Bug 47136 - WebSocket tests are crashing (RESOLVED FIXED)
https://bugs.webkit.org/show_bug.cgi?id=47136
Simon Fraser (smfr)
Reported 2010-10-04 17:27:49 PDT
From Adam:

As you might have noticed, the WebSocket tests are crashing on Leopard and Snow Leopard. I thought for a while that this might be related to my recent move of the WebSocket tests, but it looks unrelated. The crashes started with a patch that flipped off the SVN executable bit for a bunch of files, which also seems unrelated (reverting that change locally also doesn't seem to make a difference).

Here's a reduced test case:

    <script>
    var ws = new WebSocket('ws://localhost:1111/');
    </script>

Just open a local HTML file containing that code and you'll crash WebKit on Snow Leopard (and presumably Leopard as well). The crash looks like some kind of heap corruption.

At this point, I'd like to hand this off to someone who's more familiar with the WebSockets code. Any volunteers?
Simon Fraser (smfr)
Comment 1 2010-10-04 17:29:57 PDT
There's a heap corruption bug somewhere. When debugging, I see the variable display of 'this' go bad in Xcode in the SocketStreamHandleBase() ctor. Disassembling this gives:

    0x0000000103c0ad64 <+0000> push %rbp
    0x0000000103c0ad65 <+0001> mov  %rsp,%rbp
    0x0000000103c0ad68 <+0004> mov  %rdi,-0x8(%rbp)
    0x0000000103c0ad6c <+0008> lea  0x1437e0d(%rip),%rax  # 0x105042b80 <_ZTVN7WebCore22SocketStreamHandleBaseE>
    0x0000000103c0ad73 <+0015> lea  0x10(%rax),%rdx
    0x0000000103c0ad77 <+0019> mov  -0x8(%rbp),%rax
    0x0000000103c0ad7b <+0023> mov  %rdx,(%rax)          <--- 'this' gets clobbered here

It's loading the vtable, but I don't know what the

    lea 0x10(%rax),%rdx

is trying to do.
Darin Adler
Comment 2 2010-10-04 17:37:10 PDT
(In reply to comment #1)
> It's loading the vtable, but I don't know what the
> lea 0x10(%rax),%rdx
> is trying to do.

That looks to me like a multiple-inheritance pointer adjustment. Maybe we have a problem with unsafe casting to and from "this" when there is multiple inheritance involved?
Simon Fraser (smfr)
Comment 3 2010-10-04 17:43:36 PDT
The superclass certainly uses multiple inheritance:

    class SocketStreamHandle : public RefCounted<SocketStreamHandle>, public SocketStreamHandleBase, public AuthenticationClient {

but the assembly comes from the ctor of SocketStreamHandleBase, which has virtual functions but doesn't inherit from anything.
Simon Fraser (smfr)
Comment 4 2010-10-04 17:53:25 PDT
If I shuffle the inheritance order of SocketStreamHandle to:

    class SocketStreamHandle : public RefCounted<SocketStreamHandle>, public AuthenticationClient, public SocketStreamHandleBase {

then things go bad in the AuthenticationClient ctor, in a similar place. Certainly looks like an issue with multiple-inheritance pointer adjustment.
Simon Fraser (smfr)
Comment 5 2010-10-04 18:08:03 PDT
The build is picking up network/qt/SocketStreamHandle.h
Simon Fraser (smfr)
Comment 6 2010-10-04 18:17:52 PDT
The project was changed inadvertently in http://trac.webkit.org/changeset/68951
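The diagnosis in comments 5 and 6 is that the Mac build was compiling against the Qt port's SocketStreamHandle.h, so one translation unit allocated and constructed the object using a class definition with a different set of bases than the rest of the port expected. The following is an added example, not WebKit code and not from anyone in this thread; the class names (Counted, StreamBase, AuthClient, Handle) are hypothetical. It shows the mechanism: when two definitions of one class disagree about its base list, the constructor built against the larger definition writes a vptr for the extra base past the end of the storage the smaller definition sized, which is exactly the kind of silent heap corruption that surfaced here as 'this' going bad in a base-class constructor.

```cpp
// Added example (hypothetical names, not WebKit code): why a header mismatch
// between translation units turns into heap corruption in a base ctor.
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <new>

struct Counted { int refCount = 0; };                       // no vtable
struct StreamBase { virtual ~StreamBase() {} virtual int send(int n) { return n; } };
struct AuthClient { virtual ~AuthClient() {} virtual bool authenticate() { return false; } };

// Definition seen by the TU that calls `new Handle` (two bases, one vptr).
namespace allocating_tu {
struct Handle : Counted, StreamBase {};
}

// Definition seen by the TU that holds the constructor (three bases, two
// vptrs). Same class name, different layout: an ODR violation.
namespace constructing_tu {
struct Handle : Counted, StreamBase, AuthClient {};
}

constexpr unsigned char kCanary = 0xA5;

// Byte offset of the extra base inside the larger definition. This is the
// "this" the AuthClient ctor receives, and it lies at or beyond the end of
// the object the allocating side thought it was creating.
std::ptrdiff_t authBaseOffset() {
    constructing_tu::Handle h;
    return reinterpret_cast<unsigned char*>(static_cast<AuthClient*>(&h))
         - reinterpret_cast<unsigned char*>(&h);
}

// Emulate the mismatch: memory sized by one definition, constructor from
// the other. Returns how many bytes past the believed object size the
// constructor wrote (the extra base's vptr store).
std::size_t bytesClobberedPastAllocation() {
    constexpr std::size_t believed = sizeof(allocating_tu::Handle);
    constexpr std::size_t actual   = sizeof(constructing_tu::Handle);
    static_assert(actual > believed, "layouts must differ for the demo");

    // In the real bug the ctor ran on a heap chunk of `believed` bytes. The
    // slot here is deliberately oversized so the demo itself stays
    // well-defined; the canary beyond `believed` plays the neighbouring chunk.
    alignas(constructing_tu::Handle) unsigned char slot[actual + 64];
    std::memset(slot, kCanary, sizeof slot);

    auto* h = new (slot) constructing_tu::Handle;

    std::size_t clobbered = 0;
    for (std::size_t i = believed; i < sizeof slot; ++i)
        if (slot[i] != kCanary) ++clobbered;

    h->~Handle();
    return clobbered;
}

int main() {
    std::printf("sizeof as allocated: %zu, sizeof as constructed: %zu\n",
                sizeof(allocating_tu::Handle), sizeof(constructing_tu::Handle));
    std::printf("AuthClient subobject starts at offset %td\n", authBaseOffset());
    std::printf("bytes written past the believed allocation: %zu\n",
                bytesClobberedPastAllocation());
    return 0;
}
```

The practical check when a crash looks like this and the class uses multiple inheritance is to confirm every translation unit resolves the header to the same file: compiling the suspect source with `-H` (both clang++ and g++ print the path of each header as it is included) would have shown network/qt/SocketStreamHandle.h being pulled in on a Mac build.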
Simon Fraser (smfr)
Comment 7 2010-10-04 18:23:36 PDT
James Robinson
Comment 8 2010-10-04 18:42:30 PDT
FFFFFFFFUUUUUUUUUUUUUUUUUU
Adam Barth
Comment 9 2010-10-04 20:23:54 PDT
Looks like we might need to trigger a world-rebuild to see this fix things on the bots.