122445 2013-10-07 04:11:43 -0700 Crash while browsing GitHub 2014-01-27 15:43:35 -0800 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED InRadar P1 Normal --- 1 berto webkit-unassigned cgarcia fpizlo ggaren mark.lam webkit-bug-importer oldest_to_newest 937018 0 berto 2013-10-07 04:11:43 -0700 This happens with MiniBrowser and the latest trunk (r157033) when loading https://github.com/WebKit/webkit Program received signal SIGTRAP, Trace/breakpoint trap. 0x00007fa601ed6f26 in ?? () #0 0x00007fa601ed6f26 in ?? () #1 0x00007fa5f1797f98 in ?? () #2 0x000000000000000a in ?? () #3 0x0000000002a2b688 in ?? () #4 0x0000000002a2f210 in ?? () #5 0x00007fa601ec3b66 in ?? () #6 0x00007fa5dae68820 in ?? () #7 0x00007fff449589c0 in ?? () #8 0x00007fa653647e34 in JSC::MacroAssemblerCodeRef::operator! (this=0x0) at ../../Source/JavaScriptCore/assembler/MacroAssemblerCodeRef.h:409 #9 0x00007fa6536476f6 in JSC::JITCode::execute (this=0x3af8050, stack=0x26fd8f8, callFrame=0x7fa5f1797f98, vm=0x281b9a0) at ../../Source/JavaScriptCore/jit/JITCode.cpp:46 #10 0x00007fa6536303a8 in JSC::Interpreter::executeCall (this=0x26fd8e0, callFrame=0x7fa60010f4b0, function=0x7fa5db3e4e30, callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:957 #11 0x00007fa653728a42 in JSC::call (exec=0x7fa60010f4b0, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/runtime/CallData.cpp:39 #12 0x00007fa64f26d334 in WebCore::JSMainThreadExecState::call (exec=0x7fa60010f4b0, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/WebCore/bindings/js/JSMainThreadExecState.h:53 #13 0x00007fa64f2973f5 in WebCore::JSEventListener::handleEvent (this=0x2e412d0, scriptExecutionContext=0x36a4900, event=0x27e21f0) at ../../Source/WebCore/bindings/js/JSEventListener.cpp:133 #14 0x00007fa64f54a45f in WebCore::EventTarget::fireEventListeners (this=0x36a4850, event=0x27e21f0, d=0x3169240, entry=...) at ../../Source/WebCore/dom/EventTarget.cpp:277 #15 0x00007fa64f54a177 in WebCore::EventTarget::fireEventListeners (this=0x36a4850, event=0x27e21f0) at ../../Source/WebCore/dom/EventTarget.cpp:233 #16 0x00007fa64f5744c9 in WebCore::Node::handleLocalEvents (this=0x36a4850, event=0x27e21f0) at ../../Source/WebCore/dom/Node.cpp:2067 #17 0x00007fa64f53deca in WebCore::EventContext::handleLocalEvents (this=0x3a55570, event=0x27e21f0) at ../../Source/WebCore/dom/EventContext.cpp:58 #18 0x00007fa64f53f9f9 in WebCore::EventDispatcher::dispatchEventAtTarget (this=0x7fff449590b0) at ../../Source/WebCore/dom/EventDispatcher.cpp:160 #19 0x00007fa64f53f248 in WebCore::EventDispatcher::dispatch (this=0x7fff449590b0) at ../../Source/WebCore/dom/EventDispatcher.cpp:121 #20 0x00007fa64f53e4ed in WebCore::EventDispatchMediator::dispatchEvent (this=0x36add90, dispatcher=0x7fff449590b0) at ../../Source/WebCore/dom/EventDispatchMediator.cpp:54 #21 0x00007fa64f53e77a in WebCore::EventDispatcher::dispatchEvent (node=0x36a4850, mediator=...) at ../../Source/WebCore/dom/EventDispatcher.cpp:52 #22 0x00007fa64f57466d in WebCore::Node::dispatchEvent (this=0x36a4850, event=...) at ../../Source/WebCore/dom/Node.cpp:2088 #23 0x00007fa64f4e1623 in WebCore::Document::finishedParsing (this=0x36a4850) at ../../Source/WebCore/dom/Document.cpp:4438 #24 0x00007fa64f797371 in WebCore::HTMLConstructionSite::finishedParsing (this=0x36ad538) at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:352 #25 0x00007fa64f7cf793 in WebCore::HTMLTreeBuilder::finished (this=0x36ad520) at ../../Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2908 #26 0x00007fa64f79e5ac in WebCore::HTMLDocumentParser::end (this=0x36ac790) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:758 #27 0x00007fa64f79e699 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x36ac790) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:769 #28 0x00007fa64f79d27c in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x36ac790) 937024 1 cgarcia 2013-10-07 05:08:54 -0700 This looks like a JSC crash. 937025 2 cgarcia 2013-10-07 05:10:21 -0700 And it's not specific to WebKit2 either, it crashes for me with GtkLauncher too. 937100 3 ap 2013-10-07 09:43:46 -0700 I could reproduce this page crash with a reload on Mac, but the stack trace wasn't very helpful. Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 ??? 0x0000599bcb97cd32 0 + 98525670526258 1 com.apple.JavaScriptCore 0x000000010716c047 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::VM*) + 71 (JITCode.cpp:46) 2 com.apple.JavaScriptCore 0x000000010714f12f JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1455 (Interpreter.cpp:957) 3 com.apple.JavaScriptCore 0x0000000106ed2b6e JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 190 (CallData.cpp:39) 937101 4 ap 2013-10-07 09:44:01 -0700 <rdar://problem/15166040> 937191 5 mark.lam 2013-10-07 12:39:55 -0700 After a lot of tries on a debug build of r157033, I am able to get a crash in JITted code, but not at JSC::MacroAssemblerCodeRef::operator!(). The crash (at least the one I reproduced) seems to be intermittent. It didn't reproduce for many tries initially, but seems to reproduce more consistently now. 937201 6 mark.lam 2013-10-07 12:56:50 -0700 On r157033, here's the crash I'm actually seeing: Program received signal SIGTRAP, Trace/breakpoint trap. 0x00005a8339477d26 in ?? () (gdb) bt #0 0x00005a8339477d26 in ?? () #1 0x00000001103515f7 in JSC::JITCode::execute (this=0x7fc8a29b4af0, stack=0x7fc89d804ba8, callFrame=0x11d4aff98, vm=0x7fc89e026c00) at /Volumes/Data/ws7/OpenSource/Source/JavaScriptCore/jit/JITCode.cpp:46 #2 0x000000011033474f in JSC::Interpreter::executeCall (this=0x7fc89d804b90, callFrame=0x11d4feab0, function=0x11e1f4930, callType=JSC::CallTypeJS, callData=@0x7fff5152e038, thisValue={static numberOfInt52Bits = <optimized out>, static int52ShiftAmount = <optimized out>, u = {asInt64 = 4787337872, ptr = 0x11d58fa90, asBits = {payload = 492370576, tag = 1}}}, args=@0x7fff5152df38) at /Volumes/Data/ws7/OpenSource/Source/JavaScriptCore/interpreter/Interpreter.cpp:957 #3 0x00000001100b0a5e in JSC::call (exec=0x11d4feab0, functionObject={static numberOfInt52Bits = <optimized out>, static int52ShiftAmount = <optimized out>, u = {asInt64 = 4800334128, ptr = 0x11e1f4930, asBits = {payload = 505366832, tag = 1}}}, callType=JSC::CallTypeJS, callData=@0x7fff5152e038, thisValue={static numberOfInt52Bits = <optimized out>, static int52ShiftAmount = <optimized out>, u = {asInt64 = 4787337872, ptr = 0x11d58fa90, asBits = {payload = 492370576, tag = 1}}}, args=@0x7fff5152df38) at /Volumes/Data/ws7/OpenSource/Source/JavaScriptCore/runtime/CallData.cpp:39 #4 0x000000011210576b in WebCore::JSMainThreadExecState::call (exec=0x11d4feab0, functionObject={static numberOfInt52Bits = <optimized out>, static int52ShiftAmount = <optimized out>, u = {asInt64 = 4800334128, ptr = 0x11e1f4930, asBits = {payload = 505366832, tag = 1}}}, callType=JSC::CallTypeJS, callData=@0x7fff5152e038, thisValue={static numberOfInt52Bits = <optimized out>, static int52ShiftAmount = <optimized out>, u = {asInt64 = 4787337872, ptr = 0x11d58fa90, asBits = {payload = 492370576, tag = 1}}}, args=@0x7fff5152df38) at JSMainThreadExecState.h:53 #5 0x000000011223b53f in WebCore::JSEventListener::handleEvent (this=0x7fc89aca4410, scriptExecutionContext=0x7fc89b0b92b0, event=0x7fc8a29bb7c0) at /Volumes/Data/ws7/OpenSource/Source/WebCore/bindings/js/JSEventListener.cpp:132 #6 0x0000000111baf3b2 in WebCore::EventTarget::fireEventListeners (this=0x7fc89b0b9200, event=0x7fc8a29bb7c0, d=0x7fc8a16dbdd0, entry=@0x7fc89ac1c850) at /Volumes/Data/ws7/OpenSource/Source/WebCore/dom/EventTarget.cpp:277 ... (gdb) x /20i $pc 0x5a8339477d27: int3 0x5a8339477d28: int3 0x5a8339477d29: int3 0x5a8339477d2a: int3 0x5a8339477d2b: int3 0x5a8339477d2c: mov %rsp,%rdi 0x5a8339477d2f: mov %r13,0x58(%rsp) 0x5a8339477d34: movl $0x80000001,0x34(%r13) 0x5a8339477d3c: mov $0x11036c320,%r11 0x5a8339477d46: callq *%r11 0x5a8339477d49: jmpq 0x5a8339477b8d 0x5a8339477d4e: pop %rcx 0x5a8339477d4f: mov %rcx,0x10(%r13) 0x5a8339477d53: mov $0x7fc89bdd0140,%r11 0x5a8339477d5d: mov %r11,0x8(%r13) 0x5a8339477d61: mov 0x30(%r13),%edx 0x5a8339477d65: cmp $0x2,%edx 0x5a8339477d68: jae 0x5a8339477b73 0x5a8339477d6e: mov %rsp,%rdi 0x5a8339477d71: mov %r13,0x58(%rsp) This issue may be related to https://bugs.webkit.org/show_bug.cgi?id=122462. 937288 7 mark.lam 2013-10-07 17:24:16 -0700 (In reply to comment #6) > This issue may be related to https://bugs.webkit.org/show_bug.cgi?id=122462. Filip said that the int3 is just the way the DFG fails an assertion. Hence, these issues may not be related at all. 937535 8 mark.lam 2013-10-08 08:56:03 -0700 It appears that the crash started manifesting after we allow JIT inlining in debug builds: http://trac.webkit.org/changeset/155889. I verified that the crash does not manifest in r155888. 937764 9 mark.lam 2013-10-08 17:23:01 -0700 With the help of some JIT probes sprinkled at all the call sites of breakpoint() and bail() in the DFG, we find that the SIGTRAP is due to "!m_state.isValid()" in SpeculativeJIT::compileCurrentBlock() (in DFGSpeculativeJIT.cpp). Again, this only happens if DFG inlining is enabled. 937880 10 berto 2013-10-09 04:32:54 -0700 (In reply to comment #8) > It appears that the crash started manifesting after we allow JIT > inlining in debug builds: http://trac.webkit.org/changeset/155889. > I verified that the crash does not manifest in r155888. Yes, I can confirm it too. Thanks! 937902 11 cgarcia 2013-10-09 06:30:20 -0700 (In reply to comment #10) > (In reply to comment #8) > > It appears that the crash started manifesting after we allow JIT > > inlining in debug builds: http://trac.webkit.org/changeset/155889. > > I verified that the crash does not manifest in r155888. > > Yes, I can confirm it too. Thanks! It still crashes for me even after reverting r155889, with a release build. 957656 12 berto 2013-12-08 10:21:35 -0800 This seems to be working fine now. Carlos, can you double-check? 958264 13 cgarcia 2013-12-10 03:16:42 -0800 (In reply to comment #12) > This seems to be working fine now. > > Carlos, can you double-check? Seems to work fine now :-)