edbrowse-dev - development list for edbrowse
From: Chris Brannon <chris@the-brannons.com>
To: Edbrowse-dev@lists.the-brannons.com
Subject: Re: [Edbrowse-dev] seg fault what?
Date: Thu, 23 Jan 2014 10:28:47 -0800	[thread overview]
Message-ID: <87r47yr1r4.fsf@mushroom.PK5001Z> (raw)
In-Reply-To: <20140023123926.eklhad@comcast.net> (Karl Dahlke's message of "Thu, 23 Jan 2014 12:39:26 -0500")

I can't reproduce with your file in any version that I have, but I think
I've found a similar test case.
Visit www.youtube.com with js enabled.  Search for Popular (with
/Popular) and click on the link.  It always segfaults for me, with
several versions: edbrowse from master built against
spidermonkey 1.8.5, code from Adam's git repository built against
spidermonkey 24.0, and even edbrowse 3.4.9 built against spidermonkey
1.8.5.
I also managed to reproduce the crash under valgrind, and here's what I
found.  I'm posting two logs, one made with edbrowse from master, the
other made with edbrowse from Adam's repo.  Notice that they look
suspiciously similar.  For ease of navigation, the logs are enclosed in
<log> and </log>.


<log>
(With edbrowse built against spidermonkey 1.8.5):
Invalid read of size 8
   at 0x565F3AE: JS_NewObject (in /usr/lib64/libmozjs185.so.1.0.0)
   by 0x42F80F: domLink (jsdom.c:1185)
   by 0x424092: encodeTags (html.c:1621)
   by 0x424A50: htmlParse (html.c:2134)
   by 0x40E1D7: browseCurrentBuffer (buffers.c:4837)
   by 0x410068: runCommand (buffers.c:4446)
   by 0x412E2F: edbrowseCommand (buffers.c:4621)
   by 0x4068C9: main (main.c:1303)
 Address 0x1000045ba is not stack'd, malloc'd or (recently) free'd


Process terminating with default action of signal 11 (SIGSEGV)
 Access not within mapped region at address 0x1000045BA
   at 0x565F3AE: JS_NewObject (in /usr/lib64/libmozjs185.so.1.0.0)
   by 0x42F80F: domLink (jsdom.c:1185)
   by 0x424092: encodeTags (html.c:1621)
   by 0x424A50: htmlParse (html.c:2134)
   by 0x40E1D7: browseCurrentBuffer (buffers.c:4837)
   by 0x410068: runCommand (buffers.c:4446)
   by 0x412E2F: edbrowseCommand (buffers.c:4621)
   by 0x4068C9: main (main.c:1303)
</log>

<log>
(With edbrowse built against spidermonkey 24.0):
Invalid read of size 8
   at 0x571EA32: js::GCMarker::drainMarkStack(js::SliceBudget&) (Heap.h:687)
   by 0x5808C14: IncrementalCollectSlice(JSRuntime*, long, JS::gcreason::Reason, js::JSGCInvocationKind) (jsgc.cpp:3779)
   by 0x580A960: GCCycle(JSRuntime*, bool, long, js::JSGCInvocationKind, JS::gcreason::Reason) (jsgc.cpp:4422)
   by 0x580AD7F: Collect(JSRuntime*, bool, long, js::JSGCInvocationKind, JS::gcreason::Reason) [clone .part.222] (jsgc.cpp:4558)
   by 0x580B1D8: void* js::gc::ArenaLists::refillFreeList<(js::AllowGC)1>(js::ThreadSafeContext*, js::gc::AllocKind) (jsgc.cpp:1467)
   by 0x588BC46: JSFlatString* js_NewStringCopyN<(js::AllowGC)1>(JSContext*, unsigned short const*, unsigned long) (jsgcinlines.h:541)
   by 0x57C45DE: js::Atomize(JSContext*, char const*, unsigned long, js::InternBehavior) (jsatom.cpp:306)
   by 0x57AC8E1: DefineProperty(JSContext*, JS::Handle<JSObject*>, char const*, JS::Value const&, JSPropertyOpWrapper const&, JSStrictPropertyOpWrapper const&, unsigned int, unsigned int, int) (jsapi.cpp:3718)
   by 0x57ACCA9: JS_DefineProperty(JSContext*, JSObject*, char const*, JS::Value, int (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<long>, JS::MutableHandle<JS::Value>), int (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<long>, int, JS::MutableHandle<JS::Value>), unsigned int) (jsapi.cpp:3734)
   by 0x43A9E1: domLink (jsdom.cpp:1263)
   by 0x429E55: encodeTags (html.c:1447)
   by 0x42C0CB: htmlParse (html.c:2134)
 Address 0xfc0b0 is not stack'd, malloc'd or (recently) free'd


Process terminating with default action of signal 11 (SIGSEGV)
 Access not within mapped region at address 0xFC0B0
   at 0x571EA32: js::GCMarker::drainMarkStack(js::SliceBudget&) (Heap.h:687)
   by 0x5808C14: IncrementalCollectSlice(JSRuntime*, long, JS::gcreason::Reason, js::JSGCInvocationKind) (jsgc.cpp:3779)
   by 0x580A960: GCCycle(JSRuntime*, bool, long, js::JSGCInvocationKind, JS::gcreason::Reason) (jsgc.cpp:4422)
   by 0x580AD7F: Collect(JSRuntime*, bool, long, js::JSGCInvocationKind, JS::gcreason::Reason) [clone .part.222] (jsgc.cpp:4558)
   by 0x580B1D8: void* js::gc::ArenaLists::refillFreeList<(js::AllowGC)1>(js::ThreadSafeContext*, js::gc::AllocKind) (jsgc.cpp:1467)
   by 0x588BC46: JSFlatString* js_NewStringCopyN<(js::AllowGC)1>(JSContext*, unsigned short const*, unsigned long) (jsgcinlines.h:541)
   by 0x57C45DE: js::Atomize(JSContext*, char const*, unsigned long, js::InternBehavior) (jsatom.cpp:306)
   by 0x57AC8E1: DefineProperty(JSContext*, JS::Handle<JSObject*>, char const*, JS::Value const&, JSPropertyOpWrapper const&, JSStrictPropertyOpWrapper const&, unsigned int, unsigned int, int) (jsapi.cpp:3718)
   by 0x57ACCA9: JS_DefineProperty(JSContext*, JSObject*, char const*, JS::Value, int (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<long>, JS::MutableHandle<JS::Value>), int (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<long>, int, JS::MutableHandle<JS::Value>), unsigned int) (jsapi.cpp:3734)
   by 0x43A9E1: domLink (jsdom.cpp:1263)
   by 0x429E55: encodeTags (html.c:1447)
   by 0x42C0CB: htmlParse (html.c:2134)
</log>

-- Chris
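An added triage helper, not part of this thread or of edbrowse: it parses two valgrind error blocks like the ones above (constructed, shortened excerpts of those logs, with the long C++ frames trimmed) and lists the frames common to both stacks, which is what makes them look "suspiciously similar": the same edbrowse frames domLink, encodeTags and htmlParse beneath different SpiderMonkey internals.

```python
import re
from typing import Dict, List

# Constructed excerpts modelled on the two valgrind logs in the message above
# (long C++ frames trimmed; addresses and line numbers as posted).
LOG_SM185 = """\
Invalid read of size 8
   at 0x565F3AE: JS_NewObject (in /usr/lib64/libmozjs185.so.1.0.0)
   by 0x42F80F: domLink (jsdom.c:1185)
   by 0x424092: encodeTags (html.c:1621)
   by 0x424A50: htmlParse (html.c:2134)
 Address 0x1000045ba is not stack'd, malloc'd or (recently) free'd
"""
LOG_SM24 = """\
Invalid read of size 8
   at 0x571EA32: js::GCMarker::drainMarkStack(js::SliceBudget&) (Heap.h:687)
   by 0x57ACCA9: JS_DefineProperty(JSContext*, JSObject*, char const*, JS::Value) (jsapi.cpp:3734)
   by 0x43A9E1: domLink (jsdom.cpp:1263)
   by 0x429E55: encodeTags (html.c:1447)
   by 0x42C0CB: htmlParse (html.c:2134)
 Address 0xfc0b0 is not stack'd, malloc'd or (recently) free'd
"""

# "at"/"by" frame lines: address, function (possibly with a C++ signature), location.
FRAME_RE = re.compile(r"^\s+(?:at|by) (0x[0-9A-Fa-f]+): (.+?) \(([^()]*)\)$")
ADDR_RE = re.compile(r"^ Address (0x[0-9A-Fa-f]+) is (.+)$")

def parse_report(text: str) -> Dict:
    """Split one valgrind error block into its kind, frames and address note."""
    lines = text.splitlines()
    report = {"kind": lines[0].strip(), "frames": [], "address": None, "note": None}
    for line in lines[1:]:
        m = FRAME_RE.match(line)
        if m:
            # Drop any C++ parameter list so frames compare by bare function name.
            name = m.group(2).split("(")[0].strip()
            report["frames"].append((name, m.group(3)))
            continue
        m = ADDR_RE.match(line)
        if m:
            report["address"], report["note"] = m.group(1), m.group(2)
    return report

def shared_frames(a: Dict, b: Dict) -> List[str]:
    """Function names present on both stacks, in a's order (innermost first)."""
    names_b = {name for name, _ in b["frames"]}
    return [name for name, _ in a["frames"] if name in names_b]

def looks_unmapped(report: Dict) -> bool:
    """True when valgrind places the faulting address in no known allocation."""
    return report["note"] is not None and "not stack'd" in report["note"]

if __name__ == "__main__":
    r1, r2 = parse_report(LOG_SM185), parse_report(LOG_SM24)
    print("common frames:", shared_frames(r1, r2), "unmapped:", looks_unmapped(r1))
```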
