[Webkit-unassigned] [Bug 137955] New: Crashes in WinCairo 64-bit

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Oct 22 05:31:24 PDT 2014 

https://bugs.webkit.org/show_bug.cgi?id=137955

            Bug ID: 137955
           Summary: Crashes in WinCairo 64-bit
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: PC
                OS: Windows 8
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: alexei4203 at yandex.ru

I've been using WinCairo port about 2,5 years. Few months ago I started to build 64-bit configurations. Since then I've got a bunch of crashes in JIT code. In all cases callstacks were useless. I think this is caused by manual stack manipulating in JIT which may be incompatible with win64 calling convention. In the end I found an almost stable way to get WebKit crashed. All you need to do is open a complex HTML-page (for example, GWT-based web app), then open Web Inspector and randomly click on different nodes. Once you get a crash in this piece of code:

00000000209610C0  test        r15,rcx  
00000000209610C3  jne         0000000020961842  
00000000209610C9  cmp         dword ptr [rcx],4EA6h  
00000000209610CF  jne         0000000020961858  
00000000209610D5  mov         rdx,1415E210h  
00000000209610DF  mov         rdx,qword ptr [rdx+8]  
00000000209610E3  mov         dword ptr [rsp+18h],1  
00000000209610EB  mov         qword ptr [rsp+10h],rdx  
00000000209610F0  mov         qword ptr [rsp+20h],rcx  
00000000209610F5  mov         qword ptr [rbp-28h],rax  
00000000209610F9  mov         dword ptr [rbp+2Ch],80000002h  
0000000020961100  mov         r11,0  
000000002096110A  cmp         rdx,r11  
000000002096110D  jne         0000000020961126  
0000000020961113  mov         rax,qword ptr [rdx+18h]  ; <- RDX is always zero here because of 3 previous commands
0000000020961117  mov         qword ptr [rsp+8],rax  
000000002096111C  call        0000000020961121  
0000000020961121  jmp         0000000020961138  
0000000020961126  mov         rax,rdx  
0000000020961129  mov         rcx,1FE630C0h  
0000000020961133  call        000000000AFA0900  
0000000020961138  mov         r11,0Eh  
0000000020961142  cmp         rax,r11  
0000000020961145  ja          0000000020961884  
000000002096114B  mov         rcx,qword ptr [rbp-28h]  
000000002096114F  cmp         rax,rcx  
0000000020961152  sete        dl  
0000000020961155  movzx       edx,dl  
0000000020961158  or          edx,6  
000000002096115B  test        dl,1  
000000002096115E  je          0000000020961169  
0000000020961164  jmp         00000000209613DB  

Code above is always the same. Callstack always is broken and contain only 1 entry. I'm not sure if this code related to JIT or not. It might be a bug of Web Inspector.
Recently, I've turned off JIT and enabled C-loop. Today I got WebKit crashed again. But now I have a normal callstack.

>	JavaScriptCore.dll!JSC::JSObject::canSetIndexQuicklyForPutDirect(unsigned int i) Line 309	C++
     JavaScriptCore.dll!JSC::JSObject::putDirectIndex(JSC::ExecState * exec, unsigned int propertyName, JSC::JSValue value, unsigned int attributes, JSC::PutDirectIndexMode mode) Line 164    C++
     JavaScriptCore.dll!JSC::JSObject::putDirectIndexBeyondVectorLength(JSC::ExecState * exec, unsigned int i, JSC::JSValue value, unsigned int attributes, JSC::PutDirectIndexMode mode) Line 2249    C++
     JavaScriptCore.dll!JSC::JSObject::putDirectIndex(JSC::ExecState * exec, unsigned int propertyName, JSC::JSValue value) Line 172    C++
     JavaScriptCore.dll!JSC::arrayProtoFuncSlice(JSC::ExecState * exec) Line 618    C++
     JavaScriptCore.dll!JSC::LLInt::CLoop::execute(JSC::OpcodeID entryOpcodeID, void * executableAddress, JSC::VM * vm, JSC::ProtoCallFrame * protoCallFrame, bool isInitializationPass) Line 6780    C++
     JavaScriptCore.dll!vmEntryToJavaScript(void * executableAddress, JSC::VM * vm, JSC::ProtoCallFrame * protoCallFrame) Line 100    C++
     JavaScriptCore.dll!JSC::JITCode::execute(JSC::VM * vm, JSC::ProtoCallFrame * protoCallFrame) Line 57    C++
     JavaScriptCore.dll!JSC::Interpreter::executeCall(JSC::ExecState * callFrame, JSC::JSObject * function, JSC::CallType callType, const JSC::CallData & callData, JSC::JSValue thisValue, const JSC::ArgList & args) Line 975    C++
     JavaScriptCore.dll!JSC::call(JSC::ExecState * exec, JSC::JSValue functionObject, JSC::CallType callType, const JSC::CallData & callData, JSC::JSValue thisValue, const JSC::ArgList & args, JSC::JSValue * exception) Line 45    C++
     WebKit.dll!WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext * scriptExecutionContext, WebCore::Event * event) Line 128    C++
     WebKit.dll!WebCore::EventTarget::fireEventListeners(WebCore::Event * event, WebCore::EventTargetData * d, WTF::Vector<WebCore::RegisteredEventListener,1,WTF::CrashOnOverflow> & entry) Line 247    C++
     WebKit.dll!WebCore::EventTarget::fireEventListeners(WebCore::Event * event) Line 197    C++
     WebKit.dll!WebCore::EventTarget::dispatchEvent(WTF::PassRefPtr<WebCore::Event> event) Line 161    C++
     WebKit.dll!WebCore::XMLHttpRequestProgressEventThrottle::dispatchEvent(WTF::PassRefPtr<WebCore::Event> event) Line 104    C++
     WebKit.dll!WebCore::XMLHttpRequestProgressEventThrottle::dispatchReadyStateChangeEvent(WTF::PassRefPtr<WebCore::Event> event, WebCore::ProgressEventAction progressEventAction) Line 91    C++
     WebKit.dll!WebCore::XMLHttpRequest::callReadyStateChangeListener() Line 367    C++
     WebKit.dll!WebCore::XMLHttpRequest::didFinishLoading(unsigned long identifier, double __formal) Line 1106    C++
     WebKit.dll!WebCore::CachedResource::checkNotify() Line 346    C++
     WebKit.dll!WebCore::CachedRawResource::finishLoading(WebCore::ResourceBuffer * data) Line 101    C++
     WebKit.dll!WebCore::SubresourceLoader::didFinishLoading(double finishTime) Line 311    C++
     WebKit.dll!WebCore::ResourceHandleManager::downloadTimerCallback(WebCore::Timer<WebCore::ResourceHandleManager> * __formal) Line 726    C++
     WebKit.dll!WebCore::ThreadTimers::sharedTimerFiredInternal() Line 135    C++
     WebKit.dll!WebCore::TimerWindowWndProc(HWND__ * hWnd, unsigned int message, unsigned __int64 wParam, __int64 lParam) Line 108    C++

I'm not sure if it's reproducible. I will try to reproduce it.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20141022/35ab70d8/attachment-0002.html>

More information about the webkit-unassigned mailing list