Better backtrace: Thread 1 (Thread 0x2b83fd43fec0 (LWP 31556)): #0 0x00002b83f3d7eea5 in waitpid () from /lib/libpthread.so.0 No symbol table info available. #1 0x00002b83f4b3d4f6 in g_spawn_sync () from /usr/lib/libglib-2.0.so.0 No symbol table info available. #2 0x00002b83f4b3d808 in g_spawn_command_line_sync () from /usr/lib/libglib-2.0.so.0 No symbol table info available. #3 0x00002b83fddb94b3 in ?? () from /usr/lib/gtk-2.0/modules/libgnomebreakpad.so No symbol table info available. #4 <signal handler called> No symbol table info available. #5 0x00002b83f39a685b in KJS::stringProtoFuncIndexOf (exec=0x7fffb78a7750, thisObj=0x2b83ff8a0180, args=@0x7fffb78a74b0) at JavaScriptCore/kjs/object.h:510 s = {m_rep = {m_ptr = 0x7fffb78a7490}} len = <value optimized out> a0 = <value optimized out> a1 = <value optimized out> u2 = {m_rep = {m_ptr = 0x2b83fe709660}} dpos = <value optimized out> #6 0x00002b83f3984e49 in KJS::JSObject::call (this=0x2b83ff8a0180, exec=0x7fffb78a7750, thisObj=0x7fffb78a74b0, args=@0x7fffb78a74b0) at JavaScriptCore/kjs/object.cpp:96 ret = (class KJS::JSValue *) 0x0 depth = 4 #7 0x00002b83f3998ae3 in KJS::FunctionCallDotNode::evaluate (this=0x2b83fe708aa0, exec=0x7fffb78a7750) at JavaScriptCore/kjs/nodes.cpp:1500 No locals. #8 0x00002b83f3990f43 in KJS::EqualNode::evaluateToBoolean (this=0x2b83fe709620, exec=0x2b83ff8a0180) at JavaScriptCore/kjs/nodes.cpp:3121 No locals. #9 0x00002b83f3990a1d in KJS::LogicalAndNode::evaluateToBoolean (this=0x2b83fe709600, exec=0x7fffb78a7750) at JavaScriptCore/kjs/nodes.cpp:3371 b = <value optimized out> #10 0x00002b83f39909ee in KJS::LogicalAndNode::evaluateToBoolean (this=0x2b83fe709560, exec=0x2b83ff8a0180) at JavaScriptCore/kjs/nodes.cpp:3369 b = <value optimized out> #11 0x00002b83f39909ee in KJS::LogicalAndNode::evaluateToBoolean (this=0x2b83fe7094c0, exec=0x2b83ff8a0180) at JavaScriptCore/kjs/nodes.cpp:3369 b = <value optimized out> #12 0x00002b83f39909ee in KJS::LogicalAndNode::evaluateToBoolean (this=0x2b83fe709420, exec=0x2b83ff8a0180) at JavaScriptCore/kjs/nodes.cpp:3369 b = <value optimized out> #13 0x00002b83f39909ee in KJS::LogicalAndNode::evaluateToBoolean (this=0x2b83fe709b80, exec=0x2b83ff8a0180) at JavaScriptCore/kjs/nodes.cpp:3369 b = <value optimized out> #14 0x00002b83f39909ee in KJS::LogicalAndNode::evaluateToBoolean (this=0x2b83fe709ae0, exec=0x2b83ff8a0180) at JavaScriptCore/kjs/nodes.cpp:3369 b = <value optimized out> #15 0x00002b83f395d8ce in KJS::LogicalNotNode::evaluateToBoolean (this=<value optimized out>, exec=0x2b83ff8a0180) at JavaScriptCore/kjs/nodes.cpp:2382 No locals. #16 0x00002b83f398cbc2 in KJS::DoWhileNode::execute (this=0x2b83fe6f5360, exec=0x7fffb78a7750) at JavaScriptCore/kjs/nodes.cpp:4089 statementValue = (class KJS::JSValue *) 0x2b83ff8a02c0 b = <value optimized out> value = (class KJS::JSValue *) 0x2b83ff8a02c0 #17 0x00002b83f395b46a in KJS::BlockNode::execute (this=0x2b83fe62be38, exec=0x7fffb78a7750) at JavaScriptCore/kjs/nodes.cpp:3951 No locals. #18 0x00002b83f398c9b9 in KJS::ForNode::execute (this=0x2b83fe61f000, exec=0x7fffb78a7750) at JavaScriptCore/kjs/nodes.cpp:4164 b = <value optimized out> statementValue = (class KJS::JSValue *) 0x7fffb78a7750 value = (class KJS::JSValue *) 0x0 #19 0x00002b83f395b46a in KJS::BlockNode::execute (this=0x2b83fe706240, exec=0x7fffb78a7750) at JavaScriptCore/kjs/nodes.cpp:3951 No locals. #20 0x00002b83f39ae94f in KJS::FunctionImp::callAsFunction (this=0x2b83ff331b00, exec=0x7fffb78a7980, thisObj=<value optimized out>, args=<value optimized out>) at JavaScriptCore/kjs/function.cpp:77 newExec = {<KJS::ExecState> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_globalObject = 0x2b83ff330000, m_exception = 0x0, m_propertyNames = 0x2b83fe6cfdc0, m_emptyList = 0x2b83f3d5ebe0, m_callingExec = 0x7fffb78a7980, m_scopeNode = 0x2b83fe706240, m_function = 0x2b83ff331b00, m_arguments = 0x7fffb78a7850, m_activation = 0x2b83fe64d4e8, m_localStorage = 0x2b83fe64d518, m_scopeChain = {_node = 0x7fffb78a77a8}, m_inlineScopeChainNode = { next = 0x2b83fe704948, object = 0x2b83fe64d4e8, refCount = 2}, m_variableObject = 0x2b83fe64d4e8, m_thisValue = 0x2b83ff330000, m_labelStack = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, tos = 0x0}, m_iterationDepth = 1, m_switchDepth = 0, m_codeType = KJS::FunctionCode, m_completionType = KJS::Normal, m_breakOrContinueTarget = 0x2b83fe6ed690}, <No data fields>} result = <value optimized out> #21 0x00002b83f3984e49 in KJS::JSObject::call (this=0x2b83ff8a0180, exec=0x7fffb78a7750, thisObj=0x7fffb78a74b0, args=@0x7fffb78a74b0) at JavaScriptCore/kjs/object.cpp:96 ret = (class KJS::JSValue *) 0x0 depth = 4 #22 0x00002b83f3997910 in KJS::ScopedVarFunctionCallNode::evaluate (this=0x2b83fe6f5480, exec=0x7fffb78a7980) at JavaScriptCore/kjs/nodes.cpp:1322 No locals. #23 0x00002b83f398fe2e in KJS::AssignLocalVarNode::evaluate (this=0x2b83fe6f6050, exec=0x2b83ff8a0180) at JavaScriptCore/kjs/nodes.cpp:3559 v = <value optimized out> #24 0x00002b83f398cdee in KJS::ExprStatementNode::execute (this=0x2b83fe6f6028, exec=0x2b83ff8a0180) at JavaScriptCore/kjs/nodes.cpp:3998 value = (class KJS::JSValue *) 0x0 #25 0x00002b83f395b46a in KJS::BlockNode::execute (this=0x2b83fe6ed480, exec=0x7fffb78a7980) at JavaScriptCore/kjs/nodes.cpp:3951 No locals. #26 0x00002b83f39ae94f in KJS::FunctionImp::callAsFunction (this=0x2b83ff331780, exec=0x7fffb78a7bd0, thisObj=<value optimized out>, args=<value optimized out>) at JavaScriptCore/kjs/function.cpp:77 newExec = {<KJS::ExecState> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_globalObject = 0x2b83ff330000, m_exception = 0x0, m_propertyNames = 0x2b83fe6cfdc0, m_emptyList = 0x2b83f3d5ebe0, m_callingExec = 0x7fffb78a7bd0, m_scopeNode = 0x2b83fe6ed480, m_function = 0x2b83ff331780, m_arguments = 0x7fffb78a7a90, m_activation = 0x2b83fe64d278, m_localStorage = 0x2b83fe64d2a8, m_scopeChain = {_node = 0x7fffb78a79d8}, m_inlineScopeChainNode = { next = 0x2b83fe704948, object = 0x2b83fe64d278, refCount = 2}, m_variableObject = 0x2b83fe64d278, m_thisValue = 0x2b83ff330000, m_labelStack = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, tos = 0x0}, m_iterationDepth = 0, m_switchDepth = 0, m_codeType = KJS::FunctionCode, m_completionType = KJS::Normal, m_breakOrContinueTarget = 0x2b83ff330000}, <No data fields>} result = <value optimized out> #27 0x00002b83f3984e49 in KJS::JSObject::call (this=0x2b83ff8a0180, exec=0x7fffb78a7750, thisObj=0x7fffb78a74b0, args=@0x7fffb78a74b0) at JavaScriptCore/kjs/object.cpp:96 ret = (class KJS::JSValue *) 0x0 depth = 4 #28 0x00002b83f39b9c01 in KJS::NonLocalVarFunctionCallNode::evaluate (this=0x2b83ff586360, exec=0x7fffb78a7bd0) at JavaScriptCore/kjs/nodes.cpp:1141 No locals. #29 0x00002b83f398cdee in KJS::ExprStatementNode::execute (this=0x2b83ff5f0618, exec=0x2b83ff8a0180) at JavaScriptCore/kjs/nodes.cpp:3998 value = (class KJS::JSValue *) 0x0 #30 0x00002b83f395b46a in KJS::BlockNode::execute (this=0x2b83ff4fb000, exec=0x7fffb78a7bd0) at JavaScriptCore/kjs/nodes.cpp:3951 No locals. #31 0x00002b83f39ae94f in KJS::FunctionImp::callAsFunction (this=0x2b83ff33ae80, exec=0x2b83fe6cec38, thisObj=<value optimized out>, args=<value optimized out>) at JavaScriptCore/kjs/function.cpp:77 newExec = {<KJS::ExecState> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_globalObject = 0x2b83ff330000, m_exception = 0x0, m_propertyNames = 0x2b83fe6cfdc0, m_emptyList = 0x2b83f3d5ebe0, m_callingExec = 0x2b83fe6cec38, m_scopeNode = 0x2b83ff4fb000, m_function = 0x2b83ff33ae80, m_arguments = 0x7fffb78a7d00, m_activation = 0x2b83fe64d008, m_localStorage = 0x2b83fe64d038, m_scopeChain = {_node = 0x7fffb78a7c28}, m_inlineScopeChainNode = { next = 0x2b83ff4e7168, object = 0x2b83fe64d008, refCount = 2}, m_variableObject = 0x2b83fe64d008, m_thisValue = 0x2b83ff33ad80, m_labelStack = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, tos = 0x0}, m_iterationDepth = 0, m_switchDepth = 0, m_codeType = KJS::FunctionCode, m_completionType = 11139, m_breakOrContinueTarget = 0x2b83ff6dbdc0}, <No data fields>} result = <value optimized out> #32 0x00002b83f3984e49 in KJS::JSObject::call (this=0x2b83ff8a0180, exec=0x7fffb78a7750, thisObj=0x7fffb78a74b0, args=@0x7fffb78a74b0) at JavaScriptCore/kjs/object.cpp:96 ret = (class KJS::JSValue *) 0x0 depth = 4 #33 0x00002b83f36516d2 in WebCore::JSAbstractEventListener::handleEvent (this=0x2b83ff53fd40, ele=0x2b83ff6dbdc0, isWindowEvent=false) at WebCore/bindings/js/kjs_events.cpp:101 thisObj = (class KJS::JSObject *) 0x2b83ff33ad80 args = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_vector = {m_size = 1, m_buffer = {<WTF::VectorBufferBase<KJS::JSValue*>> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_buffer = 0x7fffb78a7d18, m_capacity = 8}, static m_inlineBufferSize = <optimized out>, m_inlineBuffer = "\200¬3ÿ\203+\000\000p\177\212·ÿ\177\000\000\aV\212ó\203+\000\000 \227]ÿ\203+\000\000ðB\226ó\203+\000\000\000\000\000\000\000\000\000\000\210±dþ\203+\000\000P©dþ\203+\000"}}, m_isInMarkSet = false} retval = <value optimized out> listener = (class KJS::JSObject *) 0x2b83ff33ae80 window = (class WebCore::JSDOMWindow *) 0x2b83ff330000 frame = <value optimized out> scriptProxy = <value optimized out> globalObject = (class KJS::JSGlobalObject *) 0x2b83ff330000 exec = (class KJS::ExecState *) 0x2b83fe6cec38 handleEventFuncValue = <value optimized out> handleEventFunc = <value optimized out> #34 0x00002b83f36cb2f5 in WebCore::EventTarget::handleLocalEvents (this=<value optimized out>, referenceNode=<value optimized out>, evt=0x2b83ff6dbdc0, useCapture=false) at WebCore/dom/EventTarget.cpp:307 listenersCopy = {impl = {d = {m_ptr = 0x2b83fe69d3c0}}} #35 0x00002b83f36cb0d7 in WebCore::EventTarget::dispatchGenericEvent (this=0x2b83ff4e3908, referenceNode=0x2b83ff4e38c0, e=<value optimized out>, tempEvent=true) at WebCore/dom/EventTarget.cpp:205 nodeChain = {impl = {head = 0x2b83ff4e7090, tail = 0x2b83fe716378, cur = 0x2b83ff4e7090, nodeCount = 10, deleteItem = 0x2b83f36cb770 <WebCore::DeprecatedPtrList<WebCore::Node>::deleteFunc(void*)>, iterators = 0x7fffb78a7f20}, del_item = false} it = {impl = {list = 0x7fffb78a7ee0, node = 0x2b83fe716378, next = 0x0, prev = 0x0}} data = (void *) 0x0 eventTargetNode = (class WebCore::EventTargetNode *) 0x2b83ff4e38c0 frame = <value optimized out> #36 0x00002b83f36cc7b3 in WebCore::EventTargetNode::dispatchEvent (this=<value optimized out>, e=<value optimized out>, ec=@0x7fffb78a80cc, tempEvent=80) at WebCore/dom/EventTargetNode.cpp:118 eventTarget = (class WebCore::EventTargetNode *) 0x2b83ff4e38c0 #37 0x00002b83f36ccada in WebCore::EventTargetNode::dispatchMouseEvent (this=0x2b83ff4e38c0, eventType=@0x2b83f3d39868, button=<value optimized out>, detail=1, pageX=446, pageY=1071, screenX=450, screenY=455, ctrlKey=false, altKey=false, shiftKey=false, metaKey=false, isSimulated=false, relatedTargetArg=0x0, underlyingEvent=@0x7fffb78a8160) at WebCore/dom/EventTargetNode.cpp:287 ec = 0 swallowEvent = <value optimized out> #38 0x00002b83f36cd168 in WebCore::EventTargetNode::dispatchMouseEvent (this=0x2b83ff4e38c0, event=@0x7fffb78a82c0, eventType=@0x2b83f3d39868, detail=1, relatedTarget=0x0) at WebCore/dom/EventTargetNode.cpp:204 button = 29872 #39 0x00002b83f381eaa2 in WebCore::EventHandler::dispatchMouseEvent (this=0x2b83fe61c9f0, eventType=@0x2b83f3d39868, targetNode=<value optimized out>, cancelable=<value optimized out>, clickCount=1, mouseEvent=@0x7fffb78a82c0, setUnder=<value optimized out>) at WebCore/page/EventHandler.cpp:1262 swallowEvent = <value optimized out> #40 0x00002b83f38200bf in WebCore::EventHandler::handleMouseReleaseEvent (this=0x2b83fe61c9f0, mouseEvent=@0x7fffb78a82c0) at WebCore/page/EventHandler.cpp:1084 mev = {m_event = {m_position = {m_x = 446, m_y = 391}, m_globalPosition = {m_x = 450, m_y = 455}, m_button = WebCore::LeftButton, m_eventType = WebCore::MouseEventReleased, m_clickCount = 0, m_shiftKey = false, m_ctrlKey = false, m_altKey = false, m_metaKey = false, m_timestamp = 228561197, m_modifierFlags = 3079308896}, m_hitTestResult = {m_innerNode = {m_ptr = 0x2b83ff4e38c0}, m_innerNonSharedNode = {m_ptr = 0x2b83ff4e38c0}, m_point = {m_x = 446, m_y = 1071}, m_localPoint = {m_x = 38, m_y = 12}, m_innerURLElement = {m_ptr = 0x0}, m_scrollbar = {m_ptr = 0x0}}} targetNode = <value optimized out> subframe = <value optimized out> swallowMouseUpEvent = false swallowClickEvent = <value optimized out> swallowMouseReleaseEvent = <value optimized out> #41 0x00002b83f3571209 in webkit_web_view_button_release_event (widget=0x66e3b0, event=0x871ac0) at WebKit/gtk/webkit/webkitwebview.cpp:359 priv = (WebKitWebViewPrivate *) 0x66e430 focusedFrame = (class WebCore::Frame *) 0x2b83fe61d228 #42 0x00002b83f44204df in _gtk_marshal_BOOLEAN__BOXED (closure=0x6358c0, return_value=0x7fffb78a8580, n_param_values=<value optimized out>, param_values=0x7fffb78a8660, invocation_hint=<value optimized out>, marshal_data=0x2b83f3571190) at /build/buildd/gtk+2.0-2.12.9/gtk/gtkmarshalers.c:84 data1 = (gpointer) 0x66e3b0 data2 = (gpointer) 0x7fffb78a74b0 v_return = <value optimized out> __PRETTY_FUNCTION__ = "_gtk_marshal_BOOLEAN__BOXED" #43 0x00002b83f489bb5f in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0 No symbol table info available. #44 0x00002b83f48af9d8 in ?? () from /usr/lib/libgobject-2.0.so.0 No symbol table info available. #45 0x00002b83f48b0d16 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0 No symbol table info available. #46 0x00002b83f48b13b3 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0 No symbol table info available. #47 0x00002b83f4527925 in gtk_widget_event_internal (widget=0x66e3b0, event=0x871ac0) at /build/buildd/gtk+2.0-2.12.9/gtk/gtkwidget.c:4678 signal_num = <value optimized out> return_val = 0 #48 0x00002b83f44197f2 in IA__gtk_propagate_event (widget=0x66e3b0, event=0x871ac0) at /build/buildd/gtk+2.0-2.12.9/gtk/gtkmain.c:2336 tmp = (GtkWidget *) 0x6da2c0 handled_event = <value optimized out> __PRETTY_FUNCTION__ = "IA__gtk_propagate_event" #49 0x00002b83f441a795 in IA__gtk_main_do_event (event=0x871ac0) at /build/buildd/gtk+2.0-2.12.9/gtk/gtkmain.c:1556 event_widget = (GtkWidget *) 0x66e3b0 grab_widget = (GtkWidget *) 0x66e3b0 window_group = (GtkWindowGroup *) 0x6da2c0 rewritten_event = (GdkEvent *) 0x0 tmp_list = <value optimized out> __PRETTY_FUNCTION__ = "IA__gtk_main_do_event" #50 0x00002b83f51e414c in gdk_event_dispatch (source=<value optimized out>, callback=<value optimized out>, user_data=<value optimized out>) at /build/buildd/gtk+2.0-2.12.9/gdk/x11/gdkevents-x11.c:2351 display = <value optimized out> event = (GdkEvent *) 0x871ac0 #51 0x00002b83f4b0a0b2 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0 No symbol table info available. #52 0x00002b83f4b0d356 in ?? () from /usr/lib/libglib-2.0.so.0 No symbol table info available. #53 0x00002b83f4b0d617 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0 No symbol table info available. #54 0x00002b83f441ab63 in IA__gtk_main () at /build/buildd/gtk+2.0-2.12.9/gtk/gtkmain.c:1163 tmp_list = (GList *) 0x62a8b0 functions = (GList *) 0x0 init = (GtkInitFunction *) 0x661280 loop = (GMainLoop *) 0x884460 #55 0x0000000000401eab in main (argc=2, argv=0x7fffb78a8d58) at WebKitTools/GtkLauncher/main.c:200 vbox = (GtkWidget *) 0x62a8b0 uri = <value optimized out>

FWIW, building without -O2 leads to a webkit that doesn't crash

It also happens on the Qt port.

It doesn't happen on x86

I can reproduce a crash that looks very similar to this while running SunSpider at http://webkit.org/perf/sunspider-0.9/sunspider.html in WebKitGtk on x86_64. I'll see if I can debug and track down the issue.

Simpler steps to reproduce: WebKitBuild/Release/Programs/testkjs -f SunSpider/tmp/sunspider-test-prefix.js -f SunSpider/tests/string-tagcloud.js

Ok, I think I've tracked down the problem: Collector::markCurrentThreadConservatively uses setjmp to force registers onto the stack. The setjmp implementation for x86-64 in glibc is the following: 0x00007f5f7d0c5e00 <__sigsetjmp+0>: mov %rbx,(%rdi) 0x00007f5f7d0c5e03 <__sigsetjmp+3>: mov %rbp,%rax 0x00007f5f7d0c5e06 <__sigsetjmp+6>: xor %fs:0x30,%rax 0x00007f5f7d0c5e0f <__sigsetjmp+15>: rol $0x11,%rax 0x00007f5f7d0c5e13 <__sigsetjmp+19>: mov %rax,0x8(%rdi) 0x00007f5f7d0c5e17 <__sigsetjmp+23>: mov %r12,0x10(%rdi) 0x00007f5f7d0c5e1b <__sigsetjmp+27>: mov %r13,0x18(%rdi) 0x00007f5f7d0c5e1f <__sigsetjmp+31>: mov %r14,0x20(%rdi) 0x00007f5f7d0c5e23 <__sigsetjmp+35>: mov %r15,0x28(%rdi) 0x00007f5f7d0c5e27 <__sigsetjmp+39>: lea 0x8(%rsp),%rdx 0x00007f5f7d0c5e2c <__sigsetjmp+44>: xor %fs:0x30,%rdx 0x00007f5f7d0c5e35 <__sigsetjmp+53>: rol $0x11,%rdx 0x00007f5f7d0c5e39 <__sigsetjmp+57>: mov %rdx,0x30(%rdi) 0x00007f5f7d0c5e3d <__sigsetjmp+61>: mov (%rsp),%rax 0x00007f5f7d0c5e41 <__sigsetjmp+65>: xor %fs:0x30,%rax 0x00007f5f7d0c5e4a <__sigsetjmp+74>: rol $0x11,%rax 0x00007f5f7d0c5e4e <__sigsetjmp+78>: mov %rax,0x38(%rdi) 0x00007f5f7d0c5e52 <__sigsetjmp+82>: jmpq 0x7f5f7d0c5e60 Two important things to note: only a subset of registers are saved, and several of those that are saved are mangled (xor'd with a magic value, then rotated left) to not look pointer-like. I suspect this may explain many, if not all, of the x86-64 specific crashers.

0xb7e4dcb0 <_setjmp+0>: xor %eax,%eax 0xb7e4dcb2 <_setjmp+2>: mov 0x4(%esp),%edx 0xb7e4dcb6 <_setjmp+6>: mov %ebx,(%edx) 0xb7e4dcb8 <_setjmp+8>: mov %esi,0x4(%edx) 0xb7e4dcbb <_setjmp+11>: mov %edi,0x8(%edx) 0xb7e4dcbe <_setjmp+14>: lea 0x4(%esp),%ecx 0xb7e4dcc2 <_setjmp+18>: xor %gs:0x18,%ecx 0xb7e4dcc9 <_setjmp+25>: rol $0x9,%ecx 0xb7e4dccc <_setjmp+28>: mov %ecx,0x10(%edx) 0xb7e4dccf <_setjmp+31>: mov (%esp),%ecx 0xb7e4dcd2 <_setjmp+34>: xor %gs:0x18,%ecx 0xb7e4dcd9 <_setjmp+41>: rol $0x9,%ecx 0xb7e4dcdc <_setjmp+44>: mov %ecx,0x14(%edx) 0xb7e4dcdf <_setjmp+47>: mov %ebp,0xc(%edx) 0xb7e4dce2 <_setjmp+50>: mov %eax,0x18(%edx) 0xb7e4dce5 <_setjmp+53>: ret i386 looks to have similar pointer-mangling behaviour in setjmp, so perhaps we should consider applying the fix for this to i386 too.

Ok, looks like I misspoke. It looks like GCC on Linux is ordering the local variables differently inside Collector::markCurrentThreadConservatively, which causes the address of dummy to no longer be that of the top of the stack. This means that markStackObjectsConservatively is effectively not scanning the registers at all.

It's usually not a good idea to depend on relative position of variables on the stack when using optimization. This also explains why it doesn't happen without optimization, as the stack is left alone.

Yup, definitely a bad idea to depend on it as the compiler is free to structure stack frames as it sees fit. I'm working on a fix which should be a lot less fragile than the current situation, though it still won't be quite perfect in this regard.

Had two different thoughts on how to solve this: <http://rafb.net/p/77WoeV92.txt> and <http://rafb.net/p/x6jxG810.txt>. Neither is 100% guaranteed to be portable and correct, but I can't think of any other method that is. I need to think on this further before deciding which should be reviewed.

*** Bug 18369 has been marked as a duplicate of this bug. ***

*** Bug 18368 has been marked as a duplicate of this bug. ***

*** Bug 18366 has been marked as a duplicate of this bug. ***

(In reply to comment #12) > Had two different thoughts on how to solve this: > <http://rafb.net/p/77WoeV92.txt> and <http://rafb.net/p/x6jxG810.txt>. Neither > is 100% guaranteed to be portable and correct, but I can't think of any other > method that is. I need to think on this further before deciding which should > be reviewed. FWIW, all the crashes I reported on amd64 (bugs 18366 to 18369) that had different backtraces are solved with both these patches.

Thanks for verifying that Mike! I had suspected that would be the case.

Created attachment 20464 [details] Patch

Created attachment 20465 [details] Patch

Comment on attachment 20465 [details] Patch r=me

Landed in r31787.

FWIW, I don't know yet if this is related, but I got a crash with gcc-4.3 with the following backtrace: [Thread debugging using libthread_db enabled] [New Thread 0x2ad6586adec0 (LWP 13452)] 0x00002ad64efedea5 in waitpid () from /lib/libpthread.so.0 #0 0x00002ad64efedea5 in waitpid () from /lib/libpthread.so.0 #1 0x00002ad64fdac5a6 in g_spawn_sync () from /usr/lib/libglib-2.0.so.0 #2 0x00002ad64fdac8b8 in g_spawn_command_line_sync () from /usr/lib/libglib-2.0.so.0 #3 0x00002ad6590274b3 in ?? () from /usr/lib/gtk-2.0/modules/libgnomebreakpad.so #4 <signal handler called> #5 0x00002ad64ebbe584 in KJS::JSGlobalObject::getOwnPropertySlot () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #6 0x00002ad64e88e0ad in WebCore::JSDOMWindow::customGetOwnPropertySlot () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #7 0x00002ad64e81c979 in WebCore::JSDOMWindow::getOwnPropertySlot () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #8 0x00002ad64ec081d2 in KJS::AssignResolveNode::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #9 0x00002ad64ec07cae in KJS::ExprStatementNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #10 0x00002ad64ebcaefd in KJS::BlockNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #11 0x00002ad64ec2544a in KJS::ProgramNode::execute () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #12 0x00002ad64ec1f879 in KJS::Interpreter::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #13 0x00002ad64e8a3511 in WebCore::KJSProxy::evaluate () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #14 0x00002ad64ea38608 in WebCore::FrameLoader::executeScript () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #15 0x00002ad64ea01995 in WebCore::HTMLTokenizer::scriptExecution () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #16 0x00002ad64ea04ce9 in WebCore::HTMLTokenizer::scriptHandler () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #17 0x00002ad64ea053e8 in WebCore::HTMLTokenizer::parseSpecial () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #18 0x00002ad64ea070f0 in WebCore::HTMLTokenizer::parseTag () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #19 0x00002ad64ea07987 in WebCore::HTMLTokenizer::write () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #20 0x00002ad64ea01e68 in WebCore::HTMLTokenizer::notifyFinished () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #21 0x00002ad64ea1a60c in WebCore::CachedScript::checkNotify () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #22 0x00002ad64ea1ab22 in WebCore::CachedScript::data () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #23 0x00002ad64ea463fc in WebCore::Loader::Host::didFinishLoading () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #24 0x00002ad64ea56653 in WebCore::SubresourceLoader::didFinishLoading () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #25 0x00002ad64eb79fb7 in WebCore::ResourceHandleManager::downloadTimerCallback () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #26 0x00002ad64eacb203 in WebCore::TimerBase::fireTimers () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #27 0x00002ad64eacb2be in WebCore::TimerBase::sharedTimerFired () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #28 0x00002ad64e7e2a12 in WebCore::timeout_cb () from /home/mh/git/webkit/.libs/libwebkit-1.0.so.1 #29 0x00002ad64fd790f2 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0 #30 0x00002ad64fd7c396 in ?? () from /usr/lib/libglib-2.0.so.0 #31 0x00002ad64fd7c657 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0 #32 0x00002ad64f689b63 in IA__gtk_main () at /build/buildd/gtk+2.0-2.12.9/gtk/gtkmain.c:1163 #33 0x0000000000401eeb in main () This happens both with r31789 and r31722 + the patch from r31787 (which means it's not a regression since r31722). I doubt this patch to be responsible, though just to make sure, I will try a build without it. Please tell me if I should file a new bug with this information right now or if you think it is yet the same issue raising on a different form with gcc 4.3.

btw, you don't even need to start the test to get this (new) crash

Confirmed. This crashes with plain r31722.

Please file a new bug report on that Mike.

Already did ;) Bug 18430

*** Bug 18108 has been marked as a duplicate of this bug. ***