Bug 21234 - JavaScript crash for all pages in op_get_by_id_chain opcode
Summary: JavaScript crash for all pages in op_get_by_id_chain opcode
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: PC Windows XP
: P2 Critical
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-09-30 01:31 PDT by Michael Goffioul
Modified: 2010-03-04 02:04 PST (History)
1 user (show)

See Also:

Attachments
Remove NEXT_OPCODE calls within embedded while-loops (1.25 KB, patch)
2008-10-02 01:37 PDT, Michael Goffioul 		no flags Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Goffioul 2008-09-30 01:31:23 PDT 
I have compiled WebKit/GTK (SVN from yesterday) on Windows XP with VC++ 2005. WebKit is configured to use Pango rendering and cURL networking. I am using the GtkLauncher test program and pre-defined http_proxy variable (as I am behind a proxy server).

I try to load the page http://www.lesoir.be (but the problem occur for any page containing javascript) and always a crash with the backtrace below. When the crash occur, baseObject (in Machine::privateExecute) is always 0x00000002 (as fas as I can tell, this seems to indicate the immediate jsNull value).

0 libwebkit-1.0-1.dll!JSC::JSCell::structureID()  Line 133 + 0x3 bytes
1 libwebkit-1.0-1.dll!JSC::Machine::privateExecute(JSC::Machine::ExecutionFlag flag=Normal, JSC::ExecState * exec=0x0012d9f4, JSC::RegisterFile * registerFile=0x7feb649c, JSC::Register * r=0x7fc6842c, JSC::ScopeChainNode * scopeChain=0x7f659050, JSC::JSValue * * exception=0x0012e598)  Line 2564 + 0xb bytes
2 libwebkit-1.0-1.dll!JSC::Machine::execute(JSC::FunctionBodyNode * functionBodyNode=0x7f507a00, JSC::ExecState * exec=0x0012e590, JSC::JSFunction * function=0x01b8afc0, JSC::JSObject * thisObj=0x01af2a00, const JSC::ArgList & args={...}, JSC::ScopeChainNode * scopeChain=0x7ff442f0, JSC::JSValue * * exception=0x0012e598)  Line 986 + 0x21 bytes
3 libwebkit-1.0-1.dll!JSC::JSFunction::call(JSC::ExecState * exec=0x0012e590, JSC::JSValue * thisValue=0x01af2a00, const JSC::ArgList & args={...})  Line 71
4 libwebkit-1.0-1.dll!JSC::call(JSC::ExecState * exec=0x0012e590, JSC::JSValue * functionObject=0x01b8afc0, JSC::CallType callType=CallTypeJS, const JSC::CallData & callData={...}, JSC::JSValue * thisValue=0x01af2a00, const JSC::ArgList & args={...})  Line 40
5 libwebkit-1.0-1.dll!JSC::functionProtoFuncApply(JSC::ExecState * exec=0x0012e590, JSC::JSObject * __formal=0x01af18a0, JSC::JSValue * thisValue=0x01b8afc0, const JSC::ArgList & args={...})  Line 114 + 0x1d bytes
6 libwebkit-1.0-1.dll!JSC::Machine::privateExecute(JSC::Machine::ExecutionFlag flag=Normal, JSC::ExecState * exec=0x0012e590, JSC::RegisterFile * registerFile=0x7feb649c, JSC::Register * r=0x7fc681a8, JSC::ScopeChainNode * scopeChain=0x7f6dcef0, JSC::JSValue * * exception=0x0012f134)  Line 3327 + 0x1f bytes
7 libwebkit-1.0-1.dll!JSC::Machine::execute(JSC::FunctionBodyNode * functionBodyNode=0x7f635280, JSC::ExecState * exec=0x0012f12c, JSC::JSFunction * function=0x01b8af40, JSC::JSObject * thisObj=0x01af2a00, const JSC::ArgList & args={...}, JSC::ScopeChainNode * scopeChain=0x7f6dcef0, JSC::JSValue * * exception=0x0012f134)  Line 986 + 0x21 bytes
8 libwebkit-1.0-1.dll!JSC::JSFunction::call(JSC::ExecState * exec=0x0012f12c, JSC::JSValue * thisValue=0x01af2a00, const JSC::ArgList & args={...})  Line 71
9 libwebkit-1.0-1.dll!JSC::call(JSC::ExecState * exec=0x0012f12c, JSC::JSValue * functionObject=0x01b8af40, JSC::CallType callType=CallTypeJS, const JSC::CallData & callData={...}, JSC::JSValue * thisValue=0x01af2a00, const JSC::ArgList & args={...})  Line 40
10 libwebkit-1.0-1.dll!JSC::functionProtoFuncApply(JSC::ExecState * exec=0x0012f12c, JSC::JSObject * __formal=0x01af18a0, JSC::JSValue * thisValue=0x01b8af40, const JSC::ArgList & args={...})  Line 114 + 0x1d bytes
11 libwebkit-1.0-1.dll!JSC::Machine::privateExecute(JSC::Machine::ExecutionFlag flag=Normal, JSC::ExecState * exec=0x0012f12c, JSC::RegisterFile * registerFile=0x7feb649c, JSC::Register * r=0x7fc6814c, JSC::ScopeChainNode * scopeChain=0x7f613f00, JSC::JSValue * * exception=0x0012fcbc)  Line 3327 + 0x1f bytes
12 libwebkit-1.0-1.dll!JSC::Machine::execute(JSC::FunctionBodyNode * functionBodyNode=0x7f635000, JSC::ExecState * exec=0x0012fcb4, JSC::JSFunction * function=0x01b89300, JSC::JSObject * thisObj=0x01b8af40, const JSC::ArgList & args={...}, JSC::ScopeChainNode * scopeChain=0x7f613f00, JSC::JSValue * * exception=0x0012fcbc)  Line 986 + 0x21 bytes
13 libwebkit-1.0-1.dll!JSC::JSFunction::call(JSC::ExecState * exec=0x0012fcb4, JSC::JSValue * thisValue=0x01b8af40, const JSC::ArgList & args={...})  Line 71
14 libwebkit-1.0-1.dll!JSC::call(JSC::ExecState * exec=0x0012fcb4, JSC::JSValue * functionObject=0x01b89300, JSC::CallType callType=CallTypeJS, const JSC::CallData & callData={...}, JSC::JSValue * thisValue=0x01b8af40, const JSC::ArgList & args={...})  Line 40
15 libwebkit-1.0-1.dll!JSC::functionProtoFuncCall(JSC::ExecState * exec=0x0012fcb4, JSC::JSObject * __formal=0x01af18e0, JSC::JSValue * thisValue=0x01b89300, const JSC::ArgList & args={...})  Line 134 + 0x1d bytes
16 libwebkit-1.0-1.dll!JSC::Machine::privateExecute(JSC::Machine::ExecutionFlag flag=Normal, JSC::ExecState * exec=0x0012fcb4, JSC::RegisterFile * registerFile=0x7feb649c, JSC::Register * r=0x7fc680b8, JSC::ScopeChainNode * scopeChain=0x7f659050, JSC::JSValue * * exception=0x7ff460a8)  Line 3327 + 0x1f bytes
17 libwebkit-1.0-1.dll!JSC::Machine::execute(JSC::FunctionBodyNode * functionBodyNode=0x7f638780, JSC::ExecState * exec=0x7ff460a0, JSC::JSFunction * function=0x01b8b400, JSC::JSObject * thisObj=0x01af0000, const JSC::ArgList & args={...}, JSC::ScopeChainNode * scopeChain=0x7f613e80, JSC::JSValue * * exception=0x7ff460a8)  Line 986 + 0x21 bytes
18 libwebkit-1.0-1.dll!JSC::JSFunction::call(JSC::ExecState * exec=0x7ff460a0, JSC::JSValue * thisValue=0x01af0000, const JSC::ArgList & args={...})  Line 71
19 libwebkit-1.0-1.dll!JSC::call(JSC::ExecState * exec=0x7ff460a0, JSC::JSValue * functionObject=0x01b8b400, JSC::CallType callType=CallTypeJS, const JSC::CallData & callData={...}, JSC::JSValue * thisValue=0x01af0000, const JSC::ArgList & args={...})  Line 40
20 libwebkit-1.0-1.dll!WebCore::ScheduledAction::execute(WebCore::JSDOMWindowShell * windowShell=0x01af0000)  Line 74 + 0x21 bytes
21 libwebkit-1.0-1.dll!WebCore::JSDOMWindowBase::timerFired(WebCore::DOMWindowTimer * timer=0x00000001)  Line 1648
22 libwebkit-1.0-1.dll!WebCore::DOMWindowTimer::fired()  Line 1699
23 libwebkit-1.0-1.dll!WebCore::TimerBase::fireTimers(double fireTime=1222762294.6899381, const WTF::Vector<WebCore::TimerBase *,0> & firingTimers={...})  Line 350
24 libwebkit-1.0-1.dll!WebCore::TimerBase::sharedTimerFired()  Line 368 + 0x17 bytes
25 libwebkit-1.0-1.dll!WebCore::timeout_cb(void * __formal=0x00000000)  Line 49
Comment 1 Michael Goffioul 2008-10-02 01:37:03 PDT 
Created attachment 24011 [details]
Remove NEXT_OPCODE calls within embedded while-loops

I think I found the problem: NEXT_OPCODE translates to a simple "continue"
statement under MSVC (there's no computed goto). As a result, you can't
use NEXT_OPCODE within an embedded while-loop, as it will wrongly jump
to the nearest while-loop. I found 2 occurrences of this problem. Patch
attached. The patch is not very elegant, but it works.
Comment 2 Oliver Hunt 2010-03-04 02:04:38 PST 
This has been fixed in tot, a goto is now used:
#define NEXT_INSTRUCTION() SAMPLE(callFrame->codeBlock(), vPC); goto interpreterLoopStart