[Webkit-unassigned] [Bug 122678] Crashes inside JavaScriptCore with SIGTRAP on various websites

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Dec 10 00:29:22 PST 2013 

https://bugs.webkit.org/show_bug.cgi?id=122678





--- Comment #1 from Sebastian Dröge (slomo) <slomo at coaxion.net>  2013-12-10 00:27:35 PST ---
Still similar crashes happen all over the place with webkitgtk 2.2.3


Program received signal SIGSEGV, Segmentation fault.
0x00007f8bbca1cbeb in ?? ()
(gdb) bt
#0  0x00007f8bbca1cbeb in ?? ()
#1  0xff00007f8c13927f in ?? ()
#2  0x0000000000000002 in ?? ()
#3  0x00007f8b48ba5db0 in ?? ()
#4  0x00007f8b48ba5db0 in ?? ()
#5  0x6c894ce789480000 in ?? ()
#6  0x0047d445c7415824 in ?? ()
#7  0x00007f8b4c21df10 in ?? ()
#8  0x00007f8c139dfe9d in get (this=0x7fffb75cd2f0)
    at ../Source/WTF/wtf/ThreadSpecific.h:148
#9  operator WTF::WTFThreadData* (this=0x7fffb75cd2f0)
    at ../Source/WTF/wtf/ThreadSpecific.h:257
#10 operator* (this=0x7fffb75cd2f0) at ../Source/WTF/wtf/ThreadSpecific.h:277
#11 wtfThreadData () at ../Source/WTF/wtf/WTFThreadData.h:145
#12 JSC::Interpreter::prepareForRepeatCall (this=0xffff000000000000, 
    functionExecutable=0x7f8bb805ee00, callFrame=0x200, 
    function=<optimized out>, argumentCountIncludingThis=<optimized out>, 
    scope=0x7fffb75cd470)
    at ../Source/JavaScriptCore/interpreter/Interpreter.cpp:952
#13 0x00007f8c139fbcea in JSC::JITCode::execute (
    this=this at entry=0x7f8b785fa2a0, stack=0x7f8b785fa2a8, 
    stack at entry=0x7f8c01e78378, callFrame=0x7f8bb805ed08, 
    vm=vm at entry=0x7f8c000f5000) at ../Source/JavaScriptCore/jit/JITCode.cpp:46
---Type <return> to continue, or q <return> to quit---
#14 0x00007f8c139e06d5 in JSC::Interpreter::execute (this=0x7f8c01e78360, 
    closure=...) at ../Source/JavaScriptCore/interpreter/Interpreter.cpp:1024
#15 0x00007f8c13ad4c12 in call (this=0x7fffb75cd440)
    at ../Source/JavaScriptCore/interpreter/CachedCall.h:51
#16 JSC::arrayProtoFuncForEach (exec=0x7f8bb805ecb8)
    at ../Source/JavaScriptCore/runtime/ArrayPrototype.cpp:1045
#17 0x00007f8bbbfff0e5 in ?? ()
#18 0x00007fffb75cd600 in ?? ()
#19 0x00007f8bbc773c8c in ?? ()
#20 0x588b480000000084 in ?? ()
#21 0x00007f8b4c818370 in ?? ()
#22 0x00007f8b48ba5d38 in ?? ()
#23 0x00007f8b4c99c490 in ?? ()
#24 0x00007f8b6b22dc00 in ?? ()
#25 0x00007f8c13b3f133 in memcpy (__src=<optimized out>, 
    __dest=<optimized out>, __len=<optimized out>)
    at /usr/include/x86_64-linux-gnu/bits/string3.h:51
#26 growPropertyStorage (newPropertyCapacity=<optimized out>, 
    indexingPayloadSizeInBytes=18446462598732840960, hasIndexingHeader=false, 
    oldPropertyCapacity=<optimized out>, preCapacity=18446462598732840962, 
    vm=..., this=0x7f8bb805ec58, intendedOwner=<optimized out>)
    at ../Source/JavaScriptCore/runtime/ButterflyInlines.h:89
#27 growPropertyStorage (newPropertyCapacity=<optimized out>, 
---Type <return> to continue, or q <return> to quit---
    oldPropertyCapacity=<optimized out>, structure=<optimized out>, 
    intendedOwner=<optimized out>, vm=..., this=0x7f8bb805ec58)
    at ../Source/JavaScriptCore/runtime/ButterflyInlines.h:100
#28 JSC::JSObject::growOutOfLineStorage (this=<optimized out>, vm=..., 
    oldSize=<optimized out>, newSize=<optimized out>)
    at ../Source/JavaScriptCore/runtime/JSObject.cpp:2379
#29 0x00007f8bb805ec58 in ?? ()
#30 0x00007f8b51824ca0 in ?? ()
#31 0x00007f8bb805ec58 in ?? ()
#32 0x00007f8c01e78378 in ?? ()
#33 0x00007f8c139fbcea in JSC::JITCode::execute (
    this=this at entry=0x7f8c000f5000, stack=0x0, stack at entry=0x7f8c01e78378, 
    callFrame=0x0, vm=0x7f8bb805ec58, vm at entry=0x7f8c000f5000)
    at ../Source/JavaScriptCore/jit/JITCode.cpp:46
#34 0x00007f8c139e06d5 in JSC::Interpreter::execute (this=0x7f8c01e78360, 
    closure=...) at ../Source/JavaScriptCore/interpreter/Interpreter.cpp:1024
#35 0x00007f8c13ad4c12 in call (this=0x7fffb75cd750)
    at ../Source/JavaScriptCore/interpreter/CachedCall.h:51
#36 JSC::arrayProtoFuncForEach (exec=0x7f8bb805ec08)
    at ../Source/JavaScriptCore/runtime/ArrayPrototype.cpp:1045
#37 0x00007f8bbbfff0e5 in ?? ()
#38 0xffff000000000002 in ?? ()
#39 0x00007f8c13a471e1 in llint_op_call ()
---Type <return> to continue, or q <return> to quit---
   from /usr/lib/x86_64-linux-gnu/libjavascriptcoregtk-3.0.so.0
#40 0x00007f8c13edf4e0 in ?? ()
   from /usr/lib/x86_64-linux-gnu/libjavascriptcoregtk-3.0.so.0
#41 0x0000000000000002 in ?? ()
#42 0x00007f8b593c85c0 in ?? ()
#43 0x00007f8b0000000c in ?? ()
#44 0x00007f8bbc6492c1 in ?? ()
#45 0x00007f8b985f56f0 in ?? ()
#46 0x00007fffb75cd9e0 in ?? ()
#47 0x00007f8c13b8f9a7 in execute (length=<optimized out>, 
    start=<optimized out>, input=<optimized out>, this=0x7f8bb805ec38)
    at ../Source/JavaScriptCore/yarr/YarrJIT.h:101
#48 JSC::RegExp::match (this=0x7f8bb805ec08, vm=..., s=..., startOffset=512)
    at ../Source/JavaScriptCore/runtime/RegExp.cpp:456
#49 0x00007f8b53027730 in ?? ()
#50 0x00007fffb75cda30 in ?? ()
#51 0x00007f8b6ae166c0 in ?? ()
#52 0x00007f8bb805ea00 in ?? ()
#53 0x00007fffb75cda10 in ?? ()
#54 0x00007f8b68fd34a0 in ?? ()

#55 0x00007f8c13adc3ea in JSC::call (exec=exec at entry=0x7f8b593c85d0, 
    functionObject=..., functionObject at entry=..., callType=<optimized out>, 
    callData=..., thisValue=..., args=...)
---Type <return> to continue, or q <return> to quit---
    at ../Source/JavaScriptCore/runtime/CallData.cpp:39
#56 0x00007f8c13b19979 in JSC::boundFunctionCall (exec=0x7f8b593c85d0)
    at ../Source/JavaScriptCore/runtime/JSBoundFunction.cpp:54
#57 0x00007f8bbbfff0e5 in ?? ()
#58 0x0000000000000007 in ?? ()
#59 0x00007f8bbc649493 in ?? ()
#60 0x00007f8b52c79070 in ?? ()
#61 0x000000000000000a in ?? ()
#62 0x00007f8b593c85d0 in ?? ()
#63 0x00007f8b0000000c in ?? ()
#64 0x00007f8bbc6492c1 in ?? ()
#65 0x00007f8b4bba6b90 in ?? ()
#66 0x0000000000000067 in ?? ()
#67 0x00007f8bb805e660 in ?? ()
#68 0x00007f8bb805e660 in ?? ()
#69 0x00007f8bbbfff920 in ?? ()
#70 0x00007f8c01e78378 in ?? ()
#71 0x00007f8bb805e938 in ?? ()
#72 0x0000000000000000 in ?? ()
(gdb) 
(gdb) 
(gdb) quit
A debugging session is active.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list