[Webkit-unassigned] [Bug 130539] New: WebKit crash @StructureIDTable::get

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Mar 20 14:48:14 PDT 2014


https://bugs.webkit.org/show_bug.cgi?id=130539

           Summary: WebKit crash @StructureIDTable::get
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: tonikitoo at webkit.org
                CC: oliver at apple.com, fpizlo at apple.com


Created an attachment (id=227338)
 --> (https://bugs.webkit.org/attachment.cgi?id=227338&action=review)
test case - load issuetest.html

Load attached test case (by Anthony Liot!)

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x000000027f8301e0
0x0000000103158f53 in JSC::StructureIDTable::get (this=0x112360848, structureID=796288356) at StructureIDTable.h:86
86 return table()[structureID].structure;
(gdb) bt
#0 0x0000000103158f53 in JSC::StructureIDTable::get (this=0x112360848, structureID=796288356) at StructureIDTable.h:86
#1 0x000000010315fd76 in JSC::JSCell::structure (this=0x112360fbd, vm=@0x112360570) at JSCellInlines.h:104
#2 0x0000000103164581 in JSC::JSCell::classInfo (this=0x112360fbd) at JSDestructibleObject.h:37
#3 0x000000010315b8e9 in JSC::JSCell::inherits (this=0x112360fbd, info=0x103cf7c88) at JSCellInlines.h:211
#4 0x00000001037f7465 in JSC::jsDynamicCast<JSC::JSString*, JSC::JSCell> (from=0x112360fbd) at JSCell.h:244
#5 0x00000001037f6f95 in JSC::speculationFromCell (cell=0x112360fbd) at /Users/a1.gomes/Devel/Samsung/webcl-webkit/Source/JavaScriptCore/bytecode/SpeculatedType.cpp:332
#6 0x00000001037f7113 in JSC::speculationFromValue (value={static numberOfInt52Bits = <optimized out>, static int52ShiftAmount = <optimized out>, u = {asInt64 = 4600500157, ptr = 0x112360fbd, asBits = {payload = 305532861, tag = 1}}}) at /Users/a1.gomes/Devel/Samsung/webcl-webkit/Source/JavaScriptCore/bytecode/SpeculatedType.cpp:357
#7 0x00000001033c435e in JSC::DFG::AbstractValue::validate (this=0x10f0dd780, value={static numberOfInt52Bits = <optimized out>, static int52ShiftAmount = <optimized out>, u = {asInt64 = 4600500157, ptr = 0x112360fbd, asBits = {payload = 305532861, tag = 1}}}) at DFGAbstractValue.h:212
#8 0x00000001033c398a in JSC::DFG::prepareOSREntry (exec=0x7fff5fbfcdc0, codeBlock=0x1123e18f0, bytecodeIndex=189) at /Users/a1.gomes/Devel/Samsung/webcl-webkit/Source/JavaScriptCore/dfg/DFGOSREntry.cpp:172
#9 0x000000010353aad0 in operationOptimize (exec=0x7fff5fbfcdc0, bytecodeIndex=189) at /Users/a1.gomes/Devel/Samsung/webcl-webkit/Source/JavaScriptCore/jit/JITOperations.cpp:1216
#10 0x0000339f358e30d7 in ?? ()
#11 0x0000339f3583c8bc in ?? ()
#12 0x0000339f3583b96b in ?? ()
#13 0x0000000103694a86 in llint_op_call ()
#14 0x0000000103694a86 in llint_op_call ()
#15 0x0000000103694a86 in llint_op_call ()
#16 0x0000000103694a86 in llint_op_call ()
#17 0x0000000103694a86 in llint_op_call ()
#18 0x0000000103694a86 in llint_op_call ()
#19 0x000000010368eb44 in callToJavaScript ()
#20 0x000000010352a46d in JSC::JITCode::execute (this=0x112397520, vm=0x10d80be00, protoCallFrame=0x7fff5fbfda28) at /Users/a1.gomes/Devel/Samsung/webcl-webkit/Source/JavaScriptCore/jit/JITCode.cpp:47
#21 0x000000010350ef19 in JSC::Interpreter::executeCall (this=0x11000afc0, callFrame=0x10cf9f4b0, function=0x126bf9f30, callType=JSC::CallTypeJS, callData=@0x7fff5fbfdd08, thisValue={static numberOfInt52Bits = <optimized out>, static int52ShiftAmount = <optimized out>, u = {asInt64 = 4303355824, ptr = 0x1007fffb0, asBits = {payload = 8388528, tag = 1}}}, args=@0x7fff5fbfdc48) at /Users/a1.gomes/Devel/Samsung/webcl-webkit/Source/JavaScriptCore/interpreter/Interpreter.cpp:994
#22 0x00000001031e315e in JSC::call (exec=0x10cf9f4b0, functionObject={static numberOfInt52Bits = <optimized out>, static int52ShiftAmount = <optimized out>, u = {asInt64 = 4945059632, ptr = 0x126bf9f30, asBits = {payload = 650092336, tag = 1}}}, callType=JSC::CallTypeJS, callData=@0x7fff5fbfdd08, thisValue={static numberOfInt52Bits = <optimized out>, static int52ShiftAmount = <optimized out>, u = {asInt64 = 4303355824, ptr = 0x1007fffb0, asBits = {payload = 8388528, tag = 1}}}, args=@0x7fff5fbfdc48) at /Users/a1.gomes/Devel/Samsung/webcl-webkit/Source/JavaScriptCore/runtime/CallData.cpp:39
#23 0x00000001058ed79b in WebCore::JSMainThreadExecState::call (exec=0x10cf9f4b0, functionObject={static numberOfInt52Bits = <optimized out>, static int52ShiftAmount = <optimized out>, u = {asInt64 = 4945059632, ptr = 0x126bf9f30, asBits = {payload = 650092336, tag = 1}}}, callType=JSC::CallTypeJS, callData=@0x7fff5fbfdd08, thisValue={static numberOfInt52Bits = <optimized out>, static int52ShiftAmount = <optimized out>, u = {asInt64 = 4303355824, ptr = 0x1007fffb0, asBits = {payload = 8388528, tag = 1}}}, args=@0x7fff5fbfdc48) at JSMainThreadExecState.h:55
#24 0x000000010656dd51 in WebCore::ScheduledAction::executeFunctionInContext (this=0x119a3fe40, globalObject=0x10cf9f470, thisValue={static numberOfInt52Bits = <optimized out>, static int52ShiftAmount = <optimized out>, u = {asInt64 = 4303355824, ptr = 0x1007fffb0, asBits = {payload = 8388528, tag = 1}}}, context=0x10d01c0a0) at /Users/a1.gomes/Devel/Samsung/webcl-webkit/Source/WebCore/bindings/js/ScheduledAction.cpp:103
#25 0x000000010656d942 in WebCore::ScheduledAction::execute (this=0x119a3fe40, document=0x10d01c000) at /Users/a1.gomes/Devel/Samsung/webcl-webkit/Source/WebCore/bindings/js/ScheduledAction.cpp:124
#26 0x000000010656d7d4 in WebCore::ScheduledAction::execute (this=0x119a3fe40, context=0x10d01c0a0) at /Users/a1.gomes/Devel/Samsung/webcl-webkit/Source/WebCore/bindings/js/ScheduledAction.cpp:78
#27 0x0000000105169228 in WebCore::DOMTimer::fired (this=0x119a45180) at /Users/a1.gomes/Devel/Samsung/webcl-webkit/Source/WebCore/page/DOMTimer.cpp:182
#28 0x000000010692a29c in WebCore::ThreadTimers::sharedTimerFiredInternal (this=0x10e829880) at /Users/a1.gomes/Devel/Samsung/webcl-webkit/Source/WebCore/platform/ThreadTimers.cpp:132
#29 0x0000000106929f59 in WebCore::ThreadTimers::sharedTimerFired () at /Users/a1.gomes/Devel/Samsung/webcl-webkit/Source/WebCore/platform/ThreadTimers.cpp:107
#30 0x000000010666c2b3 in WebCore::timerFired () at /Users/a1.gomes/Devel/Samsung/webcl-webkit/Source/WebCore/platform/mac/SharedTimerMac.mm:133
#31 0x00007fff92500804 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ ()
#32 0x00007fff9250031d in __CFRunLoopDoTimer ()
#33 0x00007fff924e5ad9 in __CFRunLoopRun ()
#34 0x00007fff924e50e2 in CFRunLoopRunSpecific ()
#35 0x00007fff92ce2eb4 in RunCurrentEventLoopInMode ()
#36 0x00007fff92ce2c52 in ReceiveNextEventCommon ()
#37 0x00007fff92ce2ae3 in BlockUntilNextEventMatchingListInMode ()
#38 0x00007fff93678533 in _DPSNextEvent ()
#39 0x00007fff93677df2 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#40 0x00007fff9366f1a3 in -[NSApplication run] ()
#41 0x000000010144ba7f in WebKit::WebContentProcessMainDelegate::startRunLoop (this=0x7fff5fbff5c0) at /Users/a1.gomes/Devel/Samsung/webcl-webkit/Source/WebKit2/WebProcess/EntryPoint/mac/LegacyProcess/WebContentProcessMain.mm:183
#42 0x000000010144aaaf in WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebContentProcessMainDelegate> (argc=6, argv=0x7fff5fbff6e8) at ChildProcessEntryPoint.h:93
#43 0x000000010144a7fb in WebContentProcessMain (argc=6, argv=0x7fff5fbff6e8) at /Users/a1.gomes/Devel/Samsung/webcl-webkit/Source/WebKit2/WebProcess/EntryPoint/mac/LegacyProcess/WebContentProcessMain.mm:198
#44 0x0000000100000cc1 in WebKit::BootstrapMain (argc=6, argv=0x7fff5fbff6e8) at /Users/a1.gomes/Devel/Samsung/webcl-webkit/Source/WebKit2/Shared/EntryPointUtilities/mac/LegacyProcess/ChildProcessMain.mm:81
#45 0x0000000100000ae2 in main (argc=6, argv=0x7fff5fbff6e8) at /Users/a1.gomes/Devel/Samsung/webcl-webkit/Source

For completeness, it works fine on stock Safari (OSX 10.9.x and 10.8.x), Firefox, Chrome.
