Bug 24326 - RESOLVED DUPLICATE of bug 25033
WebKit Gtk built with gcc4.4 and -O2 crashes and has layout issues
https://bugs.webkit.org/show_bug.cgi?id=24326
Martin Sourada
Reported 2009-03-03 09:54:59 PST
JS crashes and layout has issues when WebKit/GTK is built with gcc 4.4 with the -O2 option (recently made default on Fedora Rawhide). Here's an example of the layout issues: http://www.declera.com/~yaneti/webkit-gcc-rend.png

Here's a backtrace from a JS crash from midori:

#0 WTF::dtoa (d=63232, ndigits=<value optimized out>, decpt=<value optimized out>, sign=<value optimized out>, rve=<value optimized out>) at JavaScriptCore/wtf/dtoa.cpp:2170
#1 0x00002aaaab3e76e3 in JSC::UString::from (d=0) at JavaScriptCore/runtime/UString.cpp:929
#2 0x00002aaaab43484c in jscyyparse (globalPtr=<value optimized out>) at JavaScriptCore/parser/Grammar.y:318
#3 0x00002aaaab43b1b7 in JSC::Parser::parse (this=0x2aaab65f4240, globalData=0x2aaab65ff400, errLine=0x7fffffff01dc, errMsg=0x7fffffff01d0) at JavaScriptCore/parser/Parser.cpp:58
#4 0x00002aaaab43b28f in JSC::Parser::reparseInPlace (this=0x4, globalData=0x40eee000, functionBodyNode=0x2aaab74acc60) at JavaScriptCore/parser/Parser.cpp:77
#5 0x00002aaaab43bbfb in JSC::FunctionBodyNode::generateBytecode (this=0x2aaab74acc60, scopeChainNode=0x2aaab49bc618) at JavaScriptCore/parser/Nodes.cpp:2617
#6 0x00002aaaab38f282 in JSC::FunctionBodyNode::bytecode () at JavaScriptCore/parser/Nodes.h:2194
#7 JSC::Interpreter::privateExecute (this=0x2aaab6601b00, flag=<value optimized out>, registerFile=<value optimized out>, callFrame=0x2aaab6657048, exception=<value optimized out>) at JavaScriptCore/interpreter/Interpreter.cpp:3290
#8 0x00002aaaab39180b in JSC::Interpreter::execute (this=0x2aaab6601b00, programNode=0x2aaac448e510, callFrame=0x2aaab6b9c808, scopeChain=<value optimized out>, thisObj=<value optimized out>, exception=<value optimized out>) at JavaScriptCore/interpreter/Interpreter.cpp:870
#9 0x00002aaaab43d401 in JSC::evaluate (exec=0x2aaab6b9c808, scopeChain=@0x2aaab6b9c7c0, source=@0x7fffffffd260, thisValue=<value optimized out>) at JavaScriptCore/runtime/Completion.cpp:67
#10 0x00002aaaaad8e14b in WebCore::ScriptController::evaluate (this=0x2aaaabbb6bd8, sourceCode=@0x7fffffffd260) at WebCore/bindings/js/ScriptController.cpp:114
#11 0x00002aaaaafe8f9b in WebCore::FrameLoader::executeScript (this=0x2aaaabbb6850, sourceCode=@0x7fffffffd260) at WebCore/loader/FrameLoader.cpp:781
#12 0x00002aaaaaf867da in WebCore::HTMLTokenizer::scriptExecution (this=0x2aaab6637800, sourceCode=@0x7fffffffd260, state=<value optimized out>) at WebCore/html/HTMLTokenizer.cpp:563
#13 0x00002aaaaaf86ebf in WebCore::HTMLTokenizer::notifyFinished (this=0x2aaab6637800) at WebCore/html/HTMLTokenizer.cpp:1986
#14 0x00002aaaaafbe4cc in WebCore::CachedScript::checkNotify (this=0x2aaab6c42200) at WebCore/loader/CachedScript.cpp:108
#15 0x00002aaaab00cb7d in WebCore::Loader::Host::didFinishLoading (this=0x2aaab6c2dc60, loader=0x2aaab48e1500) at WebCore/loader/loader.cpp:304
#16 0x00002aaaaaffbb7f in WebCore::SubresourceLoader::didFinishLoading (this=0x2aaab48e1500) at WebCore/loader/SubresourceLoader.cpp:183
#17 0x00002aaaab1af93e in finishedCallback (session=<value optimized out>, msg=0x1560450, data=<value optimized out>) at WebCore/platform/network/soup/ResourceHandleSoup.cpp:285
#18 0x0000003164a320a4 in final_finished (req=0x1560450, user_data=<value optimized out>) at soup-session-async.c:329
#19 0x000000314de0b8ee in IA__g_closure_invoke (closure=0x151bce0, return_value=0x0, n_param_values=1, param_values=0x1577800, invocation_hint=0x7fffffffd5e0) at gclosure.c:767
#20 0x000000314de22527 in signal_emit_unlocked_R (node=0x158bb40, detail=<value optimized out>, instance=<value optimized out>, emission_return=<value optimized out>, instance_and_params=<value optimized out>) at gsignal.c:3314
#21 0x000000314de232de in IA__g_signal_emit_valist (instance=0x1560450, signal_id=<value optimized out>, detail=0, var_args=0x7fffffffd7d0) at gsignal.c:2977
#22 0x000000314de23873 in IA__g_signal_emit (instance=0x4, signal_id=1089396736, detail=2147483648) at gsignal.c:3034
#23 0x0000003164a296b5 in soup_message_io_finished (msg=0x1560450) at soup-message-io.c:172
#24 0x000000314de0b8ee in IA__g_closure_invoke (closure=0x1511b70, return_value=0x0, n_param_values=1, param_values=0x1616400, invocation_hint=0x7fffffffda00) at gclosure.c:767
#25 0x000000314de21ef8 in signal_emit_unlocked_R (node=0x176d610, detail=<value optimized out>, instance=<value optimized out>, emission_return=<value optimized out>, instance_and_params=<value optimized out>) at gsignal.c:3244
#26 0x000000314de232de in IA__g_signal_emit_valist (instance=0x14ffb30, signal_id=<value optimized out>, detail=0, var_args=0x7fffffffdbf0) at gsignal.c:2977
#27 0x000000314de23873 in IA__g_signal_emit (instance=0x4, signal_id=1089396736, detail=2147483648) at gsignal.c:3034
#28 0x0000003164a33da2 in socket_read_watch (chan=<value optimized out>, cond=0, user_data=0x14ffb30) at soup-socket.c:1049
#29 0x000000314d23812e in g_main_dispatch (context=<value optimized out>) at gmain.c:1814
#30 IA__g_main_context_dispatch (context=0x6ad630) at gmain.c:2367
#31 0x000000314d23b888 in g_main_context_iterate (context=0x6ad630, block=<value optimized out>, dispatch=<value optimized out>, self=<value optimized out>) at gmain.c:2448
#32 0x000000314d23bd25 in IA__g_main_loop_run (loop=0x7faf40) at gmain.c:2656
#33 0x0000003154744a57 in IA__gtk_main () at gtkmain.c:1205
#34 0x000000000041c028 in main ()

Downstream bug at https://bugzilla.redhat.com/show_bug.cgi?id=488112 and related bug at https://bugzilla.redhat.com/show_bug.cgi?id=488163

I am able to reproduce these issues on r41071 (but it seems older/newer revisions are affected as well). It looks like building without -O2 makes these issues disappear.
Martin Sourada
Comment 1 2009-03-03 10:04:52 PST
Note that one of the pages that brings an instant crash for me is http://jisho.org/
Mamoru Tasaka
Comment 2 2009-03-06 05:13:16 PST
As I wrote in RH bug https://bugzilla.redhat.com/show_bug.cgi?id=488112, this seems to be an aliasing issue. Actually, compiling libJavaScriptCore.a with -fno-strict-aliasing seems to fix this issue. When compiled with -O2 (Fedora uses -O2 by default, and -O2 implies -fstrict-aliasing), the build log shows some warnings related to the aliasing issue. Note that nspr currently has a similar issue: https://bugzilla.redhat.com/show_bug.cgi?id=487844
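An added illustration, not code from the bug report or from WebKit: the kind of type punning classic dtoa-style code does (a double's 32-bit halves accessed through uint32_t pointers) beside the memcpy form that stays well-defined under -fstrict-aliasing, fed with the d=63232 value from the backtrace. The function names are mine, the punned version assumes little-endian word order, and whether WebKit's dtoa.cpp at r41071 used this exact pointer-cast form is an assumption the page does not confirm.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical dtoa-style punning: the high half of a double written through
 * a uint32_t pointer (little-endian assumed). This violates strict aliasing,
 * so under -fstrict-aliasing (implied by gcc -O2) the optimizer may assume d
 * was never modified; gcc -O2 warns about the type-punned dereference. */
double negate_punned(double d)
{
    ((uint32_t *)&d)[1] ^= 0x80000000u;   /* undefined behaviour */
    return d;
}

/* Well-defined alternative: move the object representation with memcpy. */
static uint64_t bits_of(double d) { uint64_t b; memcpy(&b, &d, sizeof b); return b; }
static double double_of(uint64_t b) { double d; memcpy(&d, &b, sizeof d); return d; }

double negate_safe(double d)
{
    return double_of(bits_of(d) ^ (UINT64_C(1) << 63));
}

/* High 32 bits of the representation (dtoa's "word0"), endian-independent. */
uint32_t word0_safe(double d)
{
    return (uint32_t)(bits_of(d) >> 32);
}

/* Unbiased binary exponent of a finite non-zero double, read from word0. */
int exponent_of(double d)
{
    return (int)((word0_safe(d) >> 20) & 0x7ffu) - 1023;
}

int main(void)
{   /* 63232 is the d argument to WTF::dtoa in the reported backtrace */
    printf("word0=0x%08x exp=%d neg=%g punned=%g\n", word0_safe(63232.0),
           exponent_of(63232.0), negate_safe(63232.0), negate_punned(63232.0));
    return 0;
}
```

word0_safe(63232.0) is 0x40eee000, a value that also happens to appear as the globalData argument in frame #4 of the backtrace above.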
Xan Lopez
Comment 3 2009-04-05 13:58:35 PDT
Sorry, I opened a bug about this without realizing there was already one. I've attached a patch there, so I'll close this one as duplicate. *** This bug has been marked as a duplicate of 25033 ***