<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEW "
title="NEW - [WinCairo] heap corruption is detected when destructing JSGlobalObject"
href="https://bugs.webkit.org/show_bug.cgi?id=156831#c1">Comment # 1</a>
on <a class="bz_bug_link
bz_status_NEW "
title="NEW - [WinCairo] heap corruption is detected when destructing JSGlobalObject"
href="https://bugs.webkit.org/show_bug.cgi?id=156831">bug 156831</a>
from <span class="vcard"><a class="email" href="mailto:Hironori.Fujii@sony.com" title="Fujii Hironori <Hironori.Fujii@sony.com>"> <span class="fn">Fujii Hironori</span></a>
</span></b>
<pre>This is caused by a heap mismatch between allocation and deallocation.
The memory is allocated in the heap of WebKit.dll, but deallocated in JavaScriptCore.dll.
JSGlobalObject::createRareDataIfNeeded is inlined,
but JSGlobalObject::~JSGlobalObject is not inlined.
Callstack of allocation:
<span class="quote">> WebKit.dll!WTF::Lock::Lock() Line 119        C++
> [External Code]        
> WebKit.dll!WTF::HashTable<WTF::RefPtr<OpaqueJSWeakObjectMap>,WTF::RefPtr<OpaqueJSWeakObjectMap>,WTF::IdentityExtractor,WTF::PtrHash<WTF::RefPtr<OpaqueJSWeakObjectMap> >,WTF::HashTraits<WTF::RefPtr<OpaqueJSWeakObjectMap> >,WTF::HashTraits<WTF::RefPtr<OpaqueJSWeakObjectMap> > >::HashTable<WTF::RefPtr<OpaqueJSWeakObjectMap>,WTF::RefPtr<OpaqueJSWeakObjectMap>,WTF::IdentityExtractor,WTF::PtrHash<WTF::RefPtr<OpaqueJSWeakObjectMap> >,WTF::HashTraits<WTF::RefPtr<OpaqueJSWeakObjectMap> >,WTF::HashTraits<WTF::RefPtr<OpaqueJSWeakObjectMap> > >() Line 557        C++
> WebKit.dll!WTF::HashSet<WTF::RefPtr<OpaqueJSWeakObjectMap>,WTF::PtrHash<WTF::RefPtr<OpaqueJSWeakObjectMap> >,WTF::HashTraits<WTF::RefPtr<OpaqueJSWeakObjectMap> > >::HashSet<WTF::RefPtr<OpaqueJSWeakObjectMap>,WTF::PtrHash<WTF::RefPtr<OpaqueJSWeakObjectMap> >,WTF::HashTraits<WTF::RefPtr<OpaqueJSWeakObjectMap> > >() Line 56        C++
> WebKit.dll!JSC::JSGlobalObject::JSGlobalObjectRareData::JSGlobalObjectRareData() Line 188        C++
> [External Code]        
> WebKit.dll!JSC::JSGlobalObject::createRareDataIfNeeded() Line 354        C++
> WebKit.dll!JSC::JSGlobalObject::setProfileGroup(unsigned int value) Line 626        C++
> WebKit.dll!WebCore::ScriptController::initScript(WebCore::DOMWrapperWorld & world) Line 262        C++
> WebKit.dll!WebCore::ScriptController::windowShell(WebCore::DOMWrapperWorld & world) Line 90        C++
> WebKit.dll!WebCore::ScriptController::evaluateInWorld(const WebCore::ScriptSourceCode & sourceCode, WebCore::DOMWrapperWorld & world, WebCore::ExceptionDetails * exceptionDetails) Line 154        C++
> WebKit.dll!WebCore::ScriptController::evaluate(const WebCore::ScriptSourceCode & sourceCode, WebCore::ExceptionDetails * exceptionDetails) Line 180        C++
> WebKit.dll!WebCore::ScriptElement::executeScript(const WebCore::ScriptSourceCode & sourceCode) Line 321        C++
> WebKit.dll!WebCore::ScriptElement::prepareScript(const WTF::TextPosition & scriptStartPosition, WebCore::ScriptElement::LegacyTypeSupport supportLegacyTypes) Line 245        C++
> WebKit.dll!WebCore::HTMLScriptRunner::runScript(WebCore::Element * script, const WTF::TextPosition & scriptStartPosition) Line 304        C++
> WebKit.dll!WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element> scriptElement, const WTF::TextPosition & scriptStartPosition) Line 177        C++
> WebKit.dll!WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() Line 215        C++
> WebKit.dll!WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode mode, bool parsingFragment, WebCore::PumpSession & session) Line 234        C++
> WebKit.dll!WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode mode) Line 282        C++
> WebKit.dll!WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode mode) Line 169        C++
> WebKit.dll!WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl> && inputSource) Line 396        C++
> WebKit.dll!WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter & writer) Line 60        C++
> WebKit.dll!WebCore::DocumentWriter::end() Line 255        C++
> WebKit.dll!WebCore::DocumentLoader::finishedLoading(double finishTime) Line 437        C++
> WebKit.dll!WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource * resource) Line 384        C++
> WebKit.dll!WebCore::CachedResource::checkNotify() Line 299        C++
> WebKit.dll!WebCore::CachedResource::finishLoading(WebCore::SharedBuffer * __formal) Line 316        C++
> WebKit.dll!WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer * data) Line 104        C++
> WebKit.dll!WebCore::SubresourceLoader::didFinishLoading(double finishTime) Line 431        C++
> WebKit.dll!WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle * __formal, double finishTime) Line 643        C++
> WebKit.dll!WebCore::ResourceHandleManager::downloadTimerCallback() Line 700        C++
> [External Code]        
> WebKit.dll!WebCore::Timer::fired() Line 142        C++
> WebKit.dll!WebCore::ThreadTimers::sharedTimerFiredInternal() Line 124        C++
> WebKit.dll!WebCore::ThreadTimers::setSharedTimer::__l8::<lambda>() Line 73        C++
> [External Code]        
> WebKit.dll!WebCore::MainThreadSharedTimer::fired() Line 53        C++
> WebKit.dll!WebCore::TimerWindowWndProc(HWND__ * hWnd, unsigned int message, unsigned __int64 wParam, __int64 lParam) Line 91        C++
> [External Code]        
> DumpRenderTreeLib.dll!runTest(const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & inputLine) Line 1145        C++
> DumpRenderTreeLib.dll!main(int argc, const char * * argv) Line 1486        C++
> DumpRenderTreeLib.dll!dllLauncherEntryPoint(int argc, const char * * argv) Line 1517        C++
> DumpRenderTree.exe!main(int argc, const char * * argv) Line 260        C++
> [External Code]</span></pre>
</div>
</p>
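<p>The mechanism described in the comment, as an added illustration that is not WebKit code and not part of the bug report: two <code>Heap</code> objects stand in for the CRT heaps owned by WebKit.dll and JavaScriptCore.dll, <code>createRareDataIfNeeded</code> is charged to the caller's heap (as an inlined function would be), and the out-of-line destructor frees through the defining module's heap. The tracking heap reports the mismatch instead of corrupting memory; the names <code>Heap</code>, <code>GlobalObject</code>, <code>RareData</code> and <code>destroyInModuleHeap</code> are constructed for this example.</p>

```cpp
#include <cstddef>
#include <cstdlib>
#include <new>
#include <set>

// Constructed stand-in for the CRT heap owned by one DLL. It records every
// block it hands out so a free from the wrong heap can be reported rather
// than silently corrupting heap metadata.
class Heap {
public:
    explicit Heap(const char* name) : m_name(name) {}

    void* allocate(size_t size) {
        void* p = std::malloc(size);
        m_live.insert(p);
        return p;
    }

    // Returns false when p was not allocated by this heap (the mismatch the
    // bug report describes); the block is left untouched in that case.
    bool deallocate(void* p) {
        auto it = m_live.find(p);
        if (it == m_live.end())
            return false;
        m_live.erase(it);
        std::free(p);
        return true;
    }

    const char* name() const { return m_name; }
    size_t liveCount() const { return m_live.size(); }

private:
    const char* m_name;
    std::set<void*> m_live;
};

// One simulated heap per module (constructed names matching the comment).
Heap webKitHeap("WebKit.dll");
Heap jscHeap("JavaScriptCore.dll");

struct RareData {
    int profileGroup = 0;
};

// Simplified stand-in for JSGlobalObject: the rare data is created by a
// function that gets inlined into the caller, so the allocation lands in the
// caller's module heap, while the destructor is out-of-line and frees through
// the heap of the module that defines it.
struct GlobalObject {
    RareData* rareData = nullptr;
    Heap* allocatingHeap = nullptr;

    // Inlined into the caller: the allocation is charged to callerHeap.
    void createRareDataIfNeeded(Heap& callerHeap) {
        if (rareData)
            return;
        void* mem = callerHeap.allocate(sizeof(RareData));
        rareData = new (mem) RareData();
        allocatingHeap = &callerHeap;
    }

    // Out-of-line destructor: frees through the defining module's heap.
    // Returns false if that heap did not own the block; the block is then
    // released through the heap that actually allocated it so the example
    // does not leak, but the mismatch has already been detected.
    bool destroyRareData(Heap& definingModuleHeap) {
        if (!rareData)
            return true;
        rareData->~RareData();
        bool matched = definingModuleHeap.deallocate(rareData);
        if (!matched)
            allocatingHeap->deallocate(rareData);
        rareData = nullptr;
        allocatingHeap = nullptr;
        return matched;
    }
};

// Reproduces the pattern from the comment: allocate via the inlined helper in
// callerHeap, free via the out-of-line destructor in definingModuleHeap.
// Returns true only when both operations hit the same heap.
bool destroyInModuleHeap(Heap& callerHeap, Heap& definingModuleHeap) {
    GlobalObject globalObject;
    globalObject.createRareDataIfNeeded(callerHeap);
    return globalObject.destroyRareData(definingModuleHeap);
}

int main() {
    // WebKit.dll allocates, JavaScriptCore.dll frees: mismatch detected.
    bool crossModule = destroyInModuleHeap(webKitHeap, jscHeap);
    // Both sides in JavaScriptCore.dll: heaps match.
    bool sameModule = destroyInModuleHeap(jscHeap, jscHeap);
    return (crossModule == false && sameModule == true) ? 0 : 1;
}
```

<p>A real CRT heap has no such ownership table; freeing a block on the wrong heap corrupts allocator metadata, which is what the debug heap eventually reports at destruction time. Keeping allocation and deallocation inside the same module (for example by not inlining the allocating function across the DLL boundary, or by routing both through one shared allocator) removes the mismatch.</p>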
</body>
</html>