[webkit-help] segfault when destroying JS function

Luka Napotnik luka.napotnik at gmail.com
Sun Nov 1 23:19:13 PST 2009 

Hello.

I have a C program that binds a JS function to WebKit (gtk+ r47882). Now
when I run the program for some time it segfaults. I checked it under
valgrind and get the following backtrace:

============================
==6195== Invalid write of size 8
==6195==    at 0x815D694: JSC::JIT::unlinkCall(JSC::CallLinkInfo*) (in
/usr/lib/libwebkit-1.0.so.2.9.0)
==6195==    by 0x819A977: JSC::CodeBlock::unlinkCallers() (in
/usr/lib/libwebkit-1.0.so.2.9.0)
==6195==    by 0x820723B: JSC::JSFunction::~JSFunction() (in
/usr/lib/libwebkit-1.0.so.2.9.0)
==6195==    by 0x8285386: unsigned long JSC::Heap::sweep<(JSC::HeapType)0>()
(in /usr/lib/libwebkit-1.0.so.2.9.0)
==6195==    by 0x823A1B7: JSC::Heap::collect() (in
/usr/lib/libwebkit-1.0.so.2.9.0)
==6195==    by 0x85CF421: WebCore::ThreadTimers::fireTimers(double,
WTF::Vector<WebCore::TimerBase*, 0ul> const&) (in
/usr/lib/libwebkit-1.0.so.2.9.0)
==6195==    by 0x85CF4CA: WebCore::ThreadTimers::sharedTimerFiredInternal()
(in /usr/lib/libwebkit-1.0.so.2.9.0)
==6195==    by 0x8863611: WebCore::timeout_cb(void*) (in
/usr/lib/libwebkit-1.0.so.2.9.0)
==6195==    by 0xB16C889: g_main_context_dispatch (gmain.c:1960)
==6195==    by 0xB170217: g_main_context_iterate (gmain.c:2591)
==6195==    by 0xB17070C: g_main_loop_run (gmain.c:2799)
==6195==    by 0x9109BC6: gtk_main (gtkmain.c:1205)
==6195==  Address 0x193b7b7b is not stack'd, malloc'd or (recently) free'd
[Mon Nov  2 07:57:18 2009]
========================================================


It seems that the JS function was destroyed before the destructor for
JSC::JSFunction was called. I should mention I re-bind the same function
because sometimes the page changes and the binding is lost. But sometimes
the page stays and I bind over the existing binding. Can this be the reason
that leads to the segfault? Doesn't WebKit destroy the function if I bind it
over?

Greets,
Luka
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-help/attachments/20091102/b4cfdca9/attachment.html>

More information about the webkit-help mailing list