Bug 49968 - [Qt] Crash loading webpage http://www.justicaeleitoral.gov.br
Summary: [Qt] Crash loading webpage http://www.justicaeleitoral.gov.br
Status: RESOLVED WORKSFORME
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: PC Linux
: P1 Normal
Assignee: Nobody
URL: http://www.justicaeleitoral.gov.br
Keywords: Qt, QtTriaged
Depends on:
Blocks:
 
Reported: 2010-11-23 04:46 PST by Thiago Macieira
Modified: 2011-02-23 05:36 PST (History)

See Also:


Description Thiago Macieira 2010-11-23 04:46:56 PST
QtWebKit commit: f532679ca11914b453e22342f2ae5e9f790ce47a (follows 6e15c3404d15a8ab72242152ec966e5e388161a2)

Steps to reproduce:
1. Load webpage in QtWebKit-based browser (reproduced with demo browser and KDE webkitpart)
2. Wait for crash

Result:
 Crash

Expected result:
 Webpage displayed

Crash backtrace:
#0  0xb77adc53 in WTF::RefPtr<JSC::FunctionParameters>::operator=(WTF::PassRefPtr<JSC::FunctionParameters> const&) ()
   from /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4
#1  0xb77acc47 in JSC::FunctionBodyNode::finishParsing(WTF::PassRefPtr<JSC::FunctionParameters>, JSC::Identifier const&) ()
   from /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4
#2  0xb76e33eb in JSC::FunctionExecutable::compile(JSC::ExecState*, JSC::ScopeChainNode*) () from /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4
#3  0xb76b82a9 in JSC::FunctionExecutable::bytecode(JSC::ExecState*, JSC::ScopeChainNode*) () from /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4
#4  0xb76e37e7 in JSC::FunctionExecutable::generateJITCode(JSC::ExecState*, JSC::ScopeChainNode*) () from /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4
#5  0xb76b8329 in JSC::FunctionExecutable::jitCode(JSC::ExecState*, JSC::ScopeChainNode*) () from /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4
#6  0xb76c176e in cti_op_call_JSFunction () from /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4
#7  0xaf9200d1 in ?? ()
#8  0xb76b7fdb in JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*, JSC::JSValue*) ()
   from /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4
#9  0xb76a33b0 in JSC::Interpreter::execute(JSC::FunctionExecutable*, JSC::ExecState*, JSC::JSFunction*, JSC::JSObject*, JSC::ArgList const&, JSC::ScopeChainNode*, JSC::JSValue*) () from /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4
#10 0xb76f70ce in JSC::JSFunction::call(JSC::ExecState*, JSC::JSValue, JSC::ArgList const&) () from /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4
#11 0xb76d5201 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) ()
   from /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4
#12 0xb6f27d4b in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) ()
   from /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4
#13 0xb7066af5 in WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1u>&) ()
   from /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4
#14 0xb706685f in WebCore::EventTarget::fireEventListeners(WebCore::Event*) () from /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4
#15 0xb70793bd in WebCore::Node::handleLocalEvents(WebCore::Event*) () from /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4
#16 0xb7079ba1 in WebCore::Node::dispatchGenericEvent(WTF::PassRefPtr<WebCore::Event>) () from /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4
#17 0xb7079708 in WebCore::Node::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) () from /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4
#18 0xb7040f17 in WebCore::Document::finishedParsing() () from /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4
#19 0xb71989e1 in WebCore::HTMLParser::finished() () from /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4
#20 0xb71b4eda in WebCore::HTMLTokenizer::end() () from /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4
#21 0xb71b4bfd in WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) () from /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4
#22 0xb71b650c in WebCore::HTMLTokenizer::executeExternalScriptsIfReady() () from /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4
#23 0xb71b61a1 in WebCore::HTMLTokenizer::notifyFinished(WebCore::CachedResource*) () from /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4
#24 0xb7209091 in WebCore::CachedScript::checkNotify() () from /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4
#25 0xb7209016 in WebCore::CachedScript::data(WTF::PassRefPtr<WebCore::SharedBuffer>, bool) () from /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4
#26 0xb723cb45 in WebCore::Loader::Host::didFinishLoading(WebCore::SubresourceLoader*) () from /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4
#27 0xb724eb3f in WebCore::SubresourceLoader::didFinishLoading() () from /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4
#28 0xb724d38c in WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*) () from /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4
#29 0xb747572d in WebCore::QNetworkReplyHandler::finish() () from /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4
#30 0xb7477c0c in WebCore::QNetworkReplyHandler::qt_metacall(QMetaObject::Call, int, void**) () from /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4
#31 0xb5aa5c0a in QMetaObject::metacall (object=0xb8210260, cl=QMetaObject::InvokeMetaMethod, idx=5, argv=0xbfffd4fc)
    at /home/tmacieir/src/troll/qt-4.7/src/corelib/kernel/qmetaobject.cpp:237
#32 0xb5abab63 in QMetaObject::activate (sender=0xb81814b0, m=0xb6a41eec, local_signal_index=1, argv=0x0)
    at /home/tmacieir/src/troll/qt-4.7/src/corelib/kernel/qobject.cpp:3283
#33 0xb69e193d in QNetworkReply::finished (this=0xb81814b0) at /home/tmacieir/obj/troll/qt-4.7/src/network/.moc/debug-shared/moc_qnetworkreply.cpp:152
#34 0xb697097b in QNetworkReplyImplPrivate::finished (this=0xb823a428) at /home/tmacieir/src/troll/qt-4.7/src/network/access/qnetworkreplyimpl.cpp:657
#35 0xb695338a in QNetworkAccessBackend::finished (this=0xb8234308) at /home/tmacieir/src/troll/qt-4.7/src/network/access/qnetworkaccessbackend.cpp:297
#36 0xb695c63d in QNetworkAccessHttpBackend::finished (this=0xb8234308) at /home/tmacieir/src/troll/qt-4.7/src/network/access/qnetworkaccesshttpbackend.cpp:338
#37 0xb696056f in QNetworkAccessHttpBackend::copyFinished (this=0xb8234308, dev=0xb8159230)
    at /home/tmacieir/src/troll/qt-4.7/src/network/access/qnetworkaccesshttpbackend.cpp:914
#38 0xb696f648 in QNetworkReplyImplPrivate::handleNotifications (this=0xb823a428)
    at /home/tmacieir/src/troll/qt-4.7/src/network/access/qnetworkreplyimpl.cpp:377
#39 0xb6971862 in QNetworkReplyImpl::event (this=0xb81814b0, e=0xb824a558) at /home/tmacieir/src/troll/qt-4.7/src/network/access/qnetworkreplyimpl.cpp:867
#40 0xb5d922f8 in QApplicationPrivate::notify_helper (this=0xb8006e60, receiver=0xb81814b0, e=0xb824a558)
    at /home/tmacieir/src/troll/qt-4.7/src/gui/kernel/qapplication.cpp:4462
#41 0xb5d8fa88 in QApplication::notify (this=0xbfffdea8, receiver=0xb81814b0, e=0xb824a558)
    at /home/tmacieir/src/troll/qt-4.7/src/gui/kernel/qapplication.cpp:3862
#42 0xb5a9de6d in QCoreApplication::notifyInternal (this=0xbfffdea8, receiver=0xb81814b0, event=0xb824a558)
    at /home/tmacieir/src/troll/qt-4.7/src/corelib/kernel/qcoreapplication.cpp:731
#43 0xb5aa1953 in QCoreApplication::sendEvent (receiver=0xb81814b0, event=0xb824a558)
    at /home/tmacieir/src/troll/qt-4.7/src/corelib/kernel/qcoreapplication.h:215
#44 0xb5a9ef37 in QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0xb8006f58)
    at /home/tmacieir/src/troll/qt-4.7/src/corelib/kernel/qcoreapplication.cpp:1372
#45 0xb5a9ebef in QCoreApplication::sendPostedEvents (receiver=0x0, event_type=0)
    at /home/tmacieir/src/troll/qt-4.7/src/corelib/kernel/qcoreapplication.cpp:1265
#46 0xb5ad834c in QCoreApplication::sendPostedEvents () at /home/tmacieir/src/troll/qt-4.7/src/corelib/kernel/qcoreapplication.h:220
#47 0xb5ad6b00 in postEventSourceDispatch (s=0xb800a720) at /home/tmacieir/src/troll/qt-4.7/src/corelib/kernel/qeventdispatcher_glib.cpp:277
#48 0xb533ccbe in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#49 0xb53409f8 in ?? () from /usr/lib/libglib-2.0.so.0
#50 0xb5340b9e in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#51 0xb5ad7b78 in QEventDispatcherGlib::processEvents (this=0xb8007230, flags=...)
    at /home/tmacieir/src/troll/qt-4.7/src/corelib/kernel/qeventdispatcher_glib.cpp:422
#52 0xb5e6e716 in QGuiEventDispatcherGlib::processEvents (this=0xb8007230, flags=...)
    at /home/tmacieir/src/troll/qt-4.7/src/gui/kernel/qguieventdispatcher_glib.cpp:204
#53 0xb5a9b22b in QEventLoop::processEvents (this=0xbfffde3c, flags=...) at /home/tmacieir/src/troll/qt-4.7/src/corelib/kernel/qeventloop.cpp:149
#54 0xb5a9b370 in QEventLoop::exec (this=0xbfffde3c, flags=...) at /home/tmacieir/src/troll/qt-4.7/src/corelib/kernel/qeventloop.cpp:201
#55 0xb5a9e55f in QCoreApplication::exec () at /home/tmacieir/src/troll/qt-4.7/src/corelib/kernel/qcoreapplication.cpp:1008
#56 0xb5d8f696 in QApplication::exec () at /home/tmacieir/src/troll/qt-4.7/src/gui/kernel/qapplication.cpp:3736
#57 0xb7f16ae5 in main (argc=2, argv=0xbfffdf84) at /home/tmacieir/src/troll/qt-4.7/demos/browser/main.cpp:51

Valgrind is very long. Distinct portions:
==15110== Conditional jump or move depends on uninitialised value(s)
==15110==    at 0x54A7AFD: cti_vm_lazyLinkCall (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0xCDA009E: ???
==15110==    by 0x549DFDA: JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*, JSC::JSValue*) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x5488BB5: JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*, JSC::JSValue*) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x54C03C8: JSC::evaluate(JSC::ExecState*, JSC::ScopeChain&, JSC::SourceCode const&, JSC::JSValue) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x4D170A4: WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x4D172B7: WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x4D363C8: WebCore::ScriptController::executeScript(WebCore::ScriptSourceCode const&) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x4F94D2F: WebCore::HTMLTokenizer::scriptExecution(WebCore::ScriptSourceCode const&, WebCore::HTMLTokenizer::State) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x4F9C3EB: WebCore::HTMLTokenizer::executeExternalScriptsIfReady() (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x4F9C1A0: WebCore::HTMLTokenizer::notifyFinished(WebCore::CachedResource*) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x4FEF090: WebCore::CachedScript::checkNotify() (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)

==15110== Conditional jump or move depends on uninitialised value(s)
==15110==    at 0x54BC016: JSC::isPossibleCell(void*) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x54BC07C: JSC::Heap::markConservatively(JSC::MarkStack&, void*, void*) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x54BC1AF: JSC::Heap::markCurrentThreadConservativelyInternal(JSC::MarkStack&) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x54BC1E6: JSC::Heap::markCurrentThreadConservatively(JSC::MarkStack&) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x54BC207: JSC::Heap::markStackObjectsConservatively(JSC::MarkStack&) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x54BC5C2: JSC::Heap::markRoots() (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x54BCBBC: JSC::Heap::reset() (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x54BBC59: JSC::Heap::allocate(unsigned int) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x49E9EAD: JSC::JSCell::operator new(unsigned int, JSC::JSGlobalData*) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x54A7BEF: cti_op_push_activation (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0xE6590C0: ???
==15110==    by 0x549DFDA: JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*, JSC::JSValue*) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)

==15110== Conditional jump or move depends on uninitialised value(s)
==15110==    at 0x54BC016: JSC::isPossibleCell(void*) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x54BC07C: JSC::Heap::markConservatively(JSC::MarkStack&, void*, void*) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x54BCE57: JSC::RegisterFile::markCallFrames(JSC::MarkStack&, JSC::Heap*) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x54BC5EC: JSC::Heap::markRoots() (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x54BCBBC: JSC::Heap::reset() (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x54BBC59: JSC::Heap::allocate(unsigned int) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x49E9EAD: JSC::JSCell::operator new(unsigned int, JSC::JSGlobalData*) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x54A7BEF: cti_op_push_activation (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0xE6590C0: ???
==15110==    by 0x549DFDA: JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*, JSC::JSValue*) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x5488BB5: JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*, JSC::JSValue*) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x54C03C8: JSC::evaluate(JSC::ExecState*, JSC::ScopeChain&, JSC::SourceCode const&, JSC::JSValue) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)

==15110== Conditional jump or move depends on uninitialised value(s)
==15110==    at 0x54A1851: JSC::WeakGCPtr<JSC::JSPropertyNameIterator>::get() const (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x54A0BCB: JSC::Structure::enumerationCache() (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x54AF6E8: cti_op_get_pnames (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0xE6518AB: ???
==15110==    by 0x549DFDA: JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*, JSC::JSValue*) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x5488BB5: JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*, JSC::JSValue*) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x54C03C8: JSC::evaluate(JSC::ExecState*, JSC::ScopeChain&, JSC::SourceCode const&, JSC::JSValue) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x4D170A4: WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x4D172B7: WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x4D363C8: WebCore::ScriptController::executeScript(WebCore::ScriptSourceCode const&) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x4F94D2F: WebCore::HTMLTokenizer::scriptExecution(WebCore::ScriptSourceCode const&, WebCore::HTMLTokenizer::State) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x4F9C3EB: WebCore::HTMLTokenizer::executeExternalScriptsIfReady() (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)

==15110== Conditional jump or move depends on uninitialised value(s)
==15110==    at 0x54BBBAA: JSC::Heap::allocate(unsigned int) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x49E9EAD: JSC::JSCell::operator new(unsigned int, JSC::JSGlobalData*) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x54A4A5C: cti_op_add (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0xE6459BF: ???
==15110==    by 0x549DFDA: JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*, JSC::JSValue*) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x5488BB5: JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*, JSC::JSValue*) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x54C03C8: JSC::evaluate(JSC::ExecState*, JSC::ScopeChain&, JSC::SourceCode const&, JSC::JSValue) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x4D170A4: WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x4D172B7: WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x4D363C8: WebCore::ScriptController::executeScript(WebCore::ScriptSourceCode const&) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x4F94D2F: WebCore::HTMLTokenizer::scriptExecution(WebCore::ScriptSourceCode const&, WebCore::HTMLTokenizer::State) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x4F9C3EB: WebCore::HTMLTokenizer::executeExternalScriptsIfReady() (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)

[many other frames]

Crash:
==15110== Invalid read of size 4
==15110==    at 0x5593C53: WTF::RefPtr<JSC::FunctionParameters>::operator=(WTF::PassRefPtr<JSC::FunctionParameters> const&) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x5592C46: JSC::FunctionBodyNode::finishParsing(WTF::PassRefPtr<JSC::FunctionParameters>, JSC::Identifier const&) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x54C93EA: JSC::FunctionExecutable::compile(JSC::ExecState*, JSC::ScopeChainNode*) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x549E2A8: JSC::FunctionExecutable::bytecode(JSC::ExecState*, JSC::ScopeChainNode*) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x54C97E6: JSC::FunctionExecutable::generateJITCode(JSC::ExecState*, JSC::ScopeChainNode*) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x549E328: JSC::FunctionExecutable::jitCode(JSC::ExecState*, JSC::ScopeChainNode*) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x54A776D: cti_op_call_JSFunction (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0xCDA0050: ???
==15110==    by 0x549DFDA: JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*, JSC::JSValue*) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x54893AF: JSC::Interpreter::execute(JSC::FunctionExecutable*, JSC::ExecState*, JSC::JSFunction*, JSC::JSObject*, JSC::ArgList const&, JSC::ScopeChainNode*, JSC::JSValue*) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x54DD0CD: JSC::JSFunction::call(JSC::ExecState*, JSC::JSValue, JSC::ArgList const&) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==    by 0x54BB200: JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)
==15110==  Address 0x30 is not stack'd, malloc'd or (recently) free'd
Comment 1 Thiago Macieira 2010-11-23 04:52:06 PST
Repeating the valgrind run with --track-origins, for the first set of errors, they all report:

==15490==  Uninitialised value was created by a stack allocation
==15490==    at 0x54A7B98: cti_op_push_activation (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)

For a second set of reports before the crash:

==15490==  Uninitialised value was created by a stack allocation
==15490==    at 0x54BC1BC: JSC::Heap::markCurrentThreadConservatively(JSC::MarkStack&) (in /home/tmacieir/obj/troll/qt-4.7/lib/libQtWebKit.so.4.7.1)

The crash block has no origin.

However, the time between the two blocks and the final block (the crash) is quite big.
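A small triage helper, added here as an example and not part of this report or of WebKit: it parses memcheck blocks like the ones quoted above, keeps the separate origin stack that --track-origins appends, and labels the "Address 0x30 is not stack'd, malloc'd or (recently) free'd" read as a likely dereference at a small offset from a NULL pointer. The input is a constructed sample condensed from the quoted output; the thresholds in classify() are heuristics.

```python
import re
from dataclasses import dataclass, field

# Constructed sample condensed from the memcheck blocks quoted in this report (paths shortened).
SAMPLE = """\
==15490== Conditional jump or move depends on uninitialised value(s)
==15490==    at 0x54A7AFD: cti_vm_lazyLinkCall (in /lib/libQtWebKit.so.4.7.1)
==15490==  Uninitialised value was created by a stack allocation
==15490==    at 0x54A7B98: cti_op_push_activation (in /lib/libQtWebKit.so.4.7.1)
==15490==
==15490== Invalid read of size 4
==15490==    at 0x5593C53: WTF::RefPtr<JSC::FunctionParameters>::operator=(WTF::PassRefPtr<JSC::FunctionParameters> const&) (in /lib/libQtWebKit.so.4.7.1)
==15490==    by 0x5592C46: JSC::FunctionBodyNode::finishParsing(WTF::PassRefPtr<JSC::FunctionParameters>, JSC::Identifier const&) (in /lib/libQtWebKit.so.4.7.1)
==15490==  Address 0x30 is not stack'd, malloc'd or (recently) free'd
"""

PREFIX = re.compile(r"^==\d+==")
FRAME = re.compile(r"^\s*(?:at|by) 0x([0-9A-Fa-f]+): (.+?)(?: \(in (.+)\))?$")
ORIGIN = re.compile(r"^\s*Uninitialised value was created by ")
ADDRESS = re.compile(r"^\s*Address 0x([0-9A-Fa-f]+) is (.+)$")

@dataclass
class Report:
    kind: str                                    # headline, e.g. "Invalid read of size 4"
    frames: list = field(default_factory=list)   # (addr, symbol, module) of the error stack
    origin_frames: list = field(default_factory=list)  # stack from --track-origins, if any
    address: int = -1                            # faulting address of an invalid access
    address_note: str = ""                       # memcheck's description of that address

def parse_memcheck(text):
    """Split memcheck output into Report objects; a blank ==PID== line ends a report."""
    reports, current, in_origin = [], None, False
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        if not line.strip():
            current, in_origin = None, False
            continue
        m = FRAME.match(line)
        if m and current is not None:
            frame = (int(m.group(1), 16), m.group(2), m.group(3) or "")
            (current.origin_frames if in_origin else current.frames).append(frame)
            continue
        if ORIGIN.match(line) and current is not None:
            in_origin = True  # frames that follow say where the value was created
            continue
        m = ADDRESS.match(line)
        if m and current is not None:
            current.address, current.address_note = int(m.group(1), 16), m.group(2)
            continue
        current, in_origin = Report(kind=line.strip()), False  # new error headline
        reports.append(current)
    return reports

def classify(r):
    """Coarse triage label (heuristic) from the address note memcheck attaches."""
    if r.address >= 0:
        if "not stack'd" in r.address_note:  # neither heap nor stack: a bad pointer
            return "null-deref" if r.address < 0x1000 else "wild-pointer"
        return "use-after-free" if "free'd" in r.address_note else "out-of-bounds"
    return "uninitialised" if "uninitialised" in r.kind else "other"

def summarize(text):
    return [f"{classify(r)}: {r.frames[0][1] if r.frames else '?'} "
            f"(origin: {r.origin_frames[0][1] if r.origin_frames else '-'})"
            for r in parse_memcheck(text)]
```

Run summarize() over a full memcheck log to get one line per report; the origin column is only populated when the run used --track-origins=yes.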
Comment 2 Benjamin Poulain 2011-01-30 04:53:52 PST
Please follow http://trac.webkit.org/wiki/QtWebKitBugs when reporting bugs here (missing Qt keyword).

I cannot reproduce with trunk on Mac.
Comment 3 Alexis Menard (darktears) 2011-02-23 05:36:53 PST
I cannot reproduce on Linux either.

Trunk: r79433