https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61721
Bug ID: 61721
Summary: GCC 4.8-4.10 miscompiles webkit hashing
Product: gcc
Version: 4.10.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c++
Assignee: unassigned at gcc dot gnu.org
Reporter: cand at gmx dot com

GCC 4.8.3 and 4.10 trunk@212302 tested, both broken. According to https://bugreports.qt-project.org/browse/QTBUG-31988 this is a regression and worked in 4.7, but I cannot confirm that as 4.7 can't build current webkit.

Building webkit with current GCC and -O2 or above miscompiles the hashmap/hashtable hashMemory function and perhaps other parts, causing crashes in multiple places. -O1 works fine, as does adding -fno-inline or -fno-strict-aliasing to -O2 or -O3. The affected files produce no warnings with -Wall -Wextra.

Attaching preprocessed source from both failing (-O2) and working (-O2 -fno-inline) cases.

Valgrind output from the failing case:

==5710== Use of uninitialised value of size 8
==5710==    at 0x15395A6: void std::swap<WebCore::StorageAreaImpl*>(WebCore::StorageAreaImpl*&, WebCore::StorageAreaImpl*&) (move.h:175)
==5710==    by 0x153965A: WTF::RefPtr<WebCore::StorageAreaImpl>::operator=(WTF::RefPtr<WebCore::StorageAreaImpl> const&) (RefPtr.h:109)
==5710==    by 0x153BC32: WTF::HashTableAddResult<WTF::HashTableIterator<WTF::RefPtr<WebCore::SecurityOrigin>, WTF::KeyValuePair<WTF::RefPtr<WebCore::SecurityOrigin>, WTF::RefPtr<WebCore::StorageAreaImpl> >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::SecurityOrigin>, WTF::RefPtr<WebCore::StorageAreaImpl> > >, WebCore::SecurityOriginHash, WTF::KeyValuePairHashTraits<WTF::HashTraits<WTF::RefPtr<WebCore::SecurityOrigin> >, WTF::HashTraits<WTF::RefPtr<WebCore::StorageAreaImpl> > >, WTF::HashTraits<WTF::RefPtr<WebCore::SecurityOrigin> > > > WTF::HashTable<WTF::RefPtr<WebCore::SecurityOrigin>, WTF::KeyValuePair<WTF::RefPtr<WebCore::SecurityOrigin>, WTF::RefPtr<WebCore::StorageAreaImpl> >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::SecurityOrigin>, WTF::RefPtr<WebCore::StorageAreaImpl> > >, WebCore::SecurityOriginHash, WTF::KeyValuePairHashTraits<WTF::HashTraits<WTF::RefPtr<WebCore::SecurityOrigin> >, WTF::HashTraits<WTF::RefPtr<WebCore::StorageAreaImpl> > >, WTF::HashTraits<WTF::RefPtr<WebCore::SecurityOrigin> > >::add<WTF::HashMapTranslator<WTF::KeyValuePairHashTraits<WTF::HashTraits<WTF::RefPtr<WebCore::SecurityOrigin> >, WTF::HashTraits<WTF::RefPtr<WebCore::StorageAreaImpl> > >, WebCore::SecurityOriginHash>, WTF::RefPtr<WebCore::SecurityOrigin> const&, WTF::RefPtr<WebCore::StorageAreaImpl>&>(WTF::RefPtr<WebCore::SecurityOrigin> const&, WTF::RefPtr<WebCore::StorageAreaImpl>&) (HashTable.h:858)
==5710==    by 0x153BD19: WTF::HashTableAddResult<WTF::HashTableIterator<WTF::RefPtr<WebCore::SecurityOrigin>, WTF::KeyValuePair<WTF::RefPtr<WebCore::SecurityOrigin>, WTF::RefPtr<WebCore::StorageAreaImpl> >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::SecurityOrigin>, WTF::RefPtr<WebCore::StorageAreaImpl> > >, WebCore::SecurityOriginHash, WTF::KeyValuePairHashTraits<WTF::HashTraits<WTF::RefPtr<WebCore::SecurityOrigin> >, WTF::HashTraits<WTF::RefPtr<WebCore::StorageAreaImpl> > >, WTF::HashTraits<WTF::RefPtr<WebCore::SecurityOrigin> > > > WTF::HashMap<WTF::RefPtr<WebCore::SecurityOrigin>, WTF::RefPtr<WebCore::StorageAreaImpl>, WebCore::SecurityOriginHash, WTF::HashTraits<WTF::RefPtr<WebCore::SecurityOrigin> >, WTF::HashTraits<WTF::RefPtr<WebCore::StorageAreaImpl> > >::inlineAdd<WTF::RefPtr<WebCore::StorageAreaImpl>&>(WTF::RefPtr<WebCore::SecurityOrigin> const&, WTF::RefPtr<WebCore::StorageAreaImpl>&) (RefPtrHashMap.h:207)
==5710==    by 0x153BD50: WTF::HashTableAddResult<WTF::HashTableIterator<WTF::RefPtr<WebCore::SecurityOrigin>, WTF::KeyValuePair<WTF::RefPtr<WebCore::SecurityOrigin>, WTF::RefPtr<WebCore::StorageAreaImpl> >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::SecurityOrigin>, WTF::RefPtr<WebCore::StorageAreaImpl> > >, WebCore::SecurityOriginHash, WTF::KeyValuePairHashTraits<WTF::HashTraits<WTF::RefPtr<WebCore::SecurityOrigin> >, WTF::HashTraits<WTF::RefPtr<WebCore::StorageAreaImpl> > >, WTF::HashTraits<WTF::RefPtr<WebCore::SecurityOrigin> > > > WTF::HashMap<WTF::RefPtr<WebCore::SecurityOrigin>, WTF::RefPtr<WebCore::StorageAreaImpl>, WebCore::SecurityOriginHash, WTF::HashTraits<WTF::RefPtr<WebCore::SecurityOrigin> >, WTF::HashTraits<WTF::RefPtr<WebCore::StorageAreaImpl> > >::set<WTF::RefPtr<WebCore::StorageAreaImpl>&>(WTF::RefPtr<WebCore::SecurityOrigin> const&, WTF::RefPtr<WebCore::StorageAreaImpl>&) (RefPtrHashMap.h:221)
==5710==    by 0x153BE7F: WebCore::StorageNamespaceImpl::storageArea(WTF::PassRefPtr<WebCore::SecurityOrigin>) (StorageNamespaceImpl.cpp:134)
==5710==    by 0x51DFB1: WebCore::DOMWindow::sessionStorage(int&) const (in testapp)
==5710==    by 0x12F60A1: WebCore::jsDOMWindowSessionStorage(JSC::ExecState*, JSC::JSObject*, long, JSC::PropertyName) (in testapp)
==5710==    by 0xD54049: JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const (in testapp)
==5710==    by 0x1B79FE3: llint_slow_path_get_by_id (in testapp)
==5710==    by 0x1B7240A: ??? (in testapp)
==5710==    by 0x1B75747: ??? (in testapp)
==5710==  Uninitialised value was created by a stack allocation
==5710==    at 0x1539270: WebCore::SecurityOriginHash::hash(WTF::RefPtr<WebCore::SecurityOrigin> const&) (SecurityOriginHash.h:50)

The code from SecurityOriginHash:

    static unsigned hash(SecurityOrigin* origin)
    {
        unsigned hashCodes[3] = {
            origin->protocol().impl() ? origin->protocol().impl()->hash() : 0,
            origin->host().impl() ? origin->host().impl()->hash() : 0,
            origin->port()
        };
        return StringHasher::hashMemory<sizeof(hashCodes)>(hashCodes);
    }

There is no way hashCodes[] could be uninitialized. This issue does not manifest on VS and clang, but it could still be some bug in webkit too.
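The report does not name the cause, but the fact that -fno-strict-aliasing makes the crash go away is the classic signature of a buffer that was written as one type and then read back through a pointer of another, non-character type: under the strict aliasing rule the compiler may treat such loads and the stores that filled the buffer as unrelated, and the "uninitialised value" that Valgrind reports is exactly what that looks like at run time. The example below is added here and is not WebKit's code or part of the bug report. It shows how an unsigned[3] stack buffer, built the same way as in SecurityOriginHash::hash(), can be hashed in 16-bit chunks without ever reading it through a 16-bit pointer: every chunk is fetched with memcpy from an unsigned char view, which the standard permits for any object. That WebKit's StringHasher::hashMemory walks its input through a 16-bit character pointer is my assumption, and the FNV-1a mixing used here is a stand-in for StringHasher's algorithm, chosen because it is short and every step is invertible; the names load16, load16Aliased, hashMemorySafe, OriginParts, hashOrigin and hashOriginViaBytes are all mine.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Added example; not WebKit code. Hashing an arbitrary buffer in 16-bit chunks
// without violating the strict aliasing rule.

// Fetch one 16-bit chunk through memcpy. The source is only ever accessed as
// unsigned char, which may alias any object, so this is valid whatever type
// the buffer was declared with; optimising compilers turn it into a single load.
static inline std::uint32_t load16(const unsigned char* p)
{
    std::uint16_t v;
    std::memcpy(&v, p, sizeof v);
    return v;
}

// The pattern strict aliasing forbids, shown for contrast only (never called):
// reading a buffer that is not a uint16_t array through a uint16_t*. At -O2 the
// compiler may assume these loads cannot observe the unsigned[] stores that
// initialised the buffer, which is the behaviour -fno-strict-aliasing masks.
static inline std::uint32_t load16Aliased(const void* data, std::size_t index)
{
    return static_cast<const std::uint16_t*>(data)[index]; // undefined behaviour unless data really is uint16_t[]
}

// FNV-1a style mixing over 16-bit chunks (stand-in for StringHasher's algorithm).
// Each step is xor followed by multiplication by an odd constant, both of which
// are bijections on 32-bit values, so two inputs that differ in one chunk and
// agree elsewhere always hash differently.
std::uint32_t hashMemorySafe(const void* data, std::size_t lengthInBytes)
{
    const unsigned char* p = static_cast<const unsigned char*>(data);
    std::uint32_t h = 0x811C9DC5u;                  // FNV-1a 32-bit offset basis
    std::size_t i = 0;
    for (; i + 2 <= lengthInBytes; i += 2) {        // one 16-bit chunk per step
        h ^= load16(p + i);
        h *= 0x01000193u;                           // FNV-1a 32-bit prime
    }
    if (i < lengthInBytes) {                        // odd trailing byte, if any
        h ^= p[i];
        h *= 0x01000193u;
    }
    return h;
}

// Stand-in for the three values SecurityOriginHash::hash() combines.
struct OriginParts {
    unsigned protocolHash;
    unsigned hostHash;
    unsigned port;
};

// Same shape as the function quoted in the report: fill an unsigned[3] on the
// stack and hash its bytes. Because hashMemorySafe reads through unsigned char,
// the compiler must keep the initialising stores visible to the loads.
std::uint32_t hashOrigin(const OriginParts& o)
{
    unsigned hashCodes[3] = { o.protocolHash, o.hostHash, o.port };
    return hashMemorySafe(hashCodes, sizeof hashCodes);
}

// Cross-check: serialise the same three values into an explicit byte buffer
// first. The result must equal hashOrigin(), since only the object
// representation, not the declared type of the buffer, feeds the hash.
std::uint32_t hashOriginViaBytes(const OriginParts& o)
{
    unsigned values[3] = { o.protocolHash, o.hostHash, o.port };
    unsigned char bytes[sizeof values];
    std::memcpy(bytes, values, sizeof bytes);
    return hashMemorySafe(bytes, sizeof bytes);
}

int main()
{
    // Constructed sample values, not real origin hashes.
    OriginParts a = { 1u, 2u, 80u };
    OriginParts b = { 1u, 2u, 443u };
    std::printf("hashOrigin(a)         = 0x%08X\n", hashOrigin(a));
    std::printf("hashOriginViaBytes(a) = 0x%08X\n", hashOriginViaBytes(a));
    std::printf("hashOrigin(b)         = 0x%08X\n", hashOrigin(b));
    return 0;
}
```

Compile it with -O2 and with -O2 -fno-strict-aliasing; the outputs are identical, because nothing in hashMemorySafe depends on the aliasing assumptions the optimiser is allowed to make. If a hasher in your own tree only behaves with -fno-strict-aliasing, that flag is a diagnostic, not a fix: the portable repair is the memcpy-based load above, which costs nothing on any mainstream compiler.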