[Webkit-unassigned] [Bug 156831] New: [WinCairo] heap corruption is detected when destructing JSGlobalObject

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Apr 20 20:03:22 PDT 2016 

https://bugs.webkit.org/show_bug.cgi?id=156831

            Bug ID: 156831
           Summary: [WinCairo] heap corruption is detected when
                    destructing JSGlobalObject
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: Hironori.Fujii at sony.com

[WinCairo] heap corruption is detected when destructing JSGlobalObject

trunk at 199765
perl Tools/Scripts/build-webkit --debug --wincairo --64-bit

fast/dom/insertedIntoDocument-iframe.html

Log:

> Critical error detected c0000374

Callstack:

> ntdll.dll!00007fff7168e6db()	Unknown
> ntdll.dll!00007fff71690dc6()	Unknown
> ntdll.dll!00007fff71644b4a()	Unknown
> ntdll.dll!00007fff715c0f36()	Unknown
> ntdll.dll!00007fff715c09fd()	Unknown
> JavaScriptCore.dll!_free_base(void * block) Line 107	C++
> [External Code]	
> JavaScriptCore.dll!WTF::HashTable<OpaqueJSClass * __ptr64,WTF::KeyValuePair<OpaqueJSClass * __ptr64,std::unique_ptr<OpaqueJSClassContextData,std::default_delete<OpaqueJSClassContextData> > >,WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<OpaqueJSClass * __ptr64,std::unique_ptr<OpaqueJSClassContextData,std::default_delete<OpaqueJSClassContextData> > > >,WTF::PtrHash<OpaqueJSClass * __ptr64>,WTF::HashMap<OpaqueJSClass * __ptr64,std::unique_ptr<OpaqueJSClassContextData,std::default_delete<OpaqueJSClassContextData> >,WTF::PtrHash<OpaqueJSClass * __ptr64>,WTF::HashTraits<OpaqueJSClass * __ptr64>,WTF::HashTraits<std::unique_ptr<OpaqueJSClassContextData,std::default_delete<OpaqueJSClassContextData> > > >::KeyValuePairTraits,WTF::HashTraits<OpaqueJSClass * __ptr64> >::~HashTable<OpaqueJSClass * __ptr64,WTF::KeyValuePair<OpaqueJSClass * __ptr64,std::unique_ptr<OpaqueJSClassContextData,std::default_delete<OpaqueJSClassContextData> > >,WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<OpaqueJS
> [External Code]	
> JavaScriptCore.dll!JSC::JSGlobalObject::~JSGlobalObject() Line 248	C++
> [External Code]	
> WebKit.dll!WebCore::JSDOMWindowBase::destroy(JSC::JSCell * cell) Line 100	C++
> JavaScriptCore.dll!JSC::Heap::FinalizerOwner::finalize(JSC::Handle<enum JSC::Unknown> handle, void * context) Line 1560	C++
> JavaScriptCore.dll!JSC::WeakBlock::finalize(JSC::WeakImpl * weakImpl) Line 53	C++
> JavaScriptCore.dll!JSC::WeakBlock::sweep() Line 85	C++
> JavaScriptCore.dll!JSC::WeakSet::sweep() Line 51	C++
> JavaScriptCore.dll!JSC::MarkedBlock::sweep(JSC::MarkedBlock::SweepMode sweepMode) Line 134	C++
> JavaScriptCore.dll!JSC::Sweep::operator()(JSC::MarkedBlock * block) Line 48	C++
> JavaScriptCore.dll!JSC::MarkedAllocator::forEachBlock<JSC::Sweep>(JSC::Sweep & functor) Line 159	C++
> JavaScriptCore.dll!JSC::MarkedSpace::forEachBlock<JSC::Sweep>(JSC::Sweep & functor) Line 228	C++
> JavaScriptCore.dll!JSC::MarkedSpace::forEachBlock<JSC::Sweep>() Line 244	C++
> JavaScriptCore.dll!JSC::MarkedSpace::sweep() Line 95	C++
> JavaScriptCore.dll!JSC::Heap::collectAndSweep(JSC::HeapOperation collectionType) Line 1102	C++
> WebKit.dll!JSC::Heap::collectAllGarbage() Line 168	C++
> WebKit.dll!WebCore::GCController::garbageCollectNow() Line 87	C++
> WebKit.dll!WebJavaScriptCollector::collect() Line 97	C++
> DumpRenderTreeLib.dll!GCController::collect() Line 43	C++
> DumpRenderTreeLib.dll!collectCallback(const OpaqueJSContext * context, OpaqueJSValue * function, OpaqueJSValue * thisObject, unsigned __int64 argumentCount, const OpaqueJSValue * const * arguments, const OpaqueJSValue * * exception) Line 49	C++
> JavaScriptCore.dll!JSC::APICallbackFunction::call<JSC::JSCallbackFunction>(JSC::ExecState * exec) Line 61	C++
> JavaScriptCore.dll!JSC::LLInt::handleHostCall(JSC::ExecState * execCallee, JSC::Instruction * pc, JSC::JSValue callee, JSC::CodeSpecializationKind kind) Line 1132	C++
> JavaScriptCore.dll!JSC::LLInt::setUpCall(JSC::ExecState * execCallee, JSC::Instruction * pc, JSC::CodeSpecializationKind kind, JSC::JSValue calleeAsValue, JSC::LLIntCallLinkInfo * callLinkInfo) Line 1178	C++
> JavaScriptCore.dll!JSC::LLInt::genericCall(JSC::ExecState * exec, JSC::Instruction * pc, JSC::CodeSpecializationKind kind) Line 1262	C++
> JavaScriptCore.dll!llint_slow_path_call(JSC::ExecState * exec, JSC::Instruction * pc) Line 1268	C++
> JavaScriptCore.dll!llint_entry() Line 8582	Unknown
> [External Code]

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20160421/61d5d1a6/attachment.html>

More information about the webkit-unassigned mailing list