[Webkit-unassigned] [Bug 138722] New: JavaScriptCore assertion crash when access http://www.tmall.com/go/market/promotion-act/nsxy9-h5.php
bugzilla-daemon at webkit.org
Thu Nov 13 18:11:36 PST 2014
https://bugs.webkit.org/show_bug.cgi?id=138722
Bug ID: 138722
Summary: JavaScriptCore assertion crash when access http://www.tmall.com/go/market/promotion-act/nsxy9-h5.php
Classification: Unclassified
Product: WebKit
Version: 528+ (Nightly build)
Hardware: Android
OS: Android
Status: NEW
Severity: Major
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: grainsan at 126.com
I use the GTK 2.4.3 version of the WebKit engine on an armV7 Android platform. When accessing the webpage http://www.tmall.com/go/market/promotion-act/nsxy9-h5.php it always causes an assertion; it seems a JSCell pointer is NULL, and this value comes from a DFG register. Do you know how to fix this bug? Thanks.
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 3022]
0xb5402f9e in WTFCrash () at TGL/thirdparty/webkit-2.4/Source/WTF/wtf/Assertions.cpp:333
333 *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0 0xb5402f9e in WTFCrash () at TGL/thirdparty/webkit-2.4/Source/WTF/wtf/Assertions.cpp:333
#1 0xb515e7ac in methodTable (this=<optimized out>) at TGL/thirdparty/webkit-2.4/Source/JavaScriptCore/runtime/JSCellInlines.h:160
#2 JSC::JSValue::put (this=0xb302e6e8, exec=0xb0944958, propertyName=<optimized out>, value=..., slot=...)
at TGL/thirdparty/webkit-2.4/Source/JavaScriptCore/runtime/JSCJSValueInlines.h:703
#3 0xb5220a0a in JSC::putByVal (callFrame=0xfffffffb, baseValue=..., subscript=..., value=...) at TGL/thirdparty/webkit-2.4/Source/JavaScriptCore/jit/JITOperations.cpp:478
#4 0xb52226b8 in JSC::operationPutByVal (exec=0xb0944958, encodedBaseValue=<optimized out>, encodedSubscript=-18516814096, encodedValue=-18617586880)
at TGL/thirdparty/webkit-2.4/Source/JavaScriptCore/jit/JITOperations.cpp:542
#5 0xaf0d8b30 in ?? ()
#6 0xaf0d8b30 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) disas WTFCrash
Dump of assembler code for function WTFCrash():
0xb5402f88 <+0>: push {r3, lr}
0xb5402f8a <+2>: ldr r3, [pc, #24] ; (0xb5402fa4 <WTFCrash()+28>)
0xb5402f8c <+4>: add r3, pc
0xb5402f8e <+6>: ldr r0, [r3, #0]
0xb5402f90 <+8>: cbz r0, 0xb5402f94 <WTFCrash()+12>
0xb5402f92 <+10>: blx r0
0xb5402f94 <+12>: movw r2, #48879 ; 0xbeef
0xb5402f98 <+16>: movt r2, #48045 ; 0xbbad
0xb5402f9c <+20>: movs r1, #0
=> 0xb5402f9e <+22>: str r1, [r2, #0]
0xb5402fa0 <+24>: blx r1
0xb5402fa2 <+26>: pop {r3, pc}
0xb5402fa4 <+28>: andeq r8, r3, r8, lsr #1
End of assembler dump.
(gdb) i r
r0 0x0 0
r1 0x0 0
r2 0xbbadbeef 3148725999
r3 0xb543b038 3041112120
r4 0xaa4e2b40 2857249600
r5 0xfffffffb 4294967291
r6 0xb302e6e8 3003311848
r7 0xb302e6a8 3003311784
r8 0xb302e6f8 3003311864
r9 0xac3d14b0 2889684144
r10 0xb0944958 2962508120
r11 0xfffffffb 4294967291
r12 0xb53e3b48 3040754504
sp 0xb302e690 0xb302e690
lr 0xb515e7ad -1256855635
pc 0xb5402f9e 0xb5402f9e <WTFCrash()+22>
cpsr 0x60030030 1610809392
(gdb) l
328 {
329 if (globalHook)
330 globalHook();
331
332 WTFReportBacktrace();
333 *(int *)(uintptr_t)0xbbadbeef = 0;
334 // More reliable, but doesn't say BBADBEEF.
335 #if COMPILER(CLANG)
336 __builtin_trap();
337 #else