131682 2014-04-15 11:23:41 -0700 Reproducible crash in JavaScriptCore: JSObjectMakeArray() 2015-03-30 13:21:28 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Mac (Intel) OS X 10.9 RESOLVED INVALID P1 Critical --- 1 AlexanderMeissner webkit-unassigned adam.fedor ggaren oldest_to_newest 1000899 0 AlexanderMeissner 2014-04-15 11:23:41 -0700 Reproducible crash in JavaScriptCore: JS_EXPORT JSObjectRef JSObjectMakeArray(JSContextRef ctx, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception) CF_AVAILABLE(10_6, 7_0); The attached source code crashes every time the same way. No JS exception is thrown and there are serval ways to manipulate when it crashes, but it always crashes in JSObjectMakeArray(). I'm not sure if I'm doing something fundamentally wrong or if it really is a bug in JavaScriptCore its self. The circumstances which are needed to reproduce the crash are very odd and I randomly came across this bug by implementing a linear algebra JS interface for a separate project. Call stack: #0 0x00000001018d7057 in JSC::StructureIDTable::get(unsigned int) [inlined] at WebKit/Source/JavaScriptCore/runtime/StructureIDTable.h:86 #1 0x00000001018d7050 in JSC::JSCell::structure(JSC::VM&) const [inlined] at WebKit/Source/JavaScriptCore/runtime/JSCellInlines.h:104 #2 0x00000001018d7050 in JSC::JSCell::methodTable() const [inlined] at WebKit/Source/JavaScriptCore/runtime/JSCellInlines.h:191 #3 0x00000001018d7036 in toJS(JSC::ExecState*, OpaqueJSValue const*) [inlined] at WebKit/Source/JavaScriptCore/API/APICast.h:81 #4 0x00000001018d702e in JSObjectMakeArray at WebKit/Source/JavaScriptCore/API/JSObjectRef.cpp:178 Tested r167020: One built by my self and also the JavaScriptCore.framework of WebKit nightly MacBook Pro Retina, Mid 2012, 64-Bit, MacOS 10.8.5 and another one (identical hardware) but with MacOS 10.9 All of the following ways stop the test from crashing or change the iteration it crashes: 1. context = JSGlobalContextCreate(NULL); //instead of JSClassCreate(&kJSClassDefinitionEmpty) 2. not adding the property "test" to the contexts global object 3. using stack memory instead of heap for the valueArray passed to JSObjectMakeArray() like: JSValueRef valueArray[4]; or JSValueRef* valueArray = (JSValueRef*)alloca(sizeof(JSValueRef)*4); 4. adding another than 3 or 4 properties to the vector instances 0 properties: All Iterations 1 property: All Iterations 2 properties: All Iterations 3 properties: 326 Iterations 4 properties: 285 Iterations 5 properties: All Iterations 6 properties: All Iterations 5. Not passing a JSClassRef to: JSObjectRef instance = JSObjectMake(context, NULL, NULL); 6. Creating less than 4 instances of the vector class in one iteration: 0 to 3 instances per iteration: All Iterations 4 instances per iteration: 326 Iterations 5 instances per iteration: 575 Iterations 6 instances per iteration: 217 Iterations 7 instances per iteration: 186 Iterations 8 instances per iteration: 163 Iterations 7. Adjusting the argumentCount parameter of JSObjectMakeArray() to the actual count of instances per iteration changes the behavior too But not a single one of them is a work around as I need the complete functionality of JavaScriptCore. 1000900 1 229382 AlexanderMeissner 2014-04-15 11:27:56 -0700 Created attachment 229382 Source code to reproduce the crash When compiling and running the code, be sure to link against the JavaScriptCore.framework of WebKit Nightly not the one of your system You can check that by using: otool -L [executable] Which should show something like: @executable_path/JavaScriptCore.framework/Versions/A/JavaScriptCore instead of: /System/Library/Frameworks/JavaScriptCore.framework/Versions/A/JavaScriptCore 1063915 2 adam.fedor 2015-01-24 08:44:55 -0800 I reproduced this on my machine (Mid-2011 Mini, OS X 10.10.1) Using Webkit svn rev 176947. I'm interested in this as it seems very similar to a bug I reported to Apple rdar://19378158 (http://openradar.appspot.com/radar?id=6174800997253120) 1064061 3 adam.fedor 2015-01-25 18:23:05 -0800 Actually, now I think it might be just an issue with the example. I can't claim to know anything about how JavaScript works, but I think the newly created objects aren't on the stack, so the garbage collector doesn't know about them, so occasionally an object just gets deallocated. Doing something like this fixes the issue: JSValueRef a = newVectorInstance() valueArray[0] = a; ...etc... Does anyone know if that's right or if there is another way to keep an object from being collected? (JSValueProtect/JSValueUnprotect also works, but it seems like that is if you want the objects to be global). 1064139 4 AlexanderMeissner 2015-01-26 05:25:24 -0800 (In reply to comment #3) This is actually more the way C/C++ works that matters than the way JavaScript works. The difference is that JSValueRef a = newVectorInstance(); valueArray[0] = a; orders the compiler to use the stack, while valueArray[0] = newVectorInstance(); is a temporary value which could be held in registers. But this is already known to be part of the bug, using the stack is some kind of work around: JSValueRef* valueArray = (JSValueRef*)alloca(sizeof(JSValueRef)*4); I suspect that the problem might be in the Construction/Destruction of JSValue (as that would be stack related) or a memory access in the heap that goes wrong, caused by a early delete/free of memory. 1081283 5 ggaren 2015-03-30 13:21:28 -0700 > JSValueRef* valueArray = new JSValueRef[8]; It's not valid to put a JSValueRef in the heap without first calling JSValueProtect. The garbage collector will automatically scan JSValueRefs on the stack, but once you put the JSValueRef into the heap like this, you need to use explicit reference counting through JSValueProtect and JSValueUnprotect. 229382 2014-04-15 11:27:56 -0700 2014-04-15 11:29:39 -0700 Source code to reproduce the crash main.cpp text/plain-text 3049 AlexanderMeissner Ly8KLy8gIG1haW4uY3BwCi8vICBXZWJLaXRCdWdUZXN0Ci8vCi8vICBDcmVhdGVkIGJ5IEFsZXhh bmRlciBNZWnDn25lciBvbiAxNS4wNC4xNC4KLy8gIENvcHlyaWdodCAoYykgMjAxNCBBbGV4YW5k ZXIgTWVpw59uZXIuIEFsbCByaWdodHMgcmVzZXJ2ZWQuCi8vCgojaW5jbHVkZSA8SmF2YVNjcmlw dENvcmUvSmF2YVNjcmlwdC5oPgoKSlNHbG9iYWxDb250ZXh0UmVmIGNvbnRleHQ7CkpTQ2xhc3NS ZWYgdmVjdG9yQ2xhc3M7CkpTU3RyaW5nUmVmIHN0clgsIHN0clksIHN0closIHN0clRlc3Q7Cgpz dGF0aWMgSlNWYWx1ZVJlZiBuZXdWZWN0b3JJbnN0YW5jZSgpIHsKICAgIEpTVmFsdWVSZWYgZXhj ZXB0aW9uID0gTlVMTDsKICAgIAogICAgLy9KU09iamVjdFJlZiBpbnN0YW5jZSA9IEpTT2JqZWN0 TWFrZShjb250ZXh0LCBOVUxMLCBOVUxMKTsgLy9Xb3VsZCBub3QgY3Jhc2gKICAgIEpTT2JqZWN0 UmVmIGluc3RhbmNlID0gSlNPYmplY3RNYWtlKGNvbnRleHQsIHZlY3RvckNsYXNzLCBOVUxMKTsK ICAgIAogICAgSlNPYmplY3RTZXRQcm9wZXJ0eShjb250ZXh0LCBpbnN0YW5jZSwgc3RyWCwgSlNW YWx1ZU1ha2VOdW1iZXIoY29udGV4dCwgMC4wKSwga0pTUHJvcGVydHlBdHRyaWJ1dGVEb250RGVs ZXRlLCAmZXhjZXB0aW9uKTsKICAgIEpTT2JqZWN0U2V0UHJvcGVydHkoY29udGV4dCwgaW5zdGFu Y2UsIHN0clksIEpTVmFsdWVNYWtlTnVtYmVyKGNvbnRleHQsIDAuMCksIGtKU1Byb3BlcnR5QXR0 cmlidXRlRG9udERlbGV0ZSwgJmV4Y2VwdGlvbik7CiAgICBKU09iamVjdFNldFByb3BlcnR5KGNv bnRleHQsIGluc3RhbmNlLCBzdHJaLCBKU1ZhbHVlTWFrZU51bWJlcihjb250ZXh0LCAwLjApLCBr SlNQcm9wZXJ0eUF0dHJpYnV0ZURvbnREZWxldGUsICZleGNlcHRpb24pOwogICAgLy9KU09iamVj dFNldFByb3BlcnR5KGNvbnRleHQsIGluc3RhbmNlLCBzdHJUZXN0LCBKU1ZhbHVlTWFrZU51bWJl cihjb250ZXh0LCAwLjApLCBrSlNQcm9wZXJ0eUF0dHJpYnV0ZURvbnREZWxldGUsICZleGNlcHRp b24pOyAvL1dvdWxkIGFsc28gY3Jhc2gKICAgIAogICAgaWYoZXhjZXB0aW9uKQogICAgICAgIHBy aW50ZigiRXhjZXB0aW9uICVwXG4iLCBleGNlcHRpb24pOyAvL05ldmVyIHRocm93bgogICAgCiAg ICByZXR1cm4gaW5zdGFuY2U7Cn0KCmludCBtYWluKGludCBhcmdjLCBjb25zdCBjaGFyICogYXJn dltdKSB7CiAgICBzdHJYID0gSlNTdHJpbmdDcmVhdGVXaXRoVVRGOENTdHJpbmcoIngiKTsKICAg IHN0clkgPSBKU1N0cmluZ0NyZWF0ZVdpdGhVVEY4Q1N0cmluZygieSIpOwogICAgc3RyWiA9IEpT U3RyaW5nQ3JlYXRlV2l0aFVURjhDU3RyaW5nKCJ6Iik7CiAgICBzdHJUZXN0ID0gSlNTdHJpbmdD cmVhdGVXaXRoVVRGOENTdHJpbmcoInRlc3QiKTsKICAgIHZlY3RvckNsYXNzID0gSlNDbGFzc0Ny ZWF0ZSgma0pTQ2xhc3NEZWZpbml0aW9uRW1wdHkpOwogICAgCiAgICAvL2NvbnRleHQgPSBKU0ds b2JhbENvbnRleHRDcmVhdGUoTlVMTCk7IC8vV291bGQgbm90IGNyYXNoCiAgICBjb250ZXh0ID0g SlNHbG9iYWxDb250ZXh0Q3JlYXRlKEpTQ2xhc3NDcmVhdGUoJmtKU0NsYXNzRGVmaW5pdGlvbkVt cHR5KSk7CiAgICAKICAgIEpTVmFsdWVSZWYgZXhjZXB0aW9uID0gTlVMTDsKICAgIEpTT2JqZWN0 UmVmIGdsb2JhbE9iamVjdCA9IEpTQ29udGV4dEdldEdsb2JhbE9iamVjdChjb250ZXh0KTsKICAg IEpTT2JqZWN0U2V0UHJvcGVydHkoY29udGV4dCwgZ2xvYmFsT2JqZWN0LCBzdHJUZXN0LCBKU09i amVjdE1ha2UoY29udGV4dCwgTlVMTCwgTlVMTCksIDAsICZleGNlcHRpb24pOyAvL1dpdGhvdXQ6 IFdvdWxkIG5vdCBjcmFzaAogICAgaWYoZXhjZXB0aW9uKQogICAgICAgIHByaW50ZigiRXhjZXB0 aW9uICVwXG4iLCBleGNlcHRpb24pOyAvL05ldmVyIHRocm93bgogICAgCiAgICAvL0pTVmFsdWVS ZWYgdmFsdWVBcnJheVs4XTsgLy9Xb3VsZCBub3QgY3Jhc2gKICAgIC8vSlNWYWx1ZVJlZiogdmFs dWVBcnJheSA9IChKU1ZhbHVlUmVmKilhbGxvY2Eoc2l6ZW9mKEpTVmFsdWVSZWYpKjgpOyAvL1dv dWxkIG5vdCBjcmFzaAogICAgSlNWYWx1ZVJlZiogdmFsdWVBcnJheSA9IG5ldyBKU1ZhbHVlUmVm WzhdOwogICAgCiAgICBmb3IodW5zaWduZWQgaW50IGkgPSAwOyBpIDwgNTAwMDsgaSArKykgewog ICAgICAgIHZhbHVlQXJyYXlbMF0gPSBuZXdWZWN0b3JJbnN0YW5jZSgpOwogICAgICAgIHZhbHVl QXJyYXlbMV0gPSBuZXdWZWN0b3JJbnN0YW5jZSgpOwogICAgICAgIHZhbHVlQXJyYXlbMl0gPSBu ZXdWZWN0b3JJbnN0YW5jZSgpOwogICAgICAgIHZhbHVlQXJyYXlbM10gPSBuZXdWZWN0b3JJbnN0 YW5jZSgpOyAvL0NyYXNoIGF0IGk9MzI2CiAgICAgICAgLy92YWx1ZUFycmF5WzRdID0gbmV3VmVj dG9ySW5zdGFuY2UoKTsgLy9DcmFzaCBhdCBpPTU3NQogICAgICAgIC8vdmFsdWVBcnJheVs1XSA9 IG5ld1ZlY3Rvckluc3RhbmNlKCk7IC8vQ3Jhc2ggYXQgaT0yMTcKICAgICAgICAvL3ZhbHVlQXJy YXlbNl0gPSBuZXdWZWN0b3JJbnN0YW5jZSgpOyAvL0NyYXNoIGF0IGk9MTg2CiAgICAgICAgLy92 YWx1ZUFycmF5WzddID0gbmV3VmVjdG9ySW5zdGFuY2UoKTsgLy9DcmFzaCBhdCBpPTE2MwogICAg ICAgIAogICAgICAgIHByaW50ZigiSXRlcmF0aW9uICVkXG4iLCBpKTsKICAgICAgICBKU09iamVj dE1ha2VBcnJheShjb250ZXh0LCA0LCB2YWx1ZUFycmF5LCAmZXhjZXB0aW9uKTsKICAgICAgICAK ICAgICAgICBpZihleGNlcHRpb24pCiAgICAgICAgICAgIHByaW50ZigiRXhjZXB0aW9uICVwXG4i LCBleGNlcHRpb24pOyAvL05ldmVyIHRocm93bgogICAgfQogICAgCiAgICAvL05ldmVyIHJlYWNo ZWQKICAgIGRlbGV0ZSBbXSB2YWx1ZUFycmF5OwogICAgSlNHbG9iYWxDb250ZXh0UmVsZWFzZShj b250ZXh0KTsKICAgIEpTU3RyaW5nUmVsZWFzZShzdHJYKTsKICAgIEpTU3RyaW5nUmVsZWFzZShz dHJZKTsKICAgIEpTU3RyaW5nUmVsZWFzZShzdHJaKTsKICAgIEpTU3RyaW5nUmVsZWFzZShzdHJU ZXN0KTsKICAgIAogICAgcmV0dXJuIDA7Cn0KCg==