RESOLVED FIXED Bug 26390
WebKitGtk+/JavaScriptCore segfault on a specific page when built with gcc 4.4
https://bugs.webkit.org/show_bug.cgi?id=26390
Adrian Bunk
Reported 2009-06-14 14:28:39 PDT
- Liferea 1.6 or Midori 0.1.7
- WebKitGtk+ 1.1.9 built with the gcc/g++ 4.4.0-6 from Debian unstable (works when built with gcc 4.3)
- go to http://freakonomics.blogs.nytimes.com/2008/08/19/are-the-fbis-probabilities-about-dna-matches-crazy/

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ff936e747f0 (LWP 4418)]
JSC::RegExp::match (this=0x7ff924d3dd80, s=@0x7fff7ed16ff0, startOffset=0, ovector=0x4) at ../JavaScriptCore/wtf/OwnArrayPtr.h:55
55          void safeDelete() { typedef char known[sizeof(T) ? 1 : -1]; if (sizeof(known)) delete [] m_ptr; }
Current language:  auto; currently c++
(gdb) bt
#0  JSC::RegExp::match (this=0x7ff924d3dd80, s=@0x7fff7ed16ff0, startOffset=0, ovector=0x4) at ../JavaScriptCore/wtf/OwnArrayPtr.h:55
#1  0x00007ff932d0de0e in JSC::RegExpConstructor::performMatch (this=0x7ff926be1b00, r=0x7ff924d3dd80, s=@0x7fff7ed16ff0, startOffset=22, position=@0x7ff926905660, length=@0x6, ovector=0x0) at ../JavaScriptCore/runtime/RegExpConstructor.cpp:125
#2  0x00007ff932d5b225 in JSC::RegExpObject::match (this=0x7ff924a090c0, exec=<value optimized out>, args=<value optimized out>) at ../JavaScriptCore/runtime/RegExpObject.cpp:147
#3  0x00007ff932d5b409 in JSC::RegExpObject::test (this=0x7ff924a9bc90, exec=0x17, args=@0x16) at ../JavaScriptCore/runtime/RegExpObject.cpp:112
#4  0x00007ff932d5b48c in regExpProtoFuncTest (exec=0x7ff924f65718, thisValue={m_ptr = 0x7ff924a090c0}, args=@0x7ff926905660) at ../JavaScriptCore/runtime/RegExpPrototype.cpp:63
#5  0x00007ff936db42f4 in ?? ()
#6  0x00007ff924f656d0 in ?? ()
#7  0x0000000000000001 in ?? ()
#8  0x0000000000000000 in ?? ()
Attachments
trace with JIT disabled (5.08 KB, text/plain)
2009-06-15 08:22 PDT, Adrian Bunk
Adrian Bunk
Comment 1 2009-06-15 08:22:33 PDT
Created attachment 31291: trace with JIT disabled

First of all, I forgot to mention that I'm on amd64. With JIT disabled, there's this different trace.
Adrian Bunk
Comment 2 2009-08-11 04:39:42 PDT
Just checked the status of this issue: Crashes still happen with 1.1.10. No crashes with 1.1.11 and 1.1.12. It seems whatever caused it was fixed in WebKitGTK+ 1.1.11.