129969 2014-03-08 08:15:44 -0800 32-bit x86 handleUncaughtException returns to wrong location after a stack overflow 2014-03-08 11:17:17 -0800 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 129318 1 mark.lam mark.lam commit-queue fpizlo ggaren mhahnenberg mmirman msaboff oliver webkit-bug-importer oldest_to_newest 988557 0 mark.lam 2014-03-08 08:15:44 -0800 I haven't isolated the root cause yet, but here's what I'm seeing while running stress/recurse-infinitely-on-getter.js test with the JIT enable (it runs fine with only the LLINT): Stack trace 1: before handleUncaughtException returns: (lldb) bt 15 * thread #1: tid = 0xaadf21, 0x006164eb JavaScriptCore`handleUncaughtException + 39, queue = 'com.apple.main-thread', stop reason = instruction step into * frame #0: 0x006164eb JavaScriptCore`handleUncaughtException + 39 frame #1: 0xbfc1fa10 frame #2: 0x0048ccca JavaScriptCore`JSC::Interpreter::executeCall(this=0x03839b20, callFrame=0xbfc1fe58, function=0x01f8dc10, callType=CallTypeJS, callData=0xbfc1fbe0, thisValue=JSValue at 0xbfc1fb14, args=0xbfc1fbc0) + 1482 at Interpreter.cpp:994 frame #3: 0x000f816d JavaScriptCore`JSC::call(exec=0xbfc1fe58, functionObject=JSValue at 0xbfc1fb84, callType=CallTypeJS, callData=0xbfc1fbe0, thisValue=JSValue at 0xbfc1fb94, args=0xbfc1fbc0) + 253 at CallData.cpp:39 frame #4: 0x004112e9 JavaScriptCore`JSC::callGetter(exec=0xbfc1fe58, base=JSValue at 0xbfc1fc14, getterSetter=JSValue at 0xbfc1fc1c) + 313 at GetterSetter.cpp:61 frame #5: 0x007548f2 JavaScriptCore`JSC::PropertySlot::functionGetter(this=0xbfc1fdb8, exec=0xbfc1fe58) const + 194 at PropertySlot.cpp:32 frame #6: 0x0006e59f JavaScriptCore`JSC::PropertySlot::getValue(this=0xbfc1fdb8, exec=0xbfc1fe58, propertyName=PropertyName at 0xbfc1fce8) const + 239 at JSObject.h:1564 frame #7: 0x00092f15 JavaScriptCore`JSC::JSValue::get(this=0xbfc1fdd8, exec=0xbfc1fe58, propertyName=PropertyName at 0xbfc1fd58, slot=0xbfc1fdb8) const + 357 at JSCJSValueInlines.h:670 frame #8: 0x004c1240 JavaScriptCore`operationGetByIdBuildList(exec=0xbfc1fe58, stubInfo=0x01a33120, base=-21441347712, uid=0x0383aa60) + 256 at JITOperations.cpp:140 frame #9: 0x01f649b1 frame #10: 0x00615dc4 JavaScriptCore`callToJavaScript + 292 frame #11: 0x004afd60 JavaScriptCore`JSC::JITCode::execute(this=0x01a33740, vm=0x022b5600, protoCallFrame=0xbfc20010) + 64 at JITCode.cpp:47 frame #12: 0x0048ccca JavaScriptCore`JSC::Interpreter::executeCall(this=0x03839b20, callFrame=0xbfc203f8, function=0x01f8dc10, callType=CallTypeJS, callData=0xbfc20180, thisValue=JSValue at 0xbfc200b4, args=0xbfc20160) + 1482 at Interpreter.cpp:994 frame #13: 0x000f816d JavaScriptCore`JSC::call(exec=0xbfc203f8, functionObject=JSValue at 0xbfc20124, callType=CallTypeJS, callData=0xbfc20180, thisValue=JSValue at 0xbfc20134, args=0xbfc20160) + 253 at CallData.cpp:39 frame #14: 0x004112e9 JavaScriptCore`JSC::callGetter(exec=0xbfc203f8, base=JSValue at 0xbfc201b4, getterSetter=JSValue at 0xbfc201bc) + 313 at GetterSetter.cpp:61 Stack trace 2: after handleUncaughtException returns (by stepping thru the "retl" instruction in handleUncaughtException): (lldb) Process 25830 stopped * thread #1: tid = 0xaadf21, 0x006164f5 JavaScriptCore`handleUncaughtException + 49, queue = 'com.apple.main-thread', stop reason = instruction step into frame #0: 0x006164f5 JavaScriptCore`handleUncaughtException + 49 JavaScriptCore`handleUncaughtException + 49: -> 0x6164f5: retl JavaScriptCore`llint_op_enter: 0x6164f6: movl %esp, %ecx 0x6164f8: andl $0xf, %ecx 0x6164fb: testl %ecx, %ecx (lldb) Process 25830 stopped * thread #1: tid = 0xaadf21, 0x0005ff2f JavaScriptCore`JSC::Heap::heap(cell=0x01f8dc10) + 31 at Heap.h:398, queue = 'com.apple.main-thread', stop reason = instruction step into frame #0: 0x0005ff2f JavaScriptCore`JSC::Heap::heap(cell=0x01f8dc10) + 31 at Heap.h:398 395 396 inline Heap* Heap::heap(const JSCell* cell) 397 { -> 398 return MarkedBlock::blockFor(cell)->heap(); 399 } 400 401 inline Heap* Heap::heap(const JSValue v) (lldb) bt 15 * thread #1: tid = 0xaadf21, 0x0005ff2f JavaScriptCore`JSC::Heap::heap(cell=0x01f8dc10) + 31 at Heap.h:398, queue = 'com.apple.main-thread', stop reason = instruction step into * frame #0: 0x0005ff2f JavaScriptCore`JSC::Heap::heap(cell=0x01f8dc10) + 31 at Heap.h:398 frame #1: 0x0006ec80 JavaScriptCore`JSC::JSCell::classInfo(this=0x00aab93c) const + 64 at JSDestructibleObject.h:36 (lldb) The stack pointer appears to be messed up somewhere in the process of getting to handleUncaughtExceptions. 988558 1 mark.lam 2014-03-08 08:19:17 -0800 <rdar://problem/16270160> 988559 2 mark.lam 2014-03-08 08:35:32 -0800 Looks like the 32-bit version of handleUncaughtException isn't handling an edge case for stack overflows that the 64-bit version does. Now testing the solution. 988560 3 226215 mark.lam 2014-03-08 08:50:04 -0800 Created attachment 226215 the patch. 988565 4 226215 ggaren 2014-03-08 10:45:18 -0800 Comment on attachment 226215 the patch. r=me 988580 5 226215 commit-queue 2014-03-08 11:17:14 -0800 Comment on attachment 226215 the patch. Clearing flags on attachment: 226215 Committed r165334: <http://trac.webkit.org/changeset/165334> 988581 6 commit-queue 2014-03-08 11:17:17 -0800 All reviewed patches have been landed. Closing bug. 226215 2014-03-08 08:50:04 -0800 2014-03-08 11:17:14 -0800 the patch. bug-129969.patch text/plain 2157 mark.lam SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTY1MzMyKQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE5IEBA CisyMDE0LTAzLTA4ICBNYXJrIExhbSAgPG1hcmsubGFtQGFwcGxlLmNvbT4KKworICAgICAgICAz Mi1iaXQgeDg2IGhhbmRsZVVuY2F1Z2h0RXhjZXB0aW9uIHJldHVybnMgdG8gd3JvbmcgbG9jYXRp b24gYWZ0ZXIgYSBzdGFjayBvdmVyZmxvdy4KKyAgICAgICAgPGh0dHBzOi8vd2Via2l0Lm9yZy9i LzEyOTk2OT4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAg ICBUaGUgMzItYml0IHZlcnNpb24gb2YgaGFuZGxlVW5jYXVnaHRFeGNlcHRpb24gd2FzIG1pc3Np bmcgdGhlIGhhbmRsaW5nIG9mIGFuCisgICAgICAgIGVkZ2UgY2FzZSBmb3Igc3RhY2sgb3ZlcmZs b3dzIHdoZXJlIHRoZSBjdXJyZW50IGZyYW1lIG1heSBhbHJlYWR5IGJlIHRoZQorICAgICAgICBz ZW50aW5lbCBmcmFtZS4gIFRoaXMgZWRnZSBjYXNlIHdhcyBoYW5kbGVkIGluIHRoZSA2NC1iaXQg dmVyc2lvbi4gIFRoZSBmaXgKKyAgICAgICAgaXMgdG8gYnJpbmcgdGhlIDMyLWJpdCB2ZXJzaW9u IHVwIHRvIHBhcml0eS4KKworICAgICAgICAqIGppdC9KSVQuY3BwOgorICAgICAgICAoSlNDOjpK SVQ6OnByaXZhdGVDb21waWxlKToKKyAgICAgICAgKiBsbGludC9Mb3dMZXZlbEludGVycHJldGVy MzJfNjQuYXNtOgorCiAyMDE0LTAzLTA3ICBNYXJrIExhbSAgPG1hcmsubGFtQGFwcGxlLmNvbT4K IAogICAgICAgICBGaXggYnVncyBpbiAzMi1iaXQgU3RydWN0dXJlIGltcGxlbWVudGF0aW9uLgpJ bmRleDogU291cmNlL0phdmFTY3JpcHRDb3JlL2xsaW50L0xvd0xldmVsSW50ZXJwcmV0ZXIzMl82 NC5hc20KPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PQotLS0gU291cmNlL0phdmFTY3JpcHRDb3JlL2xsaW50L0xvd0xldmVs SW50ZXJwcmV0ZXIzMl82NC5hc20JKHJldmlzaW9uIDE2NTMzMikKKysrIFNvdXJjZS9KYXZhU2Ny aXB0Q29yZS9sbGludC9Mb3dMZXZlbEludGVycHJldGVyMzJfNjQuYXNtCSh3b3JraW5nIGNvcHkp CkBAIC0zNzksMTAgKzM3OSwxMyBAQCBfaGFuZGxlVW5jYXVnaHRFeGNlcHRpb246CiAgICAgbG9h ZHAgTWFya2VkQmxvY2s6Om1fd2Vha1NldCArIFdlYWtTZXQ6Om1fdm1bdDNdLCB0MwogICAgIGxv YWRwIFZNOjpjYWxsRnJhbWVGb3JUaHJvd1t0M10sIGNmcgogCi0gICAgIyBTbyBmYXIsIHdlJ3Zl IHVud291bmQgdGhlIHN0YWNrIHRvIHRoZSBmcmFtZSBqdXN0IGJlbG93IHRoZSBzZW50aW5lbCBm cmFtZS4KLSAgICAjIFdlIG5lZWQgdG8gcG9wIHRvIHRoZSBzZW50aW5lbCBmcmFtZSBhbmQgZG8g dGhlIG5lY2Vzc2FyeSBjbGVhbiB1cCBmb3IKKyAgICAjIFNvIGZhciwgd2UndmUgdW53b3VuZCB0 aGUgc3RhY2sgdG8gdGhlIGZyYW1lIGp1c3QgYmVsb3cgdGhlIHNlbnRpbmVsIGZyYW1lLCBleGNl cHQKKyAgICAjIGluIHRoZSBjYXNlIG9mIHN0YWNrIG92ZXJmbG93IGluIHRoZSBmaXJzdCBmdW5j dGlvbiBjYWxsZWQgZnJvbSBjYWxsVG9KYXZhU2NyaXB0LgorICAgICMgQ2hlY2sgaWYgd2UgbmVl ZCB0byBwb3AgdG8gdGhlIHNlbnRpbmVsIGZyYW1lIGFuZCBkbyB0aGUgbmVjZXNzYXJ5IGNsZWFu IHVwIGZvcgogICAgICMgcmV0dXJuaW5nIHRvIHRoZSBjYWxsZXIgQyBmcmFtZS4KKyAgICBicGVx IENvZGVCbG9ja1tjZnJdLCAxLCAuaGFuZGxlVW5jYXVnaHRFeGNlcHRpb25BbHJlYWR5SXNTZW50 aW5lbAogICAgIGxvYWRwIENhbGxlckZyYW1lICsgUGF5bG9hZE9mZnNldFtjZnJdLCBjZnIKKy5o YW5kbGVVbmNhdWdodEV4Y2VwdGlvbkFscmVhZHlJc1NlbnRpbmVsOgogCiAgICAgbG9hZHAgQ2Fs bGVlICsgUGF5bG9hZE9mZnNldFtjZnJdLCB0MyAjIFZNCiAgICAgbG9hZHAgU2NvcGVDaGFpbiAr IFBheWxvYWRPZmZzZXRbY2ZyXSwgdDUgIyBwcmV2aW91cyB0b3BDYWxsRnJhbWUK