WebKit Bugzilla
RESOLVED WORKSFORME
27764
Application using webkit crashes on debug compilation
https://bugs.webkit.org/show_bug.cgi?id=27764
Luka Napotnik
Reported
2009-07-28 06:40:25 PDT
I've compiled webkit with the following configure flags: --prefix=/usr --enable-debug --disable-optimizations. git sha1 is 3f36fc466ba6817716310998f3dcef96161068bd. While the Gtk+ program that uses webkit worked when compiled without the --enable-debug and --disable-optimizations flags, it now crashes, producing the following backtrace when trying to visit google.com:

Program received signal SIGSEGV, Segmentation fault.
0x00007f2d6a1b43cc in JSC::JIT::compileGetByIdSlowCase (this=0x7fff73dfe400, resultVReg=1, baseVReg=-16, ident=0x2e32b48, iter=@0x7fff73dfe1c0, propertyAccessInstructionIndex=8, isMethodCheck=false) at JavaScriptCore/jit/JITPropertyAccess.cpp:335
335 ASSERT(differenceBetween(coldPathBegin, call) == patchOffsetGetByIdSlowCaseCall);
(gdb) bt
#0 0x00007f2d6a1b43cc in JSC::JIT::compileGetByIdSlowCase (this=0x7fff73dfe400, resultVReg=1, baseVReg=-16, ident=0x2e32b48, iter=@0x7fff73dfe1c0, propertyAccessInstructionIndex=8, isMethodCheck=false) at JavaScriptCore/jit/JITPropertyAccess.cpp:335
#1 0x00007f2d6a1b4486 in JSC::JIT::emitSlow_op_get_by_id (this=0x7fff73dfe400, currentInstruction=0x2e343c0, iter=@0x7fff73dfe1c0) at JavaScriptCore/jit/JITPropertyAccess.cpp:313
#2 0x00007f2d6a1a02c7 in JSC::JIT::privateCompileSlowCases (this=0x7fff73dfe400) at JavaScriptCore/jit/JIT.cpp:350
#3 0x00007f2d6a1a22b9 in JSC::JIT::privateCompile (this=0x7fff73dfe400) at JavaScriptCore/jit/JIT.cpp:425
#4 0x00007f2d6a1e1821 in JSC::JIT::compile (globalData=0x2dfd410, codeBlock=0x2e15ac0) at ./JavaScriptCore/jit/JIT.h:339
#5 0x00007f2d6a266783 in JSC::ProgramNode::generateJITCode (this=0x2e15710, scopeChainNode=0x2e00640) at JavaScriptCore/parser/Nodes.cpp:1908
#6 0x00007f2d6a1f4f68 in JSC::ProgramNode::jitCode (this=0x2e15710, scopeChain=0x2e00640) at ./JavaScriptCore/parser/Nodes.h:1487
#7 0x00007f2d6a1e5c54 in JSC::Interpreter::execute (this=0x2dffcc0, programNode=0x2e15710, callFrame=0x2e00388, scopeChain=0x2e00640, thisObj=0x7f2d5bac0000, exception=0x7fff73dfe810) at JavaScriptCore/interpreter/Interpreter.cpp:630
#8 0x00007f2d6a296667 in JSC::evaluate (exec=0x2e00388, scopeChain=@0x2e00340, source=@0x7fff73dfee58, thisValue={m_ptr = 0x7f2d5bac0000}) at JavaScriptCore/runtime/Completion.cpp:67
#9 0x00007f2d6a343b89 in WebCore::ScriptController::evaluate (this=0x1918948, sourceCode=@0x7fff73dfee50) at WebCore/bindings/js/ScriptController.cpp:114
#10 0x00007f2d6a60fcf6 in WebCore::FrameLoader::executeScript (this=0x1918540, sourceCode=@0x7fff73dfee50) at WebCore/loader/FrameLoader.cpp:765
#11 0x00007f2d6a598f0a in WebCore::HTMLTokenizer::scriptExecution (this=0x194a3d0, sourceCode=@0x7fff73dfee50, state={static EntityShift = 4, m_bits = 0}) at WebCore/html/HTMLTokenizer.cpp:561
#12 0x00007f2d6a599bd1 in WebCore::HTMLTokenizer::scriptHandler (this=0x194a3d0, state={static EntityShift = 4, m_bits = 0}) at WebCore/html/HTMLTokenizer.cpp:503
#13 0x00007f2d6a59a36c in WebCore::HTMLTokenizer::parseNonHTMLText (this=0x194a3d0, src=@0x194ae70, state={static EntityShift = 4, m_bits = 128}) at WebCore/html/HTMLTokenizer.cpp:350
#14 0x00007f2d6a59d30f in WebCore::HTMLTokenizer::write (this=0x194a3d0, str=@0x7fff73dff110, appendData=true) at WebCore/html/HTMLTokenizer.cpp:1690
#15 0x00007f2d6a60eda5 in WebCore::FrameLoader::write (this=0x1918540, str=0x7fff73dff940 "p,500)};\nwindow._gjp && _gjp()</script><style>td{line-height:.8em;}.gac_m td{line-height:17px;}form{margin-bottom:20px;}body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#36c}.q{color:#00c}.ts td{p"..., len=3040, flush=false) at WebCore/loader/FrameLoader.cpp:1020
#16 0x00007f2d6a60eed9 in WebCore::FrameLoader::addData (this=0x1918540, bytes=0x7fff73dff940 "p,500)};\nwindow._gjp && _gjp()</script><style>td{line-height:.8em;}.gac_m td{line-height:17px;}form{margin-bottom:20px;}body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#36c}.q{color:#00c}.ts td{p"..., length=3040) at WebCore/loader/FrameLoader.cpp:1780
#17 0x00007f2d6a166127 in WebKit::FrameLoaderClient::committedLoad (this=0x1916a40, loader=0x2dbf400, data=0x7fff73dff940 "p,500)};\nwindow._gjp && _gjp()</script><style>td{line-height:.8em;}.gac_m td{line-height:17px;}form{margin-bottom:20px;}body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#36c}.q{color:#00c}.ts td{p"..., length=3040) at WebKit/gtk/WebCoreSupport/FrameLoaderClientGtk.cpp:141
#18 0x00007f2d6a6060a6 in WebCore::FrameLoader::committedLoad (this=0x1918540, loader=0x2dbf400, data=0x7fff73dff940 "p,500)};\nwindow._gjp && _gjp()</script><style>td{line-height:.8em;}.gac_m td{line-height:17px;}form{margin-bottom:20px;}body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#36c}.q{color:#00c}.ts td{p"..., length=3040) at WebCore/loader/FrameLoader.cpp:3610
#19 0x00007f2d6a5f0bb7 in WebCore::DocumentLoader::commitLoad (this=0x2dbf400, data=0x7fff73dff940 "p,500)};\nwindow._gjp && _gjp()</script><style>td{line-height:.8em;}.gac_m td{line-height:17px;}form{margin-bottom:20px;}body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#36c}.q{color:#00c}.ts td{p"..., length=3040) at WebCore/loader/DocumentLoader.cpp:361
#20 0x00007f2d6a5f0c10 in WebCore::DocumentLoader::receivedData (this=0x2dbf400, data=0x7fff73dff940 "p,500)};\nwindow._gjp && _gjp()</script><style>td{line-height:.8em;}.gac_m td{line-height:17px;}form{margin-bottom:20px;}body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#36c}.q{color:#00c}.ts td{p"..., length=3040) at WebCore/loader/DocumentLoader.cpp:373
#21 0x00007f2d6a609a5d in WebCore::FrameLoader::receivedData (this=0x1918540, data=0x7fff73dff940 "p,500)};\nwindow._gjp && _gjp()</script><style>td{line-height:.8em;}.gac_m td{line-height:17px;}form{margin-bottom:20px;}body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#36c}.q{color:#00c}.ts td{p"..., length=3040) at WebCore/loader/FrameLoader.cpp:2432
#22 0x00007f2d6a61faae in WebCore::MainResourceLoader::addData (this=0x2dc3c10, data=0x7fff73dff940 "p,500)};\nwindow._gjp && _gjp()</script><style>td{line-height:.8em;}.gac_m td{line-height:17px;}form{margin-bottom:20px;}body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#36c}.q{color:#00c}.ts td{p"..., length=3040, allAtOnce=false) at WebCore/loader/MainResourceLoader.cpp:148
#23 0x00007f2d6a626f2a in WebCore::ResourceLoader::didReceiveData (this=0x2dc3c10, data=0x7fff73dff940 "p,500)};\nwindow._gjp && _gjp()</script><style>td{line-height:.8em;}.gac_m td{line-height:17px;}form{margin-bottom:20px;}body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#36c}.q{color:#00c}.ts td{p"..., length=3040, lengthReceived=0, allAtOnce=false) at WebCore/loader/ResourceLoader.cpp:257
#24 0x00007f2d6a61eb7c in WebCore::MainResourceLoader::didReceiveData (this=0x2dc3c10, data=0x7fff73dff940 "p,500)};\nwindow._gjp && _gjp()</script><style>td{line-height:.8em;}.gac_m td{line-height:17px;}form{margin-bottom:20px;}body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#36c}.q{color:#00c}.ts td{p"..., length=3040, lengthReceived=0, allAtOnce=false) at WebCore/loader/MainResourceLoader.cpp:360
#25 0x00007f2d6a626335 in WebCore::ResourceLoader::didReceiveData (this=0x2dc3c10, data=0x7fff73dff940 "p,500)};\nwindow._gjp && _gjp()</script><style>td{line-height:.8em;}.gac_m td{line-height:17px;}form{margin-bottom:20px;}body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#36c}.q{color:#00c}.ts td{p"..., length=3040, lengthReceived=0) at WebCore/loader/ResourceLoader.cpp:411
#26 0x00007f2d6aa13d3d in gotChunkCallback (msg=0x2dc28e0, chunk=0x2dd2040, data=0x2dbe320) at WebCore/platform/network/soup/ResourceHandleSoup.cpp:303
Luka Napotnik
Comment 1
2009-07-29 00:53:51 PDT
Here are the values of the local variables in JSC::JIT::compileGetByIdSlowCase():

(gdb) info locals
coldPathBegin = {m_label = {m_offset = 3223, m_used = false}}
stubCall = {m_jit = 0x7fff92e50220, m_stub = 0x7fea89215045, m_returnType = JSC::JITStubCall::Value, m_argumentIndex = 3}
call = {m_jmp = {m_offset = 3261}, m_flags = JSC::AbstractMacroAssembler<JSC::X86Assembler>::Call::Linkable}
__PRETTY_FUNCTION__ = "void JSC::JIT::compileGetByIdSlowCase(int, int, JSC::Identifier*, JSC::SlowCaseEntry*&, unsigned int, bool)"
Luka Napotnik
Comment 2
2009-07-29 02:27:44 PDT
I think the currentInstruction is messed up in JIT::emitSlow_op_get_by_id(). The baseVReg variable is 4294967280. This function is called by JSC::JIT::privateCompileSlowCases().
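The assertion that fires in frame #0, ASSERT(differenceBetween(coldPathBegin, call) == patchOffsetGetByIdSlowCaseCall), checks a code-layout invariant: the slow-path stub emitted for op_get_by_id must place its stub call at a fixed byte distance from the cold-path label, because the runtime later locates and rewrites that call by offset alone. With the locals posted in Comment 1 the measured distance is 3261 - 3223 = 38 bytes; the expected constant is not shown on this page. The following is an added illustration of that invariant and of what goes wrong when it silently fails in a release build. It is not JavaScriptCore code: the toy code buffer, the x86-64 byte sequences, the constant kPatchOffsetSlowCaseCall and the function names are all assumptions made for the example.

```cpp
// Added illustration (not JavaScriptCore code) of the invariant guarded by the
// ASSERT at JITPropertyAccess.cpp:335: a slow-path stub must put its call at a
// fixed distance from coldPathBegin, because repatching trusts that offset.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <initializer_list>
#include <utility>
#include <vector>

struct Label { size_t offset; };

// Toy stand-in for an assembler buffer: appends bytes and hands out labels.
struct CodeBuffer {
    std::vector<uint8_t> bytes;
    Label label() const { return Label{bytes.size()}; }
    void emit(std::initializer_list<uint8_t> b) { bytes.insert(bytes.end(), b); }
    // x86-64 `call rel32` with a zero displacement, to be filled in later.
    Label emitCall() { Label l = label(); emit({0xE8, 0, 0, 0, 0}); return l; }
};

// Same meaning as JSC's differenceBetween(): bytes from `from` to `to`.
static ptrdiff_t differenceBetween(Label from, Label to) {
    return static_cast<ptrdiff_t>(to.offset) - static_cast<ptrdiff_t>(from.offset);
}

// Hypothetical layout constant (the real patchOffsetGetByIdSlowCaseCall is
// per-platform and its value is not on this page). Repatching trusts it blindly.
constexpr ptrdiff_t kPatchOffsetSlowCaseCall = 4;

struct SlowCase { Label coldPathBegin; Label call; };

// Emits a slow-path stub. `unexpectedInstruction` simulates a code-generation
// change that slips an extra instruction in before the call.
static SlowCase emitGetByIdSlowCase(CodeBuffer& cb, bool unexpectedInstruction) {
    SlowCase sc;
    sc.coldPathBegin = cb.label();
    cb.emit({0x50});                   // push rax        (1 byte)
    if (unexpectedInstruction)
        cb.emit({0x90});               // nop             (1 byte): breaks the layout
    cb.emit({0x48, 0x89, 0xC7});       // mov rdi, rax    (3 bytes)
    sc.call = cb.emitCall();           // call rel32      (5 bytes)
    cb.emit({0x58});                   // pop rax
    cb.emit({0xC3});                   // ret
    return sc;
}

// The check the debug ASSERT performs. In a release build it is compiled out,
// so a layout mismatch goes unnoticed until repatching corrupts the code.
static bool layoutHolds(const SlowCase& sc) {
    return differenceBetween(sc.coldPathBegin, sc.call) == kPatchOffsetSlowCaseCall;
}

// What the runtime does later: find the call site purely from the offset
// constant and overwrite its rel32. Returns false if the byte there is not a
// call opcode, i.e. the patch would land inside another instruction.
static bool repatchSlowCaseCall(CodeBuffer& cb, Label coldPathBegin, int32_t rel32) {
    size_t callSite = coldPathBegin.offset + kPatchOffsetSlowCaseCall;
    if (callSite + 5 > cb.bytes.size() || cb.bytes[callSite] != 0xE8)
        return false;
    std::memcpy(&cb.bytes[callSite + 1], &rel32, sizeof rel32);
    return true;
}

// Runs one scenario and returns {assertWouldHold, repatchHitARealCall}.
static std::pair<bool, bool> scenario(bool unexpectedInstruction) {
    CodeBuffer cb;
    SlowCase sc = emitGetByIdSlowCase(cb, unexpectedInstruction);
    bool holds = layoutHolds(sc);
    bool patched = repatchSlowCaseCall(cb, sc.coldPathBegin, 0x1234);
    return {holds, patched};
}

int main() {
    std::pair<bool, bool> good = scenario(false);
    std::pair<bool, bool> bad = scenario(true);
    assert(good.first && good.second);   // layout as expected, call patched
    assert(!bad.first && !bad.second);   // ASSERT would fire; patch would hit `mov`
    return 0;
}
```

In the broken scenario the repatch site computed from the constant points at the last byte of the `mov`, and without the guard the four-byte write would overwrite the `call` opcode itself. That is why the check is an ASSERT rather than a graceful fallback: once emitted code and the patching code disagree about layout, the only safe outcome is to stop.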
Csaba Osztrogonác
Comment 3
2010-05-12 14:57:27 PDT
Is this bug still valid or can we close it?
Xan Lopez
Comment 4
2010-10-28 06:11:38 PDT
Works fine here. Please reopen if you can still reproduce with ToT.