Bug 210567

Summary: crash due to unaligned acces in KJS::Machine::runBlock()
Product: [Applications] konqueror Reporter: Helge Deller <deller>
Component: kjsAssignee: Konqueror Bugs <konqueror-bugs-null>
Status: RESOLVED WORKSFORME    
Severity: crash CC: deller, justin.zobel, maksim
Priority: NOR    
Version First Reported In: unspecified   
Target Milestone: ---   
Platform: Debian testing   
OS: Linux   
Latest Commit: Version Fixed/Implemented In:
Sentry Crash Report:

Description Helge Deller 2009-10-14 17:06:51 UTC 
Version:            (using KDE 4.3.2)
Compiler:          debian gcc 
OS:                Linux
Installed from:    Debian testing/unstable Packages

Konqueror crashes on hppa/Linux when loading a webpage (http://heise.de).
The important part is, that the hppa architecture is sensitive to unaligned accesses, e.g. accessing a 32bit integer at an unaligned address.
This is what happens here:


[533442.488000] Unaligned handler failed, ret = -2                                                                                       
[533442.540000] konqueror (pid 8984): Unaligned data reference (code 28) at 46694df7                                                     
[533442.632000]                                                                                                                          
[533442.632000]      YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI                                                                                    
[533442.632000] PSW: 00000000000001001111111100001011 Tainted: G        W                                                                
[533442.632000] r00-03  0004ff0b 466c85a8 4669925f c0231720                                                                              
[533442.632000] r04-07  003bbd04 002cfdf4 00000007 00000006                                                                              
[533442.632000] r08-11  002cf6c8 007e7178 c0231378 00000000                                                                              
[533442.632000] r12-15  00000004 c023139c c02313f4 c0231430                                                                              
[533442.632000] r16-19  402b0000 003bbaf8 00000000 466cef5c                                                                              
[533442.632000] r20-23  00000001 00000001 00000001 0035e550                                                                              
[533442.632000] r24-27  51f66afc 00332688 00000000 00011b10                                                                              
[533442.632000] r28-31  00000070 00000041 c02318c0 466818c7                                                                              
[533442.632000] sr00-03  00002df0 00002964 00000000 00002df0                                                                             
[533442.632000] sr04-07  00002df0 00002df0 00002df0 00002df0                                                                             
[533442.632000]                                                                                                                          
[533442.632000]       VZOUICununcqcqcqcqcqcrmunTDVZOUI                                                                                   
[533442.632000] FPSR: 00001100001001000000000000000000                                                                                   
[533442.632000] FPER1: 00000000                                                                                                          
[533442.632000] fr00-03  0c24000000000000 0000000000000000 0000000000000000 0000000000000000                                             
[533442.632000] fr04-07  0000000000000000 bff0000000000000 3ff0000000000000 405cc00000000000                                             
[533442.632000] fr08-11  bf8e1e1e1e1e1e1e 0000000000000000 3ff0000000000000 3fe2000000000000                                             
[533442.632000] fr12-15  4183225470000000 4183225470000000 0000000000000000 00000000ffffffff                                             
[533442.632000] fr16-19  0000000000000000 103d16ec11667180 00000000fffff000 8f82f00000000000                                             
[533442.632000] fr20-23  ffffff9c00000002 3b9aca0010452540 bff0000000000000 0000000000000000                                             
[533442.632000] fr24-27  405fc00000000000 0000000000000000 0000000000000000 3ff0000000000000                                             
[533442.632000] fr28-31  3ff0000000000000 3ff0000000000000 3ff0000000000000 0000000000000000                                             
[533442.632000]                                                                                                                          
[533442.632000] IASQ: 00002df0 00002df0 IAOQ: 46694df7 46694dfb                                                                          
[533442.632000]  IIR: 2f850204    ISR: 00002df0  IOR: 002cfe64                                                                           
[533442.632000]  CPU:        0   CR30: 18fb8000 CR31: ffffffff                                                                           
[533442.632000]  ORIG_R28: 00000001                                                                                                      
[533442.632000]  IAOQ[0]: 46694df7                                                                                                       
[533442.632000]  IAOQ[1]: 46694dfb                                                                                                       
[533442.632000]  RP(r2): 4669925f   



kde backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x46694df4 in KJS::Machine::runBlock (exec=0xc0231378, codeBlock=..., parentExec=0x0) at codes.def:127
127     codes.def: No such file or directory.                                                         
        in codes.def                                                                                  
(gdb) kdeinit4: preparing to launch /usr/lib/libkdeinit4_kbuildsycoca4.so                             
<unknown program name>(8554)/ KStartupInfo::createNewStartupId: creating:  "ls3017;1255531984;212000;8554_TIME0" : "unnamed app"
kbuildsycoca4 running...                                                                                                        

(gdb) bt
#0  0x46694df4 in KJS::Machine::runBlock (exec=0xc0231378, codeBlock=..., parentExec=0x0) at codes.def:127
#1  0x46642dc0 in KJS::FunctionBodyNode::execute (this=0x2cfb00, exec=0xc0231378) at ../../kjs/nodes.cpp:928
#2  0x4667d6b4 in KJS::Interpreter::evaluate (this=0x54b608, sourceURL=..., startingLineNumber=1343, code=0x7e6e70, codeLength=317, 
    thisV=0x402b0000) at ../../kjs/interpreter.cpp:556                                                                              
#3  0x4667d800 in KJS::Interpreter::evaluate (this=0x0, sourceURL=..., startingLineNumber=1375103740, code=<value optimized out>,   
    thisV=0x402b0000) at ../../kjs/interpreter.cpp:496                                                                              
#4  0x45f312e8 in KJS::KJSProxyImpl::evaluate (this=0x331ba0, filename=..., baseLine=1343, str=<value optimized out>, n=...,        
    completion=0xc0231128) at ../../khtml/ecma/kjs_proxy.cpp:158                                                                    
#5  0x45c2f170 in KHTMLPart::executeScript (this=0x332688, filename=..., baseLine=1343, n=..., script=...) at ../../khtml/khtml_part.cpp:1329
#6  0x45d15290 in khtml::HTMLTokenizer::scriptExecution (this=0x2c3470, str=..., scriptURL=<value optimized out>, baseLine=1343)
    at ../../khtml/html/htmltokenizer.cpp:501
#7  0x45d16410 in khtml::HTMLTokenizer::scriptHandler (this=0x2c3470) at ../../khtml/html/htmltokenizer.cpp:454
#8  0x45d179bc in khtml::HTMLTokenizer::parseSpecial (this=0x2c3470, src=...) at ../../khtml/html/htmltokenizer.cpp:369
#9  0x45d19884 in khtml::HTMLTokenizer::parseTag (this=0x2c3470, src=...) at ../../khtml/html/htmltokenizer.cpp:1550
#10 0x45d1ac38 in khtml::HTMLTokenizer::write (this=0x2c3470, str=<value optimized out>, appendData=false)
    at ../../khtml/html/htmltokenizer.cpp:1810
#11 0x45cb4e04 in DOM::DocumentImpl::write (this=<value optimized out>, text=...) at ../../khtml/xml/dom_docimpl.cpp:1679
#12 0x45ee6ad4 in KJS::HTMLDocFunction::callAsFunction (this=0x402c10e0, exec=0xc02303f8, thisObj=0xc0230990, args=...)
    at ../../khtml/ecma/kjs_html.cpp:137
#13 0x4667a148 in KJS::JSObject::call (this=0x0, exec=0x332688, thisObj=0x51f66afc, args=...) at ../../kjs/object.cpp:69
#14 0x4669a8d8 in KJS::Machine::runBlock (exec=0xc02303f8, codeBlock=..., parentExec=0x0) at codes.def:1192
#15 0x46642dc0 in KJS::FunctionBodyNode::execute (this=0xa6f0e0, exec=0xc02303f8) at ../../kjs/nodes.cpp:928
#16 0x4667d6b4 in KJS::Interpreter::evaluate (this=0x54b608, sourceURL=..., startingLineNumber=0, code=0x7e37c0, codeLength=3046,
    thisV=0x402b0000) at ../../kjs/interpreter.cpp:556
#17 0x4667d800 in KJS::Interpreter::evaluate (this=0x0, sourceURL=..., startingLineNumber=1375103740, code=<value optimized out>,
    thisV=0x402b0000) at ../../kjs/interpreter.cpp:496
#18 0x45f312e8 in KJS::KJSProxyImpl::evaluate (this=0x331ba0, filename=..., baseLine=0, str=<value optimized out>, n=...,
    completion=0xc02301a8) at ../../khtml/ecma/kjs_proxy.cpp:158
#19 0x45c2f170 in KHTMLPart::executeScript (this=0x332688, filename=..., baseLine=0, n=..., script=...) at ../../khtml/khtml_part.cpp:1329
#20 0x45d15290 in khtml::HTMLTokenizer::scriptExecution (this=0x2c3470, str=..., scriptURL=<value optimized out>, baseLine=0)
    at ../../khtml/html/htmltokenizer.cpp:501
#21 0x45d158b0 in khtml::HTMLTokenizer::notifyFinished (this=0x2c3470) at ../../khtml/html/htmltokenizer.cpp:2122
#22 0x45e77e4c in khtml::CachedScript::checkNotify (this=0xa8bcf8) at ../../khtml/misc/loader.cpp:390
#23 0x45e780fc in khtml::CachedScript::data (this=0xa8bcf8, buffer=<value optimized out>, eof=<value optimized out>)
    at ../../khtml/misc/loader.cpp:382
#24 0x45e76534 in khtml::Loader::slotFinished (this=0x2ad4c0, job=0x826f18) at ../../khtml/misc/loader.cpp:1461
#25 0x45e7f6ac in khtml::Loader::qt_metacall (this=0x2ad4c0, _c=QMetaObject::InvokeMetaMethod, _id=-4, _a=0xc022fac8) at ./loader.moc:130
#26 0x411b1d90 in QMetaObject::activate (sender=0x826f18, from_signal_index=7, to_signal_index=7, argv=0xc022fac8) at kernel/qobject.cpp:3112
#27 0x4217abcc in KJob::result (this=0x0, _t1=0x826f18) at ./kjob.moc:188
#28 0x4217b148 in KJob::emitResult (this=0x826f18) at ../../kdecore/jobs/kjob.cpp:304
#29 0x41443840 in KIO::SimpleJob::slotFinished (this=0x826f18) at ../../kio/kio/job.cpp:477
#30 0x41449c7c in KIO::TransferJob::slotFinished (this=0x826f18) at ../../kio/kio/job.cpp:948
#31 0x4144d2d8 in KIO::TransferJob::qt_metacall (this=0x826f18, _c=QMetaObject::InvokeMetaMethod, _id=7, _a=0xc022f748)
    at ./jobclasses.moc:341
Comment 1 Maksim Orlovich 2009-10-14 17:11:56 UTC 
Well, it's certainly -supposed- to align everything right (it actually even 8-aligns pointers on IA-32), but seems like I screwed it up somewhere...

Any chance you could get a backtrace with -fno-inline or such?
Comment 2 Helge Deller 2009-10-14 18:09:05 UTC 
> Any chance you could get a backtrace with -fno-inline or such?

No, not easily. The backtrace is from the pre-compiled debian packages...

If it helps: The assembler command at 0x46694df4 tries to store a "float" (8-byte alignment needed) to some location. Not sure if that helps though...

0x46694de0 <_ZN3KJS7Machine8runBlockEPNS_9ExecStateERKN3WTF6VectorIhLj0EEES2_+22196>:   extrw,s r20,29,30,r26
0x46694de4 <_ZN3KJS7Machine8runBlockEPNS_9ExecStateERKN3WTF6VectorIhLj0EEES2_+22200>:   stw r26,-10(sp)
0x46694de8 <_ZN3KJS7Machine8runBlockEPNS_9ExecStateERKN3WTF6VectorIhLj0EEES2_+22204>:   fldw -10(sp),fr23
0x46694dec <_ZN3KJS7Machine8runBlockEPNS_9ExecStateERKN3WTF6VectorIhLj0EEES2_+22208>:   fcnvxf,sgl,dbl fr23,fr4
0x46694df0 <_ZN3KJS7Machine8runBlockEPNS_9ExecStateERKN3WTF6VectorIhLj0EEES2_+22212>:   depw,z r6,27,28,ret0
0x46694df4 <_ZN3KJS7Machine8runBlockEPNS_9ExecStateERKN3WTF6VectorIhLj0EEES2_+22216>:   fstd fr4,r5(ret0)
0x46694df8 <_ZN3KJS7Machine8runBlockEPNS_9ExecStateERKN3WTF6VectorIhLj0EEES2_+22220>:   ldw -334(sp),r4
0x46694dfc <_ZN3KJS7Machine8runBlockEPNS_9ExecStateERKN3WTF6VectorIhLj0EEES2_+22224>:   ldw 0(r4),ret0
0x46694e00 <_ZN3KJS7Machine8runBlockEPNS_9ExecStateERKN3WTF6VectorIhLj0EEES2_+22228>:   addil L%800,r19,r1
0x46694e04 <_ZN3KJS7Machine8runBlockEPNS_9ExecStateERKN3WTF6VectorIhLj0EEES2_+22232>:   ldw 1d4(r1),r1
0x46694e08 <_ZN3KJS7Machine8runBlockEPNS_9ExecStateERKN3WTF6VectorIhLj0EEES2_+22236>:   ldw,s ret0(r1),r20
0x46694e0c <_ZN3KJS7Machine8runBlockEPNS_9ExecStateERKN3WTF6VectorIhLj0EEES2_+22240>:   bv,n r0(r20)
0x46694e10 <_ZN3KJS7Machine8runBlockEPNS_9ExecStateERKN3WTF6VectorIhLj0EEES2_+22244>:   ldo c(r4),ret0
0x46694e14 <_ZN3KJS7Machine8runBlockEPNS_9ExecStateERKN3WTF6VectorIhLj0EEES2_+22248>:   stw ret0,-334(sp)
0x46694e18 <_ZN3KJS7Machine8runBlockEPNS_9ExecStateERKN3WTF6VectorIhLj0EEES2_+22252>:   ldw -4(ret0),r20
0x46694e1c <_ZN3KJS7Machine8runBlockEPNS_9ExecStateERKN3WTF6VectorIhLj0EEES2_+22256>:   ldw -32c(sp),r22
0x46694e20 <_ZN3KJS7Machine8runBlockEPNS_9ExecStateERKN3WTF6VectorIhLj0EEES2_+22260>:   ldb r22(r20),r21
0x46694e24 <_ZN3KJS7Machine8runBlockEPNS_9ExecStateERKN3WTF6VectorIhLj0EEES2_+22264>:   cmpiclr,= 0,r21,r0
0x46694e28 <_ZN3KJS7Machine8runBlockEPNS_9ExecStateERKN3WTF6VectorIhLj0EEES2_+22268>:   b,l 0x46699514 <_ZN3KJS7Machine8runBlockEPNS_9ExecStateERKN3WTF6VectorIhLj0EEES2_+40424>,r0
Comment 3 Maksim Orlovich 2009-10-14 20:49:50 UTC 
floats are 32-bit, so why would they need to be 8-byte aligned? The difficulty here is that it's a pretty frequently aligned method, so without knowing where it comes from it'd be very hard to point out what's wrong. In gdb, can you get value of the pc or localPC local variables? Hmm, logging "info locals" might help.
Comment 4 Helge Deller 2009-10-14 23:39:35 UTC 
I said "float" above, but meant actually an 8-byte "double" instead, as the assembler statement reads "fstd fr4,r5(ret0)", which refers to a double...

> In gdb, can you get value of the pc or localPC local variables?

Program received signal SIGSEGV, Segmentation fault.

0x46a94df4 in KJS::Machine::runBlock (exec=0xc0048378, codeBlock=..., parentExec=0x0) at codes.def:127
127     codes.def: No such file or directory.
        in codes.def

(gdb) info locals

localPC = 0x70 <Address 0x70 out of bounds>

fbDestReg = 7

in = 0x1

out = 0

base = 0xab2238 ""

pc = 0xab2450 ""

workList = {_impBase = 0x46acff78}

localStore = 0xab200c

globalObject = 0x40210000

kjsVMOpHandlers = {0x46a97ecc, 0x46a981b8, 0x46a98174, 0x46a981f4, 0x46a94e54, 0x46a94e10, 0x46a8f91c, 0x46a8f920, 0x46a954d0, 0x46a8f980, 0x46a8f984, 0x46a94d0c, 0x46a8f9e4, 0x46a8f9e8, 0x46a94db4, 0x46a94d74, 0x46a9606c, 0x46a95d84, 0x46a95d14, 0x46a95cdc, 0x46a960b0,

  0x46a8fa40, 0x46a8fa44, 0x46a960ec, 0x46a8fa8c, 0x46a8fa90, 0x46a95958, 0x46a8fafc, 0x46a8fb00, 0x46a97f98, 0x46a97f50, 0x46a97f04, 0x46a8fb30, 0x46a8fb34, 0x46a95910, 0x46a8fb78, 0x46a8fb7c, 0x46a95534, 0x46a8fbbc, 0x46a8fbc0, 0x46a954c0, 0x46a954b8, 0x46a954b0,

  0x46a90664, 0x46a95484, 0x46a95448, 0x46a95404, 0x46a953a8, 0x46a9517c, 0x46a95138, 0x46a95760, 0x46a8fbf4, 0x46a8fbf8, 0x46a9524c, 0x46a951b8, 0x46a8fd48, 0x46a8fd4c, 0x46a95b24, 0x46a8fe08, 0x46a8fe0c, 0x46a95700, 0x46a956cc, 0x46a95690, 0x46a9557c, 0x46a95108,

  0x46a950d0, 0x46a90584, 0x46a90588, 0x46a94fbc, 0x46a94f14, 0x46a94ed8, 0x46a94e94, 0x46a905e0, 0x46a905e4, 0x46a95ae8, 0x46a95aa0, 0x46a90618, 0x46a9061c, 0x46a9585c, 0x46a95820, 0x46a8f88c, 0x46a8f890, 0x46a90664, 0x46a9067c, 0x46a90680, 0x46a906fc, 0x46a90700,

  0x46a958ac, 0x46a90784, 0x46a90788, 0x46a909c0, 0x46a909c4, 0x46a90aa0, 0x46a90aa4, 0x46a90cd8, 0x46a90cdc, 0x46a8fe6c, 0x46a8fe70, 0x46a8ff4c, 0x46a8ff50, 0x46a900b4, 0x46a900b8, 0x46a90184, 0x46a90188, 0x46a90288, 0x46a9028c, 0x46a904ac, 0x46a904b0, 0x46a91020,

  0x46a91024, 0x46a95be4, 0x46a95a40, 0x46a90e20, 0x46a90e24, 0x46a957bc, 0x46a95a08, 0x46a959cc, 0x46a95f48, 0x46a95f0c, 0x46a90e58, 0x46a90e5c, 0x46a95f80, 0x46a90ec4, 0x46a90ec8, 0x46a90f20, 0x46a90f24, 0x46a90f80, 0x46a90f84, 0x46a90d9c, 0x46a90da0, 0x46a9186c,

  0x46a91870, 0x46a917c8, 0x46a917cc, 0x46a91818, 0x46a9181c, 0x46a91474, 0x46a91478, 0x46a91518, 0x46a9151c, 0x46a98020, 0x46a97fd0, 0x46a98518, 0x46a91660, 0x46a91664, 0x46a983b4, 0x46a982cc, 0x46a9823c, 0x46a9105c, 0x46a91060, 0x46a91178, 0x46a9117c, 0x46a91298,

  0x46a9129c, 0x46a95dec, 0x46a913b8, 0x46a913bc, 0x46a95c20, 0x46a91414, 0x46a91418, 0x46a95c7c, 0x46a918f8, 0x46a918fc, 0x46a91ae8, 0x46a91aec, 0x46a94078, 0x46a9407c, 0x46a940dc, 0x46a940e0, 0x46a93dc4, 0x46a93dc8, 0x46a93e70, 0x46a93e74, 0x46a96a20, 0x46a93fd4,

  0x46a93fd8, 0x46a93af0, 0x46a93af4, 0x46a9635c, 0x46a962bc, 0x46a93b9c, 0x46a93ba0, 0x46a965a0, 0x46a963f8, 0x46a93be4, 0x46a93be8, 0x46a93ce8, 0x46a93cec, 0x46a93d30, 0x46a93d34, 0x46a93d7c, 0x46a93d80, 0x46a937f0, 0x46a937f4, 0x46a9383c, 0x46a93840, 0x46a96688,

  0x46a969b4, 0x46a93884, 0x46a93888...}
Comment 5 Justin Zobel 2020-12-03 22:02:34 UTC 
Thank you for the report, Helge.

As it has been a while since this was reported, can you please test and confirm if this issue is still occurring or if this bug report can be marked as resolved.

I have set the bug status to "needsinfo" pending your response, please change back to "reported" or "resolved/worksforme" when you respond, thank you.
Comment 6 Bug Janitor Service 2020-12-18 04:34:51 UTC 
Dear Bug Submitter,

This bug has been in NEEDSINFO status with no change for at least
15 days. Please provide the requested information as soon as
possible and set the bug status as REPORTED. Due to regular bug
tracker maintenance, if the bug is still in NEEDSINFO status with
no change in 30 days the bug will be closed as RESOLVED > WORKSFORME
due to lack of needed information.

For more information about our bug triaging procedures please read the
wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

If you have already provided the requested information, please
mark the bug as REPORTED so that the KDE team knows that the bug is
ready to be confirmed.

Thank you for helping us make KDE software even better for everyone!
Comment 7 Bug Janitor Service 2021-01-02 04:34:25 UTC 
This bug has been in NEEDSINFO status with no change for at least
30 days. The bug is now closed as RESOLVED > WORKSFORME
due to lack of needed information.

For more information about our bug triaging procedures please read the
wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

Thank you for helping us make KDE software even better for everyone!