[Webkit-unassigned] [Bug 16204] New: Heap corruption in JS on ARM

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Nov 30 04:39:25 PST 2007


http://bugs.webkit.org/show_bug.cgi?id=16204

           Summary: Heap corruption in JS on ARM
           Product: WebKit
           Version: 525+ (Nightly build)
          Platform: Other
        OS/Version: Mac OS X 10.4
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: dacarson at gmail.com
                CC: mjs at apple.com, klobag at gmail.com


If I build everything with -O2, I will get the crash when loading
cnn.com or nytimes.com in either of the following two places.

1. line 529 of object.h inherits(..), which is called from nodes.cpp
line 899. We are using rev 27453.

2. line 637 of string_object.cpp. See following for the stack trace.

When it crashes, the vptr of the JSObject, baseObj/thisObj in 1) and
res in 2), is 0x0.

Here is the memory map for case 1):

(gdb) p *baseObj
$2 = {<KJS::JSCell> = {<KJS::JSValue> = {<WTFNoncopyable::Noncopyable>
= {<No data fields>}, _vptr.JSValue = 0x0}, <No data fields>},
 _prop = {<WTFNoncopyable::Noncopyable> = {<No data fields>},
m_singleEntryKey = 0xfffffe20, m_u = {singleEntryValue = 0x0,
     table = 0x0}, m_singleEntryAttributes = 0, m_getterSetterFlag =
false, m_usingTable = false}, _proto = 0x42e359e0}
(gdb) x/8w baseObj
0x42e403c0:     0x00000000      0xfffffe20      0x00000000      0x00000000
0x42e403d0:     0x42e359e0      0x42e42120      0x00000000      0x00000000


Here is the stack trace for case 2):

[Switching to Thread 566]
0xaa2bb53c in KJS::StringProtoFunc::callAsFunction (this=<value
optimized out>, exec=0x107ff01c, thisObj=<value optimized out>,
args=<value optimized out>)
   at libs/WebKitLib/WebKit/JavaScriptCore/kjs/string_object.cpp:637
637               res->put(exec, i, jsString(u.substr(p0, pos-p0)));
Current language:  auto; currently c++
(gdb) bt
#0  0xaa2bb53c in KJS::StringProtoFunc::callAsFunction (this=<value
optimized out>, exec=0x107ff01c, thisObj=<value optimized out>,
   args=<value optimized out>) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/string_object.cpp:637
#1  0xaa2b33ce in KJS::JSObject::call (this=0x1bca, exec=0x107fee1c,
thisObj=0x43394440, args=@0xaa38d888)
   at libs/WebKitLib/WebKit/JavaScriptCore/kjs/object.cpp:95
#2  0xaa2c8a80 in KJS::FunctionCallDotNode::evaluate (this=0x7b9530,
exec=0x107ff01c) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:899
#3  0xaa2c4b1a in KJS::AssignResolveNode::evaluate (this=0x7b9548,
exec=0x107ff01c) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2295
#4  0xaa2c3086 in KJS::ExprStatementNode::execute (this=0x7b9560,
exec=0x107ff01c) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2718
#5  0xaa29d104 in KJS::BlockNode::execute (this=<value optimized out>,
exec=0x107ff01c) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2653
#6  0xaa2beb6a in KJS::FunctionBodyNode::execute (this=0x1b4,
exec=0x107ff01c) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:3612
#7  0xaa29ca6e in KJS::FunctionImp::execute (this=<value optimized
out>, exec=0x43394400) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/function.cpp:252
#8  0xaa2cf2fc in KJS::FunctionImp::callAsFunction (this=0x43395be0,
exec=0x107ff334, thisObj=<value optimized out>, args=@0x107ff0cc)
   at libs/WebKitLib/WebKit/JavaScriptCore/kjs/function.cpp:93
#9  0xaa2b33ce in KJS::JSObject::call (this=0x1bca, exec=0x107fee1c,
thisObj=0x42d60000, args=@0xaa38d888)
   at libs/WebKitLib/WebKit/JavaScriptCore/kjs/object.cpp:95
#10 0xaa2c8724 in KJS::FunctionCallResolveNode::evaluate
(this=0x7cb140, exec=0x107ff334) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:767
#11 0xaa2c8974 in KJS::FunctionCallDotNode::evaluate (this=0x7cb190,
exec=0x107ff334) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:874
#12 0xaa2c4b1a in KJS::AssignResolveNode::evaluate (this=0x7cb1a8,
exec=0x107ff334) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2295
#13 0xaa2c3086 in KJS::ExprStatementNode::execute (this=0x7cb1c0,
exec=0x107ff334) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2718
#14 0xaa29d104 in KJS::BlockNode::execute (this=<value optimized out>,
exec=0x107ff334) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2653
#15 0xaa2c3024 in KJS::IfNode::execute (this=<value optimized out>,
exec=0x107ff334) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2754
#16 0xaa29d104 in KJS::BlockNode::execute (this=<value optimized out>,
exec=0x107ff334) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2653
#17 0xaa2beb6a in KJS::FunctionBodyNode::execute (this=0x1b4,
exec=0x107ff334) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:3612
#18 0xaa29ca6e in KJS::FunctionImp::execute (this=<value optimized
out>, exec=0x43394400) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/function.cpp:252
#19 0xaa2cf2fc in KJS::FunctionImp::callAsFunction (this=0x43395ba0,
exec=0x107ff594, thisObj=<value optimized out>, args=@0x107ff3e4)
   at libs/WebKitLib/WebKit/JavaScriptCore/kjs/function.cpp:93
#20 0xaa2b33ce in KJS::JSObject::call (this=0x1bca, exec=0x107fee1c,
thisObj=0x42d60000, args=@0xaa38d888)
   at libs/WebKitLib/WebKit/JavaScriptCore/kjs/object.cpp:95
#21 0xaa2c8724 in KJS::FunctionCallResolveNode::evaluate
(this=0x780e38, exec=0x107ff594) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:767
#22 0xaa2c3086 in KJS::ExprStatementNode::execute (this=0x780e50,
exec=0x107ff594) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2718
#23 0xaa29d104 in KJS::BlockNode::execute (this=<value optimized out>,
exec=0x107ff594) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2653
#24 0xaa2c3024 in KJS::IfNode::execute (this=<value optimized out>,
exec=0x107ff594) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2754
#25 0xaa29d104 in KJS::BlockNode::execute (this=<value optimized out>,
exec=0x107ff594) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2653
#26 0xaa2beb6a in KJS::FunctionBodyNode::execute (this=0x1b4,
exec=0x107ff594) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:3612
#27 0xaa29ca6e in KJS::FunctionImp::execute (this=<value optimized
out>, exec=0x43394400) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/function.cpp:252
#28 0xaa2cf2fc in KJS::FunctionImp::callAsFunction (this=0x43395e80,
exec=0x107ff7ac, thisObj=<value optimized out>, args=@0x107ff644)
---Type <return> to continue, or q <return> to quit---
   at libs/WebKitLib/WebKit/JavaScriptCore/kjs/function.cpp:93
#29 0xaa2b33ce in KJS::JSObject::call (this=0x1bca, exec=0x107fee1c,
thisObj=0x42d60000, args=@0xaa38d888)
   at libs/WebKitLib/WebKit/JavaScriptCore/kjs/object.cpp:95
#30 0xaa2c8724 in KJS::FunctionCallResolveNode::evaluate
(this=0x780a80, exec=0x107ff7ac) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:767
#31 0xaa2c3086 in KJS::ExprStatementNode::execute (this=0x780a98,
exec=0x107ff7ac) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2718
#32 0xaa29d104 in KJS::BlockNode::execute (this=<value optimized out>,
exec=0x107ff7ac) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2653
#33 0xaa2beb6a in KJS::FunctionBodyNode::execute (this=0x1b4,
exec=0x107ff7ac) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:3612
#34 0xaa29ca6e in KJS::FunctionImp::execute (this=<value optimized
out>, exec=0x43394400) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/function.cpp:252
#35 0xaa2cf2fc in KJS::FunctionImp::callAsFunction (this=0x43395ec0,
exec=0x107ffa50, thisObj=<value optimized out>, args=@0x107ff85c)
   at libs/WebKitLib/WebKit/JavaScriptCore/kjs/function.cpp:93
#36 0xaa2b33ce in KJS::JSObject::call (this=0x1bca, exec=0x107fee1c,
thisObj=0x42d60000, args=@0xaa38d888)
   at libs/WebKitLib/WebKit/JavaScriptCore/kjs/object.cpp:95
#37 0xaa2c8724 in KJS::FunctionCallResolveNode::evaluate
(this=0x7d0cf8, exec=0x107ffa50) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:767
#38 0xaa2c3086 in KJS::ExprStatementNode::execute (this=0x7d0d10,
exec=0x107ffa50) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2718
#39 0xaa29d104 in KJS::BlockNode::execute (this=<value optimized out>,
exec=0x107ffa50) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2653
#40 0xaa2bedb0 in KJS::TryNode::execute (this=0x7d0ed8,
exec=0x107ffa50) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:3405
#41 0xaa29d104 in KJS::BlockNode::execute (this=<value optimized out>,
exec=0x107ffa50) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:2653
#42 0xaa2beb6a in KJS::FunctionBodyNode::execute (this=0x107ffa50,
exec=0x107ffa50) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/nodes.cpp:3612
#43 0xaa2ce844 in KJS::Interpreter::evaluate (this=0x1d2ac0,
sourceURL=@0x0, startingLineNumber=<value optimized out>,
code=0xafe0e25c,
   codeLength=7978448, thisV=0xc0000000) at
libs/WebKitLib/WebKit/JavaScriptCore/kjs/interpreter.cpp:379
#44 0xaa04c0fa in WebCore::KJSProxy::evaluate (this=0x1c7068,
filename=<value optimized out>, baseLine=0, str=@0x107ffbe8)
   at libs/WebKitLib/WebKit/WebCore/bindings/js/kjs_proxy.cpp:87
#45 0xaa15004a in WebCore::FrameLoader::executeScript (this=0x188e68,
URL=@0x107ffbec, baseLine=0, script=@0x107ffbe8)
   at libs/WebKitLib/WebKit/WebCore/loader/FrameLoader.cpp:762
#46 0xaa12fb22 in WebCore::HTMLTokenizer::scriptExecution
(this=0x216c00, str=@0x107ffc50, state={static EntityShift = 4, m_bits
= 4194304},
   scriptURL=<value optimized out>, baseLine=0) at
libs/WebKitLib/WebKit/WebCore/html/HTMLTokenizer.cpp:552
#47 0xaa131040 in WebCore::HTMLTokenizer::notifyFinished
(this=0x216c00, res=<value optimized out>)
   at libs/WebKitLib/WebKit/WebCore/html/HTMLTokenizer.cpp:1784
#48 0xaa13a36a in WebCore::CachedScript::checkNotify (this=0x5fc080)
at libs/WebKitLib/WebKit/WebCore/loader/CachedScript.cpp:93
#49 0xaa13a4b0 in WebCore::CachedScript::data (this=0x5fc080,
data=<value optimized out>, allDataReceived=<value optimized out>)
   at libs/WebKitLib/WebKit/WebCore/loader/CachedScript.cpp:83
#50 0xaa16303a in WebCore::Loader::didFinishLoading (this=0x187704,
loader=0x415748) at
libs/WebKitLib/WebKit/WebCore/loader/loader.cpp:119
#51 0xaa157304 in WebCore::SubresourceLoader::didFinishLoading
(this=0x415748) at
libs/WebKitLib/WebKit/WebCore/loader/SubresourceLoader.cpp:193
#52 0xaa155ce2 in WebCore::ResourceLoader::didFinishLoading
(this=0x1bca) at
libs/WebKitLib/WebKit/WebCore/loader/ResourceLoader.cpp:361
#53 0xaa1ae024 in android_webcore_resourceloader_nativeFinished
(env=<value optimized out>, obj=<value optimized out>)
---Type <return> to continue, or q <return> to quit---
   at
libs/WebKitLib/WebKit/WebCore/platform/android/jni/android_webcore_resource_loader.cpp:259
#54 0xad00a3e8 in invoke () at dalvik/vm/arch/arm/CallEABI.S:221

