Bug 27764 - Application using webkit crashes on debug compilation
Summary: Application using webkit crashes on debug compilation
Status: RESOLVED WORKSFORME
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: PC Linux
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-07-28 06:40 PDT by Luka Napotnik
Modified: 2010-10-28 06:11 PDT (History)
CC List: 2 users

See Also:


Attachments

Description Luka Napotnik 2009-07-28 06:40:25 PDT
I've compiled webkit with the following configure flags: --prefix=/usr --enable-debug --disable-optimizations.

git sha1 is 3f36fc466ba6817716310998f3dcef96161068bd

While the Gtk+ program that uses webkit worked when compiled without the --enable-debug and --disable-optimizations flags, it now crashes, producing the following backtrace when trying to visit google.com:

Program received signal SIGSEGV, Segmentation fault.
0x00007f2d6a1b43cc in JSC::JIT::compileGetByIdSlowCase (this=0x7fff73dfe400, resultVReg=1, baseVReg=-16, ident=0x2e32b48, iter=@0x7fff73dfe1c0, propertyAccessInstructionIndex=8, isMethodCheck=false)
    at JavaScriptCore/jit/JITPropertyAccess.cpp:335
335	    ASSERT(differenceBetween(coldPathBegin, call) == patchOffsetGetByIdSlowCaseCall);
(gdb) bt
#0  0x00007f2d6a1b43cc in JSC::JIT::compileGetByIdSlowCase (this=0x7fff73dfe400, resultVReg=1, baseVReg=-16, ident=0x2e32b48, iter=@0x7fff73dfe1c0, propertyAccessInstructionIndex=8, isMethodCheck=false)
    at JavaScriptCore/jit/JITPropertyAccess.cpp:335
#1  0x00007f2d6a1b4486 in JSC::JIT::emitSlow_op_get_by_id (this=0x7fff73dfe400, currentInstruction=0x2e343c0, iter=@0x7fff73dfe1c0) at JavaScriptCore/jit/JITPropertyAccess.cpp:313
#2  0x00007f2d6a1a02c7 in JSC::JIT::privateCompileSlowCases (this=0x7fff73dfe400) at JavaScriptCore/jit/JIT.cpp:350
#3  0x00007f2d6a1a22b9 in JSC::JIT::privateCompile (this=0x7fff73dfe400) at JavaScriptCore/jit/JIT.cpp:425
#4  0x00007f2d6a1e1821 in JSC::JIT::compile (globalData=0x2dfd410, codeBlock=0x2e15ac0) at ./JavaScriptCore/jit/JIT.h:339
#5  0x00007f2d6a266783 in JSC::ProgramNode::generateJITCode (this=0x2e15710, scopeChainNode=0x2e00640) at JavaScriptCore/parser/Nodes.cpp:1908
#6  0x00007f2d6a1f4f68 in JSC::ProgramNode::jitCode (this=0x2e15710, scopeChain=0x2e00640) at ./JavaScriptCore/parser/Nodes.h:1487
#7  0x00007f2d6a1e5c54 in JSC::Interpreter::execute (this=0x2dffcc0, programNode=0x2e15710, callFrame=0x2e00388, scopeChain=0x2e00640, thisObj=0x7f2d5bac0000, exception=0x7fff73dfe810)
    at JavaScriptCore/interpreter/Interpreter.cpp:630
#8  0x00007f2d6a296667 in JSC::evaluate (exec=0x2e00388, scopeChain=@0x2e00340, source=@0x7fff73dfee58, thisValue={m_ptr = 0x7f2d5bac0000}) at JavaScriptCore/runtime/Completion.cpp:67
#9  0x00007f2d6a343b89 in WebCore::ScriptController::evaluate (this=0x1918948, sourceCode=@0x7fff73dfee50) at WebCore/bindings/js/ScriptController.cpp:114
#10 0x00007f2d6a60fcf6 in WebCore::FrameLoader::executeScript (this=0x1918540, sourceCode=@0x7fff73dfee50) at WebCore/loader/FrameLoader.cpp:765
#11 0x00007f2d6a598f0a in WebCore::HTMLTokenizer::scriptExecution (this=0x194a3d0, sourceCode=@0x7fff73dfee50, state={static EntityShift = 4, m_bits = 0}) at WebCore/html/HTMLTokenizer.cpp:561
#12 0x00007f2d6a599bd1 in WebCore::HTMLTokenizer::scriptHandler (this=0x194a3d0, state={static EntityShift = 4, m_bits = 0}) at WebCore/html/HTMLTokenizer.cpp:503
#13 0x00007f2d6a59a36c in WebCore::HTMLTokenizer::parseNonHTMLText (this=0x194a3d0, src=@0x194ae70, state={static EntityShift = 4, m_bits = 128}) at WebCore/html/HTMLTokenizer.cpp:350
#14 0x00007f2d6a59d30f in WebCore::HTMLTokenizer::write (this=0x194a3d0, str=@0x7fff73dff110, appendData=true) at WebCore/html/HTMLTokenizer.cpp:1690
#15 0x00007f2d6a60eda5 in WebCore::FrameLoader::write (this=0x1918540, 
    str=0x7fff73dff940 "p,500)};\nwindow._gjp && _gjp()</script><style>td{line-height:.8em;}.gac_m td{line-height:17px;}form{margin-bottom:20px;}body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#36c}.q{color:#00c}.ts td{p"..., len=3040, flush=false) at WebCore/loader/FrameLoader.cpp:1020
#16 0x00007f2d6a60eed9 in WebCore::FrameLoader::addData (this=0x1918540, 
    bytes=0x7fff73dff940 "p,500)};\nwindow._gjp && _gjp()</script><style>td{line-height:.8em;}.gac_m td{line-height:17px;}form{margin-bottom:20px;}body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#36c}.q{color:#00c}.ts td{p"..., length=3040) at WebCore/loader/FrameLoader.cpp:1780
#17 0x00007f2d6a166127 in WebKit::FrameLoaderClient::committedLoad (this=0x1916a40, loader=0x2dbf400, 
    data=0x7fff73dff940 "p,500)};\nwindow._gjp && _gjp()</script><style>td{line-height:.8em;}.gac_m td{line-height:17px;}form{margin-bottom:20px;}body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#36c}.q{color:#00c}.ts td{p"..., length=3040) at WebKit/gtk/WebCoreSupport/FrameLoaderClientGtk.cpp:141
#18 0x00007f2d6a6060a6 in WebCore::FrameLoader::committedLoad (this=0x1918540, loader=0x2dbf400, 
    data=0x7fff73dff940 "p,500)};\nwindow._gjp && _gjp()</script><style>td{line-height:.8em;}.gac_m td{line-height:17px;}form{margin-bottom:20px;}body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#36c}.q{color:#00c}.ts td{p"..., length=3040) at WebCore/loader/FrameLoader.cpp:3610
#19 0x00007f2d6a5f0bb7 in WebCore::DocumentLoader::commitLoad (this=0x2dbf400, 
    data=0x7fff73dff940 "p,500)};\nwindow._gjp && _gjp()</script><style>td{line-height:.8em;}.gac_m td{line-height:17px;}form{margin-bottom:20px;}body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#36c}.q{color:#00c}.ts td{p"..., length=3040) at WebCore/loader/DocumentLoader.cpp:361
#20 0x00007f2d6a5f0c10 in WebCore::DocumentLoader::receivedData (this=0x2dbf400, 
    data=0x7fff73dff940 "p,500)};\nwindow._gjp && _gjp()</script><style>td{line-height:.8em;}.gac_m td{line-height:17px;}form{margin-bottom:20px;}body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#36c}.q{color:#00c}.ts td{p"..., length=3040) at WebCore/loader/DocumentLoader.cpp:373
#21 0x00007f2d6a609a5d in WebCore::FrameLoader::receivedData (this=0x1918540, 
    data=0x7fff73dff940 "p,500)};\nwindow._gjp && _gjp()</script><style>td{line-height:.8em;}.gac_m td{line-height:17px;}form{margin-bottom:20px;}body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#36c}.q{color:#00c}.ts td{p"..., length=3040) at WebCore/loader/FrameLoader.cpp:2432
#22 0x00007f2d6a61faae in WebCore::MainResourceLoader::addData (this=0x2dc3c10, 
    data=0x7fff73dff940 "p,500)};\nwindow._gjp && _gjp()</script><style>td{line-height:.8em;}.gac_m td{line-height:17px;}form{margin-bottom:20px;}body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#36c}.q{color:#00c}.ts td{p"..., length=3040, allAtOnce=false) at WebCore/loader/MainResourceLoader.cpp:148
#23 0x00007f2d6a626f2a in WebCore::ResourceLoader::didReceiveData (this=0x2dc3c10, 
    data=0x7fff73dff940 "p,500)};\nwindow._gjp && _gjp()</script><style>td{line-height:.8em;}.gac_m td{line-height:17px;}form{margin-bottom:20px;}body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#36c}.q{color:#00c}.ts td{p"..., length=3040, lengthReceived=0, allAtOnce=false) at WebCore/loader/ResourceLoader.cpp:257
#24 0x00007f2d6a61eb7c in WebCore::MainResourceLoader::didReceiveData (this=0x2dc3c10, 
    data=0x7fff73dff940 "p,500)};\nwindow._gjp && _gjp()</script><style>td{line-height:.8em;}.gac_m td{line-height:17px;}form{margin-bottom:20px;}body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#36c}.q{color:#00c}.ts td{p"..., length=3040, lengthReceived=0, allAtOnce=false) at WebCore/loader/MainResourceLoader.cpp:360
#25 0x00007f2d6a626335 in WebCore::ResourceLoader::didReceiveData (this=0x2dc3c10, 
    data=0x7fff73dff940 "p,500)};\nwindow._gjp && _gjp()</script><style>td{line-height:.8em;}.gac_m td{line-height:17px;}form{margin-bottom:20px;}body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#36c}.q{color:#00c}.ts td{p"..., length=3040, lengthReceived=0) at WebCore/loader/ResourceLoader.cpp:411
#26 0x00007f2d6aa13d3d in gotChunkCallback (msg=0x2dc28e0, chunk=0x2dd2040, data=0x2dbe320) at WebCore/platform/network/soup/ResourceHandleSoup.cpp:303
Comment 1 Luka Napotnik 2009-07-29 00:53:51 PDT
Here are the values of local variables in JSC::JIT::compileGetByIdSlowCase()

(gdb) info locals
coldPathBegin = {m_label = {m_offset = 3223, m_used = false}}
stubCall = {m_jit = 0x7fff92e50220, m_stub = 0x7fea89215045, 
  m_returnType = JSC::JITStubCall::Value, m_argumentIndex = 3}
call = {m_jmp = {m_offset = 3261}, 
  m_flags = JSC::AbstractMacroAssembler<JSC::X86Assembler>::Call::Linkable}
__PRETTY_FUNCTION__ = "void JSC::JIT::compileGetByIdSlowCase(int, int, JSC::Identifier*, JSC::SlowCaseEntry*&, unsigned int, bool)"
Comment 2 Luka Napotnik 2009-07-29 02:27:44 PDT
I think the currentInstruction is messed up in JIT::emitSlow_op_get_by_id(). The baseVReg variable is 4294967280. This function is called by JSC::JIT::privateCompileSlowCases()
Comment 3 Csaba Osztrogonác 2010-05-12 14:57:27 PDT
Is this bug still valid or can we close it?
Comment 4 Xan Lopez 2010-10-28 06:11:38 PDT
Works fine here. Please reopen if you can still reproduce with ToT.
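Added illustration (not WebKit's code and not part of this report): the ASSERT at JavaScriptCore/jit/JITPropertyAccess.cpp:335 compares the byte distance between the start of the cold path and the slow-case call site against a hard-coded constant (patchOffsetGetByIdSlowCaseCall) that later repatching code relies on. If the emitted instruction sequence changes length, the distance no longer matches; a debug build aborts at that point, whereas a release build compiles ASSERT out and never evaluates the condition. The toy code buffer below models that self-check with hypothetical instruction sizes and a hypothetical constant kPatchOffsetSlowCaseCall. It also shows the signed/unsigned reading behind Comment 2: 4294967280 is the 32-bit pattern of -16, the baseVReg value shown for frame #0.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Minimal model of an assembler output buffer with labels.
// Constructed for illustration only; it is not JavaScriptCore's MacroAssembler.
struct Label { std::size_t offset; };

class CodeBuffer {
public:
    Label label() const { return Label{code_.size()}; }

    // Emit one instruction of `length` bytes; the byte contents are irrelevant here.
    void emit(std::size_t length) { code_.insert(code_.end(), length, 0x90); }

    // Byte distance between two labels, in the spirit of differenceBetween(from, to).
    static std::ptrdiff_t differenceBetween(Label from, Label to) {
        return static_cast<std::ptrdiff_t>(to.offset) - static_cast<std::ptrdiff_t>(from.offset);
    }

private:
    std::vector<std::uint8_t> code_;
};

// Hypothetical hard-coded offset that a repatching routine would use to find
// the call instruction inside the slow-case stub. 3 + 10 + 7 + 5 + 8 = 33.
constexpr std::ptrdiff_t kPatchOffsetSlowCaseCall = 33;

// Emits a slow-case stub with fixed-size placeholder instructions, then the call.
// `extraInstruction` simulates an unexpected change in the emitted sequence.
// Returns the measured distance from the cold-path start to the call.
std::ptrdiff_t emitSlowCase(CodeBuffer& buf, bool extraInstruction) {
    Label coldPathBegin = buf.label();
    buf.emit(3);   // placeholder: load base register
    buf.emit(10);  // placeholder: move 64-bit immediate (identifier pointer)
    buf.emit(7);   // placeholder: stub argument setup
    buf.emit(5);   // placeholder: store into call frame
    buf.emit(8);   // placeholder: second immediate move
    if (extraInstruction)
        buf.emit(3);  // one extra instruction shifts the call site by 3 bytes
    Label call = buf.label();
    buf.emit(5);   // placeholder: call rel32
    return CodeBuffer::differenceBetween(coldPathBegin, call);
}

// The check the JIT performs under ASSERT: does the measured layout match the
// constant the patcher will later assume? Returns false on a mismatch instead
// of aborting so the outcome can be inspected.
bool layoutMatchesPatchOffset(bool extraInstruction) {
    CodeBuffer buf;
    return emitSlowCase(buf, extraInstruction) == kPatchOffsetSlowCaseCall;
}

// A negative virtual register index seen through an unsigned 32-bit view:
// -16 becomes 4294967280, the value quoted in Comment 2.
std::uint32_t asUnsigned32(int vreg) {
    return static_cast<std::uint32_t>(vreg);
}

int main() {
    bool ok = layoutMatchesPatchOffset(false);        // true: layout matches
    bool mismatch = !layoutMatchesPatchOffset(true);  // true: extra byte(s) detected
    std::uint32_t u = asUnsigned32(-16);              // 4294967280
    return (ok && mismatch && u == 4294967280u) ? 0 : 1;
}
```

The point of the model is that the ASSERT is a layout invariant, not a bounds check: the same mismatch goes unnoticed in a build with assertions disabled, so a debug-only crash of this kind is worth investigating rather than dismissing as a debug artifact.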