[webkit-help] Memory corruption with webkit using JIT

Sharma, Rupali rupsharma at ea.com
Thu Jul 23 10:46:59 PDT 2015


Hello,


We are seeing an access violation exception on our PC 32-bit version of EAWebKit Demo (which is using JIT) on a 3D demo, i.e. http://deanm.github.com/pre3d/monster.html
We've seen the same crash on WinCairo; however, it doesn't happen on our PS4 version of EAWebKitDemo, which doesn't use JIT. So that points to the corruption happening within JSC. Looking at the heap stats from the debugger, we don't see any leaks, and that is the reason we are more sure about it being an invalid write, most probably overwriting the guard fill.

We don't see the crash with an older WebKit build, which was too old (WebKit-r157437) though. Our present WebKit is build 179714 of the trunk. Are you aware of any memory corruption issues with JIT?

Although it's way ahead of the point of interest, here is the call stack of the crash on a WinCairo debug build:

00 0018ee74 0a8e4759 WTF!WTFCrash+0x21 [c:\cygwin\home\rupsharma\archives\179714\source\wtf\wtf\assertions.cpp @ 321]
01 0018ee98 0a90fe80 JavaScriptCore!JSC::PropertyTable::reinsert+0xa9 [c:\cygwin\home\rupsharma\archives\179714\source\javascriptcore\runtime\propertymaphashtable.h @ 484]
02 0018eec8 0a90cecf JavaScriptCore!JSC::PropertyTable::rehash+0x110 [c:\cygwin\home\rupsharma\archives\179714\source\javascriptcore\runtime\propertymaphashtable.h @ 512]
03 0018ef04 0a906b0d JavaScriptCore!JSC::PropertyTable::add+0xbf [c:\cygwin\home\rupsharma\archives\179714\source\javascriptcore\runtime\propertymaphashtable.h @ 356]
04 0018ef5c 0a903141 JavaScriptCore!JSC::Structure::add+0x12d [c:\cygwin\home\rupsharma\archives\179714\source\javascriptcore\runtime\structure.cpp @ 902]
05 0018ef8c 0a839222 JavaScriptCore!JSC::Structure::addPropertyTransition+0x221 [c:\cygwin\home\rupsharma\archives\179714\source\javascriptcore\runtime\structure.cpp @ 422]
06 0018f014 0a882369 JavaScriptCore!JSC::JSObject::putDirectInternal<0>+0x572 [c:\cygwin\home\rupsharma\archives\179714\source\javascriptcore\runtime\jsobject.h @ 1392]
07 0018f0c0 0a5a15b8 JavaScriptCore!JSC::JSObject::put+0x229 [c:\cygwin\home\rupsharma\archives\179714\source\javascriptcore\runtime\jsobject.cpp @ 356]
08 0018f0e8 0a7205fa JavaScriptCore!JSC::JSValue::put+0x78 [c:\cygwin\home\rupsharma\archives\179714\source\javascriptcore\runtime\jscjsvalueinlines.h @ 750]
09 0018f154 0a71b109 JavaScriptCore!putByVal+0x17a [c:\cygwin\home\rupsharma\archives\179714\source\javascriptcore\jit\jitoperations.cpp @ 476]
0a 0018f1e8 11c33a35 JavaScriptCore!operationPutByVal+0x259 [c:\cygwin\home\rupsharma\archives\179714\source\javascriptcore\jit\jitoperations.cpp @ 533]
WARNING: Frame IP not in any known module. Following frames may be wrong.
0b 0018f358 0a9b1e8b 0x11c33a35
0c 0018f3b0 0a80f604 JavaScriptCore!llint_entry+0x425f [C:\Debug_WinCairo\bin32\Debug_WinCairo\obj32\JavaScriptCore\DerivedSources\LowLevelInterpreterWin.asm @ 7119]
0d 0018f3f8 114c023d JavaScriptCore!slow_path_enter+0x114 [c:\cygwin\home\rupsharma\archives\179714\source\javascriptcore\runtime\commonslowpaths.cpp @ 520]
0e 0018f448 0a9ada99 0x114c023d
0f 0018f4a4 0a70c599 JavaScriptCore!vmEntryToJavaScript+0x109 [C:\Debug_WinCairo\bin32\Debug_WinCairo\obj32\JavaScriptCore\DerivedSources\LowLevelInterpreterWin.asm @ 110]
10 0018f500 0a6e71e2 JavaScriptCore!JSC::JITCode::execute+0xd9 [c:\cygwin\home\rupsharma\archives\179714\source\javascriptcore\jit\jitcode.cpp @ 77]
11 0018f604 0a801fce JavaScriptCore!JSC::Interpreter::executeCall+0x3e2 [c:\cygwin\home\rupsharma\archives\179714\source\javascriptcore\interpreter\interpreter.cpp @ 978]
12 0018f630 0a802027 JavaScriptCore!JSC::call+0x7e [c:\cygwin\home\rupsharma\archives\179714\source\javascriptcore\runtime\calldata.cpp @ 39]
*** WARNING: Unable to verify checksum for WebKit.dll
13 0018f678 047f7dc4 JavaScriptCore!JSC::call+0x47 [c:\cygwin\home\rupsharma\archives\179714\source\javascriptcore\runtime\calldata.cpp @ 44]
14 0018f6bc 0479a24e WebKit!WebCore::JSMainThreadExecState::call+0x54 [c:\cygwin\home\rupsharma\archives\179714\source\webcore\bindings\js\jsmainthreadexecstate.h @ 56]
15 0018f7e0 0479a4a2 WebKit!WebCore::ScheduledAction::executeFunctionInContext+0x1de [c:\cygwin\home\rupsharma\archives\179714\source\webcore\bindings\js\scheduledaction.cpp @ 104]
16 0018f820 04799f76 WebKit!WebCore::ScheduledAction::execute+0xf2 [c:\cygwin\home\rupsharma\archives\179714\source\webcore\bindings\js\scheduledaction.cpp @ 126]
17 0018f830 0536d9a4 WebKit!WebCore::ScheduledAction::execute+0x36 [c:\cygwin\home\rupsharma\archives\179714\source\webcore\bindings\js\scheduledaction.cpp @ 79]
18 0018f904 051fc8c5 WebKit!WebCore::DOMTimer::fired+0x1f4 [c:\cygwin\home\rupsharma\archives\179714\source\webcore\page\domtimer.cpp @ 369]
19 0018f93c 051fc766 WebKit!WebCore::ThreadTimers::sharedTimerFiredInternal+0x155 [c:\cygwin\home\rupsharma\archives\179714\source\webcore\platform\threadtimers.cpp @ 132]
1a 0018f944 05793d1f WebKit!WebCore::ThreadTimers::sharedTimerFired+0x16 [c:\cygwin\home\rupsharma\archives\179714\source\webcore\platform\threadtimers.cpp @ 108]
1b 0018f950 755962fa WebKit!WebCore::TimerWindowWndProc+0xaf [c:\cygwin\home\rupsharma\archives\179714\source\webcore\platform\win\sharedtimerwin.cpp @ 92]
1c 0018f97c 75596d3a user32!InternalCallWinProc+0x23
1d 0018f9f4 755977c4 user32!UserCallWinProcCheckWow+0x109
1e 0018fa54 7559788a user32!DispatchMessageWorker+0x3bc
1f 0018fa64 046cbd6d user32!DispatchMessageW+0xf
*** WARNING: Unable to verify checksum for WinLauncher.dll
20 0018fa8c 1000ab25 WebKit!WebKitMessageLoop::run+0x6d [c:\cygwin\home\rupsharma\archives\179714\source\webkit\win\webkitmessageloop.cpp @ 96]
21 0018fb58 1000cfc8 WinLauncher_10000000!wWinMain+0x625 [c:\cygwin\home\rupsharma\archives\179714\tools\winlauncher\winmain.cpp @ 168]
*** WARNING: Unable to verify checksum for WinLauncher.exe
*** ERROR: Module load completed but symbols could not be loaded for WinLauncher.exe
22 0018fb70 004014ab WinLauncher_10000000!dllLauncherEntryPoint+0x18 [c:\cygwin\home\rupsharma\archives\179714\tools\winlauncher\common.cpp @ 832]
23 0018ff3c 00404203 WinLauncher+0x14ab
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for kernel32.dll -
24 0018ff88 76d2337a WinLauncher+0x4203
25 0018ff94 773392e2 kernel32!BaseThreadInitThunk+0x12
26 0018ffd4 773392b5 ntdll!__RtlUserThreadStart+0x70
27 0018ffec 00000000 ntdll!_RtlUserThreadStart+0x1b


Thanks,
Rupali
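The frames above the JIT boundary in the trace (operationPutByVal -> JSObject::put -> Structure::addPropertyTransition -> PropertyTable::add -> PropertyTable::rehash) are the path JSC takes when a JIT-compiled put-by-val adds a property that the object's Structure has not seen before. The following JavaScript is an added illustration of how to drive exactly that path from script, for anyone trying to bisect or minimise a failure in this area; it is not code from the original post or from EAWebKit, it is not claimed to reproduce the reported crash, and the iteration counts and key prefixes are arbitrary choices. It runs in any JavaScript engine (tested with node).

```javascript
'use strict';

// Added example: a hot put-by-val loop that keeps adding new computed
// property names to fresh objects. In JSC each previously unseen name goes
// through JSObject::put -> Structure::addPropertyTransition ->
// PropertyTable::add, and PropertyTable::rehash once the table fills up;
// running the loop many times lets a tiering JIT compile it. The counts
// below are arbitrary (assumption), not taken from the bug report.

// Build one object with `count` distinct computed keys via obj[key] = value.
// Every assignment is a put-by-val with a string key, so every iteration
// adds a property (and a Structure transition) rather than updating one.
function buildWithComputedKeys(count, prefix) {
  const obj = {};
  for (let i = 0; i < count; i++) {
    obj[prefix + i] = i;
  }
  return obj;
}

// Run the builder repeatedly so the loop gets hot enough to be JIT-compiled.
// Returns totals the caller can check, so a silent corruption that drops or
// duplicates properties shows up as a wrong count or checksum.
function hammer(iterations, count) {
  let keys = 0;
  let checksum = 0;
  for (let n = 0; n < iterations; n++) {
    // Rotate the prefix so several distinct transition chains are exercised.
    const o = buildWithComputedKeys(count, 'p' + (n % 7) + '_');
    const names = Object.keys(o);
    keys += names.length;
    // Read every property back so get-by-val also walks the property table.
    for (const k of names) checksum = (checksum + o[k]) | 0;
  }
  return { keys, checksum };
}

// Closed-form expectations: `count` keys per object, values 0..count-1.
function expectedKeys(iterations, count) {
  return iterations * count;
}
function expectedChecksum(iterations, count) {
  return iterations * ((count * (count - 1)) / 2);
}

// Stand-alone run: exits non-zero if the property table misbehaved.
if (typeof require !== 'undefined' && require.main === module) {
  const iterations = 2000, count = 64;
  const r = hammer(iterations, count);
  const ok = r.keys === expectedKeys(iterations, count) &&
             r.checksum === expectedChecksum(iterations, count);
  console.log(ok ? 'property table consistent' : 'MISMATCH', r);
  process.exit(ok ? 0 : 1);
}
```

When narrowing a failure like the one reported, the useful knobs are `count` (how many properties per object, which decides how many rehashes each chain triggers) and `iterations` (how hot the loop gets before the JIT tiers it up); comparing a JIT build against the same build with the JIT disabled, as the PS4 comparison in the post does, isolates whether the property-table corruption depends on the compiled put-by-val path.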


