139000 2014-11-21 22:46:51 -0800 r176455: ASSERT(!m_vector.isEmpty()) in IntendedStructureChain.cpp(143) 2014-12-02 13:43:37 -0800 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) All All RESOLVED FIXED InRadar P2 Normal --- 139194 1 msaboff msaboff ggaren jimoase oldest_to_newest 1050698 0 msaboff 2014-11-21 22:46:51 -0800 From <rdar://problem/19046388> 1. Get a spade build of Safari with open source release r176455 or later. 2. Open Safari and navigate to http://www.bobistheoilguy.com/castrol-edge-qa/ 3. You may need to scroll. RESULTS Crash. With a Debug build: ASSERTION FAILED: !m_vector.isEmpty() /Volumes/Data/src/webkit/Source/JavaScriptCore/runtime/IntendedStructureChain.cpp(143) : JSC::JSObject *JSC::IntendedStructureChain::terminalPrototype() const 1 0x10dea92b0 WTFCrash 2 0x10dadfe96 JSC::IntendedStructureChain::terminalPrototype() const 3 0x10de62c96 JSC::ComplexGetStatus::computeFor(JSC::CodeBlock*, JSC::Structure*, JSC::StructureChain*, unsigned int, WTF::StringImpl*) 4 0x10da286f9 JSC::GetByIdStatus::computeForStubInfo(JSC::ConcurrentJITLocker const&, JSC::CodeBlock*, JSC::StructureStubInfo*, WTF::StringImpl*, JSC::CallLinkStatus::ExitSiteData) 5 0x10da2799b JSC::GetByIdStatus::computeFor(JSC::CodeBlock*, WTF::HashMap<JSC::CodeOrigin, JSC::StructureStubInfo*, JSC::CodeOriginApproximateHash, WTF::HashTraits<JSC::CodeOrigin>, WTF::HashTraits<JSC::StructureStubInfo*> >&, unsigned int, WTF::StringImpl*) 6 0x10da29fbb JSC::GetByIdStatus::computeFor(JSC::CodeBlock*, JSC::CodeBlock*, WTF::HashMap<JSC::CodeOrigin, JSC::StructureStubInfo*, JSC::CodeOriginApproximateHash, WTF::HashTraits<JSC::CodeOrigin>, WTF::HashTraits<JSC::StructureStubInfo*> >&, WTF::HashMap<JSC::CodeOrigin, JSC::StructureStubInfo*, JSC::CodeOriginApproximateHash, WTF::HashTraits<JSC::CodeOrigin>, WTF::HashTraits<JSC::StructureStubInfo*> >&, JSC::CodeOrigin, WTF::StringImpl*) 7 0x10d6e8ed7 JSC::DFG::ByteCodeParser::parseBlock(unsigned int) 8 0x10d6e1629 JSC::DFG::ByteCodeParser::parseCodeBlock() 9 0x10d6ef97a JSC::DFG::ByteCodeParser::parse() 10 0x10d6efcae JSC::DFG::parse(JSC::DFG::Graph&) 11 0x10d887951 JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) 12 0x10d887566 JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*) 13 0x10d94a640 JSC::DFG::Worklist::runThread(JSC::DFG::ThreadData*) 14 0x10d948c34 JSC::DFG::Worklist::threadFunction(void*) 15 0x10defce69 WTF::createThread(void (*)(void*), void*, char const*)::$_0::operator()() const 16 0x10defce3c std::__1::__function::__func<WTF::createThread(void (*)(void*), void*, char const*)::$_0, std::__1::allocator<WTF::createThread(void (*)(void*), void*, char const*)::$_0>, void ()>::operator()() 17 0x10ded207a std::__1::function<void ()>::operator()() const 18 0x10defbdbe WTF::threadEntryPoint(void*) 19 0x10defd7c8 WTF::wtfThreadEntryPoint(void*) 20 0x7fff8cede2fc _pthread_body 21 0x7fff8cede279 _pthread_body 22 0x7fff8cedc4b1 thread_start LEAK: 2 WebPageProxy LEAK: 2 WebContext 1050700 1 242113 msaboff 2014-11-21 23:26:00 -0800 Created attachment 242113 Patch 1050727 2 msaboff 2014-11-22 11:07:11 -0800 Committed r176506: <http://trac.webkit.org/changeset/176506> 1050767 3 mark.lam 2014-11-23 08:20:27 -0800 *** Bug 138772 has been marked as a duplicate of this bug. *** 1051936 4 242113 ggaren 2014-12-02 12:41:53 -0800 Comment on attachment 242113 Patch Can you write a test for this? I think the test case here is more valuable than the patch, since this is code that changes a lot, and this mistake can easily be reintroduced. It looks like the key to this bug is invoking tryBuildGetByIDList(), with an object whose prototype is explicitly null. So, you can probably get this to happen by writing a test case where we repeatedly do an access, for three or four different structures, and each structure has a null prototype. One way to get a null prototype is to explicitly set object.__proto__ = null. 1051938 5 ggaren 2014-12-02 12:43:54 -0800 var o1 = { __proto__: null, a: 0, b: 0 }; var o2 = { __proto__: null, a: 0, c: 0 }; var o3 = { __proto__: null, a: 0, d: 0 }; function access(o) { return o.a; } do a lot: access(o1) access(o2) access(o3) 242113 2014-11-21 23:26:00 -0800 2014-11-22 10:29:19 -0800 Patch 139000.patch text/plain 1310 msaboff SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTc2NTAwKQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE1IEBA CisyMDE0LTExLTIxICBNaWNoYWVsIFNhYm9mZiAgPG1zYWJvZmZAYXBwbGUuY29tPgorCisgICAg ICAgIHIxNzY0NTU6IEFTU0VSVCghbV92ZWN0b3IuaXNFbXB0eSgpKSBpbiBJbnRlbmRlZFN0cnVj dHVyZUNoYWluLmNwcCgxNDMpCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3df YnVnLmNnaT9pZD0xMzkwMDAKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4K KworICAgICAgICBDaGVjayB0aGF0IHRoZSBjaGFpbkNvdW50IGlzIG5vbi16ZXJvIGJlZm9yZSB1 c2luZyBhIFN0cnVjdHVyZUNoYWluLgorCisgICAgICAgICogYnl0ZWNvZGUvQ29tcGxleEdldFN0 YXR1cy5jcHA6CisgICAgICAgIChKU0M6OkNvbXBsZXhHZXRTdGF0dXM6OmNvbXB1dGVGb3IpOgor CiAyMDE0LTExLTIxICBNaWNoYWVsIFNhYm9mZiAgPG1zYWJvZmZAYXBwbGUuY29tPgogCiAgICAg ICAgIEFsbG9jYXRlIGxvY2FsIFNjb3BlQ2hhaW4gcmVnaXN0ZXIKSW5kZXg6IFNvdXJjZS9KYXZh U2NyaXB0Q29yZS9ieXRlY29kZS9Db21wbGV4R2V0U3RhdHVzLmNwcAo9PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBT b3VyY2UvSmF2YVNjcmlwdENvcmUvYnl0ZWNvZGUvQ29tcGxleEdldFN0YXR1cy5jcHAJKHJldmlz aW9uIDE3NjQ3OCkKKysrIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9ieXRlY29kZS9Db21wbGV4R2V0 U3RhdHVzLmNwcAkod29ya2luZyBjb3B5KQpAQCAtNDYsNyArNDYsNyBAQCBDb21wbGV4R2V0U3Rh dHVzIENvbXBsZXhHZXRTdGF0dXM6OmNvbXB1CiAgICAgQ29tcGxleEdldFN0YXR1cyByZXN1bHQ7 CiAgICAgcmVzdWx0Lm1fa2luZCA9IElubGluZWFibGU7CiAgICAgCi0gICAgaWYgKGNoYWluKSB7 CisgICAgaWYgKGNoYWluICYmIGNoYWluQ291bnQpIHsKICAgICAgICAgcmVzdWx0Lm1fY2hhaW4g PSBhZG9wdFJlZihuZXcgSW50ZW5kZWRTdHJ1Y3R1cmVDaGFpbigKICAgICAgICAgICAgIHByb2Zp bGVkQmxvY2ssIGhlYWRTdHJ1Y3R1cmUsIGNoYWluLCBjaGFpbkNvdW50KSk7CiAgICAgICAgIAo=