/FrameLoader.cpp:844
#33 0x00007ff511675c24 in WebCore::FrameLoader::checkCompleted (this=0x1ee61b0) at ../../Source/WebCore/loader/FrameLoader.cpp:787
#34 0x00007ff511675962 in WebCore::FrameLoader::finishedParsing (this=0x1ee61b0) at ../../Source/WebCore/loader/FrameLoader.cpp:720
#35 0x00007ff5111bfc2d in WebCore::Document::finishedParsing (this=0x2570340) at ../../Source/WebCore/dom/Document.cpp:4417
#36 0x00007ff511475e35 in WebCore::HTMLConstructionSite::finishedParsing (this=0x254a518) at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:348
#37 0x00007ff5114a9f67 in WebCore::HTMLTreeBuilder::finished (this=0x254a500) at ../../Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2926
#38 0x00007ff51147cebe in WebCore::HTMLDocumentParser::end (this=0x25487a0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:756
#39 0x00007ff51147cfab in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x25487a0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:767
#40 0x00007ff51147bbe2 in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x25487a0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:211
#41 0x00007ff51147cfee in WebCore::HTMLDocumentParser::attemptToEnd (this=0x25487a0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:779
#42 0x00007ff51147d0a5 in WebCore::HTMLDocumentParser::finish (this=0x25487a0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:828
#43 0x00007ff51166e321 in WebCore::DocumentWriter::end (this=0x254ac50) at ../../Source/WebCore/loader/DocumentWriter.cpp:248
#44 0x00007ff51165ed18 in WebCore::DocumentLoader::finishedLoading (this=0x254abb0, finishTime=0) at ../../Source/WebCore/loader/DocumentLoader.cpp:402
#45 0x00007ff51165ea86 in WebCore::DocumentLoader::notifyFinished (this=0x254abb0, resource=0x2564ae0) at ../../Source/WebCore/loader/DocumentLoader.cpp:344
#46 0x00007ff511642c7a in WebCore::CachedResource::checkNotify (this=0x2564ae0) at ../../Source/WebCore/loader/cache/CachedResource.cpp:369
#47 0x00007ff511642d50 in WebCore::CachedResource::finishLoading (this=0x2564ae0) at ../../Source/WebCore/loader/cache/CachedResource.cpp:385
#48 0x00007ff51163f85c in WebCore::CachedRawResource::finishLoading (this=0x2564ae0, data=0x256b020) at ../../Source/WebCore/loader/cache/CachedRawResource.cpp:94
#49 0x00007ff5116c44b4 in WebCore::SubresourceLoader::didFinishLoading (this=0x2565050, finishTime=0) at ../../Source/WebCore/loader/SubresourceLoader.cpp:282
#50 0x00007ff5116bab47 in WebCore::ResourceLoader::didFinishLoading (this=0x2565050, finishTime=0) at ../../Source/WebCore/loader/ResourceLoader.cpp:488
#51 0x00007ff511f0fe52 in WebCore::readCallback (asyncResult=0x256a9f0, data=0x254c6e0) at ../../Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1331
#52 0x00007ff50fcd0eb8 in async_ready_callback_wrapper () from /home/slave/webkitgtk/gtk-linux-64-debug-wk1/build/WebKitBuild/Dependencies/Root/lib64/libgio-2.0.so.0
#53 0x00007ff50fcfd22e in g_task_return_now () from /home/slave/webkitgtk/gtk-linux-64-debug-wk1/build/WebKitBuild/Dependencies/Root/lib64/libgio-2.0.so.0
#54 0x00007ff50fcfd258 in complete_in_idle_cb () from /home/slave/webkitgtk/gtk-linux-64-debug-wk1/build/WebKitBuild/Dependencies/Root/lib64/libgio-2.0.so.0
#55 0x00007ff50fb1f70c in g_idle_dispatch () from /home/slave/webkitgtk/gtk-linux-64-debug-wk1/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#56 0x00007ff50fb1cfb1 in g_main_dispatch () from /home/slave/webkitgtk/gtk-linux-64-debug-wk1/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#57 0x00007ff50fb1dd08 in g_main_context_dispatch () from /home/slave/webkitgtk/gtk-linux-64-debug-wk1/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#58 0x00007ff50fb1defa in g_main_context_iterate () from /home/slave/webkitgtk/gtk-linux-64-debug-wk1/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#59 0x00007ff50fb1e323 in g_main_loop_run () from /home/slave/webkitgtk/gtk-linux-64-debug-wk1/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#60 0x00007ff510447fcf in gtk_main () from /home/slave/webkitgtk/gtk-linux-64-debug-wk1/build/WebKitBuild/Dependencies/Root/lib64/libgtk-3.so.0
#61 0x00000000004a1e4f in runTest (inputLine=...) at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:769
#62 0x00000000004a151e in runTestingServerLoop () at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:552
#63 0x00000000004a4855 in main (argc=2, argv=0x7fff10344558) at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:1519
Comment 1 Csaba Osztrogonác 2013-07-26 04:44:47 PDT
https://trac.webkit.org/changeset/153218 touched the ScriptCallStack code, so maybe r153218 caused this regression.
Comment 2 Csaba Osztrogonác 2013-07-26 05:19:11 PDT
Maybe there would be the same crashes on Mac and EFL too ... but plugin tests are skipped on these platforms:
- Mac: https://bugs.webkit.org/show_bug.cgi?id=113915

Oh, I see that only EFL-WK1 skips plugin tests; they crash on EFL-WK2 too: http://build.webkit.org/results/EFL%20Linux%2064-bit%20Release%20WK2/r153370%20%289733%29/results.html
Comment 3 Geoffrey Garen 2013-07-26 12:17:42 PDT
Until we figure out Bug 113915, I think the right fix is to disable those tests.
Comment 4 Geoffrey Garen 2013-07-26 12:22:01 PDT
Actually, Oliver pointed out that this crash is distinct from the crashes caused by linking LLVM. We just didn't see it before because the plug-in tests were disabled.
Comment 5 Geoffrey Garen 2013-07-26 12:22:16 PDT
<rdar://problem/14562843>
Comment 6 Zan Dobersek 2013-07-26 12:32:33 PDT
Was actually just debugging this.

In WebCore::createScriptCallStack(JSC::ExecState*, size_t), the call frame stack consists only of the console.log frame (i.e. 'log@[native code]'). However, this frame is stepped over in the for loop initialization [1], causing the returned call frame vector to be empty.

[1] http://trac.webkit.org/browser/trunk/Source/WebCore/bindings/js/ScriptCallStackFactory.cpp#L83
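Added example, not WebKit's code and not the change committed in r153383: a constructed C++ model of the stack walk comment 6 describes, using hypothetical names and frame lists, showing why a stack that holds only the native console.log frame comes back empty and how the consumer side can guard the at(0) access that asserted in the trace.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Constructed stand-in for the JS call frame stack; frames[0] is the
// top-most frame. Not WebKit's CallFrame/StackIterator types.
typedef std::vector<std::string> FrameList;

// Model of the walk from comment 6: the loop initialization steps over the
// top frame (the native console.log frame) before recording anything, so a
// stack made of that frame alone produces an empty result.
FrameList buildStackSkippingTopFrame(const FrameList& frames, size_t maxStackSize)
{
    FrameList result;
    for (size_t i = 1; i < frames.size() && result.size() < maxStackSize; ++i)
        result.push_back(frames[i]);
    return result;
}

// Bounds-checked counterpart of the ScriptCallStack::at(0) call made from
// Console.cpp in the trace: an empty stack yields null instead of an assertion.
const std::string* frameAt(const FrameList& stack, size_t index)
{
    if (index >= stack.size())
        return 0;
    return &stack[index];
}

// Consumer-side guard: report the calling frame, or a marker when the walk
// recorded nothing (the plug-in case, where native code invoked console.log).
std::string callerOf(const FrameList& frames)
{
    FrameList stack = buildStackSkippingTopFrame(frames, 10);
    const std::string* top = frameAt(stack, 0);
    return top ? *top : std::string("<no caller frame>");
}

// Constructed input for the plug-in case: NPN_Invoke calls console.log
// directly, so the only frame on the stack is the native log frame.
FrameList makePluginStack()
{
    return FrameList(1, "log@[native code]");
}

// Constructed input for the usual page-script case.
FrameList makeScriptStack()
{
    FrameList frames;
    frames.push_back("log@[native code]");
    frames.push_back("report");
    frames.push_back("global code");
    return frames;
}
```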
Comment 7 Oliver Hunt 2013-07-26 13:05:21 PDT
Working through this one right now
Comment 8 Oliver Hunt 2013-07-26 14:00:27 PDT
Created attachment 207552 [details]
Patch
Comment 9 Oliver Hunt 2013-07-26 14:20:09 PDT
Committed r153383: <http://trac.webkit.org/changeset/153383>