Bug 119803 - [Windows] html5test.com Crashes WebKit (JSC Stacktrace)
Summary: [Windows] html5test.com Crashes WebKit (JSC Stacktrace)
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on: 119812
Blocks:
Reported: 2013-08-14 10:30 PDT by Brent Fulgham
Modified: 2013-11-18 10:33 PST

See Also:
Description Brent Fulgham 2013-08-14 10:30:47 PDT
Visiting the website http://html5test.com using WinLauncher on Windows crashes with the following stacktrace:

In release we crash as follows:

>	JavaScriptCore.dll!JSC::JSCell::methodTable()  Line 157	C++
 	JavaScriptCore.dll!JSC::errorDescriptionForValue(JSC::ExecState * exec, JSC::JSValue v)  Line 110 + 0x8 bytes	C++
 	JavaScriptCore.dll!JSC::createError(JSC::ExecState * exec, JSC::JSObject * (JSC::ExecState *, const WTF::String &)* errorFactory, JSC::JSValue value, const WTF::String & message)  Line 115 + 0x24 bytes	C++
 	JavaScriptCore.dll!JSC::createNotAnObjectError(JSC::ExecState * exec, JSC::JSValue value)  Line 139 + 0x28 bytes	C++
 	JavaScriptCore.dll!JSC::JSValue::synthesizePrototype(JSC::ExecState * exec)  Line 111 + 0xe bytes	C++
 	JavaScriptCore.dll!JSC::JSValue::get(JSC::ExecState * exec, JSC::PropertyName propertyName, JSC::PropertySlot & slot)  Line 637	C++
 	JavaScriptCore.dll!JSC::getByVal(JSC::ExecState * callFrame, JSC::JSValue baseValue, JSC::JSValue subscript, JSC::ReturnAddressPtr returnAddress)  Line 1544 + 0x2b bytes	C++
 	JavaScriptCore.dll!cti_op_get_by_val_generic(void * * args)  Line 1605	C++
 	0b8307d0()	
 	JavaScriptCore.dll!JSC::JITCode::execute(JSC::JSStack * stack, JSC::ExecState * callFrame, JSC::VM * vm)  Line 46 + 0x20 bytes	C++
 	JavaScriptCore.dll!JSC::Interpreter::execute(JSC::ProgramExecutable * program, JSC::ExecState * callFrame, JSC::JSObject * thisObj)  Line 851 + 0x2d bytes	C++
 	JavaScriptCore.dll!JSC::evaluate(JSC::ExecState * exec, const JSC::SourceCode & source, JSC::JSValue thisValue, JSC::JSValue * returnedException)  Line 85	C++
 	WebKit.dll!WebCore::JSMainThreadExecState::evaluate(JSC::ExecState * exec, const JSC::SourceCode & source, JSC::JSValue thisValue, JSC::JSValue * exception)  Line 74 + 0x1b bytes	C++
 	WebKit.dll!WebCore::ScriptController::evaluateInWorld(const WebCore::ScriptSourceCode & sourceCode, WebCore::DOMWrapperWorld * world)  Line 142 + 0x34 bytes	C++
 	WebKit.dll!WebCore::ScriptController::evaluate(const WebCore::ScriptSourceCode & sourceCode)  Line 158 + 0x40 bytes	C++
 	WebKit.dll!WebCore::ScriptElement::executeScript(const WebCore::ScriptSourceCode & sourceCode)  Line 316 + 0x16 bytes	C++
 	WebKit.dll!WebCore::ScriptRunner::timerFired(WebCore::Timer<WebCore::ScriptRunner> * timer)  Line 121 + 0x2a5 bytes	C++
 	WebKit.dll!WebCore::Timer<WebCore::Settings>::fired()  Line 114 + 0xb bytes	C++
 	WebKit.dll!WebCore::ThreadTimers::sharedTimerFiredInternal()  Line 132	C++
 	WebKit.dll!WebCore::TimerWindowWndProc(HWND__ * hWnd, unsigned int message, unsigned int wParam, long lParam)  Line 111	C++
 	user32.dll!_InternalCallWinProc@20()  + 0x23 bytes	
 	user32.dll!_UserCallWinProcCheckWow@36()  + 0xbd bytes	
 	user32.dll!_DispatchMessageWorker@8()  + 0xf8 bytes	
 	user32.dll!_DispatchMessageW@4()  + 0x10 bytes	
 	CoreFoundation.dll!__CFRunLoopRun(__CFRunLoop * rl, __CFRunLoopMode * rlm, double seconds, unsigned char stopAfterHandle, __CFRunLoopMode * previousMode)  Line 42292	C++
 	CoreFoundation.dll!CFRunLoopRunSpecific(__CFRunLoop * rl, const __CFString * modeName, double seconds, unsigned char returnAfterSourceHandled)  Line 42413 + 0x12 bytes	C++
 	CoreFoundation.dll!CFRunLoopRun()  Line 42440 + 0x1d bytes	C++
 	WinLauncher.dll!dllLauncherEntryPoint(HINSTANCE__ * __formal, HINSTANCE__ * __formal, HINSTANCE__ * __formal, int nCmdShow)  Line 456	C++
 	WinLauncher.exe!004018b8() 	
 	[Frames below may be incorrect and/or missing, no symbols loaded for WinLauncher.exe]	
 	msvcr100.dll!_free()  + 0x1c bytes	
 	msvcr100.dll!__wsetenvp()  + 0xa2 bytes	
 	msvcr100.dll!___wgetmainargs()  + 0x53 bytes	
 	WinLauncher.exe!004024c9() 	
 	WinLauncher.exe!00402636() 	
 	kernel32.dll!@BaseThreadInitThunk@12()  + 0xe bytes	
 	ntdll.dll!___RtlUserThreadStart@8()  + 0x27 bytes	
 	ntdll.dll!__RtlUserThreadStart@8()  + 0x1b bytes	


In debug we hit this assert:

>	WTF.dll!WTFCrash()  Line 342	C++
 	JavaScriptCore.dll!JSC::JSValue::synthesizePrototype(JSC::ExecState * exec)  Line 110 + 0x3a bytes	C++
 	JavaScriptCore.dll!JSC::JSValue::get(JSC::ExecState * exec, JSC::PropertyName propertyName, JSC::PropertySlot & slot)  Line 636 + 0xc bytes	C++
 	JavaScriptCore.dll!JSC::JSValue::get(JSC::ExecState * exec, JSC::PropertyName propertyName)  Line 625 + 0x18 bytes	C++
 	JavaScriptCore.dll!JSC::getByVal(JSC::ExecState * callFrame, JSC::JSValue baseValue, JSC::JSValue subscript, JSC::ReturnAddressPtr returnAddress)  Line 1544 + 0x1c bytes	C++
 	JavaScriptCore.dll!cti_op_get_by_val_generic(void * * args)  Line 1604 + 0x21 bytes	C++
 	JavaScriptCore.dll!@cti_handle_watchdog_timer@4()  + 0xef bytes	C++
 	JavaScriptCore.dll!JSC::JITCode::execute(JSC::JSStack * stack, JSC::ExecState * callFrame, JSC::VM * vm)  Line 46 + 0x1e bytes	C++
 	JavaScriptCore.dll!JSC::Interpreter::execute(JSC::ProgramExecutable * program, JSC::ExecState * callFrame, JSC::JSObject * thisObj)  Line 851 + 0x36 bytes	C++
 	JavaScriptCore.dll!JSC::evaluate(JSC::ExecState * exec, const JSC::SourceCode & source, JSC::JSValue thisValue, JSC::JSValue * returnedException)  Line 85	C++
 	WebKit.dll!WebCore::JSMainThreadExecState::evaluate(JSC::ExecState * exec, const JSC::SourceCode & source, JSC::JSValue thisValue, JSC::JSValue * exception)  Line 74 + 0x1e bytes	C++
 	WebKit.dll!WebCore::ScriptController::evaluateInWorld(const WebCore::ScriptSourceCode & sourceCode, WebCore::DOMWrapperWorld * world)  Line 142 + 0x23 bytes	C++
 	WebKit.dll!WebCore::ScriptController::evaluate(const WebCore::ScriptSourceCode & sourceCode)  Line 158 + 0x16 bytes	C++
 	WebKit.dll!WebCore::ScriptElement::executeScript(const WebCore::ScriptSourceCode & sourceCode)  Line 316 + 0x17 bytes	C++
 	WebKit.dll!WebCore::ScriptElement::execute(WebCore::CachedScript * cachedScript)  Line 337 + 0x15 bytes	C++
 	WebKit.dll!WebCore::ScriptRunner::timerFired(WebCore::Timer<WebCore::ScriptRunner> * timer)  Line 122	C++
 	WebKit.dll!WebCore::Timer<WebCore::PingLoader>::fired()  Line 114 + 0x19 bytes	C++
 	WebKit.dll!WebCore::ThreadTimers::sharedTimerFiredInternal()  Line 132	C++
 	WebKit.dll!WebCore::ThreadTimers::sharedTimerFired()  Line 106	C++
 	WebKit.dll!WebCore::TimerWindowWndProc(HWND__ * hWnd, unsigned int message, unsigned int wParam, long lParam)  Line 99 + 0x6 bytes	C++
 	user32.dll!_InternalCallWinProc@20()  + 0x23 bytes	
 	user32.dll!_UserCallWinProcCheckWow@36()  + 0xbd bytes	
 	user32.dll!_DispatchMessageWorker@8()  + 0xf8 bytes	
 	user32.dll!_DispatchMessageW@4()  + 0x10 bytes	
 	CoreFoundation.dll!__CFRunLoopRun(__CFRunLoop * rl, __CFRunLoopMode * rlm, double seconds, unsigned char stopAfterHandle, __CFRunLoopMode * previousMode)  Line 42292	C++
 	CoreFoundation.dll!CFRunLoopRunSpecific(__CFRunLoop * rl, const __CFString * modeName, double seconds, unsigned char returnAfterSourceHandled)  Line 42413 + 0x12 bytes	C++
 	CoreFoundation.dll!CFRunLoopRun()  Line 42440 + 0x1d bytes	C++
 	WinLauncher.dll!dllLauncherEntryPoint(HINSTANCE__ * __formal, HINSTANCE__ * __formal, HINSTANCE__ * __formal, int nCmdShow)  Line 456	C++
 	WinLauncher.exe!004012ca() 	
 	[Frames below may be incorrect and/or missing, no symbols loaded for WinLauncher.exe]	
 	ntdll.dll!_RtlpHeapAddListEntry@24()  + 0xc16 bytes	
 	ntdll.dll!@RtlpFreeHeap@16()  + 0x20c bytes
Comment 1 Radar WebKit Bug Importer 2013-08-14 10:31:21 PDT
<rdar://problem/14736881>
Comment 2 Saleem Abdulrasool 2013-08-20 23:35:31 PDT
Reproduces with WebKit(GTK+) 2.1.4 on Linux.
Comment 3 Eduardo Lima Mitev 2013-09-13 03:15:58 PDT
I get a similar stack trace 100% of the time while browsing http://2012.beercamp.com on ARM Linux, with WebKitGTK 2.1.4:

#0  0xb5dab09c in JSC::errorDescriptionForValue(JSC::ExecState*, JSC::JSValue) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#1  0xb5dab5ae in JSC::createError(JSC::ExecState*, JSC::JSObject* (*)(JSC::ExecState*, WTF::String const&), JSC::JSValue, WTF::String const&) ()
   from /usr/lib/libjavascriptcoregtk-3.0.so.0
#2  0xb5dab668 in JSC::createNotAnObjectError(JSC::ExecState*, JSC::JSValue) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#3  0xb5df72f8 in JSC::JSValue::synthesizePrototype(JSC::ExecState*) const () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#4  0xb5c8a316 in JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#5  0xb5d1f500 in JSC::getByVal(JSC::ExecState*, JSC::JSValue, JSC::JSValue, JSC::ReturnAddressPtr) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#6  0xb5d22bbc in JITStubThunked_op_get_by_val_generic () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#7  0xb5d1ef28 in cti_op_get_by_val_generic () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#8  0xa872f8a0 in ?? ()
#9  0xa872f8a0 in ?? ()

Sorry about the missing symbols; I have not managed to get a build with full symbols yet.
Comment 4 Brent Fulgham 2013-11-18 10:33:38 PST
This crash was corrected by other JSC work.