149957 2015-10-09 09:08:17 -0700 [Win] Null pointer crash. 2017-01-16 13:01:10 -0800 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build Unspecified Unspecified NEW P2 Normal --- 1 peavo webkit-unassigned daniel.zimmerman fpizlo ggaren oldest_to_newest 1131925 0 peavo 2015-10-09 09:08:17 -0700 I just got a null pointer crash in JSC::speculationFromCell(). The JSCell object looks more or less ok, but the m_structureID member is 0, causing the null pointer crash. JavaScriptCore.dll!JSC::speculationFromCell(JSC::JSCell * cell) Line 363 + 0x20 bytes C++ JavaScriptCore.dll!JSC::speculationFromValue(JSC::JSValue value) Line 391 + 0x8 bytes C++ JavaScriptCore.dll!JSC::ValueProfileBase<1>::computeUpdatedPrediction(const JSC::ConcurrentJITLocker & __formal) Line 145 + 0x7 bytes C++ JavaScriptCore.dll!JSC::CodeBlock::updateAllPredictionsAndCountLiveness(unsigned int & numberOfLiveNonArgumentValueProfiles, unsigned int & numberOfSamplesInProfiles) Line 3770 C++ JavaScriptCore.dll!JSC::CodeBlock::updateAllPredictions() Line 3815 C++ JavaScriptCore.dll!operationOptimize(JSC::ExecState * exec, int bytecodeIndex) Line 1142 C++ 1131926 1 262776 peavo 2015-10-09 09:11:21 -0700 Created attachment 262776 Patch 1131929 2 peavo 2015-10-09 09:13:22 -0700 (In reply to comment #1) > Created attachment 262776 [details] > Patch I'm not sure this is the correct way to deal with this crash :) 1131930 3 262776 ggaren 2015-10-09 09:16:06 -0700 Comment on attachment 262776 Patch While this might fix the crash, I think it's the wrong fix. A cell with a null structureID has been garbage collected. You're lucky if you find the null structureID -- that happens soon after sweeping. If you're unlucky, you'll just get garbage memory, or a crash. We need to investigate how cell got garbage collected in the first place. 1131933 4 peavo 2015-10-09 09:20:44 -0700 (In reply to comment #3) > Comment on attachment 262776 [details] > Patch > > While this might fix the crash, I think it's the wrong fix. > > A cell with a null structureID has been garbage collected. You're lucky if > you find the null structureID -- that happens soon after sweeping. If you're > unlucky, you'll just get garbage memory, or a crash. > > We need to investigate how cell got garbage collected in the first place. Ok, sounds good :) This is the state of the JSCell object when the crash occured: m_structureID 0x00000000 JSC::Structure* m_indexingType 0 unsigned char m_type StringType JSC::JSType m_flags 224 unsigned char m_cellState NewWhite JSC::CellState 1267203 5 daniel.zimmerman 2017-01-16 13:01:10 -0800 I've found a similar crash on iOS 10.2's version of JavascriptCore. I have the following backtrace: #0 0x0000000104d6d2ef in JSC::speculationFromCell(JSC::JSCell*) () #1 0x00000001047d2ec3 in JSC::CodeBlock::updateAllPredictionsAndCountLiveness(unsigned int&, unsigned int&) () #2 0x00000001047cebc7 in JSC::CodeBlock::stronglyVisitStrongReferences(JSC::SlotVisitor&) () #3 0x00000001047ce969 in JSC::CodeBlock::visitChildren(JSC::SlotVisitor&) () #4 0x0000000104d699ac in JSC::SlotVisitor::drain() () #5 0x0000000104a0869c in JSC::Heap::markRoots(double, void*, void*, int (&) [37]) () #6 0x0000000104a0b065 in JSC::Heap::collectImpl(JSC::HeapOperation, void*, void*, int (&) [37]) () #7 0x0000000104a0ada1 in JSC::Heap::collect(JSC::HeapOperation) () #8 0x0000000104c3c957 in JSC::MarkedAllocator::allocateSlowCase(unsigned long) () #9 0x0000000104b72ee0 in JSObjectMake () and the state of the JSCell is: m_structureID: 0 m_indexingType: 0 m_type: UnspecifiedType (0) m_flags: 0 m_cellState: AnthraciteOrBlack (0) Is there anyway I can help to find the source of the issue? I have a setup where the bug is pretty reproducible. 262776 2015-10-09 09:11:21 -0700 2015-10-09 09:16:06 -0700 Patch bug-149957-20151009181031.patch text/plain 1323 peavo SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTkwODAxKQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE1IEBA CisyMDE1LTEwLTA5ICBQZXIgQXJuZSBWb2xsYW4gIDxwZWF2b0BvdXRsb29rLmNvbT4KKworICAg ICAgICBbV2luXSBOdWxsIHBvaW50ZXIgY3Jhc2guCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJr aXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xNDk5NTcKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JP RFkgKE9PUFMhKS4KKworICAgICAgICBDaGVjayBpZiBKU0NlbGwgc3RydWN0dXJlIElEIGlzIHZh bGlkLgorCisgICAgICAgICogYnl0ZWNvZGUvU3BlY3VsYXRlZFR5cGUuY3BwOgorICAgICAgICAo SlNDOjpzcGVjdWxhdGlvbkZyb21DZWxsKToKKwogMjAxNS0xMC0wOSAgWGFiaWVyIFJvZHJpZ3Vl eiBDYWx2YXIgIDxjYWx2YXJpc0BpZ2FsaWEuY29tPiBhbmQgWW91ZW5uIEZhYmxldCAgPHlvdWVu bi5mYWJsZXRAY3JmLmNhbm9uLmZyPgogCiAgICAgICAgIEF1dG9tYXRlIFdlYkNvcmUgSlMgYnVp bHRpbnMgZ2VuZXJhdGlvbiBhbmQgYnVpbGQgc3lzdGVtCkluZGV4OiBTb3VyY2UvSmF2YVNjcmlw dENvcmUvYnl0ZWNvZGUvU3BlY3VsYXRlZFR5cGUuY3BwCj09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFNvdXJjZS9K YXZhU2NyaXB0Q29yZS9ieXRlY29kZS9TcGVjdWxhdGVkVHlwZS5jcHAJKHJldmlzaW9uIDE5MDc4 MikKKysrIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9ieXRlY29kZS9TcGVjdWxhdGVkVHlwZS5jcHAJ KHdvcmtpbmcgY29weSkKQEAgLTM2MCw2ICszNjAsOSBAQCBTcGVjdWxhdGVkVHlwZSBzcGVjdWxh dGlvbkZyb21TdHJ1Y3R1cmUoCiAKIFNwZWN1bGF0ZWRUeXBlIHNwZWN1bGF0aW9uRnJvbUNlbGwo SlNDZWxsKiBjZWxsKQogeworICAgIGlmICghY2VsbC0+c3RydWN0dXJlSUQoKSkKKyAgICAgICAg cmV0dXJuIFNwZWNOb25lOworCiAgICAgaWYgKEpTU3RyaW5nKiBzdHJpbmcgPSBqc0R5bmFtaWND YXN0PEpTU3RyaW5nKj4oY2VsbCkpIHsKICAgICAgICAgaWYgKGNvbnN0IFN0cmluZ0ltcGwqIGlt cGwgPSBzdHJpbmctPnRyeUdldFZhbHVlSW1wbCgpKSB7CiAgICAgICAgICAgICBpZiAoaW1wbC0+ aXNBdG9taWMoKSkK