[Webkit-unassigned] [Bug 45457] [Qt] QtTestBrowser is crashing on www.index.hu

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Oct 19 00:33:34 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=45457

--- Comment #11 from Andreas Kling <kling at webkit.org>  2010-10-19 00:33:32 PST ---
Running the test through 'jsc' yields some interesting valgrind output:

==19191== Conditional jump or move depends on uninitialised value(s)
==19191==    at 0x428401: JSC::BytecodeGenerator::emitOpcode(JSC::OpcodeID) (BytecodeGenerator.cpp:678)
==19191==    by 0x42741E: JSC::BytecodeGenerator::BytecodeGenerator(JSC::EvalNode*, JSC::Debugger const*, JSC::ScopeChain const&, WTF::HashMap<WTF::RefPtr<WTF::StringImpl>, JSC::SymbolTableEntry, JSC::IdentifierRepHash, WTF::HashTraits<WTF::RefPtr<WTF::StringImpl> >, JSC::SymbolTableIndexHashTraits>*, JSC::EvalCodeBlock*) (BytecodeGenerator.cpp:485)
==19191==    by 0x463896: JSC::EvalExecutable::compileInternal(JSC::ExecState*, JSC::ScopeChainNode*) (Executable.cpp:111)
==19191==    by 0x49683F: JSC::EvalExecutable::compile(JSC::ExecState*, JSC::ScopeChainNode*) (Executable.h:207)
==19191==    by 0x532B3E: JSC::EvalCodeCache::get(JSC::ExecState*, bool, JSC::UString const&, JSC::ScopeChainNode*, JSC::JSValue&) (EvalCodeCache.h:55)
==19191==    by 0x52D91F: JSC::Interpreter::callEval(JSC::ExecState*, JSC::RegisterFile*, JSC::Register*, int, int, JSC::JSValue&) (Interpreter.cpp:410)
==19191==    by 0x56142A: cti_op_call_eval (JITStubs.cpp:3236)
==19191==    by 0x5568E9: JSC::JITThunks::tryCacheGetByID(JSC::ExecState*, JSC::CodeBlock*, JSC::ReturnAddressPtr, JSC::JSValue, JSC::Identifier const&, JSC::PropertySlot const&, JSC::StructureStubInfo*) (JITStubs.cpp:999)
==19191==    by 0x532443: JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*, JSC::JSValue*) (JITCode.h:77)
==19191==    by 0x52F0CD: JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*, JSC::JSValue*) (Interpreter.cpp:746)
==19191==    by 0x45FF49: JSC::evaluate(JSC::ExecState*, JSC::ScopeChain&, JSC::SourceCode const&, JSC::JSValue) (Completion.cpp:63)
==19191==    by 0x406971: runWithScripts(GlobalObject*, WTF::Vector<Script, 0ul> const&, bool) (jsc.cpp:391)

==19191== Invalid read of size 8
==19191==    at 0x49184E: JSC::RegisterFile::end() const (RegisterFile.h:118)
==19191==    by 0x491B96: JSC::ExecState::init(JSC::CodeBlock*, JSC::Instruction*, JSC::ScopeChainNode*, JSC::ExecState*, int, JSC::JSObject*) (CallFrame.h:121)
==19191==    by 0x52F8C8: JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, JSC::JSValue*) (Interpreter.cpp:842)
==19191==    by 0x585723: JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (CallData.cpp:38)
==19191==    by 0x498F2B: JSC::callDefaultValueFunction(JSC::ExecState*, JSC::JSObject const*, JSC::Identifier const&) (JSObject.cpp:258)
==19191==    by 0x4990CF: JSC::JSObject::defaultValue(JSC::ExecState*, JSC::PreferredPrimitiveType) const (JSObject.cpp:279)
==19191==    by 0x40B0E6: JSC::JSObject::toPrimitive(JSC::ExecState*, JSC::PreferredPrimitiveType) const (JSObject.h:644)
==19191==    by 0x499FED: JSC::JSObject::toString(JSC::ExecState*) const (JSObject.cpp:483)
==19191==    by 0x4D2CE1: JSC::JSValue::toThisString(JSC::ExecState*) const (JSObject.h:759)
==19191==    by 0x4D0305: JSC::stringProtoFuncSubstring(JSC::ExecState*) (StringPrototype.cpp:800)
==19191==    by 0x392891A9: ???
==19191==    by 0x532443: JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*, JSC::JSValue*) (JITCode.h:77)
==19191==  Address 0x6d9b9f0 is 0 bytes after a block of size 48 alloc'd
==19191==    at 0x4C285D8: malloc (vg_replace_malloc.c:236)
==19191==    by 0x4108FB: WTF::fastMalloc(unsigned long) (FastMalloc.cpp:250)
==19191==    by 0x407891: WTF::FastAllocBase::operator new(unsigned long) (FastAllocBase.h:121)
==19191==    by 0x491A00: JSC::ScopeChain::ScopeChain(JSC::JSObject*, JSC::JSGlobalData*, JSC::JSGlobalObject*, JSC::JSObject*) (ScopeChain.h:168)
==19191==    by 0x48C110: JSC::JSGlobalObject::init(JSC::JSObject*) (JSGlobalObject.cpp:132)
==19191==    by 0x40C20D: JSC::JSGlobalObject::JSGlobalObject() (JSGlobalObject.h:171)
==19191==    by 0x404C00: GlobalObject::GlobalObject(WTF::Vector<JSC::UString, 0ul> const&) (jsc.cpp:152)
==19191==    by 0x40754C: jscmain(int, char**, JSC::JSGlobalData*) (jsc.cpp:528)
==19191==    by 0x4065EE: main (jsc.cpp:348)

It finally dies with this assertion:
ASSERTION FAILED: callerFrame == noCaller() || callerFrame->removeHostCallFrameFlag()->registerFile()->end() >= this
(../../../JavaScriptCore/interpreter/CallFrame.h:121 void JSC::ExecState::init(JSC::CodeBlock*, JSC::Instruction*, JSC::ScopeChainNode*, JSC::CallFrame*, int, JSC::JSObject*))
