[Webkit-unassigned] [Bug 199295] [WPE][GTK] Memory corruption when creating WebKitJavascriptResult

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jul 18 05:36:57 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=199295

--- Comment #3 from Carlos Garcia Campos <cgarcia at igalia.com> ---
==12053== Invalid write of size 8
==12053==    at 0x53ED29C: ??? (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x4C7A3AA: JSC::LocalAllocator::allocate(JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1}::operator()() const (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x55FDD76: JSC::JSFunction::create(JSC::VM&, JSC::JSGlobalObject*, int, WTF::String const&, JSC::NativeFunction, JSC::Intrinsic, JSC::NativeFunction, JSC::DOMJIT::Signature const*) (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x55AA06E: JSC::FunctionPrototype::addFunctionProperties(JSC::VM&, JSC::JSGlobalObject*, JSC::JSFunction**, JSC::JSFunction**, JSC::JSFunction**) (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x561E183: JSC::JSGlobalObject::init(JSC::VM&) (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x5626B2D: JSC::JSGlobalObject::finishCreation(JSC::VM&) (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x4C82895: JSGlobalContextCreateInGroup (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x117FC8: WTF::Detail::CallableWrapper<testCAPIViaCpp::{lambda()#11}, void>::call() (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/bin/testapi)
==12053==    by 0x58E3DCA: WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x593F008: WTF::wtfThreadEntryPoint(void*) (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x7B0DFA2: start_thread (pthread_create.c:486)
==12053==    by 0x84934CE: clone (clone.S:95)
==12053==  Address 0xbe029c8 is on thread 7's stack
==12053==  368 bytes below stack pointer
==12053== 
==12053== Invalid write of size 8
==12053==    at 0x53ED29C: ??? (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x4E624B3: JSC::UnlinkedFunctionExecutable::link(JSC::VM&, JSC::ScriptExecutable*, JSC::SourceCode const&, WTF::Optional<int>, JSC::Intrinsic) (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x4C6F54F: JSC::functionPrototypeApplyCodeGenerator(JSC::VM&) (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x55AA09D: JSC::FunctionPrototype::addFunctionProperties(JSC::VM&, JSC::JSGlobalObject*, JSC::JSFunction**, JSC::JSFunction**, JSC::JSFunction**) (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x561E183: JSC::JSGlobalObject::init(JSC::VM&) (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x5626B2D: JSC::JSGlobalObject::finishCreation(JSC::VM&) (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x4C82895: JSGlobalContextCreateInGroup (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x117FC8: WTF::Detail::CallableWrapper<testCAPIViaCpp::{lambda()#11}, void>::call() (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/bin/testapi)
==12053==    by 0x58E3DCA: WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x593F008: WTF::wtfThreadEntryPoint(void*) (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x7B0DFA2: start_thread (pthread_create.c:486)
==12053==    by 0x84934CE: clone (clone.S:95)
==12053==  Address 0xbe02918 is on thread 7's stack
==12053==  416 bytes below stack pointer
==12053== 
==12053== Invalid write of size 8
==12053==    at 0x53ED29C: ??? (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x526A88F: JSC::CompleteSubspace::tryAllocateSlow(JSC::VM&, unsigned long, JSC::GCDeferralContext*) (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x526AAF8: JSC::CompleteSubspace::allocateSlow(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x56BBAE0: JSC::ObjectPrototype::create(JSC::VM&, JSC::JSGlobalObject*, JSC::Structure*) (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x561E507: JSC::JSGlobalObject::init(JSC::VM&) (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x5626B2D: JSC::JSGlobalObject::finishCreation(JSC::VM&) (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x4C82895: JSGlobalContextCreateInGroup (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x117FC8: WTF::Detail::CallableWrapper<testCAPIViaCpp::{lambda()#11}, void>::call() (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/bin/testapi)
==12053==    by 0x58E3DCA: WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x593F008: WTF::wtfThreadEntryPoint(void*) (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x7B0DFA2: start_thread (pthread_create.c:486)
==12053==    by 0x84934CE: clone (clone.S:95)
==12053==  Address 0xbe02968 is on thread 7's stack
==12053==  496 bytes below stack pointer
==12053== 
==12053== Invalid write of size 8
==12053==    at 0x53ED29C: ??? (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x5734C7E: JSC::StructureRareData::create(JSC::VM&, JSC::Structure*) (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x5734CC6: JSC::Structure::allocateRareData(JSC::VM&) (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x5738787: JSC::Structure::ensurePropertyReplacementWatchpointSet(JSC::VM&, int) (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x4E484A2: JSC::PropertyCondition::isWatchableWhenValid(JSC::Structure*, JSC::PropertyCondition::WatchabilityEffort) const (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x560FF72: JSC::JSGlobalObject::init(JSC::VM&)::{lambda(JSC::JSObject*, JSC::Identifier const&)#72}::operator()(JSC::JSObject*, JSC::Identifier const&) const [clone .isra.226] (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x5624B62: JSC::JSGlobalObject::init(JSC::VM&) (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x5626B2D: JSC::JSGlobalObject::finishCreation(JSC::VM&) (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x4C82895: JSGlobalContextCreateInGroup (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x117FC8: WTF::Detail::CallableWrapper<testCAPIViaCpp::{lambda()#11}, void>::call() (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/bin/testapi)
==12053==    by 0x58E3DCA: WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x593F008: WTF::wtfThreadEntryPoint(void*) (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==  Address 0x4ecff858 is on thread 12's stack
==12053==  656 bytes below stack pointer
==12053== 
==12053== Invalid write of size 8
==12053==    at 0x53ED29C: ??? (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x4C7A3AA: JSC::LocalAllocator::allocate(JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1}::operator()() const (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x5715351: void* JSC::allocateCell<JSC::ProgramCodeBlock>(JSC::Heap&, unsigned long) (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x57113CB: JSC::ScriptExecutable::newCodeBlockFor(JSC::CodeSpecializationKind, JSC::JSFunction*, JSC::JSScope*, JSC::Exception*&) (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x5714436: JSC::ScriptExecutable::prepareForExecutionImpl(JSC::VM&, JSC::JSFunction*, JSC::JSScope*, JSC::CodeSpecializationKind, JSC::CodeBlock*&) (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x5331B57: JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*) (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x55737CC: JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x5573957: JSC::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x4C76CC6: JSEvaluateScriptInternal (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x4C76F5A: JSEvaluateScript (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x11882A: WTF::SharedTaskFunctor<void (TestAPI&), testCAPIViaCpp::{lambda(TestAPI&)#2}>::run(TestAPI&) (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/bin/testapi)
==12053==    by 0x11810E: WTF::Detail::CallableWrapper<testCAPIViaCpp::{lambda()#11}, void>::call() (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/bin/testapi)
==12053==  Address 0x4ecffca8 is on thread 12's stack
==12053==  656 bytes below stack pointer
==12053==

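A small triage helper for memcheck output of the shape posted in comment #3, added here as an example; it is not code from the bug report, from WebKit, or from Valgrind. It parses the "Invalid read/write" blocks, records the faulting instruction, the first named caller, the thread and the "N bytes below stack pointer" annotation, and flags the pattern seen above: every report pinned on one unsymbolized frame (`???`), every one an 8-byte write below a thread's stack pointer. Memcheck treats memory below SP (beyond the ABI red zone) as unaddressable, so a hand-written or JIT-emitted stub that spills below SP produces exactly this signature even when nothing is actually corrupted; the flag is a prompt to identify that frame first, not a verdict. The sample input is an excerpt of the log above with frames trimmed; the field names and the `suspect_unsymbolized_below_sp` heuristic are this example's own.

```python
"""Triage helper for Valgrind memcheck "Invalid read/write" reports.

Added example (not part of the WebKit bug report). Field names and the
triage heuristic are this example's own, not Valgrind's.
"""
import re
from collections import Counter

# Excerpt of the memcheck output from comment #3 above, with frames trimmed.
SAMPLE_LOG = """\
==12053== Invalid write of size 8
==12053==    at 0x53ED29C: ??? (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x4C7A3AA: JSC::LocalAllocator::allocate(JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1}::operator()() const (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x7B0DFA2: start_thread (pthread_create.c:486)
==12053==  Address 0xbe029c8 is on thread 7's stack
==12053==  368 bytes below stack pointer
==12053== 
==12053== Invalid write of size 8
==12053==    at 0x53ED29C: ??? (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==    by 0x5734C7E: JSC::StructureRareData::create(JSC::VM&, JSC::Structure*) (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==12053==  Address 0x4ecff858 is on thread 12's stack
==12053==  656 bytes below stack pointer
==12053== 
"""

HEADER_RE = re.compile(r"^==\d+== (Invalid (?:read|write)) of size (\d+)$")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) (0x[0-9A-Fa-f]+): (.*)$")
OBJ_RE = re.compile(r"^(.*) \(in (.+)\)$")          # "symbol (in /path/to/object)"
STACK_RE = re.compile(r"^==\d+==\s+Address (0x[0-9A-Fa-f]+) is on thread (\d+)'s stack$")
BELOW_RE = re.compile(r"^==\d+==\s+(\d+) bytes below stack pointer$")
SEPARATOR_RE = re.compile(r"^==\d+==\s*$")


def parse_memcheck(text):
    """Return one dict per "Invalid read/write" block, in log order."""
    reports, cur = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEADER_RE.match(line)
        if m:
            cur = {"kind": m.group(1), "size": int(m.group(2)), "frames": [],
                   "thread": None, "below_sp": None}
            reports.append(cur)
            continue
        if cur is None:
            continue
        m = FRAME_RE.match(line)
        if m:
            addr, rest = int(m.group(1), 16), m.group(2)
            om = OBJ_RE.match(rest)
            # Frames without "(in ...)" keep the whole text (e.g. "start_thread (pthread_create.c:486)").
            symbol, obj = (om.group(1), om.group(2)) if om else (rest, None)
            cur["frames"].append({"addr": addr, "symbol": symbol, "object": obj})
            continue
        m = STACK_RE.match(line)
        if m:
            cur["thread"] = int(m.group(2))
            continue
        m = BELOW_RE.match(line)
        if m:
            cur["below_sp"] = int(m.group(1))
            continue
        if SEPARATOR_RE.match(line):
            cur = None
    return reports


def first_named_caller(report):
    """First frame whose symbol memcheck could resolve, or None."""
    for f in report["frames"]:
        if f["symbol"] != "???":
            return f["symbol"]
    return None


def triage(reports):
    """Summarise where the faults land and whether they all hinge on one unnamed frame."""
    fault_pcs = Counter(r["frames"][0]["addr"] for r in reports if r["frames"])
    unsymbolized = {r["frames"][0]["addr"] for r in reports
                    if r["frames"] and r["frames"][0]["symbol"] == "???"}
    below_sp = [r["below_sp"] for r in reports if r["below_sp"] is not None]
    return {
        "total": len(reports),
        "fault_pcs": dict(fault_pcs),
        "unsymbolized_fault_pcs": sorted(unsymbolized),
        "callers": sorted({c for c in map(first_named_caller, reports) if c}),
        "threads": sorted({r["thread"] for r in reports if r["thread"] is not None}),
        "below_sp_offsets": below_sp,
        "max_below_sp": max(below_sp, default=0),
        # Heuristic (this example's own): one faulting PC with no symbol, and
        # every report is a write below SP on a thread stack. That is what a
        # stub operating below SP looks like to memcheck; resolve the frame
        # before treating it as a stack smash.
        "suspect_unsymbolized_below_sp": (
            len(fault_pcs) == 1 and bool(unsymbolized)
            and len(below_sp) == len(reports)
            and all(r["kind"] == "Invalid write" for r in reports)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(parse_memcheck(SAMPLE_LOG)), indent=2))
```

Run it on a full memcheck log (`valgrind ... 2> memcheck.log`, then feed the file to `parse_memcheck`) and look at `unsymbolized_fault_pcs` first: a single `???` address at the top of every stack is the frame to name, for instance by rebuilding with symbols or checking whether that address falls inside a JIT or assembly region, before reading the "below stack pointer" writes as corruption.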