[Webkit-unassigned] [Bug 29954] New: Webkit SIGBUS when destroying old page (closing tab or simply reloading a web page)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Oct 1 01:14:04 PDT 2009 

https://bugs.webkit.org/show_bug.cgi?id=29954

           Summary: Webkit SIGBUS when destroying old page (closing tab or
                    simply reloading a web page)
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Other
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: michael.heide at student.uni-siegen.de


I'm trying to use webkit with a Loongson 2F machine (Fuloong 2F)
(MIPS64 N32 with Loongson specific instructions).
I'm using Gentoo Linux and I tried arora (qt-webkit 4.5.2-r1) and 
midori (webkit-gtk 1.1.10). Both are crashing with the similar Bus Error
when closing tabs or loading a new web page in an old tab (i.e. clicking
on a link). Middleclicking a link, i.e. open in a new tab, is working fine.
backtraces:

(midori, webkit-gtk)
Program received signal SIGBUS, Bus error.
[Switching to Thread 0x2fc28eb0 (LWP 1181)]
0x2c6ed84c in WebCore::TimerBase::setNextFireTime (this=0x111a0364, newTime=0)
    at WebCore/platform/Timer.cpp:302
302     WebCore/platform/Timer.cpp: No such file or directory.
        in WebCore/platform/Timer.cpp
Current language:  auto; currently c++
(gdb) bt
#0  0x2c6ed84c in WebCore::TimerBase::setNextFireTime (this=0x111a0364, 
    newTime=0) at WebCore/platform/Timer.cpp:302
#1  0x2c6ecf94 in WebCore::TimerBase::stop (this=0x111a0364)
    at WebCore/platform/Timer.cpp:197
#2  0x2c6ecb10 in ~TimerBase (this=0x111a0364)
    at WebCore/platform/Timer.cpp:180
#3  0x2c94a2fc in ~Timer (this=0x111a0364) at ./WebCore/platform/Timer.h:90
#4  0x2c943250 in ~RenderTextControlSingleLine (this=0x111a02c4)
    at WebCore/rendering/RenderTextControlSingleLine.cpp:70
#5  0x2c8f0708 in WebCore::RenderObject::arenaDelete (this=0x111a02c4, 
[...]

(arora, qt-webkit)
Program received signal SIGBUS, Bus error.
[Switching to Thread 0x2aace200 (LWP 6063)]
0x2b5ab47c in WebCore::TimerBase::setNextFireTime ()
   from /usr/lib/qt4/libQtWebKit.so.4
(gdb) bt
#0  0x2b5ab47c in WebCore::TimerBase::setNextFireTime ()
   from /usr/lib/qt4/libQtWebKit.so.4
#1  0x2b5ab124 in WebCore::TimerBase::stop ()
   from /usr/lib/qt4/libQtWebKit.so.4
#2  0x2b5aaec0 in WebCore::TimerBase::~TimerBase ()
   from /usr/lib/qt4/libQtWebKit.so.4
#3  0x2b728218 in WebCore::Timer<WebCore::RenderTextControlSingleLine>::~Timer
    () from /usr/lib/qt4/libQtWebKit.so.4
#4  0x2b722550 in
WebCore::RenderTextControlSingleLine::~RenderTextControlSingleLine () from
/usr/lib/qt4/libQtWebKit.so.4
#5  0x2b6dcd1c in WebCore::RenderObject::arenaDelete ()
   from /usr/lib/qt4/libQtWebKit.so.4
#6  0x2b6dca48 in WebCore::RenderObject::destroy ()
   from /usr/lib/qt4/libQtWebKit.so.4
[...]

(If you tell me I can upload longer backtraces or other gdb outputs)

The bus error occurs while reading the value in m_nextFireTime:
"double oldTime = m_nextFireTime;" -> SIGBUS. I'm not a developer
so I cannot debug it by myself, but I added the following at the beginning 
of void TimerBase::setNextFireTime(double newTime):
printf(" m_nextFireTimeAddress:%i \n",&m_nextFireTime); fflush(stdout);
printf(" m_nextFireTime:%e \n",m_nextFireTime); fflush(stdout);

Webkit now prints many of those messages, as long as I do not close a tab or
load a new page in an existing tab. It seems there are many timers destroyed 
successfully. But if I close a tab or simply click a link in an existing web 
page which opens in the current window, the last line printed before
SIGBUS is m_nextFireTimeAddress:xxx. The address printed is always near 
all those adresses printed before, so for me it seems it could be a valid one.
(btw: it's a 32 bit binary, but the kernel is 64bit. Is "%i" right then??)
But while many addresses printed without crashing webkit are printed multiple 
times, the crashing one I cannot find upwards.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list