Bug 18108 - REGRESSION (r29508): Various KJS functions segfault on GTK build
Status: RESOLVED DUPLICATE of bug 18367
https://bugs.webkit.org/show_bug.cgi?id=18108
Jasper Bryant-Greene
Reported 2008-03-26 03:05:37 PDT
http://code.google.com/ is an example of a page which displays the KJS crashes. I have seen the following three functions segfault on the above page using a current GTK release build:
KJS::stringProtoFuncReplace
KJS::stringProtoFuncIndexOf
KJS::regExpProtoFuncTest
None of these segfaults can be reproduced with a debug build. I'd be keen to hear from others who can reproduce this bug on GTK. We've managed to reproduce it on two systems here using both Juniper and GtkLauncher.
Attachments
valgrind log (734.94 KB, text/plain)
2008-04-09 01:36 PDT, Luca Bruno
no flags
Jasper Bryant-Greene
Comment 1 2008-03-26 03:07:03 PDT
We've now seen KJS::PropertyMap::insert segfault too. Are the KJS sources generated at all? Perhaps the GTK+ autotools build system is not generating them correctly?
Michael Fincham
Comment 2 2008-03-26 03:13:18 PDT
CCing myself on this one, mostly out of interest.
Jasper Bryant-Greene
Comment 3 2008-03-26 15:54:18 PDT
I think the compiler is inlining something into the offending functions, so we probably only have a problem in one place. Valgrind reports:
==13224== Conditional jump or move depends on uninitialised value(s)
==13224==    at 0x618C7BC: KJS::Collector::markStackObjectsConservatively(void*, void*) (collector.cpp:501)
==13224==    by 0x618D219: KJS::Collector::markCurrentThreadConservatively() (collector.cpp:548)
==13224==    by 0x6196888: KJS::Collector::collect() (collector.cpp:936)
==13224==    by 0x61EC824: void* KJS::Collector::heapAllocate<(KJS::Collector::HeapType)0>(unsigned long) (collector.cpp:245)
==13224==    by 0x5E81ABA: WebCore::createAnchorWrapper(KJS::ExecState*, WTF::PassRefPtr<WebCore::HTMLElement>) (JSHTMLElementWrapperFactory.cpp:236)
==13224==    by 0x5E82712: WebCore::createJSHTMLWrapper(KJS::ExecState*, WTF::PassRefPtr<WebCore::HTMLElement>) (JSHTMLElementWrapperFactory.cpp:269)
==13224==    by 0x5E86B95: WebCore::toJS(KJS::ExecState*, WebCore::Node*) (JSNodeCustom.cpp:177)
==13224==    by 0x5E0FF66: WebCore::jsDocumentPrototypeFunctionCreateElement(KJS::ExecState*, KJS::JSObject*, KJS::List const&) (JSNode.h:72)
==13224==    by 0x61B4378: KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) (object.cpp:96)
==13224==    by 0x61C9A48: KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) (nodes.cpp:1500)
==13224==    by 0x61C98C3: KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) (nodes.cpp:1475)
==13224==    by 0x61BE2FD: KJS::ExprStatementNode::execute(KJS::ExecState*) (nodes.cpp:3999)
I don't even pretend to understand the JSCore code fully, but Collector::markCurrentThreadConservatively seems to call Collector::markStackObjectsConservatively with a pointer-to-an-uninitialized-pointer as the first argument...
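The idiom the comment above is pointing at, conservative stack scanning, is easier to reason about in a small model. The following is an added example written for this page; it is not WebKit's Collector code, and the toy heap, the `Cell` type and every function name in it (`mark_current_stack`, `mark_range_conservatively`, `scan_demo`, `cell_is_marked`) are assumptions for illustration. It shows the two things a practitioner should take from the valgrind report: the scan deliberately reads stack words that were never written, so "conditional jump depends on uninitialised value(s)" inside the scanner is expected and is not by itself the bug; and the "address of a local marks the top of the stack" trick only works when that local sits in a frame of its own, so the function that takes the address must not be inlined into a caller whose roots live higher on the stack.

```c
#include <setjmp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy heap (assumed for this example): a fixed pool of cells. A cell counts
 * as reachable if any pointer-sized word in the scanned stack range holds
 * its exact address. */
#define NUM_CELLS 64
typedef struct { uintptr_t payload; int marked; } Cell;
static Cell heap[NUM_CELLS];

/* True if `word` is exactly the address of one of the cells. */
static int is_cell_pointer(uintptr_t word) {
    uintptr_t lo = (uintptr_t)heap, hi = (uintptr_t)(heap + NUM_CELLS);
    if (word < lo || word >= hi) return 0;
    return (word - lo) % sizeof(Cell) == 0;
}

/* Treat every aligned word between a and b (in either order) as a possible
 * pointer. Stack slots that were never written are read too; a memory
 * checker reports those reads as "conditional jump or move depends on
 * uninitialised value(s)", which is normal for a conservative scan. */
static void mark_range_conservatively(const void *a, const void *b) {
    uintptr_t lo = (uintptr_t)a, hi = (uintptr_t)b;
    if (lo > hi) { uintptr_t t = lo; lo = hi; hi = t; }
    lo = (lo + sizeof(void *) - 1) & ~(uintptr_t)(sizeof(void *) - 1);
    for (uintptr_t p = lo; p + sizeof(void *) <= hi; p += sizeof(void *)) {
        uintptr_t word;
        memcpy(&word, (const void *)p, sizeof word);
        if (is_cell_pointer(word))
            heap[(word - (uintptr_t)heap) / sizeof(Cell)].marked = 1;
    }
}

/* Spill the callee-saved registers into a jmp_buf on this frame, then scan
 * from the lowest local of this frame up to the stack base. The address of
 * a local only marks the top of the stack if this function has a frame of
 * its own, below every caller's roots; hence noinline. */
__attribute__((noinline))
static void mark_current_stack(const void *stack_base) {
    jmp_buf regs;
    setjmp(regs);            /* registers that may hold roots now live in memory */
    void *dummy;             /* never assigned: only its address is used */
    uintptr_t top = (uintptr_t)&dummy < (uintptr_t)&regs ? (uintptr_t)&dummy
                                                         : (uintptr_t)&regs;
    mark_range_conservatively((const void *)top, stack_base);
}

static void clear_marks(void) {
    for (int i = 0; i < NUM_CELLS; i++) heap[i].marked = 0;
}

int cell_is_marked(int idx) { return heap[idx].marked; }

/* Hold a reference to cell idx in a stack slot (volatile keeps it in
 * memory rather than only in a register), scan, and report whether the
 * scan found it. */
__attribute__((noinline))
static int root_is_found(int idx, const void *stack_base) {
    Cell *volatile keep = &heap[idx];
    clear_marks();
    mark_current_stack(stack_base);
    int found = heap[idx].marked;
    (void)keep;
    return found;
}

/* Entry point: a local in this frame stands in for the thread's stack base
 * (a real collector gets it from the platform, e.g. pthread_getattr_np). */
__attribute__((noinline))
int scan_demo(int idx) {
    int base_marker = 0;
    return root_is_found(idx, &base_marker);
}

int main(void) {
    printf("cell 5 found by scan: %d\n", scan_demo(5));
    printf("cell 30 marked without a root: %d\n", cell_is_marked(30));
    return 0;
}
```

Two caveats follow from the model. Because the scan is conservative, a stale pointer left in a dead frame or a spilled register keeps its cell alive until that slot is overwritten, so `clear_marks` followed by a second scan can still mark cells no live variable references. And if the compiler inlines `mark_current_stack` into its caller, `&dummy` may land above the caller's own locals or the spilled registers, so roots that sit below it are silently skipped and later freed while still in use; that is a failure mode an optimising release build can exhibit while an unoptimised debug build does not, which is why the comment's suspicion about inlining is worth checking before anything else.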
Jasper Bryant-Greene
Comment 4 2008-03-26 15:59:43 PDT
GDB backtrace for completeness:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fabce7e87c0 (LWP 13758)]
0x00007fabcd3cb715 in KJS::stringProtoFuncMatch (exec=0x7fffd681b320, thisObj=0x7fabc16e0000, args=@0x7fffd681b0b0) at JavaScriptCore/kjs/object.h:510
510         for (const ClassInfo *ci = classInfo(); ci; ci = ci->parentClass)
Current language:  auto; currently c++
(gdb) bt
#0  0x00007fabcd3cb715 in KJS::stringProtoFuncMatch (exec=0x7fffd681b320, thisObj=0x7fabc16e0000, args=@0x7fffd681b0b0) at JavaScriptCore/kjs/object.h:510
#1  0x00007fabcd3ce379 in KJS::JSObject::call (this=0x7fabc16e0000, exec=0x7fffd681b320, thisObj=0x7fffd681b0b0, args=@0x7fffd681b0b0) at JavaScriptCore/kjs/object.cpp:96
#2  0x00007fabcd3e3a49 in KJS::FunctionCallDotNode::evaluate (this=0x7fabc1b6b640, exec=0x7fffd681b320) at JavaScriptCore/kjs/nodes.cpp:1500
#3  0x00007fabcd3de0ee in KJS::ArgumentListNode::evaluateList (this=0x7fabc1b6c3a0, exec=0x7fffd681b320, list=@0x7fffd681b1c0) at JavaScriptCore/kjs/nodes.cpp:1011
#4  0x00007fabcd3e26ec in KJS::ScopedVarFunctionCallNode::evaluate (this=0x7fabc1d1ddb0, exec=0x7fffd681b320) at JavaScriptCore/kjs/nodes.h:695
#5  0x00007fabcd3d82fe in KJS::ExprStatementNode::execute (this=0x7fabc1b6b5f0, exec=0x7fabc16e0000) at JavaScriptCore/kjs/nodes.cpp:3999
#6  0x00007fabcd3a370a in KJS::BlockNode::execute (this=0x7fabc1d1e310, exec=0x7fffd681b320) at JavaScriptCore/kjs/nodes.cpp:3952
#7  0x00007fabcd3d7ec9 in KJS::ForNode::execute (this=0x7fabc2438a20, exec=0x7fffd681b320) at JavaScriptCore/kjs/nodes.cpp:4165
#8  0x00007fabcd3a370a in KJS::BlockNode::execute (this=0x7fabc1b646c0, exec=0x7fffd681b320) at JavaScriptCore/kjs/nodes.cpp:3952
#9  0x00007fabcd3f733f in KJS::FunctionImp::callAsFunction (this=0x7fabce632b00, exec=0x7fffd681b6a0, thisObj=<value optimized out>, args=<value optimized out>) at JavaScriptCore/kjs/function.cpp:77
#10 0x00007fabcd3ce379 in KJS::JSObject::call (this=0x7fabc16e0000, exec=0x7fffd681b320, thisObj=0x7fffd681b0b0, args=@0x7fffd681b0b0) at JavaScriptCore/kjs/object.cpp:96
#11 0x00007fabcd3ff55c in KJS::FunctionCallBracketNode::evaluate (this=0x7fabc1a43be0, exec=0x7fffd681b6a0) at JavaScriptCore/kjs/nodes.cpp:1451
#12 0x00007fabcd3db10e in KJS::AssignLocalVarNode::evaluate (this=0x7fabc1a43bb8, exec=0x7fabc16e0000) at JavaScriptCore/kjs/nodes.cpp:3559
#13 0x00007fabcd3d829e in KJS::VarStatementNode::execute (this=0x7fabc1a43b90, exec=0x7fabc16e0000) at JavaScriptCore/kjs/nodes.cpp:4015
#14 0x00007fabcd3a370a in KJS::BlockNode::execute (this=0x7fabc1a042d8, exec=0x7fffd681b6a0) at JavaScriptCore/kjs/nodes.cpp:3952
#15 0x00007fabcd3b85c8 in KJS::TryNode::execute (this=0x7fabc1a47400, exec=0x7fabc16e0000) at JavaScriptCore/kjs/nodes.cpp:4572
#16 0x00007fabcd3a370a in KJS::BlockNode::execute (this=0x7fabc1a041f8, exec=0x7fffd681b6a0) at JavaScriptCore/kjs/nodes.cpp:3952
#17 0x00007fabcd3a370a in KJS::BlockNode::execute (this=0x7fabc1a4bd80, exec=0x7fffd681b6a0) at JavaScriptCore/kjs/nodes.cpp:3952
#18 0x00007fabcd3f733f in KJS::FunctionImp::callAsFunction (this=0x7fabce631c80, exec=0x7fabc24c1c38, thisObj=<value optimized out>, args=<value optimized out>) at JavaScriptCore/kjs/function.cpp:77
#19 0x00007fabcd3ce379 in KJS::JSObject::call (this=0x7fabc16e0000, exec=0x7fffd681b320, thisObj=0x7fffd681b0b0, args=@0x7fffd681b0b0) at JavaScriptCore/kjs/object.cpp:96
#20 0x00007fabcd0a9af9 in WebCore::ScheduledAction::execute (this=0x7fabc19d6320, window=0x7fabce630000) at WebCore/bindings/js/ScheduledAction.cpp:75
#21 0x00007fabcd092aa1 in WebCore::JSDOMWindowBase::timerFired (this=0x7fabce630000, timer=0x7fabc1b16ce8) at WebCore/bindings/js/JSDOMWindowBase.cpp:1398
#22 0x00007fabcd092b9c in WebCore::DOMWindowTimer::fired (this=0x7fabc16e0000) at WebCore/bindings/js/JSDOMWindowBase.cpp:1434
#23 0x00007fabcd2b5ca3 in WebCore::TimerBase::fireTimers (fireTime=1206572345.092078, firingTimers=@0x7fffd681ba00) at WebCore/platform/Timer.cpp:347
#24 0x00007fabcd2b5d5b in WebCore::TimerBase::sharedTimerFired () at WebCore/platform/Timer.cpp:368
#25 0x00007fabccfebb62 in timeout_cb () at WebCore/platform/gtk/SharedTimerGtk.cpp:48
#26 0x00007fabcafc594b in ?? () from /usr/lib/libglib-2.0.so.0
#27 0x00007fabcafc5222 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#28 0x00007fabcafc84d6 in ?? () from /usr/lib/libglib-2.0.so.0
#29 0x00007fabcafc8797 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#30 0x00007fabcc9ecee3 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#31 0x0000000000404416 in main ()
kappasolaris
Comment 5 2008-03-27 02:47:57 PDT
(11:46:42) jasperbg: physrules: would you mind indicating on http://bugs.webkit.org/show_bug.cgi?id=18108 that the issue does not occur on your compiler?
Doesn't crash for me on OpenSolaris b85, compiler: Sun Studio 12 (latest patches).
Luca Bruno
Comment 6 2008-04-04 12:48:18 PDT
I have gcc 4.1.2/amd64 and it crashed. Another guy using 4.0/x86 also crashed. People using 4.2 don't experience the crash. Would this mean it's a gcc < 4.2 bug, maybe?
Kazuo Teramoto
Comment 7 2008-04-06 13:37:16 PDT
I got a segfault in KJS too, with x86_64 and using gcc 4.3, using a snapshot from git taken today. My bt:
#0  0x00002b2cf65c8af4 in KJS::JSGlobalObject::getOwnPropertySlot () from /usr/lib/libwebkit-1.0.so.1
#1  0x00002b2cf622c02d in WebCore::JSDOMWindow::customGetOwnPropertySlot () from /usr/lib/libwebkit-1.0.so.1
#2  0x00002b2cf61ba8a9 in WebCore::JSDOMWindow::getOwnPropertySlot () from /usr/lib/libwebkit-1.0.so.1
#3  0x00002b2cf6579772 in KJS::ResolveNode::evaluate () from /usr/lib/libwebkit-1.0.so.1
#4  0x00002b2cf6594a38 in KJS::AssignDotNode::evaluate () from /usr/lib/libwebkit-1.0.so.1
#5  0x00002b2cf658b96e in KJS::ExprStatementNode::execute () from /usr/lib/libwebkit-1.0.so.1
#6  0x00002b2cf654c80d in KJS::BlockNode::execute () from /usr/lib/libwebkit-1.0.so.1
#7  0x00002b2cf65a74ba in KJS::ProgramNode::execute () from /usr/lib/libwebkit-1.0.so.1
#8  0x00002b2cf65a18f9 in KJS::Interpreter::evaluate () from /usr/lib/libwebkit-1.0.so.1
#9  0x00002b2cf6241491 in WebCore::KJSProxy::evaluate () from /usr/lib/libwebkit-1.0.so.1
#10 0x00002b2cf63d4388 in WebCore::FrameLoader::executeScript () from /usr/lib/libwebkit-1.0.so.1
#11 0x00002b2cf639fc15 in WebCore::HTMLTokenizer::scriptExecution () from /usr/lib/libwebkit-1.0.so.1
#12 0x00002b2cf63a2f69 in WebCore::HTMLTokenizer::scriptHandler () from /usr/lib/libwebkit-1.0.so.1
#13 0x00002b2cf63a3668 in WebCore::HTMLTokenizer::parseSpecial () from /usr/lib/libwebkit-1.0.so.1
#14 0x00002b2cf63a5370 in WebCore::HTMLTokenizer::parseTag () from /usr/lib/libwebkit-1.0.so.1
#15 0x00002b2cf63a5c07 in WebCore::HTMLTokenizer::write () from /usr/lib/libwebkit-1.0.so.1
#16 0x00002b2cf63c77e8 in WebCore::FrameLoader::write () from /usr/lib/libwebkit-1.0.so.1
#17 0x00002b2cf63bb689 in WebCore::DocumentLoader::commitLoad () from /usr/lib/libwebkit-1.0.so.1
#18 0x00002b2cf63ee2c3 in WebCore::ResourceLoader::didReceiveData () from /usr/lib/libwebkit-1.0.so.1
#19 0x00002b2cf63e6406 in WebCore::MainResourceLoader::didReceiveData () from /usr/lib/libwebkit-1.0.so.1
#20 0x00002b2cf650cbf3 in WebCore::writeCallback () from /usr/lib/libwebkit-1.0.so.1
#21 0x00002b2cf91e5e62 in Curl_client_write () from /usr/lib/libcurl.so.4
#22 0x00002b2cf92002b8 in inflate_stream () from /usr/lib/libcurl.so.4
#23 0x00002b2cf9200592 in Curl_unencode_gzip_write () from /usr/lib/libcurl.so.4
#24 0x00002b2cf91fab4c in Curl_readwrite () from /usr/lib/libcurl.so.4
#25 0x00002b2cf91fe4fc in multi_runsingle () from /usr/lib/libcurl.so.4
#26 0x00002b2cf91fed8b in curl_multi_perform () from /usr/lib/libcurl.so.4
#27 0x00002b2cf650f65c in WebCore::ResourceHandleManager::downloadTimerCallback () from /usr/lib/libwebkit-1.0.so.1
#28 0x00002b2cf64608f3 in WebCore::TimerBase::fireTimers () from /usr/lib/libwebkit-1.0.so.1
#29 0x00002b2cf64609ae in WebCore::TimerBase::sharedTimerFired () from /usr/lib/libwebkit-1.0.so.1
#30 0x00002b2cf6180922 in WebCore::timeout_cb () from /usr/lib/libwebkit-1.0.so.1
#31 0x00002b2cf833b6da in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#32 0x00002b2cf833edd0 in g_main_context_iterate () from /usr/lib/libglib-2.0.so.0
#33 0x00002b2cf833f29d in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#34 0x00002b2cf6aaf447 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#35 0x0000000000402160 in main ()
Luca Bruno
Comment 8 2008-04-07 05:12:15 PDT
It seems to me that every crash belongs to UString usage (operator+, copying, etc.). The crash that shows this on top is the first one here: http://bugs.webkit.org/show_bug.cgi?id=18280. Could anyone please duplicate these 2 bugs?
Luca Bruno
Comment 9 2008-04-08 02:48:57 PDT
*** Bug 17378 has been marked as a duplicate of this bug. ***
Luca Bruno
Comment 10 2008-04-08 02:50:06 PDT
*** Bug 18185 has been marked as a duplicate of this bug. ***
Luca Bruno
Comment 11 2008-04-08 02:50:35 PDT
*** Bug 18280 has been marked as a duplicate of this bug. ***
Luca Bruno
Comment 12 2008-04-08 05:07:12 PDT
OK, I found it with git bisect: svn r29508, commit 5902380fbd1bfcd1c88459ca1714020c478009ea. It has been a very long time, but no one really cared about the crash.
Luca Bruno
Comment 13 2008-04-09 01:36:14 PDT
Created attachment 20423 [details] valgrind log
I'm currently working on that commit and ran valgrind:
LD_LIBRARY_PATH=WebKitBuild/Release/lib/ G_SLICE=always-malloc G_DEBUG=gc-friendly valgrind --tool=memcheck --leak-check=full --leak-resolution=high --num-callers=20 WebKitBuild/Release/WebKitTools/GtkLauncher/GtkLauncher http://acid3.acidtests.org
Notice that when using valgrind I don't experience the crash.
Mike Hommey
Comment 14 2008-04-10 13:09:48 PDT
Take a look at bug 18367, especially https://bugs.webkit.org/show_bug.cgi?id=18367#c12. It looks like it has the same root cause, and a possible fix.
Mark Rowe (bdash)
Comment 15 2008-04-10 21:00:41 PDT
I'm pretty sure this is the same underlying issue as bug 18367.
Jan Alonzo
Comment 16 2008-04-13 18:48:16 PDT
Marking bug as duplicate of http://bugs.webkit.org/show_bug.cgi?id=18367. Please reopen if this still happens or if you think it's not related to 18367. Thanks.
*** This bug has been marked as a duplicate of 18367 ***