119395 2013-08-01 06:05:25 -0700 Crash in JSCell::methodTable under errorDescriptionForValue() 2013-09-05 06:35:26 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Unspecified Unspecified RESOLVED DUPLICATE 120080 http://www.sfgate.com P2 Normal --- 0 peavo webkit-unassigned chris_curtis ggaren jbriance mhahnenberg oliver oldest_to_newest 913725 0 peavo 2013-08-01 06:05:25 -0700 I'm getting a crash (NULL pointer access violation) in JavaScriptCore. This is the stacktrace: JavaScriptCore.dll!JSC::JSCell::methodTable() Line 157 C++ JavaScriptCore.dll!JSC::errorDescriptionForValue(JSC::ExecState * exec, JSC::JSValue v) Line 112 + 0xe bytes C++ JavaScriptCore.dll!JSC::createError(JSC::ExecState * exec, JSC::JSObject * (JSC::ExecState *, const WTF::String &)* errorFactory, JSC::JSValue value, const WTF::String & message) Line 117 + 0x24 bytes C++ JavaScriptCore.dll!JSC::createNotAnObjectError(JSC::ExecState * exec, JSC::JSValue value) Line 141 + 0x28 bytes C++ JavaScriptCore.dll!JSC::JSValue::synthesizePrototype(JSC::ExecState * exec) Line 111 + 0xe bytes C++ JavaScriptCore.dll!JSC::JSValue::get(JSC::ExecState * exec, unsigned int propertyName, JSC::PropertySlot & slot) Line 660 C++ JavaScriptCore.dll!JSC::getByVal(JSC::ExecState * callFrame, JSC::JSValue baseValue, JSC::JSValue subscript, JSC::ReturnAddressPtr returnAddress) Line 1542 C++ JavaScriptCore.dll!cti_op_get_by_val_generic(void * * args) Line 1603 C++ 0c192fce() JavaScriptCore.dll!JSC::JITCode::execute(JSC::JSStack * stack, JSC::ExecState * callFrame, JSC::VM * vm) Line 46 + 0x20 bytes C++ JavaScriptCore.dll!JSC::Interpreter::execute(JSC::ProgramExecutable * program, JSC::ExecState * callFrame, JSC::JSObject * thisObj) Line 856 + 0x2d bytes C++ JavaScriptCore.dll!JSC::evaluate(JSC::ExecState * exec, const JSC::SourceCode & source, JSC::JSValue thisValue, JSC::JSValue * returnedException) Line 85 C++ WebKit.dll!WebCore::JSMainThreadExecState::evaluate(JSC::ExecState * exec, const JSC::SourceCode & source, JSC::JSValue thisValue, JSC::JSValue * exception) Line 74 + 0x1b bytes C++ WebKit.dll!WebCore::ScriptController::evaluateInWorld(const WebCore::ScriptSourceCode & sourceCode, WebCore::DOMWrapperWorld * world) Line 142 + 0x34 bytes C++ WebKit.dll!WebCore::ScriptController::evaluate(const WebCore::ScriptSourceCode & sourceCode) Line 158 + 0x40 bytes C++ WebKit.dll!WebCore::ScriptElement::executeScript(const WebCore::ScriptSourceCode & sourceCode) Line 316 + 0x16 bytes C++ WebKit.dll!WebCore::ScriptRunner::timerFired(WebCore::Timer<WebCore::ScriptRunner> * timer) Line 121 + 0x2a5 bytes C++ WebKit.dll!WebCore::Timer<WebCore::ProgressTracker>::fired() Line 114 + 0xb bytes C++ WebKit.dll!WebCore::ThreadTimers::sharedTimerFiredInternal() Line 132 C++ WebKit.dll!WebCore::TimerWindowWndProc(HWND__ * hWnd, unsigned int message, unsigned int wParam, long lParam) Line 111 C++ 913726 1 207921 peavo 2013-08-01 06:10:55 -0700 Created attachment 207921 Patch 913751 2 207921 ggaren 2013-08-01 08:45:37 -0700 Comment on attachment 207921 Patch Can you provide a test case for this? I don't think checking isEmpty() here is right. Generally, JSValue() is not a valid value to use in the JIT or to pass to a runtime function. It's like a null pointer. 913875 3 mhahnenberg 2013-08-01 14:41:47 -0700 Can you give us steps to reproduce the issue? Then we can help you investigate! 914098 4 peavo 2013-08-02 05:33:39 -0700 (In reply to comment #3) > Can you give us steps to reproduce the issue? Then we can help you investigate! I don't have a reduced testcase, but I'm consistently getting the crash on many sites, e.g. www.sfgate.com. I'm running on Windows (WinCairo) though, so I'm not sure you will see the same crash if you're on OSX. 917952 5 208924 peavo 2013-08-16 07:30:53 -0700 Created attachment 208924 Patch 917953 6 peavo 2013-08-16 07:33:33 -0700 I'm frequently getting this crash. Trying another patch, but I assume it's not sufficient, as it doesn't address the root cause of the crash, but only avoids it :) I have not yet been able to figure out the origin of the empty JSValue. 917956 7 mhahnenberg 2013-08-16 08:06:55 -0700 (In reply to comment #6) > I'm frequently getting this crash. Trying another patch, but I assume it's not sufficient, as it doesn't address the root cause of the crash, but only avoids it :) I have not yet been able to figure out the origin of the empty JSValue. The original backtrace seems to indicate that you got the empty JSValue from inside the baseline JIT (cti_op_blah_blah_blah is a baseline JIT stub). Have you tried disabling the JITs to see if the issue goes away? You can do this by setting "useJIT() = false;" in Options::initialize in Options.cpp and recompiling. If that makes the problem go away then try just disabling the top tier JIT by setting "useDFGJIT() = false;" in the same manner (and removing "useJIT() = false;" where you added it previously). These experiments will tell us which execution engine (the LLInt, the baseline JIT, or the DFG JIT) is responsible for the empty JSValue you're seeing. This all should take < 5 minutes to build both versions. How long does it usually take to see this crash when browsing around the web? 918051 8 peavo 2013-08-16 11:51:29 -0700 (In reply to comment #7) > (In reply to comment #6) > > I'm frequently getting this crash. Trying another patch, but I assume it's not sufficient, as it doesn't address the root cause of the crash, but only avoids it :) I have not yet been able to figure out the origin of the empty JSValue. > > The original backtrace seems to indicate that you got the empty JSValue from inside the baseline JIT (cti_op_blah_blah_blah is a baseline JIT stub). Have you tried disabling the JITs to see if the issue goes away? You can do this by setting "useJIT() = false;" in Options::initialize in Options.cpp and recompiling. If that makes the problem go away then try just disabling the top tier JIT by setting "useDFGJIT() = false;" in the same manner (and removing "useJIT() = false;" where you added it previously). These experiments will tell us which execution engine (the LLInt, the baseline JIT, or the DFG JIT) is responsible for the empty JSValue you're seeing. > > This all should take < 5 minutes to build both versions. How long does it usually take to see this crash when browsing around the web? Thanks for the response! I tried setting "useJIT() = false;", but I get the same crash. I believe both LLInt and the DFG JIT is disabled on Windows, so I guess there's no fallback, so baseline JIT is used regardless? I get the same stacktrace with cti_op_get_by_val_generic, which indicates this. Should I try to enable the DFG JIT? I usually see the crash quickly (within minutes or less) when browsing around. It happens every time when I visit www.sfgate.com. 918060 9 208924 darin 2013-08-16 12:07:07 -0700 Comment on attachment 208924 Patch This seems wrong. It’s not correct to call this with an empty JSValue. Where is that happening? 918065 10 peavo 2013-08-16 12:15:20 -0700 (In reply to comment #9) > (From update of attachment 208924 [details]) > This seems wrong. It’s not correct to call this with an empty JSValue. Where is that happening? I get it every time on www.sfgate.com (Windows). 921695 11 jbriance 2013-08-27 15:18:59 -0700 Seems to be a duplicate of https://bugs.webkit.org/show_bug.cgi?id=120080 921737 12 208924 ggaren 2013-08-27 16:47:54 -0700 Comment on attachment 208924 Patch We really need to figure out why these values are NULL. They shouldn't be. 921889 13 jbriance 2013-08-28 02:30:06 -0700 (In reply to comment #10) > I get it every time on www.sfgate.com (Windows). Could you test the patch I've just submitted in https://bugs.webkit.org/show_bug.cgi?id=120080 and give your feedback with your Windows build please? 924993 14 peavo 2013-09-05 06:35:26 -0700 Thanks alot, that patch did the trick :) *** This bug has been marked as a duplicate of bug 120080 *** 207921 2013-08-01 06:10:55 -0700 2013-08-16 07:30:46 -0700 Patch bug-119395-20130801151042.patch text/plain 1216 peavo SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTUzNTgyKQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDEzIEBA CisyMDEzLTA4LTAxICBwZWF2b0BvdXRsb29rLmNvbSAgPHBlYXZvQG91dGxvb2suY29tPgorCisg ICAgICAgIEphdmFTY3JpcHQgY3Jhc2guCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3Jn L3Nob3dfYnVnLmNnaT9pZD0xMTkzOTUKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9P UFMhKS4KKworICAgICAgICAqIHJ1bnRpbWUvRXhjZXB0aW9uSGVscGVycy5jcHA6CisgICAgICAg IChKU0M6OmVycm9yRGVzY3JpcHRpb25Gb3JWYWx1ZSk6IEhhbmRsZSB0aGUgY2FzZSB3aGVyZSBK U1ZhbHVlIGlzIGVtcHR5LgorCiAyMDEzLTA3LTMxICBHYXZpbiBCYXJyYWNsb3VnaCAgPGJhcnJh Y2xvdWdoQGFwcGxlLmNvbT4KIAogICAgICAgICBNb3JlIGNsZWFudXAgaW4gUHJvcGVydHlTbG90 CkluZGV4OiBTb3VyY2UvSmF2YVNjcmlwdENvcmUvcnVudGltZS9FeGNlcHRpb25IZWxwZXJzLmNw cAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09Ci0tLSBTb3VyY2UvSmF2YVNjcmlwdENvcmUvcnVudGltZS9FeGNlcHRpb25I ZWxwZXJzLmNwcAkocmV2aXNpb24gMTUzNTc2KQorKysgU291cmNlL0phdmFTY3JpcHRDb3JlL3J1 bnRpbWUvRXhjZXB0aW9uSGVscGVycy5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTg5LDYgKzg5LDgg QEAgSlNTdHJpbmcqIGVycm9yRGVzY3JpcHRpb25Gb3JWYWx1ZShFeGVjUwogICAgIFZNJiB2bSA9 IGV4ZWMtPnZtKCk7CiAgICAgaWYgKHYuaXNOdWxsKCkpCiAgICAgICAgIHJldHVybiB2bS5zbWFs bFN0cmluZ3MubnVsbFN0cmluZygpOworICAgIGlmICh2LmlzRW1wdHkoKSkKKyAgICAgICAgcmV0 dXJuIHZtLnNtYWxsU3RyaW5ncy5udWxsU3RyaW5nKCk7CiAgICAgaWYgKHYuaXNVbmRlZmluZWQo KSkKICAgICAgICAgcmV0dXJuIHZtLnNtYWxsU3RyaW5ncy51bmRlZmluZWRTdHJpbmcoKTsKICAg ICBpZiAodi5pc0ludDMyKCkpCg== 208924 2013-08-16 07:30:53 -0700 2013-08-27 16:47:54 -0700 Patch bug-119395-20130816163016.patch text/plain 1627 peavo SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTU0MTc4KQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDEyIEBA CisyMDEzLTA4LTE2ICBwZWF2b0BvdXRsb29rLmNvbSAgPHBlYXZvQG91dGxvb2suY29tPgorCisg ICAgICAgIDxodHRwczovL3dlYmtpdC5vcmcvYi8xMTkzOTU+IENyYXNoIGluIEpTQ2VsbDo6bWV0 aG9kVGFibGUgdW5kZXIgZXJyb3JEZXNjcmlwdGlvbkZvclZhbHVlKCkKKworICAgICAgICBSZXZp ZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICAqIHJ1bnRpbWUvRXhjZXB0aW9uSGVs cGVycy5jcHA6CisgICAgICAgIChKU0M6OmNyZWF0ZUVycm9yKTogQXZvaWQgY2FsbGluZyBlcnJv ckRlc2NyaXB0aW9uRm9yVmFsdWUoKSBtZXRob2Qgd2hlbiBKU1ZhbHVlIGlzIGVtcHR5LgorCiAy MDEzLTA4LTE2ICBCYWxhenMgS2lsdmFkeSAgPGtpbHZhZHliQGhvbWVqaW5uaS5jb20+CiAKICAg ICAgICAgPGh0dHBzOi8vd2Via2l0Lm9yZy9iLzExOTc0Mj4gUkVHUkVTU0lPTihGVEwpOiBGaXgg cmVnaXN0ZXIgdXNhZ2UgaW4gbWlwcyBpbXBsZW1lbnRhdGlvbiBvZiBjdGlWTUhhbmRsZUV4Y2Vw dGlvbgpJbmRleDogU291cmNlL0phdmFTY3JpcHRDb3JlL3J1bnRpbWUvRXhjZXB0aW9uSGVscGVy cy5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PQotLS0gU291cmNlL0phdmFTY3JpcHRDb3JlL3J1bnRpbWUvRXhjZXB0 aW9uSGVscGVycy5jcHAJKHJldmlzaW9uIDE1NDE2MykKKysrIFNvdXJjZS9KYXZhU2NyaXB0Q29y ZS9ydW50aW1lL0V4Y2VwdGlvbkhlbHBlcnMuY3BwCSh3b3JraW5nIGNvcHkpCkBAIC0xMTIsNyAr MTEyLDkgQEAgSlNTdHJpbmcqIGVycm9yRGVzY3JpcHRpb25Gb3JWYWx1ZShFeGVjUwogICAgIAog SlNPYmplY3QqIGNyZWF0ZUVycm9yKEV4ZWNTdGF0ZSogZXhlYywgRXJyb3JGYWN0b3J5IGVycm9y RmFjdG9yeSwgSlNWYWx1ZSB2YWx1ZSwgY29uc3QgU3RyaW5nJiBtZXNzYWdlKQogewotICAgIFN0 cmluZyBlcnJvck1lc3NhZ2UgPSBtYWtlU3RyaW5nKGVycm9yRGVzY3JpcHRpb25Gb3JWYWx1ZShl eGVjLCB2YWx1ZSktPnZhbHVlKGV4ZWMpLCAiICIsIG1lc3NhZ2UpOworICAgIFN0cmluZyBlcnJv ck1lc3NhZ2U7CisgICAgaWYgKCF2YWx1ZS5pc0VtcHR5KCkpCisgICAgICAgIGVycm9yTWVzc2Fn ZSA9IG1ha2VTdHJpbmcoZXJyb3JEZXNjcmlwdGlvbkZvclZhbHVlKGV4ZWMsIHZhbHVlKS0+dmFs dWUoZXhlYyksICIgIiwgbWVzc2FnZSk7CiAgICAgSlNPYmplY3QqIGV4Y2VwdGlvbiA9IGVycm9y RmFjdG9yeShleGVjLCBlcnJvck1lc3NhZ2UpOwogICAgIEFTU0VSVChleGNlcHRpb24tPmlzRXJy b3JJbnN0YW5jZSgpKTsKICAgICBzdGF0aWNfY2FzdDxFcnJvckluc3RhbmNlKj4oZXhjZXB0aW9u KS0+c2V0QXBwZW5kU291cmNlVG9NZXNzYWdlKCk7Cg==