[Webkit-unassigned] [Bug 199295] New: [WPE][GTK] Memory corruption when creating WebKitJavascriptResult

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jun 27 15:49:37 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=199295

            Bug ID: 199295
           Summary: [WPE][GTK] Memory corruption when creating
                    WebKitJavascriptResult
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Critical
          Priority: P2
         Component: WebKitGTK
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mcatanzaro at igalia.com
                CC: bugs-noreply at webkitgtk.org

I don't understand it, but valgrind has found memory corruption. Normally this results in impossible-to-debug crashes with backtraces pointing to innocent code, so this is bad.

==125284== Thread 1:
==125284== Invalid write of size 8
==125284==    at 0x9A775ED: ??? (in /home/mcatanzaro/Projects/GNOME/install/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==125284==    by 0x923FF5A: JSC::LocalAllocator::allocate(JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1}::operator()() const (LocalAllocatorInlines.h:39)
==125284==    by 0x9CE237D: allocate<JSC::LocalAllocator::allocate(JSC::GCDeferralContext*, JSC::AllocationFailureMode)::<lambda()> > (FreeListInlines.h:46)
==125284==    by 0x9CE237D: allocate (LocalAllocatorInlines.h:37)
==125284==    by 0x9CE237D: allocate (AllocatorInlines.h:35)
==125284==    by 0x9CE237D: allocateNonVirtual (IsoSubspaceInlines.h:34)
==125284==    by 0x9CE237D: tryAllocateCellHelper<JSC::FunctionPrototype> (JSCellInlines.h:173)
==125284==    by 0x9CE237D: allocateCell<JSC::FunctionPrototype> (JSCellInlines.h:187)
==125284==    by 0x9CE237D: create (FunctionPrototype.h:33)
==125284==    by 0x9CE237D: JSC::JSGlobalObject::init(JSC::VM&) (JSGlobalObject.cpp:460)
==125284==    by 0x9CE3C45: JSC::JSGlobalObject::finishCreation(JSC::VM&) (JSGlobalObject.cpp:2113)
==125284==    by 0x92346E8: create (JSAPIGlobalObject.h:44)
==125284==    by 0x92346E8: JSGlobalContextCreateInGroup (JSContextRef.cpp:141)
==125284==    by 0x91F6E31: jscContextSetVirtualMachine(_JSCContext*, WTF::GRefPtr<_JSCVirtualMachine>&&) (JSCContext.cpp:107)
==125284==    by 0x91FA14E: jscContextConstructed(_GObject*) (JSCContext.cpp:153)
==125284==    by 0x56DEC73: g_object_new_internal (gobject.c:1867)
==125284==    by 0x56DF135: g_object_new_with_properties (gobject.c:1995)
==125284==    by 0x56DE6D6: g_object_new (gobject.c:1667)
==125284==    by 0x91F7469: jsc_context_new (JSCContext.cpp:583)
==125284==    by 0x686B494: getOrCreateContext (WebKitJavascriptResultPrivate.h:44)
==125284==    by 0x686B494: _WebKitJavascriptResult (WebKitJavascriptResult.cpp:31)
==125284==    by 0x686B494: webkitJavascriptResultCreate(WebCore::SerializedScriptValue&) (WebKitJavascriptResult.cpp:45)
==125284==  Address 0x1ffeffcf08 is on thread 1's stack
==125284==  496 bytes below stack pointer
==125284== 
==125284== Invalid write of size 8
==125284==    at 0x9A775F7: ??? (in /home/mcatanzaro/Projects/GNOME/install/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==125284==    by 0x923FF5A: JSC::LocalAllocator::allocate(JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1}::operator()() const (LocalAllocatorInlines.h:39)
==125284==    by 0x9CE237D: allocate<JSC::LocalAllocator::allocate(JSC::GCDeferralContext*, JSC::AllocationFailureMode)::<lambda()> > (FreeListInlines.h:46)
==125284==    by 0x9CE237D: allocate (LocalAllocatorInlines.h:37)
==125284==    by 0x9CE237D: allocate (AllocatorInlines.h:35)
==125284==    by 0x9CE237D: allocateNonVirtual (IsoSubspaceInlines.h:34)
==125284==    by 0x9CE237D: tryAllocateCellHelper<JSC::FunctionPrototype> (JSCellInlines.h:173)
==125284==    by 0x9CE237D: allocateCell<JSC::FunctionPrototype> (JSCellInlines.h:187)
==125284==    by 0x9CE237D: create (FunctionPrototype.h:33)
==125284==    by 0x9CE237D: JSC::JSGlobalObject::init(JSC::VM&) (JSGlobalObject.cpp:460)
==125284==    by 0x9CE3C45: JSC::JSGlobalObject::finishCreation(JSC::VM&) (JSGlobalObject.cpp:2113)
==125284==    by 0x92346E8: create (JSAPIGlobalObject.h:44)
==125284==    by 0x92346E8: JSGlobalContextCreateInGroup (JSContextRef.cpp:141)
==125284==    by 0x91F6E31: jscContextSetVirtualMachine(_JSCContext*, WTF::GRefPtr<_JSCVirtualMachine>&&) (JSCContext.cpp:107)
==125284==    by 0x91FA14E: jscContextConstructed(_GObject*) (JSCContext.cpp:153)
==125284==    by 0x56DEC73: g_object_new_internal (gobject.c:1867)
==125284==    by 0x56DF135: g_object_new_with_properties (gobject.c:1995)
==125284==    by 0x56DE6D6: g_object_new (gobject.c:1667)
==125284==    by 0x91F7469: jsc_context_new (JSCContext.cpp:583)
==125284==    by 0x686B494: getOrCreateContext (WebKitJavascriptResultPrivate.h:44)
==125284==    by 0x686B494: _WebKitJavascriptResult (WebKitJavascriptResult.cpp:31)
==125284==    by 0x686B494: webkitJavascriptResultCreate(WebCore::SerializedScriptValue&) (WebKitJavascriptResult.cpp:45)
==125284==  Address 0x1ffeffcf18 is on thread 1's stack
==125284==  480 bytes below stack pointer
==125284== 
==125284== Invalid write of size 8
==125284==    at 0x9A775ED: ??? (in /home/mcatanzaro/Projects/GNOME/install/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==125284==    by 0x98D248F: JSC::CompleteSubspace::tryAllocateSlow(JSC::VM&, unsigned long, JSC::GCDeferralContext*) (CompleteSubspace.cpp:128)
==125284==    by 0x98D2698: JSC::CompleteSubspace::allocateSlow(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (CompleteSubspace.cpp:117)
==125284==    by 0x9CE2275: allocateNonVirtual (CompleteSubspaceInlines.h:37)
==125284==    by 0x9CE2275: tryAllocateCellHelper<JSC::JSGlobalLexicalEnvironment> (JSCellInlines.h:173)
==125284==    by 0x9CE2275: allocateCell<JSC::JSGlobalLexicalEnvironment> (JSCellInlines.h:187)
==125284==    by 0x9CE2275: create (JSGlobalLexicalEnvironment.h:42)
==125284==    by 0x9CE2275: JSC::JSGlobalObject::init(JSC::VM&) (JSGlobalObject.cpp:463)
==125284==    by 0x9CE3C45: JSC::JSGlobalObject::finishCreation(JSC::VM&) (JSGlobalObject.cpp:2113)
==125284==    by 0x92346E8: create (JSAPIGlobalObject.h:44)
==125284==    by 0x92346E8: JSGlobalContextCreateInGroup (JSContextRef.cpp:141)
==125284==    by 0x91F6E31: jscContextSetVirtualMachine(_JSCContext*, WTF::GRefPtr<_JSCVirtualMachine>&&) (JSCContext.cpp:107)
==125284==    by 0x91FA14E: jscContextConstructed(_GObject*) (JSCContext.cpp:153)
==125284==    by 0x56DEC73: g_object_new_internal (gobject.c:1867)
==125284==    by 0x56DF135: g_object_new_with_properties (gobject.c:1995)
==125284==    by 0x56DE6D6: g_object_new (gobject.c:1667)
==125284==    by 0x91F7469: jsc_context_new (JSCContext.cpp:583)
==125284==  Address 0x1ffeffce78 is on thread 1's stack
==125284==  544 bytes below stack pointer
==125284== 
==125284== Invalid write of size 8
==125284==    at 0x9A775F7: ??? (in /home/mcatanzaro/Projects/GNOME/install/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==125284==    by 0x98D248F: JSC::CompleteSubspace::tryAllocateSlow(JSC::VM&, unsigned long, JSC::GCDeferralContext*) (CompleteSubspace.cpp:128)
==125284==    by 0x98D2698: JSC::CompleteSubspace::allocateSlow(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (CompleteSubspace.cpp:117)
==125284==    by 0x9CE2275: allocateNonVirtual (CompleteSubspaceInlines.h:37)
==125284==    by 0x9CE2275: tryAllocateCellHelper<JSC::JSGlobalLexicalEnvironment> (JSCellInlines.h:173)
==125284==    by 0x9CE2275: allocateCell<JSC::JSGlobalLexicalEnvironment> (JSCellInlines.h:187)
==125284==    by 0x9CE2275: create (JSGlobalLexicalEnvironment.h:42)
==125284==    by 0x9CE2275: JSC::JSGlobalObject::init(JSC::VM&) (JSGlobalObject.cpp:463)
==125284==    by 0x9CE3C45: JSC::JSGlobalObject::finishCreation(JSC::VM&) (JSGlobalObject.cpp:2113)
==125284==    by 0x92346E8: create (JSAPIGlobalObject.h:44)
==125284==    by 0x92346E8: JSGlobalContextCreateInGroup (JSContextRef.cpp:141)
==125284==    by 0x91F6E31: jscContextSetVirtualMachine(_JSCContext*, WTF::GRefPtr<_JSCVirtualMachine>&&) (JSCContext.cpp:107)
==125284==    by 0x91FA14E: jscContextConstructed(_GObject*) (JSCContext.cpp:153)
==125284==    by 0x56DEC73: g_object_new_internal (gobject.c:1867)
==125284==    by 0x56DF135: g_object_new_with_properties (gobject.c:1995)
==125284==    by 0x56DE6D6: g_object_new (gobject.c:1667)
==125284==    by 0x91F7469: jsc_context_new (JSCContext.cpp:583)
==125284==  Address 0x1ffeffce88 is on thread 1's stack
==125284==  528 bytes below stack pointer
==125284== 
==125284== Invalid write of size 8
==125284==    at 0x9A775ED: ??? (in /home/mcatanzaro/Projects/GNOME/install/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==125284==    by 0x9CAEEF9: operator() (LocalAllocatorInlines.h:39)
==125284==    by 0x9CAEEF9: allocate<JSC::LocalAllocator::allocate(JSC::GCDeferralContext*, JSC::AllocationFailureMode)::<lambda()> > (FreeListInlines.h:46)
==125284==    by 0x9CAEEF9: allocate (LocalAllocatorInlines.h:37)
==125284==    by 0x9CAEEF9: allocate (AllocatorInlines.h:35)
==125284==    by 0x9CAEEF9: allocateNonVirtual (IsoSubspaceInlines.h:34)
==125284==    by 0x9CAEEF9: tryAllocateCellHelper<JSC::JSFunction> (JSCellInlines.h:173)
==125284==    by 0x9CAEEF9: void* JSC::allocateCell<JSC::JSFunction>(JSC::Heap&, unsigned long) (JSCellInlines.h:187)
==125284==    by 0x9CAC29F: JSC::JSFunction::create(JSC::VM&, JSC::JSGlobalObject*, int, WTF::String const&, JSC::NativeFunction, JSC::Intrinsic, JSC::NativeFunction, JSC::DOMJIT::Signature const*) (JSFunction.cpp:99)
==125284==    by 0x9C5478E: JSC::FunctionPrototype::addFunctionProperties(JSC::VM&, JSC::JSGlobalObject*, JSC::JSFunction**, JSC::JSFunction**, JSC::JSFunction**) (FunctionPrototype.cpp:62)
==125284==    by 0x9CD8EB9: JSC::JSGlobalObject::init(JSC::VM&) (JSGlobalObject.cpp:500)
==125284==    by 0x9CE3C45: JSC::JSGlobalObject::finishCreation(JSC::VM&) (JSGlobalObject.cpp:2113)
==125284==    by 0x92346E8: create (JSAPIGlobalObject.h:44)
==125284==    by 0x92346E8: JSGlobalContextCreateInGroup (JSContextRef.cpp:141)
==125284==    by 0x91F6E31: jscContextSetVirtualMachine(_JSCContext*, WTF::GRefPtr<_JSCVirtualMachine>&&) (JSCContext.cpp:107)
==125284==    by 0x91FA14E: jscContextConstructed(_GObject*) (JSCContext.cpp:153)
==125284==    by 0x56DEC73: g_object_new_internal (gobject.c:1867)
==125284==    by 0x56DF135: g_object_new_with_properties (gobject.c:1995)
==125284==    by 0x56DE6D6: g_object_new (gobject.c:1667)
==125284==  Address 0x1ffeffcec8 is on thread 1's stack
==125284==  368 bytes below stack pointer
==125284== 
==125284== Invalid write of size 8
==125284==    at 0x9A775F7: ??? (in /home/mcatanzaro/Projects/GNOME/install/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==125284==    by 0x9CAEEF9: operator() (LocalAllocatorInlines.h:39)
==125284==    by 0x9CAEEF9: allocate<JSC::LocalAllocator::allocate(JSC::GCDeferralContext*, JSC::AllocationFailureMode)::<lambda()> > (FreeListInlines.h:46)
==125284==    by 0x9CAEEF9: allocate (LocalAllocatorInlines.h:37)
==125284==    by 0x9CAEEF9: allocate (AllocatorInlines.h:35)
==125284==    by 0x9CAEEF9: allocateNonVirtual (IsoSubspaceInlines.h:34)
==125284==    by 0x9CAEEF9: tryAllocateCellHelper<JSC::JSFunction> (JSCellInlines.h:173)
==125284==    by 0x9CAEEF9: void* JSC::allocateCell<JSC::JSFunction>(JSC::Heap&, unsigned long) (JSCellInlines.h:187)
==125284==    by 0x9CAC29F: JSC::JSFunction::create(JSC::VM&, JSC::JSGlobalObject*, int, WTF::String const&, JSC::NativeFunction, JSC::Intrinsic, JSC::NativeFunction, JSC::DOMJIT::Signature const*) (JSFunction.cpp:99)
==125284==    by 0x9C5478E: JSC::FunctionPrototype::addFunctionProperties(JSC::VM&, JSC::JSGlobalObject*, JSC::JSFunction**, JSC::JSFunction**, JSC::JSFunction**) (FunctionPrototype.cpp:62)
==125284==    by 0x9CD8EB9: JSC::JSGlobalObject::init(JSC::VM&) (JSGlobalObject.cpp:500)
==125284==    by 0x9CE3C45: JSC::JSGlobalObject::finishCreation(JSC::VM&) (JSGlobalObject.cpp:2113)
==125284==    by 0x92346E8: create (JSAPIGlobalObject.h:44)
==125284==    by 0x92346E8: JSGlobalContextCreateInGroup (JSContextRef.cpp:141)
==125284==    by 0x91F6E31: jscContextSetVirtualMachine(_JSCContext*, WTF::GRefPtr<_JSCVirtualMachine>&&) (JSCContext.cpp:107)
==125284==    by 0x91FA14E: jscContextConstructed(_GObject*) (JSCContext.cpp:153)
==125284==    by 0x56DEC73: g_object_new_internal (gobject.c:1867)
==125284==    by 0x56DF135: g_object_new_with_properties (gobject.c:1995)
==125284==    by 0x56DE6D6: g_object_new (gobject.c:1667)
==125284==  Address 0x1ffeffced8 is on thread 1's stack
==125284==  352 bytes below stack pointer
==125284== 
==125284== Invalid write of size 8
==125284==    at 0x9A775ED: ??? (in /home/mcatanzaro/Projects/GNOME/install/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==125284==    by 0x942E9F3: operator() (LocalAllocatorInlines.h:39)
==125284==    by 0x942E9F3: allocate<JSC::LocalAllocator::allocate(JSC::GCDeferralContext*, JSC::AllocationFailureMode)::<lambda()> > (FreeListInlines.h:46)
==125284==    by 0x942E9F3: allocate (LocalAllocatorInlines.h:37)
==125284==    by 0x942E9F3: allocate (AllocatorInlines.h:35)
==125284==    by 0x942E9F3: allocateNonVirtual (IsoSubspaceInlines.h:34)
==125284==    by 0x942E9F3: tryAllocateCellHelper<JSC::FunctionExecutable> (JSCellInlines.h:173)
==125284==    by 0x942E9F3: allocateCell<JSC::FunctionExecutable> (JSCellInlines.h:187)
==125284==    by 0x942E9F3: create (FunctionExecutable.h:53)
==125284==    by 0x942E9F3: JSC::UnlinkedFunctionExecutable::link(JSC::VM&, JSC::ScriptExecutable*, JSC::SourceCode const&, WTF::Optional<int>, JSC::Intrinsic) (UnlinkedFunctionExecutable.cpp:181)
==125284==    by 0x9221920: JSC::functionPrototypeApplyCodeGenerator(JSC::VM&) (JSCBuiltins.cpp:1522)
==125284==    by 0x9C547BD: JSC::FunctionPrototype::addFunctionProperties(JSC::VM&, JSC::JSGlobalObject*, JSC::JSFunction**, JSC::JSFunction**, JSC::JSFunction**) (FunctionPrototype.cpp:65)
==125284==    by 0x9CD8EB9: JSC::JSGlobalObject::init(JSC::VM&) (JSGlobalObject.cpp:500)
==125284==    by 0x9CE3C45: JSC::JSGlobalObject::finishCreation(JSC::VM&) (JSGlobalObject.cpp:2113)
==125284==    by 0x92346E8: create (JSAPIGlobalObject.h:44)
==125284==    by 0x92346E8: JSGlobalContextCreateInGroup (JSContextRef.cpp:141)
==125284==    by 0x91F6E31: jscContextSetVirtualMachine(_JSCContext*, WTF::GRefPtr<_JSCVirtualMachine>&&) (JSCContext.cpp:107)
==125284==    by 0x91FA14E: jscContextConstructed(_GObject*) (JSCContext.cpp:153)
==125284==    by 0x56DEC73: g_object_new_internal (gobject.c:1867)
==125284==    by 0x56DF135: g_object_new_with_properties (gobject.c:1995)
==125284==    by 0x56DE6D6: g_object_new (gobject.c:1667)
==125284==  Address 0x1ffeffcdf8 is on thread 1's stack
==125284==  416 bytes below stack pointer
==125284== 
==125284== Invalid write of size 8
==125284==    at 0x9A775F7: ??? (in /home/mcatanzaro/Projects/GNOME/install/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==125284==    by 0x942E9F3: operator() (LocalAllocatorInlines.h:39)
==125284==    by 0x942E9F3: allocate<JSC::LocalAllocator::allocate(JSC::GCDeferralContext*, JSC::AllocationFailureMode)::<lambda()> > (FreeListInlines.h:46)
==125284==    by 0x942E9F3: allocate (LocalAllocatorInlines.h:37)
==125284==    by 0x942E9F3: allocate (AllocatorInlines.h:35)
==125284==    by 0x942E9F3: allocateNonVirtual (IsoSubspaceInlines.h:34)
==125284==    by 0x942E9F3: tryAllocateCellHelper<JSC::FunctionExecutable> (JSCellInlines.h:173)
==125284==    by 0x942E9F3: allocateCell<JSC::FunctionExecutable> (JSCellInlines.h:187)
==125284==    by 0x942E9F3: create (FunctionExecutable.h:53)
==125284==    by 0x942E9F3: JSC::UnlinkedFunctionExecutable::link(JSC::VM&, JSC::ScriptExecutable*, JSC::SourceCode const&, WTF::Optional<int>, JSC::Intrinsic) (UnlinkedFunctionExecutable.cpp:181)
==125284==    by 0x9221920: JSC::functionPrototypeApplyCodeGenerator(JSC::VM&) (JSCBuiltins.cpp:1522)
==125284==    by 0x9C547BD: JSC::FunctionPrototype::addFunctionProperties(JSC::VM&, JSC::JSGlobalObject*, JSC::JSFunction**, JSC::JSFunction**, JSC::JSFunction**) (FunctionPrototype.cpp:65)
==125284==    by 0x9CD8EB9: JSC::JSGlobalObject::init(JSC::VM&) (JSGlobalObject.cpp:500)
==125284==    by 0x9CE3C45: JSC::JSGlobalObject::finishCreation(JSC::VM&) (JSGlobalObject.cpp:2113)
==125284==    by 0x92346E8: create (JSAPIGlobalObject.h:44)
==125284==    by 0x92346E8: JSGlobalContextCreateInGroup (JSContextRef.cpp:141)
==125284==    by 0x91F6E31: jscContextSetVirtualMachine(_JSCContext*, WTF::GRefPtr<_JSCVirtualMachine>&&) (JSCContext.cpp:107)
==125284==    by 0x91FA14E: jscContextConstructed(_GObject*) (JSCContext.cpp:153)
==125284==    by 0x56DEC73: g_object_new_internal (gobject.c:1867)
==125284==    by 0x56DF135: g_object_new_with_properties (gobject.c:1995)
==125284==    by 0x56DE6D6: g_object_new (gobject.c:1667)
==125284==  Address 0x1ffeffce08 is on thread 1's stack
==125284==  400 bytes below stack pointer
==125284== 
==125284== Invalid write of size 8
==125284==    at 0x9A775ED: ??? (in /home/mcatanzaro/Projects/GNOME/install/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==125284==    by 0x98D248F: JSC::CompleteSubspace::tryAllocateSlow(JSC::VM&, unsigned long, JSC::GCDeferralContext*) (CompleteSubspace.cpp:128)
==125284==    by 0x98D2698: JSC::CompleteSubspace::allocateSlow(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (CompleteSubspace.cpp:117)
==125284==    by 0x9D7DDB8: allocateNonVirtual (CompleteSubspaceInlines.h:37)
==125284==    by 0x9D7DDB8: tryAllocateCellHelper<JSC::ObjectPrototype> (JSCellInlines.h:173)
==125284==    by 0x9D7DDB8: allocateCell<JSC::ObjectPrototype> (JSCellInlines.h:187)
==125284==    by 0x9D7DDB8: JSC::ObjectPrototype::create(JSC::VM&, JSC::JSGlobalObject*, JSC::Structure*) (ObjectPrototype.cpp:75)
==125284==    by 0x9CD932A: JSC::JSGlobalObject::init(JSC::VM&) (JSGlobalObject.cpp:537)
==125284==    by 0x9CE3C45: JSC::JSGlobalObject::finishCreation(JSC::VM&) (JSGlobalObject.cpp:2113)
==125284==    by 0x92346E8: create (JSAPIGlobalObject.h:44)
==125284==    by 0x92346E8: JSGlobalContextCreateInGroup (JSContextRef.cpp:141)
==125284==    by 0x91F6E31: jscContextSetVirtualMachine(_JSCContext*, WTF::GRefPtr<_JSCVirtualMachine>&&) (JSCContext.cpp:107)
==125284==    by 0x91FA14E: jscContextConstructed(_GObject*) (JSCContext.cpp:153)
==125284==    by 0x56DEC73: g_object_new_internal (gobject.c:1867)
==125284==    by 0x56DF135: g_object_new_with_properties (gobject.c:1995)
==125284==    by 0x56DE6D6: g_object_new (gobject.c:1667)
==125284==  Address 0x1ffeffce58 is on thread 1's stack
==125284==  512 bytes below stack pointer
==125284== 
==125284== Invalid write of size 8
==125284==    at 0x9A775F7: ??? (in /home/mcatanzaro/Projects/GNOME/install/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==125284==    by 0x98D248F: JSC::CompleteSubspace::tryAllocateSlow(JSC::VM&, unsigned long, JSC::GCDeferralContext*) (CompleteSubspace.cpp:128)
==125284==    by 0x98D2698: JSC::CompleteSubspace::allocateSlow(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (CompleteSubspace.cpp:117)
==125284==    by 0x9D7DDB8: allocateNonVirtual (CompleteSubspaceInlines.h:37)
==125284==    by 0x9D7DDB8: tryAllocateCellHelper<JSC::ObjectPrototype> (JSCellInlines.h:173)
==125284==    by 0x9D7DDB8: allocateCell<JSC::ObjectPrototype> (JSCellInlines.h:187)
==125284==    by 0x9D7DDB8: JSC::ObjectPrototype::create(JSC::VM&, JSC::JSGlobalObject*, JSC::Structure*) (ObjectPrototype.cpp:75)
==125284==    by 0x9CD932A: JSC::JSGlobalObject::init(JSC::VM&) (JSGlobalObject.cpp:537)
==125284==    by 0x9CE3C45: JSC::JSGlobalObject::finishCreation(JSC::VM&) (JSGlobalObject.cpp:2113)
==125284==    by 0x92346E8: create (JSAPIGlobalObject.h:44)
==125284==    by 0x92346E8: JSGlobalContextCreateInGroup (JSContextRef.cpp:141)
==125284==    by 0x91F6E31: jscContextSetVirtualMachine(_JSCContext*, WTF::GRefPtr<_JSCVirtualMachine>&&) (JSCContext.cpp:107)
==125284==    by 0x91FA14E: jscContextConstructed(_GObject*) (JSCContext.cpp:153)
==125284==    by 0x56DEC73: g_object_new_internal (gobject.c:1867)
==125284==    by 0x56DF135: g_object_new_with_properties (gobject.c:1995)
==125284==    by 0x56DE6D6: g_object_new (gobject.c:1667)
==125284==  Address 0x1ffeffce68 is on thread 1's stack
==125284==  496 bytes below stack pointer
==125284== 
==125284== Invalid write of size 8
==125284==    at 0x9A775ED: ??? (in /home/mcatanzaro/Projects/GNOME/install/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==125284==    by 0x9E03C76: operator() (LocalAllocatorInlines.h:39)
==125284==    by 0x9E03C76: allocate<JSC::LocalAllocator::allocate(JSC::GCDeferralContext*, JSC::AllocationFailureMode)::<lambda()> > (FreeListInlines.h:46)
==125284==    by 0x9E03C76: allocate (LocalAllocatorInlines.h:37)
==125284==    by 0x9E03C76: allocate (AllocatorInlines.h:35)
==125284==    by 0x9E03C76: allocateNonVirtual (IsoSubspaceInlines.h:34)
==125284==    by 0x9E03C76: tryAllocateCellHelper<JSC::StructureRareData> (JSCellInlines.h:173)
==125284==    by 0x9E03C76: allocateCell<JSC::StructureRareData> (JSCellInlines.h:187)
==125284==    by 0x9E03C76: JSC::StructureRareData::create(JSC::VM&, JSC::Structure*) (StructureRareData.cpp:48)
==125284==    by 0x9E03CB6: JSC::Structure::allocateRareData(JSC::VM&) (Structure.cpp:839)
==125284==    by 0x9E08797: JSC::Structure::ensurePropertyReplacementWatchpointSet(JSC::VM&, int) (Structure.cpp:854)
==125284==    by 0x94157A7: JSC::PropertyCondition::isWatchableWhenValid(JSC::Structure*, JSC::PropertyCondition::WatchabilityEffort) const (PropertyCondition.cpp:323)
==125284==    by 0x9CC4F23: JSC::JSGlobalObject::init(JSC::VM&)::{lambda(JSC::JSObject*, JSC::Identifier const&)#73}::operator()(JSC::JSObject*, JSC::Identifier const&) const [clone .isra.0] (JSGlobalObject.cpp:1119)
==125284==    by 0x9CE07ED: JSC::JSGlobalObject::init(JSC::VM&) (JSGlobalObject.cpp:1126)
==125284==    by 0x9CE3C45: JSC::JSGlobalObject::finishCreation(JSC::VM&) (JSGlobalObject.cpp:2113)
==125284==    by 0x92346E8: create (JSAPIGlobalObject.h:44)
==125284==    by 0x92346E8: JSGlobalContextCreateInGroup (JSContextRef.cpp:141)
==125284==    by 0x91F6E31: jscContextSetVirtualMachine(_JSCContext*, WTF::GRefPtr<_JSCVirtualMachine>&&) (JSCContext.cpp:107)
==125284==    by 0x91FA14E: jscContextConstructed(_GObject*) (JSCContext.cpp:153)
==125284==    by 0x56DEC73: g_object_new_internal (gobject.c:1867)
==125284==  Address 0x1ffeffcd78 is on thread 1's stack
==125284==  512 bytes below stack pointer
==125284== 
==125284== Invalid write of size 8
==125284==    at 0x9A775F7: ??? (in /home/mcatanzaro/Projects/GNOME/install/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==125284==    by 0x9E03C76: operator() (LocalAllocatorInlines.h:39)
==125284==    by 0x9E03C76: allocate<JSC::LocalAllocator::allocate(JSC::GCDeferralContext*, JSC::AllocationFailureMode)::<lambda()> > (FreeListInlines.h:46)
==125284==    by 0x9E03C76: allocate (LocalAllocatorInlines.h:37)
==125284==    by 0x9E03C76: allocate (AllocatorInlines.h:35)
==125284==    by 0x9E03C76: allocateNonVirtual (IsoSubspaceInlines.h:34)
==125284==    by 0x9E03C76: tryAllocateCellHelper<JSC::StructureRareData> (JSCellInlines.h:173)
==125284==    by 0x9E03C76: allocateCell<JSC::StructureRareData> (JSCellInlines.h:187)
==125284==    by 0x9E03C76: JSC::StructureRareData::create(JSC::VM&, JSC::Structure*) (StructureRareData.cpp:48)
==125284==    by 0x9E03CB6: JSC::Structure::allocateRareData(JSC::VM&) (Structure.cpp:839)
==125284==    by 0x9E08797: JSC::Structure::ensurePropertyReplacementWatchpointSet(JSC::VM&, int) (Structure.cpp:854)
==125284==    by 0x94157A7: JSC::PropertyCondition::isWatchableWhenValid(JSC::Structure*, JSC::PropertyCondition::WatchabilityEffort) const (PropertyCondition.cpp:323)
==125284==    by 0x9CC4F23: JSC::JSGlobalObject::init(JSC::VM&)::{lambda(JSC::JSObject*, JSC::Identifier const&)#73}::operator()(JSC::JSObject*, JSC::Identifier const&) const [clone .isra.0] (JSGlobalObject.cpp:1119)
==125284==    by 0x9CE07ED: JSC::JSGlobalObject::init(JSC::VM&) (JSGlobalObject.cpp:1126)
==125284==    by 0x9CE3C45: JSC::JSGlobalObject::finishCreation(JSC::VM&) (JSGlobalObject.cpp:2113)
==125284==    by 0x92346E8: create (JSAPIGlobalObject.h:44)
==125284==    by 0x92346E8: JSGlobalContextCreateInGroup (JSContextRef.cpp:141)
==125284==    by 0x91F6E31: jscContextSetVirtualMachine(_JSCContext*, WTF::GRefPtr<_JSCVirtualMachine>&&) (JSCContext.cpp:107)
==125284==    by 0x91FA14E: jscContextConstructed(_GObject*) (JSCContext.cpp:153)
==125284==    by 0x56DEC73: g_object_new_internal (gobject.c:1867)
==125284==  Address 0x1ffeffcd88 is on thread 1's stack
==125284==  496 bytes below stack pointer
==125284== 
==125284== Invalid write of size 8
==125284==    at 0x9A775ED: ??? (in /home/mcatanzaro/Projects/GNOME/install/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==125284==    by 0x9CE3E53: operator() (LocalAllocatorInlines.h:39)
==125284==    by 0x9CE3E53: allocate<JSC::LocalAllocator::allocate(JSC::GCDeferralContext*, JSC::AllocationFailureMode)::<lambda()> > (FreeListInlines.h:46)
==125284==    by 0x9CE3E53: allocate (LocalAllocatorInlines.h:37)
==125284==    by 0x9CE3E53: allocate (AllocatorInlines.h:35)
==125284==    by 0x9CE3E53: allocateNonVirtual (IsoSubspaceInlines.h:34)
==125284==    by 0x9CE3E53: tryAllocateCellHelper<JSC::Structure> (JSCellInlines.h:173)
==125284==    by 0x9CE3E53: allocateCell<JSC::Structure> (JSCellInlines.h:187)
==125284==    by 0x9CE3E53: create (Structure.h:798)
==125284==    by 0x9CE3E53: createStructure (JSNonDestructibleProxy.h:69)
==125284==    by 0x9CE3E53: JSC::JSGlobalObject::finishCreation(JSC::VM&) (JSGlobalObject.cpp:2114)
==125284==    by 0x92346E8: create (JSAPIGlobalObject.h:44)
==125284==    by 0x92346E8: JSGlobalContextCreateInGroup (JSContextRef.cpp:141)
==125284==    by 0x91F6E31: jscContextSetVirtualMachine(_JSCContext*, WTF::GRefPtr<_JSCVirtualMachine>&&) (JSCContext.cpp:107)
==125284==    by 0x91FA14E: jscContextConstructed(_GObject*) (JSCContext.cpp:153)
==125284==    by 0x56DEC73: g_object_new_internal (gobject.c:1867)
==125284==    by 0x56DF135: g_object_new_with_properties (gobject.c:1995)
==125284==    by 0x56DE6D6: g_object_new (gobject.c:1667)
==125284==    by 0x91F7469: jsc_context_new (JSCContext.cpp:583)
==125284==    by 0x686B494: getOrCreateContext (WebKitJavascriptResultPrivate.h:44)
==125284==    by 0x686B494: _WebKitJavascriptResult (WebKitJavascriptResult.cpp:31)
==125284==    by 0x686B494: webkitJavascriptResultCreate(WebCore::SerializedScriptValue&) (WebKitJavascriptResult.cpp:45)
==125284==    by 0x68888EC: webkitWebViewRunJavaScriptCallback(API::SerializedScriptValue*, WebCore::ExceptionDetails const&, _GTask*) (WebKitWebView.cpp:3428)
==125284==    by 0x67CE617: operator() (Function.h:79)
==125284==    by 0x67CE617: performCallbackWithReturnValue (GenericCallback.h:109)
==125284==    by 0x67CE617: performCallbackWithReturnValue (GenericCallback.h:101)
==125284==    by 0x67CE617: WebKit::WebPageProxy::scriptValueCallback(IPC::DataReference const&, bool, WebCore::ExceptionDetails const&, WebKit::CallbackID) (WebPageProxy.cpp:6531)
==125284==  Address 0x1ffeffcf48 is on thread 1's stack
==125284==  5008 bytes below stack pointer
==125284== 
==125284== Invalid write of size 8
==125284==    at 0x9A775F7: ??? (in /home/mcatanzaro/Projects/GNOME/install/lib/libjavascriptcoregtk-4.0.so.18.14.1)
==125284==    by 0x9CE3E53: operator() (LocalAllocatorInlines.h:39)
==125284==    by 0x9CE3E53: allocate<JSC::LocalAllocator::allocate(JSC::GCDeferralContext*, JSC::AllocationFailureMode)::<lambda()> > (FreeListInlines.h:46)
==125284==    by 0x9CE3E53: allocate (LocalAllocatorInlines.h:37)
==125284==    by 0x9CE3E53: allocate (AllocatorInlines.h:35)
==125284==    by 0x9CE3E53: allocateNonVirtual (IsoSubspaceInlines.h:34)
==125284==    by 0x9CE3E53: tryAllocateCellHelper<JSC::Structure> (JSCellInlines.h:173)
==125284==    by 0x9CE3E53: allocateCell<JSC::Structure> (JSCellInlines.h:187)
==125284==    by 0x9CE3E53: create (Structure.h:798)
==125284==    by 0x9CE3E53: createStructure (JSNonDestructibleProxy.h:69)
==125284==    by 0x9CE3E53: JSC::JSGlobalObject::finishCreation(JSC::VM&) (JSGlobalObject.cpp:2114)
==125284==    by 0x92346E8: create (JSAPIGlobalObject.h:44)
==125284==    by 0x92346E8: JSGlobalContextCreateInGroup (JSContextRef.cpp:141)
==125284==    by 0x91F6E31: jscContextSetVirtualMachine(_JSCContext*, WTF::GRefPtr<_JSCVirtualMachine>&&) (JSCContext.cpp:107)
==125284==    by 0x91FA14E: jscContextConstructed(_GObject*) (JSCContext.cpp:153)
==125284==    by 0x56DEC73: g_object_new_internal (gobject.c:1867)
==125284==    by 0x56DF135: g_object_new_with_properties (gobject.c:1995)
==125284==    by 0x56DE6D6: g_object_new (gobject.c:1667)
==125284==    by 0x91F7469: jsc_context_new (JSCContext.cpp:583)
==125284==    by 0x686B494: getOrCreateContext (WebKitJavascriptResultPrivate.h:44)
==125284==    by 0x686B494: _WebKitJavascriptResult (WebKitJavascriptResult.cpp:31)
==125284==    by 0x686B494: webkitJavascriptResultCreate(WebCore::SerializedScriptValue&) (WebKitJavascriptResult.cpp:45)
==125284==    by 0x68888EC: webkitWebViewRunJavaScriptCallback(API::SerializedScriptValue*, WebCore::ExceptionDetails const&, _GTask*) (WebKitWebView.cpp:3428)
==125284==    by 0x67CE617: operator() (Function.h:79)
==125284==    by 0x67CE617: performCallbackWithReturnValue (GenericCallback.h:109)
==125284==    by 0x67CE617: performCallbackWithReturnValue (GenericCallback.h:101)
==125284==    by 0x67CE617: WebKit::WebPageProxy::scriptValueCallback(IPC::DataReference const&, bool, WebCore::ExceptionDetails const&, WebKit::CallbackID) (WebPageProxy.cpp:6531)
==125284==  Address 0x1ffeffcf58 is on thread 1's stack
==125284==  4992 bytes below stack pointer
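As an added example (not code from the bug report, from WebKit or from valgrind), the Python below parses memcheck reports of the shape shown above and groups them by call stack, so that a long report can be triaged as a handful of distinct paths rather than a wall of near-duplicate entries. The function names and the abridged sample log embedded in it are this example's own constructions; the library path in the sample is a placeholder.

```python
"""Triage helper for valgrind memcheck "Invalid read/write" reports.

Added example for this bug report, not code from WebKit or valgrind: it parses
the ``==PID==``-prefixed lines memcheck prints, keeps each report's frames,
address and "bytes below stack pointer" offset, and groups reports that share
a call stack. All names are the example's own.
"""
import re

# Constructed sample in the shape of the reports above (frames abridged,
# library path replaced by a placeholder).
SAMPLE_LOG = """\
==125284== Thread 1:
==125284== Invalid write of size 8
==125284==    at 0x9A775ED: ??? (in /path/to/libjavascriptcoregtk-4.0.so)
==125284==    by 0x923FF5A: JSC::LocalAllocator::allocate(...) (LocalAllocatorInlines.h:39)
==125284==    by 0x9CE237D: JSC::JSGlobalObject::init(JSC::VM&) (JSGlobalObject.cpp:460)
==125284==  Address 0x1ffeffcf08 is on thread 1's stack
==125284==  496 bytes below stack pointer
==125284==
==125284== Invalid write of size 8
==125284==    at 0x9A775F7: ??? (in /path/to/libjavascriptcoregtk-4.0.so)
==125284==    by 0x923FF5A: JSC::LocalAllocator::allocate(...) (LocalAllocatorInlines.h:39)
==125284==    by 0x9CE237D: JSC::JSGlobalObject::init(JSC::VM&) (JSGlobalObject.cpp:460)
==125284==  Address 0x1ffeffcf18 is on thread 1's stack
==125284==  480 bytes below stack pointer
==125284==
==125284== Invalid write of size 8
==125284==    at 0x9A775ED: ??? (in /path/to/libjavascriptcoregtk-4.0.so)
==125284==    by 0x98D248F: JSC::CompleteSubspace::tryAllocateSlow(...) (CompleteSubspace.cpp:128)
==125284==    by 0x9CE2275: JSC::JSGlobalObject::init(JSC::VM&) (JSGlobalObject.cpp:463)
==125284==  Address 0x1ffeffce78 is on thread 1's stack
==125284==  544 bytes below stack pointer
"""

PREFIX_RE = re.compile(r"^==\d+==\s?(.*)$")
HEADER_RE = re.compile(r"^Invalid (read|write) of size (\d+)$")
FRAME_RE = re.compile(r"^\s*(?:at|by) (0x[0-9A-Fa-f]+): (.*)$")
ADDR_RE = re.compile(r"^\s*Address (0x[0-9A-Fa-f]+) is (.*)$")
BELOW_SP_RE = re.compile(r"^\s*(\d+) bytes below stack pointer$")

def parse_memcheck(text):
    """Return one dict per 'Invalid read/write' report found in text."""
    reports, current = [], None
    for raw in text.splitlines():
        m = PREFIX_RE.match(raw)
        if not m:
            continue                  # program output, not a valgrind line
        line = m.group(1)
        h = HEADER_RE.match(line)
        if h:
            current = {"kind": h.group(1), "size": int(h.group(2)), "frames": [],
                       "address": None, "where": None, "below_sp": None}
            reports.append(current)
        elif current is None:
            continue                  # e.g. "Thread 1:" before any report
        elif not line.strip():
            current = None            # blank valgrind line ends the report
        elif (f := FRAME_RE.match(line)):
            current["frames"].append((f.group(1), f.group(2)))
        elif (a := ADDR_RE.match(line)):
            current["address"], current["where"] = int(a.group(1), 16), a.group(2)
        elif (b := BELOW_SP_RE.match(line)):
            current["below_sp"] = int(b.group(1))
    return reports

def stack_signature(report):
    """Frame descriptions minus instruction addresses, so that several faulting
    addresses inside one unsymbolised function collapse into one stack."""
    return tuple(desc for _addr, desc in report["frames"])

def group_by_stack(reports):
    """Map each distinct signature to its reports, in first-seen order."""
    groups = {}
    for r in reports:
        groups.setdefault(stack_signature(r), []).append(r)
    return groups

def summarize(text):
    """One summary dict per distinct call stack."""
    out = []
    for sig, rs in group_by_stack(parse_memcheck(text)).items():
        out.append({
            "top_frame": sig[0] if sig else "<no frames>",
            # the first frame that carries a symbol is where a human starts reading
            "first_symbolised": next((d for d in sig if not d.startswith("???")), None),
            "count": len(rs),
            "sizes": sorted({r["size"] for r in rs}),
            "all_on_stack": all(r["where"] is not None and "stack" in r["where"] for r in rs),
            "below_sp": [r["below_sp"] for r in rs],
        })
    return out

if __name__ == "__main__":
    for s in summarize(SAMPLE_LOG):
        print(f"{s['count']} report(s) of {s['sizes']} bytes, {s['below_sp']} bytes "
              f"below SP, first symbol: {s['first_symbolised']}")
```

Run against the full text of the report above (pipe the mail through `python3 triage.py` after replacing `SAMPLE_LOG` with `sys.stdin.read()`), it collapses the 14 "Invalid write of size 8" entries into 7 distinct call stacks: each stack is hit at the same two instruction addresses, 0x9A775ED and 0x9A775F7, inside the unsymbolised `libjavascriptcoregtk` frame, and the writes land between 352 and 5008 bytes below the stack pointer. Memcheck reports such writes because it does not treat memory below the stack pointer as addressable, which is why the grouping keys on the symbolised frames and the offset rather than on the raw address.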
