RESOLVED FIXED 119803
[Windows] html5test.com Crashes WebKit (JSC Stacktrace)
https://bugs.webkit.org/show_bug.cgi?id=119803
Brent Fulgham
Reported 2013-08-14 10:30:47 PDT
Visiting the website http://html5test.com using WinLauncher on Windows crashes with the following stack trace.

In release we crash as follows:

> JavaScriptCore.dll!JSC::JSCell::methodTable() Line 157 C++
> JavaScriptCore.dll!JSC::errorDescriptionForValue(JSC::ExecState * exec, JSC::JSValue v) Line 110 + 0x8 bytes C++
> JavaScriptCore.dll!JSC::createError(JSC::ExecState * exec, JSC::JSObject * (JSC::ExecState *, const WTF::String &)* errorFactory, JSC::JSValue value, const WTF::String & message) Line 115 + 0x24 bytes C++
> JavaScriptCore.dll!JSC::createNotAnObjectError(JSC::ExecState * exec, JSC::JSValue value) Line 139 + 0x28 bytes C++
> JavaScriptCore.dll!JSC::JSValue::synthesizePrototype(JSC::ExecState * exec) Line 111 + 0xe bytes C++
> JavaScriptCore.dll!JSC::JSValue::get(JSC::ExecState * exec, JSC::PropertyName propertyName, JSC::PropertySlot & slot) Line 637 C++
> JavaScriptCore.dll!JSC::getByVal(JSC::ExecState * callFrame, JSC::JSValue baseValue, JSC::JSValue subscript, JSC::ReturnAddressPtr returnAddress) Line 1544 + 0x2b bytes C++
> JavaScriptCore.dll!cti_op_get_by_val_generic(void * * args) Line 1605 C++
> 0b8307d0()
> JavaScriptCore.dll!JSC::JITCode::execute(JSC::JSStack * stack, JSC::ExecState * callFrame, JSC::VM * vm) Line 46 + 0x20 bytes C++
> JavaScriptCore.dll!JSC::Interpreter::execute(JSC::ProgramExecutable * program, JSC::ExecState * callFrame, JSC::JSObject * thisObj) Line 851 + 0x2d bytes C++
> JavaScriptCore.dll!JSC::evaluate(JSC::ExecState * exec, const JSC::SourceCode & source, JSC::JSValue thisValue, JSC::JSValue * returnedException) Line 85 C++
> WebKit.dll!WebCore::JSMainThreadExecState::evaluate(JSC::ExecState * exec, const JSC::SourceCode & source, JSC::JSValue thisValue, JSC::JSValue * exception) Line 74 + 0x1b bytes C++
> WebKit.dll!WebCore::ScriptController::evaluateInWorld(const WebCore::ScriptSourceCode & sourceCode, WebCore::DOMWrapperWorld * world) Line 142 + 0x34 bytes C++
> WebKit.dll!WebCore::ScriptController::evaluate(const WebCore::ScriptSourceCode & sourceCode) Line 158 + 0x40 bytes C++
> WebKit.dll!WebCore::ScriptElement::executeScript(const WebCore::ScriptSourceCode & sourceCode) Line 316 + 0x16 bytes C++
> WebKit.dll!WebCore::ScriptRunner::timerFired(WebCore::Timer<WebCore::ScriptRunner> * timer) Line 121 + 0x2a5 bytes C++
> WebKit.dll!WebCore::Timer<WebCore::Settings>::fired() Line 114 + 0xb bytes C++
> WebKit.dll!WebCore::ThreadTimers::sharedTimerFiredInternal() Line 132 C++
> WebKit.dll!WebCore::TimerWindowWndProc(HWND__ * hWnd, unsigned int message, unsigned int wParam, long lParam) Line 111 C++
> user32.dll!_InternalCallWinProc@20() + 0x23 bytes
> user32.dll!_UserCallWinProcCheckWow@36() + 0xbd bytes
> user32.dll!_DispatchMessageWorker@8() + 0xf8 bytes
> user32.dll!_DispatchMessageW@4() + 0x10 bytes
> CoreFoundation.dll!__CFRunLoopRun(__CFRunLoop * rl, __CFRunLoopMode * rlm, double seconds, unsigned char stopAfterHandle, __CFRunLoopMode * previousMode) Line 42292 C++
> CoreFoundation.dll!CFRunLoopRunSpecific(__CFRunLoop * rl, const __CFString * modeName, double seconds, unsigned char returnAfterSourceHandled) Line 42413 + 0x12 bytes C++
> CoreFoundation.dll!CFRunLoopRun() Line 42440 + 0x1d bytes C++
> WinLauncher.dll!dllLauncherEntryPoint(HINSTANCE__ * __formal, HINSTANCE__ * __formal, HINSTANCE__ * __formal, int nCmdShow) Line 456 C++
> WinLauncher.exe!004018b8()
> [Frames below may be incorrect and/or missing, no symbols loaded for WinLauncher.exe]
> msvcr100.dll!_free() + 0x1c bytes
> msvcr100.dll!__wsetenvp() + 0xa2 bytes
> msvcr100.dll!___wgetmainargs() + 0x53 bytes
> WinLauncher.exe!004024c9()
> WinLauncher.exe!00402636()
> kernel32.dll!@BaseThreadInitThunk@12() + 0xe bytes
> ntdll.dll!___RtlUserThreadStart@8() + 0x27 bytes
> ntdll.dll!__RtlUserThreadStart@8() + 0x1b bytes

In debug we hit this assert:

> WTF.dll!WTFCrash() Line 342 C++
> JavaScriptCore.dll!JSC::JSValue::synthesizePrototype(JSC::ExecState * exec) Line 110 + 0x3a bytes C++
> JavaScriptCore.dll!JSC::JSValue::get(JSC::ExecState * exec, JSC::PropertyName propertyName, JSC::PropertySlot & slot) Line 636 + 0xc bytes C++
> JavaScriptCore.dll!JSC::JSValue::get(JSC::ExecState * exec, JSC::PropertyName propertyName) Line 625 + 0x18 bytes C++
> JavaScriptCore.dll!JSC::getByVal(JSC::ExecState * callFrame, JSC::JSValue baseValue, JSC::JSValue subscript, JSC::ReturnAddressPtr returnAddress) Line 1544 + 0x1c bytes C++
> JavaScriptCore.dll!cti_op_get_by_val_generic(void * * args) Line 1604 + 0x21 bytes C++
> JavaScriptCore.dll!@cti_handle_watchdog_timer@4() + 0xef bytes C++
> JavaScriptCore.dll!JSC::JITCode::execute(JSC::JSStack * stack, JSC::ExecState * callFrame, JSC::VM * vm) Line 46 + 0x1e bytes C++
> JavaScriptCore.dll!JSC::Interpreter::execute(JSC::ProgramExecutable * program, JSC::ExecState * callFrame, JSC::JSObject * thisObj) Line 851 + 0x36 bytes C++
> JavaScriptCore.dll!JSC::evaluate(JSC::ExecState * exec, const JSC::SourceCode & source, JSC::JSValue thisValue, JSC::JSValue * returnedException) Line 85 C++
> WebKit.dll!WebCore::JSMainThreadExecState::evaluate(JSC::ExecState * exec, const JSC::SourceCode & source, JSC::JSValue thisValue, JSC::JSValue * exception) Line 74 + 0x1e bytes C++
> WebKit.dll!WebCore::ScriptController::evaluateInWorld(const WebCore::ScriptSourceCode & sourceCode, WebCore::DOMWrapperWorld * world) Line 142 + 0x23 bytes C++
> WebKit.dll!WebCore::ScriptController::evaluate(const WebCore::ScriptSourceCode & sourceCode) Line 158 + 0x16 bytes C++
> WebKit.dll!WebCore::ScriptElement::executeScript(const WebCore::ScriptSourceCode & sourceCode) Line 316 + 0x17 bytes C++
> WebKit.dll!WebCore::ScriptElement::execute(WebCore::CachedScript * cachedScript) Line 337 + 0x15 bytes C++
> WebKit.dll!WebCore::ScriptRunner::timerFired(WebCore::Timer<WebCore::ScriptRunner> * timer) Line 122 C++
> WebKit.dll!WebCore::Timer<WebCore::PingLoader>::fired() Line 114 + 0x19 bytes C++
> WebKit.dll!WebCore::ThreadTimers::sharedTimerFiredInternal() Line 132 C++
> WebKit.dll!WebCore::ThreadTimers::sharedTimerFired() Line 106 C++
> WebKit.dll!WebCore::TimerWindowWndProc(HWND__ * hWnd, unsigned int message, unsigned int wParam, long lParam) Line 99 + 0x6 bytes C++
> user32.dll!_InternalCallWinProc@20() + 0x23 bytes
> user32.dll!_UserCallWinProcCheckWow@36() + 0xbd bytes
> user32.dll!_DispatchMessageWorker@8() + 0xf8 bytes
> user32.dll!_DispatchMessageW@4() + 0x10 bytes
> CoreFoundation.dll!__CFRunLoopRun(__CFRunLoop * rl, __CFRunLoopMode * rlm, double seconds, unsigned char stopAfterHandle, __CFRunLoopMode * previousMode) Line 42292 C++
> CoreFoundation.dll!CFRunLoopRunSpecific(__CFRunLoop * rl, const __CFString * modeName, double seconds, unsigned char returnAfterSourceHandled) Line 42413 + 0x12 bytes C++
> CoreFoundation.dll!CFRunLoopRun() Line 42440 + 0x1d bytes C++
> WinLauncher.dll!dllLauncherEntryPoint(HINSTANCE__ * __formal, HINSTANCE__ * __formal, HINSTANCE__ * __formal, int nCmdShow) Line 456 C++
> WinLauncher.exe!004012ca()
> [Frames below may be incorrect and/or missing, no symbols loaded for WinLauncher.exe]
> ntdll.dll!_RtlpHeapAddListEntry@24() + 0xc16 bytes
> ntdll.dll!@RtlpFreeHeap@16() + 0x20c bytes
Radar WebKit Bug Importer
Comment 1 2013-08-14 10:31:21 PDT
Saleem Abdulrasool
Comment 2 2013-08-20 23:35:31 PDT
Reproduces with WebKit(GTK+) 2.1.4 on Linux.
Eduardo Lima Mitev
Comment 3 2013-09-13 03:15:58 PDT
I get a similar stack trace 100% of the time while browsing http://2012.beercamp.com on ARM Linux, with WebKitGTK 2.1.4:

#0 0xb5dab09c in JSC::errorDescriptionForValue(JSC::ExecState*, JSC::JSValue) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#1 0xb5dab5ae in JSC::createError(JSC::ExecState*, JSC::JSObject* (*)(JSC::ExecState*, WTF::String const&), JSC::JSValue, WTF::String const&) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#2 0xb5dab668 in JSC::createNotAnObjectError(JSC::ExecState*, JSC::JSValue) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#3 0xb5df72f8 in JSC::JSValue::synthesizePrototype(JSC::ExecState*) const () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#4 0xb5c8a316 in JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#5 0xb5d1f500 in JSC::getByVal(JSC::ExecState*, JSC::JSValue, JSC::JSValue, JSC::ReturnAddressPtr) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#6 0xb5d22bbc in JITStubThunked_op_get_by_val_generic () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#7 0xb5d1ef28 in cti_op_get_by_val_generic () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#8 0xa872f8a0 in ?? ()
#9 0xa872f8a0 in ?? ()

Sorry about the missing symbols; I have not managed to get a build with full symbols yet.
Brent Fulgham
Comment 4 2013-11-18 10:33:38 PST
This crash was corrected by other JSC work.