[Webkit-unassigned] [Bug 93373] New: ARM JIT causes segmentation fault

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Aug 7 09:05:22 PDT 2012 

https://bugs.webkit.org/show_bug.cgi?id=93373

           Summary: ARM JIT causes segmentation fault
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Other
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: rm4dfthings at gmail.com


WebkitGtk-1.8.1 (GTK2) crashes during the loading of the following page: http://itv.ard.de/ardepg/index.php

Caught signal 11 (at 0x65646f76, invalid address) 

Platform is with the ARMv6TEJ processor. Webkit is built with the enabled JIT. If JIT is disabled there is no crash so I assume that there is some bug in JIT port for ARM. Setting optimization level does not make any difference.

Backtrace:

(gdb) bt
#0  0x31c62568 in JSC::PropertyTable::find (this=0x65646f6e, key=@0x7edce348: 0x46039f20) 
#1  0x31c630a8 in JSC::Structure::get (this=0x4809d6a0, globalData=..., propertyName=...) 
#2  0x31c63158 in JSC::JSObject::getDirectLocation (this=0x48094344, globalData=..., propertyName=...)
#3  0x31d71a84 in inlineGetOwnPropertySlot (this=<optimized out>, exec=<optimized out>, propertyName=..., slot=...)
#4  fastGetOwnPropertySlot (this=<optimized out>, exec=<optimized out>, propertyName=..., slot=...) 
#5  JSC::JSValue::get (this=0x7edce558, exec=0x478bf108, propertyName=..., slot=...) 
#6  0x31dd82a4 in JSC::JITStubThunked_op_get_by_id_self_fail (args=0x7edce5c8) 
#7  0x31dc2028 in cti_op_get_by_id_self_fail () 
#8  0x31dc2028 in cti_op_get_by_id_self_fail () 
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

Registers info:

(gdb) info registers 
r0             0xc4df83    12902275
r1             0x65646f6e    1701080942
r2             0x7edce348    2128405320
r3             0x65646f6e    1701080942
r4             0x65646f6e    1701080942
r5             0x200    512
r6             0x768b8    485560
r7             0x45f916c0    1173952192
r8             0x31dc2020    836509728
r9             0x0    0
r10            0x320b32a0    839594656
r11            0x7edce324    2128405284
r12            0x7edce2d0    2128405200
sp             0x7edce2f0    0x7edce2f0
lr             0x31c617a0    835065760
pc             0x31c62568    0x31c62568 <JSC::PropertyTable::find(WTF::StringImpl* const&)+80>
cpsr           0x60000010    1610612752

Obviously "this" pointer in instance of PropertyTable class has invalid value. I tried to go deeper in debugging to find out how those instances are created, but that ends in JIT code generated for ARM and that is unfortunately out of my knowledge. Please ask for any additional info you need.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list