[Webkit-unassigned] [Bug 82383] New: Crash Firing Signals Through QtWebKit Bridge
bugzilla-daemon at webkit.org
Tue Mar 27 14:45:45 PDT 2012
https://bugs.webkit.org/show_bug.cgi?id=82383
Summary: Crash Firing Signals Through QtWebKit Bridge
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
OS/Version: Windows 7
Status: UNCONFIRMED
Severity: Major
Priority: P2
Component: WebKit Qt
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: rcumming at ea.com
Created an attachment (id=134141)
--> (https://bugs.webkit.org/attachment.cgi?id=134141&action=review)
Test Qt project that will demonstrate the crash on startup
Firing signals from a Qt object through the QtWebKit bridge will frequently cause a crash if the attached function is non-trivial. The use of Function.apply seems to reliably cause a crash. The following JavaScript snippet assumes there is an object called "signalTest" added using QWebFrame::addToJavaScriptWindowObject() that emits fired() whenever fire() is called:
// Wrap fn so that, when called, it runs with `this` bound to context.
var proxy = function(fn, context) {
    return function() {
        return fn.apply(context);
    };
};

var proxiedFunction = proxy(function() {
    alert("Hello, world!");
}, window);

// This works
proxiedFunction();

// Connect the proxied function as a slot for the Qt signal
signalTest.fired.connect(proxiedFunction);

// CRASHES HERE
signalTest.fire();
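To make the sequence in the snippet above reproducible without Qt, here is an added example (not from the bug report, and not QtWebKit's own code): a plain-JavaScript stand-in for the bridge's signal object with connect/disconnect/emit, plus a `signalTest`-style object, so the proxy's `this` binding and the order of calls can be checked in any JavaScript engine. The `Signal`, `SignalTest`, and `runScenario` names are constructed for this example; it also extends the report's proxy to forward the signal's arguments, which the original did not do.

```javascript
// Constructed stand-in for the QtWebKit bridge's signal object. The real
// QtConnectionObject is native code in QtWebKit and is not modelled here.
function Signal() {
    this.slots = [];
}
Signal.prototype.connect = function (fn) {
    this.slots.push(fn);
};
Signal.prototype.disconnect = function (fn) {
    this.slots = this.slots.filter(function (s) { return s !== fn; });
};
// Emit: call every connected slot with the signal's arguments and return the
// collected results so the caller can inspect what each slot produced.
Signal.prototype.emit = function () {
    var args = Array.prototype.slice.call(arguments);
    return this.slots.map(function (fn) { return fn.apply(null, args); });
};

// Stand-in for the `signalTest` object the report assumes was exposed via
// QWebFrame::addToJavaScriptWindowObject(): `fire()` emits `fired`.
function SignalTest() {
    this.fired = new Signal();
}
SignalTest.prototype.fire = function () {
    return this.fired.emit.apply(this.fired, arguments);
};

// The report's proxy, extended to forward the signal's arguments as well as
// binding `this` to `context`.
function proxy(fn, context) {
    return function () {
        return fn.apply(context, arguments);
    };
}

// Drive the same sequence as the report: call the proxied function directly,
// connect it to the signal, then fire the signal. Returns what was observed
// so the result can be asserted on rather than only printed.
function runScenario() {
    var observed = [];
    var context = { name: "ctx" };
    var proxied = proxy(function (payload) {
        observed.push({ thisName: this.name, payload: payload });
        return "handled:" + payload;
    }, context);

    var direct = proxied("direct");        // the call the report says works
    var test = new SignalTest();
    test.fired.connect(proxied);
    var viaSignal = test.fire("signal");   // the step that crashed in QtWebKit

    test.fired.disconnect(proxied);
    var afterDisconnect = test.fire("ignored");  // no slots left: []

    return {
        direct: direct,
        viaSignal: viaSignal,
        afterDisconnect: afterDisconnect,
        observed: observed
    };
}
```

In this pure-JavaScript model both the direct call and the call through the signal reach the wrapped function with `this` bound to `context`, which is the behaviour the bridge is expected to provide; the report's crash lies in the native dispatch path (QtConnectionObject::execute into JIT code), which this stand-in does not exercise.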
The crash seems to come from JIT-generated code trying to read from 0xffffffc0, with the following stack trace:
0f091444()
QtWebKitd4.dll!JSC::JITCode::execute(JSC::RegisterFile * registerFile, JSC::ExecState * callFrame, JSC::JSGlobalData * globalData) Line 77 + 0x22 bytes C++
QtWebKitd4.dll!JSC::Interpreter::executeCall(JSC::ExecState * callFrame, JSC::JSObject * function, JSC::CallType callType, const JSC::CallData & callData, JSC::JSValue thisValue, const JSC::ArgList & args) Line 838 + 0x2a bytes C++
QtWebKitd4.dll!JSC::call(JSC::ExecState * exec, JSC::JSValue functionObject, JSC::CallType callType, const JSC::CallData & callData, JSC::JSValue thisValue, const JSC::ArgList & args) Line 38 + 0x3c bytes C++
QtWebKitd4.dll!JSC::Bindings::QtConnectionObject::execute(void * * argv) Line 1863 + 0x6f bytes C++
QtWebKitd4.dll!JSC::Bindings::QtConnectionObject::qt_metacall(QMetaObject::Call _c, int _id, void * * _a) Line 1809 C++
QtCored4.dll!QMetaObject::metacall(QObject * object, QMetaObject::Call cl, int idx, void * * argv) Line 238 C++
The disassembly around the crash looks like:
0F0913DA call cti_op_call_arityCheck (3E876B0h)
0F0913DF mov edi,eax
0F0913E1 jmp 0F090004
0F0913E6 add byte ptr [eax],al
0F0913E8 pop ecx
0F0913E9 mov dword ptr [edi-10h],ecx
0F0913EC mov dword ptr [edi-8],182092A0h
0F0913F3 lea edx,[edi+98h]
0F0913F9 cmp dword ptr ds:[0BF927F0h],edx
0F0913FF jb 0F091DDC
0F091405 mov dword ptr [edi],0
0F09140B mov dword ptr [edi+4],0FFFFFFFCh
0F091412 mov dword ptr [edi+8],0
0F091419 mov dword ptr [edi+0Ch],0FFFFFFFCh
0F091420 mov dword ptr [edi+8],0
0F091427 mov dword ptr [edi+0Ch],0FFFFFFFAh
0F09142E mov dword ptr [edi],0
0F091434 mov dword ptr [edi+4],0FFFFFFFAh
0F09143B mov ecx,dword ptr [edi-18h]
0F09143E mov ecx,dword ptr [ecx+10h]
0F091441 mov ecx,dword ptr [ecx+34h] <=== CRASH
0F091444 mov eax,dword ptr [ecx-40h]
The attached Qt project demonstrates the problem by reliably crashing on startup. I built it with a fresh install of Qt SDK 1.2 against Qt 4.8.0 using MSVC 2010 SP1.