<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE bugzilla SYSTEM "https://bugs.webkit.org/page.cgi?id=bugzilla.dtd">

<bugzilla version="5.0.4.1"
          urlbase="https://bugs.webkit.org/"
          
          maintainer="admin@webkit.org"
>

    <bug>
          <bug_id>136080</bug_id>
          
          <creation_ts>2014-08-19 11:27:57 -0700</creation_ts>
          <short_desc>Crash in jsc-layout-tests.yaml/js/script-tests/reentrant-caching.js</short_desc>
          <delta_ts>2014-08-19 17:37:13 -0700</delta_ts>
          <reporter_accessible>1</reporter_accessible>
          <cclist_accessible>1</cclist_accessible>
          <classification_id>1</classification_id>
          <classification>Unclassified</classification>
          <product>WebKit</product>
          <component>JavaScriptCore</component>
          <version>528+ (Nightly build)</version>
          <rep_platform>Unspecified</rep_platform>
          <op_sys>Unspecified</op_sys>
          <bug_status>RESOLVED</bug_status>
          <resolution>FIXED</resolution>
          
          
          <bug_file_loc></bug_file_loc>
          <status_whiteboard></status_whiteboard>
          <keywords>InRadar</keywords>
          <priority>P2</priority>
          <bug_severity>Normal</bug_severity>
          <target_milestone>---</target_milestone>
          
          
          <everconfirmed>1</everconfirmed>
          <reporter name="Mark Lam">mark.lam</reporter>
          <assigned_to name="Michael Saboff">msaboff</assigned_to>
          <cc>fpizlo</cc>
    
    <cc>ggaren</cc>
    
    <cc>mmirman</cc>
    
    <cc>msaboff</cc>
    
    <cc>oliver</cc>
    
    <cc>webkit-bug-importer</cc>
          

      

      

      

          <comment_sort_order>oldest_to_newest</comment_sort_order>  
          <long_desc isprivate="0" >
    <commentid>1030073</commentid>
    <comment_count>0</comment_count>
    <who name="Mark Lam">mark.lam</who>
    <bug_when>2014-08-19 11:27:57 -0700</bug_when>
    <thetext>This crash only manifests when I run the test as follows:
$ JSC_useLLInt=false ... jsc jsc-stress-results/.tests/jsc-layout-tests.yaml/js/script-tests/reentrant-caching.js

Some tidbits that may or may not be related to the root cause:
1. If I disable the FTL, it stops reproducing.
2. If I re-enable the LLINT, it stops reproducing.
3. The test is doing some deep recursion, and has ultimately encountered an imminent stack overflow.  The backtrace below shows the top frames on the stack at the point of the crash.
4. At frame 4, the callFrame that we&apos;re trying to get the callee() from appears to be invalid (or at least, I can&apos;t use my debugPrintCallFrame on it).  Needs more investigation.

(lldb) bt 30
* thread #1: tid = 0x367234, 0x00000001008cc1fa JavaScriptCore`WTFCrash + 42 at Assertions.cpp:329, queue = &apos;com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef)
    frame #0: 0x00000001008cc1fa JavaScriptCore`WTFCrash + 42 at Assertions.cpp:329
    frame #1: 0x00000001000807a1 JavaScriptCore`JSC::asObject(cell=0x00007fff5f8200f0) + 65 at JSObject.h:1189
    frame #2: 0x0000000100080750 JavaScriptCore`JSC::asObject(value=JSValue at 0x00007fff5f81f3f8) + 32 at JSObject.h:1195
    frame #3: 0x00000001000806e5 JavaScriptCore`JSC::Register::function(this=0x00007fff5f81ffd0) const + 85 at JSObject.h:1472
    frame #4: 0x000000010008060c JavaScriptCore`JSC::ExecState::callee(this=0x00007fff5f81ffb0) const + 28 at CallFrame.h:46
    frame #5: 0x0000000100823492 JavaScriptCore`JSC::StackVisitor::readNonInlinedFrame(this=0x00007fff5f81f540, callFrame=0x00007fff5f81ffb0, codeOrigin=0x0000000000000000) + 114 at StackVisitor.cpp:114
    frame #6: 0x0000000100823113 JavaScriptCore`JSC::StackVisitor::readFrame(this=0x00007fff5f81f540, callFrame=0x00007fff5f81ffb0) + 147 at StackVisitor.cpp:84
    frame #7: 0x0000000100823254 JavaScriptCore`JSC::StackVisitor::gotoNextFrame(this=0x00007fff5f81f540) + 116 at StackVisitor.cpp:59
    frame #8: 0x0000000100531788 JavaScriptCore`void JSC::StackVisitor::visit&lt;JSC::GetStackTraceFunctor&gt;(startFrame=0x00007fff5f81fee0, functor=0x00007fff5f81f5d0) + 104 at StackVisitor.h:130
    frame #9: 0x000000010052fe9d JavaScriptCore`void JSC::ExecState::iterate&lt;JSC::GetStackTraceFunctor&gt;(this=0x00007fff5f81fee0, functor=0x00007fff5f81f5d0) + 29 at CallFrame.h:260
    frame #10: 0x000000010052bc74 JavaScriptCore`JSC::Interpreter::getStackTrace(this=0x0000000106901be0, results=0x00007fff5f81f7a8, maxStackSize=18446744073709551615) + 100 at Interpreter.cpp:604
    frame #11: 0x0000000100872ee2 JavaScriptCore`JSC::VM::throwException(this=0x0000000102007800, exec=0x00007fff5f81fee0, error=JSValue at 0x00007fff5f81f7c0) + 306 at VM.cpp:644
    frame #12: 0x0000000100873a18 JavaScriptCore`JSC::VM::throwException(this=0x0000000102007800, exec=0x00007fff5f81fee0, error=0x0000000108971190) + 72 at VM.cpp:692
    frame #13: 0x0000000100556e3d JavaScriptCore`operationThrowStackOverflowError(exec=0x00007fff5f81f8b0, codeBlock=0x0000000108a51540) + 157 at JITOperations.cpp:91
    frame #14: 0x00003bf360803373
    frame #15: 0x00000001006b2ed9 JavaScriptCore`vmEntryToJavaScript + 361
    frame #16: 0x0000000100548b3d JavaScriptCore`JSC::JITCode::execute(this=0x00000001088fc050, vm=0x0000000102007800, protoCallFrame=0x00007fff5f81fa70) + 45 at JITCode.cpp:47
    frame #17: 0x000000010052dc7a JavaScriptCore`JSC::Interpreter::executeCall(this=0x0000000106901be0, callFrame=0x00007fff5f81fee0, function=0x0000000106ec6030, callType=CallTypeJS, callData=0x00007fff5f81fc80, thisValue=JSValue at 0x00007fff5f81fb20, args=0x00007fff5f81fc58) + 1450 at Interpreter.cpp:986
    frame #18: 0x000000010010bcce JavaScriptCore`JSC::call(exec=0x00007fff5f81fee0, functionObject=JSValue at 0x00007fff5f81fc08, callType=CallTypeJS, callData=0x00007fff5f81fc80, thisValue=JSValue at 0x00007fff5f81fbf0, args=0x00007fff5f81fc58) + 190 at CallData.cpp:39
    frame #19: 0x00000001004b9c85 JavaScriptCore`JSC::callGetter(exec=0x00007fff5f81fee0, base=JSValue at 0x00007fff5f81fca8, getterSetter=JSValue at 0x00007fff5f81fca0) + 261 at GetterSetter.cpp:86
    frame #20: 0x00000001007e4314 JavaScriptCore`JSC::PropertySlot::functionGetter(this=0x00007fff5f81fe38, exec=0x00007fff5f81fee0) const + 148 at PropertySlot.cpp:32
    frame #21: 0x000000010008793d JavaScriptCore`JSC::PropertySlot::getValue(this=0x00007fff5f81fe38, exec=0x00007fff5f81fee0, propertyName=PropertyName at 0x00007fff5f81fd50) const + 93 at JSObject.h:1581
    frame #22: 0x00000001000ab1f3 JavaScriptCore`JSC::JSValue::get(this=0x00007fff5f81fe70, exec=0x00007fff5f81fee0, propertyName=PropertyName at 0x00007fff5f81fdc0, slot=0x00007fff5f81fe38) const + 291 at JSCJSValueInlines.h:696
    frame #23: 0x00000001005572bd JavaScriptCore`operationGetByIdOptimize(exec=0x00007fff5f81fee0, stubInfo=0x0000000102a01130, base=4411200208, uid=0x0000000106906a60) + 269 at JITOperations.cpp:164
    frame #24: 0x00003bf3a0800293
    frame #25: 0x00003bf36080310a
    frame #26: 0x00000001006b2ed9 JavaScriptCore`vmEntryToJavaScript + 361
    frame #27: 0x0000000100548b3d JavaScriptCore`JSC::JITCode::execute(this=0x00000001088fc050, vm=0x0000000102007800, protoCallFrame=0x00007fff5f8200f0) + 45 at JITCode.cpp:47
    frame #28: 0x000000010052dc7a JavaScriptCore`JSC::Interpreter::executeCall(this=0x0000000106901be0, callFrame=0x00007fff5f820560, function=0x0000000106ec6070, callType=CallTypeJS, callData=0x00007fff5f820300, thisValue=JSValue at 0x00007fff5f8201a0, args=0x00007fff5f8202d8) + 1450 at Interpreter.cpp:986
    frame #29: 0x000000010010bcce JavaScriptCore`JSC::call(exec=0x00007fff5f820560, functionObject=JSValue at 0x00007fff5f820288, callType=CallTypeJS, callData=0x00007fff5f820300, thisValue=JSValue at 0x00007fff5f820270, args=0x00007fff5f8202d8) + 190 at CallData.cpp:39
    ...

Here&apos;s an instance of this crash in the wild: http://build.webkit.org/builders/Apple%20Mavericks%20Debug%20WK1%20%28Tests%29/builds/7159/steps/jscore-test/logs/stdio</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1030074</commentid>
    <comment_count>1</comment_count>
    <who name="Radar WebKit Bug Importer">webkit-bug-importer</who>
    <bug_when>2014-08-19 11:28:52 -0700</bug_when>
    <thetext>&lt;rdar://problem/18065110&gt;</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1030086</commentid>
    <comment_count>2</comment_count>
    <who name="Michael Saboff">msaboff</who>
    <bug_when>2014-08-19 12:39:19 -0700</bug_when>
    <thetext>Taking this bug because &lt;https://trac.webkit.org/changeset/163179&gt; is likely responsible for it.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1030125</commentid>
    <comment_count>3</comment_count>
    <who name="Michael Saboff">msaboff</who>
    <bug_when>2014-08-19 15:13:25 -0700</bug_when>
    <thetext>The issue is that operationThrowStackOverflowError() unwinds one frame, pointed to by callerFrame.  We create a NativeCallFrameTracer object to &quot;wrap&quot; the unwinding.  NativeCallFrameTracer sets VM::topCallFrame, which is used as the frame to start unwinding from.  If the callee frame, pointed to by exec, is the direct callee of a VM entry frame, then &quot;calleeFrame&quot; will point to a frame somewhat above the VM entry frame, BUT we haven&apos;t updated VM::topVMEntryFrame accordingly.  This messes up unwinding.

Patch in progress.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1030155</commentid>
    <comment_count>4</comment_count>
      <attachid>236835</attachid>
    <who name="Michael Saboff">msaboff</who>
    <bug_when>2014-08-19 16:50:35 -0700</bug_when>
    <thetext>Created attachment 236835
Patch</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1030160</commentid>
    <comment_count>5</comment_count>
      <attachid>236835</attachid>
    <who name="Mark Lam">mark.lam</who>
    <bug_when>2014-08-19 17:16:16 -0700</bug_when>
    <thetext>Comment on attachment 236835
Patch

Please add a comment to the ChangeLog to explain the difference between when we should use one constructor and the other, so as to explain why only these 3 cases have been fixed to use the new constructor.

r=me with comment added.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1030164</commentid>
    <comment_count>6</comment_count>
    <who name="Michael Saboff">msaboff</who>
    <bug_when>2014-08-19 17:37:13 -0700</bug_when>
    <thetext>Committed r172792: &lt;http://trac.webkit.org/changeset/172792&gt;</thetext>
  </long_desc>
      
          <attachment
              isobsolete="0"
              ispatch="1"
              isprivate="0"
          >
            <attachid>236835</attachid>
            <date>2014-08-19 16:50:35 -0700</date>
            <delta_ts>2014-08-19 17:16:15 -0700</delta_ts>
            <desc>Patch</desc>
            <filename>136080.patch</filename>
            <type>text/plain</type>
            <size>4825</size>
            <attacher name="Michael Saboff">msaboff</attacher>
            
              <data encoding="base64">SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09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</data>
<flag name="review"
          id="261521"
          type_id="1"
          status="+"
          setter="mark.lam"
    />
          </attachment>
      

    </bug>

</bugzilla>