Bug 138722 - JavaScriptCore assertion crash when access http://www.tmall.com/go/market/promotion-act/nsxy9-h5.php
Summary: JavaScriptCore assertion crash when access http://www.tmall.com/go/market/pro...
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Android Android
Importance: P2 Major
Assignee: Nobody
URL: http://www.tmall.com/go/market/promot...
Keywords: Gtk
Depends on:
Blocks:
 
Reported: 2014-11-13 18:11 PST by grainsan
Modified: 2014-11-25 02:14 PST

Description grainsan 2014-11-13 18:11:36 PST
I use the GTK 2.4.3 version of the WebKit engine on an ARMv7 Android platform. When accessing the webpage http://www.tmall.com/go/market/promotion-act/nsxy9-h5.php, it always causes an assertion; it seems a JSCell pointer is NULL, and this value comes from a DFG register. Do you know how to fix this bug? Thanks.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 3022]
0xb5402f9e in WTFCrash () at TGL/thirdparty/webkit-2.4/Source/WTF/wtf/Assertions.cpp:333
333         *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0xb5402f9e in WTFCrash () at TGL/thirdparty/webkit-2.4/Source/WTF/wtf/Assertions.cpp:333
#1  0xb515e7ac in methodTable (this=<optimized out>) at TGL/thirdparty/webkit-2.4/Source/JavaScriptCore/runtime/JSCellInlines.h:160
#2  JSC::JSValue::put (this=0xb302e6e8, exec=0xb0944958, propertyName=<optimized out>, value=..., slot=...)
    at TGL/thirdparty/webkit-2.4/Source/JavaScriptCore/runtime/JSCJSValueInlines.h:703
#3  0xb5220a0a in JSC::putByVal (callFrame=0xfffffffb, baseValue=..., subscript=..., value=...) at TGL/thirdparty/webkit-2.4/Source/JavaScriptCore/jit/JITOperations.cpp:478
#4  0xb52226b8 in JSC::operationPutByVal (exec=0xb0944958, encodedBaseValue=<optimized out>, encodedSubscript=-18516814096, encodedValue=-18617586880)
    at TGL/thirdparty/webkit-2.4/Source/JavaScriptCore/jit/JITOperations.cpp:542
#5  0xaf0d8b30 in ?? ()
#6  0xaf0d8b30 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) disas WTFCrash
Dump of assembler code for function WTFCrash():
   0xb5402f88 <+0>:     push    {r3, lr}
   0xb5402f8a <+2>:     ldr     r3, [pc, #24]   ; (0xb5402fa4 <WTFCrash()+28>)
   0xb5402f8c <+4>:     add     r3, pc
   0xb5402f8e <+6>:     ldr     r0, [r3, #0]
   0xb5402f90 <+8>:     cbz     r0, 0xb5402f94 <WTFCrash()+12>
   0xb5402f92 <+10>:    blx     r0
   0xb5402f94 <+12>:    movw    r2, #48879      ; 0xbeef
   0xb5402f98 <+16>:    movt    r2, #48045      ; 0xbbad
   0xb5402f9c <+20>:    movs    r1, #0
=> 0xb5402f9e <+22>:    str     r1, [r2, #0]
   0xb5402fa0 <+24>:    blx     r1
   0xb5402fa2 <+26>:    pop     {r3, pc}
   0xb5402fa4 <+28>:    andeq   r8, r3, r8, lsr #1
End of assembler dump.
(gdb) i r
r0             0x0      0
r1             0x0      0
r2             0xbbadbeef       3148725999
r3             0xb543b038       3041112120
r4             0xaa4e2b40       2857249600
r5             0xfffffffb       4294967291
r6             0xb302e6e8       3003311848
r7             0xb302e6a8       3003311784
r8             0xb302e6f8       3003311864
r9             0xac3d14b0       2889684144
r10            0xb0944958       2962508120
r11            0xfffffffb       4294967291
r12            0xb53e3b48       3040754504
sp             0xb302e690       0xb302e690
lr             0xb515e7ad       -1256855635
pc             0xb5402f9e       0xb5402f9e <WTFCrash()+22>
cpsr           0x60030030       1610809392
(gdb) l
328     {
329         if (globalHook)
330             globalHook();
331
332         WTFReportBacktrace();
333         *(int *)(uintptr_t)0xbbadbeef = 0;
334         // More reliable, but doesn't say BBADBEEF.
335     #if COMPILER(CLANG)
336         __builtin_trap();
337     #else
Comment 1 Zhang Ji Peng 2014-11-25 02:14:05 PST
This is a [GTK][Stable] 2.4.3 version bug.