156487 2016-04-11 19:32:30 -0700 [GTK][Stable] REGRESSION(r197520) Crash in JSC::Register::codeBlock on http://detexify.kirelabs.org/symbols.html and http://gexpertise.fr/activites/metiers/stockage with GCC 2016-05-13 02:53:33 -0700 1 1 1 Unclassified WebKit JavaScriptCore Other PC Linux RESOLVED FIXED P2 Normal --- 1 mcatanzaro webkit-unassigned benjamin berto bugs-noreply caitp cgarcia clopez fpizlo ggaren kapouer mark.lam mcatanzaro oldest_to_newest 1182925 0 mcatanzaro 2016-04-11 19:32:30 -0700 WebKitGTK+ 2.12.0 crashes 100% when visiting http://detexify.kirelabs.org/symbols.html Program terminated with signal SIGSEGV, Segmentation fault. #0 JSC::Register::codeBlock (this=0xffff000000000012) at /usr/src/debug/webkitgtk-2.12.0/Source/JavaScriptCore/interpreter/Register.h:157 157 return u.codeBlock; #0 0x00007f0819825904 in JSC::StackVisitor::readFrame(JSC::ExecState*) (this=0xffff000000000012) at /usr/src/debug/webkitgtk-2.12.0/Source/JavaScriptCore/interpreter/Register.h:157 index = <optimized out> codeOrigin = {static invalidBytecodeIndex = 4294967295, bytecodeIndex = 2869128288, inlineCallFrame = 0x7ffeab0376f0} #1 0x00007f0819825904 in JSC::StackVisitor::readFrame(JSC::ExecState*) (this=0xffff000000000002) at /usr/src/debug/webkitgtk-2.12.0/Source/JavaScriptCore/interpreter/CallFrame.h:70 index = <optimized out> codeOrigin = {static invalidBytecodeIndex = 4294967295, bytecodeIndex = 2869128288, inlineCallFrame = 0x7ffeab0376f0} #2 0x00007f0819825904 in JSC::StackVisitor::readFrame(JSC::ExecState*) (this=0x7ffeab036c60, callFrame=0xffff000000000002) at /usr/src/debug/webkitgtk-2.12.0/Source/JavaScriptCore/interpreter/StackVisitor.cpp:100 index = <optimized out> codeOrigin = {static invalidBytecodeIndex = 4294967295, bytecodeIndex = 2869128288, inlineCallFrame = 0x7ffeab0376f0} #3 0x00007f08195028f6 in JSC::CodeBlock::noticeIncomingCall(JSC::ExecState*) (this=this@entry=0x7f07694c7840, callerFrame=callerFrame@entry=0x7ffeab0376f0) at /usr/src/debug/webkitgtk-2.12.0/Source/JavaScriptCore/interpreter/StackVisitor.h:128 functor = {m_startCallFrame = <optimized out>, m_codeBlock = <optimized out>, m_depthToCheck = 1, m_foundStartCallFrame = true, m_didRecurse = false} #4 0x00007f0819502a61 in JSC::CodeBlock::linkIncomingPolymorphicCall(JSC::ExecState*, JSC::PolymorphicCallNode*) (this=this@entry=0x7f07694c7840, callerFrame=callerFrame@entry=0x7ffeab0376f0, incoming=0x7f0760db5500) at /usr/src/debug/webkitgtk-2.12.0/Source/JavaScriptCore/bytecode/CodeBlock.cpp:3169 #5 0x00007f081988e904 in JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine(JSC::MacroAssemblerCodeRef const&, JSC::VM&, JSC::JSCell const*, JSC::ExecState*, JSC::CallLinkInfo&, WTF::Vector<JSC::PolymorphicCallCase, 0ul, WTF::CrashOnOverflow, 16ul> const&, std::unique_ptr<unsigned int [], std::default_delete<unsigned int []> >) (this=0x7f076116d3c0, codeRef=..., vm=..., owner=0x7f0769495a80, callerFrame=0x7ffeab0376f0, info=..., cases=..., fastCounts=std::unique_ptr<unsigned int> containing 0x7ffeab036f00) at /usr/src/debug/webkitgtk-2.12.0/Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.cpp:82 callCase = {m_variant = {m_callee = <optimized out>}, m_codeBlock = 0x7f07694c7840} __for_range = @0x7ffeab036f10: {<WTF::VectorBuffer<JSC::PolymorphicCallCase, 0ul>> = {<WTF::VectorBufferBase<JSC::PolymorphicCallCase>> = {m_buffer = 0x7f079c9fa200, m_capacity = 16, m_size = 2}, <No data fields>}, <No data fields>} __for_begin = 0x7f079c9fa210 #6 0x00007f081989674c in JSC::linkPolymorphicCall(JSC::ExecState*, JSC::CallLinkInfo&, JSC::CallVariant) (exec=exec@entry=0x7ffeab037610, callLinkInfo=..., newVariant=...) at /usr/src/debug/webkitgtk-2.12.0/Source/JavaScriptCore/jit/Repatch.cpp:883 list = {<WTF::VectorBuffer<JSC::CallVariant, 1ul>> = {<WTF::VectorBufferBase<JSC::CallVariant>> = {m_buffer = 0x7f076b3c3200, m_capacity = 16, m_size = 2}, m_inlineBuffer = {{__data = "\240\341jk\a\177\000", __align = {<No data fields>}}}}, <No data fields>} isClosureCall = <optimized out> callCases = {<WTF::VectorBuffer<JSC::PolymorphicCallCase, 0ul>> = {<WTF::VectorBufferBase<JSC::PolymorphicCallCase>> = {m_buffer = 0x7f079c9fa200, m_capacity = 16, m_size = 2}, <No data fields>}, <No data fields>} maxPolymorphicCallVariantListSize = <optimized out> stubJit = {<JSC::AssemblyHelpers> = {<JSC::MacroAssembler> = {<JSC::MacroAssemblerX86_64> = {<JSC::MacroAssemblerX86Common> = {<JSC::AbstractMacroAssembler<JSC::X86Assembler, JSC::MacroAssemblerX86Common>> = {m_assembler = {m_formatter = {static maxInstructionSize = 16, static noBase = JSC::X86Registers::ebp, static hasSib = JSC::X86Registers::esp, static noIndex = JSC::X86Registers::esp, static noBase2 = JSC::X86Registers::r13, static hasSib2 = JSC::X86Registers::r12, m_buffer = {static initialCapacity = 128, m_storage = {m_buffer = 0x7f076b3c3280 "H\276`.=\v\030V", m_capacity = 128}, m_index = 106}}, m_indexOfLastWatchpoint = -2147483648, m_indexOfTailOfLastWatchpoint = -2147483648}, m_randomSource = {m_seed = 2351248783, m_low = 2644614111, m_high = 6674715607368803631}, m_tempRegistersValidBits = 0, m_allowScratchRegister = true, m_linkTasks = {<WTF::VectorBuffer<WTF::RefPtr<WTF::SharedTask<void(JSC::LinkBuffer&)> >, 0ul>> = {<WTF::VectorBufferBase<WTF::RefPtr<WTF::SharedTask<void(JSC::LinkBuffer&)> > >> = {m_buffer = 0x0, m_capacity = 0, m_size = 0}, <No data fields>}, <No data fields>}}, static s_scratchRegister = JSC::X86Registers::r11, static DoubleConditionBitInvert = 16, static DoubleConditionBitSpecial = 32, static DoubleConditionBits = 48, static stackPointerRegister = JSC::X86Registers::esp, static framePointerRegister = JSC::X86Registers::ebp, static s_sse4_1CheckState = JSC::MacroAssemblerX86Common::CPUIDCheckState::Set, static s_lzcntCheckState = JSC::MacroAssemblerX86Common::CPUIDCheckState::Set}, static ScalePtr = JSC::AbstractMacroAssembler<JSC::X86Assembler, JSC::MacroAssemblerX86Common>::TimesEight}, static twoToThe32 = 4294967296, static BlindingModulus = 64}, m_vm = 0x7f0807604b80, m_codeBlock = 0x7f0769495a80, m_baselineCodeBlock = 0x7f0769495a80, m_decodedCodeMaps = {m_impl = {static m_maxLoad = <optimized out>, static m_minLoad = <optimized out>, m_table = 0x0, m_tableSize = 0, m_tableSizeMask = 0, m_keyCount = 0, m_deletedCount = 0}}}, <No data fields>} slowPath = {m_jumps = {<WTF::VectorBuffer<JSC::AbstractMacroAssembler<JSC::X86Assembler, JSC::MacroAssemblerX86Common>::Jump, 2ul>> = {<WTF::VectorBufferBase<JSC::AbstractMacroAssembler<JSC::X86Assembler, JSC::MacroAssemblerX86Common>::Jump>> = {m_buffer = 0x7ffeab037030, m_capacity = 2, m_size = 0}, m_inlineBuffer = {{__data = "\350\215\024i", __align = {<No data fields>}}, {__data = "\a\177\000", __align = {<No data fields>}}}}, <No data fields>}} frameShuffler = std::unique_ptr<JSC::CallFrameShuffler> containing 0x0 comparisonValueGPR = <optimized out> caseValues = {<WTF::VectorBuffer<long, 0ul>> = {<WTF::VectorBufferBase<long>> = {m_buffer = 0x7f076bdf98b0, m_capacity = 2, m_size = 2}, <No data fields>}, <No data fields>} calls = <optimized out> fastCounts = std::unique_ptr<unsigned int> containing 0x0 fastCountsBaseGPR = <optimized out> binarySwitch = {m_value = JSC::X86Registers::eax, m_cases = {<WTF::VectorBuffer<JSC::BinarySwitch::Case, 0ul>> = {<WTF::VectorBufferBase<JSC::BinarySwitch::Case>> = {m_buffer = 0x7f079c9fae00, m_capacity = 16, m_size = 2}, <No data fields>}, <No data fields>}, m_weakRandom = {m_seed = 1646, m_low = 1646, m_high = 13807754112}, m_branches = {<WTF::VectorBuffer<JSC::BinarySwitch::BranchCode, 0ul>> = {<WTF::VectorBufferBase<JSC::BinarySwitch::BranchCode>> = {m_buffer = 0x7f076b3c3c00, m_capacity = 16, m_size = 5}, <No data fields>}, <No data fields>}, m_index = 5, m_caseIndex = 0, m_jumpStack = {<WTF::VectorBuffer<JSC::AbstractMacroAssembler<JSC::X86Assembler, JSC::MacroAssemblerX86Common>::Jump, 0ul>> = {<WTF::VectorBufferBase<JSC::AbstractMacroAssembler<JSC::X86Assembler, JSC::MacroAssemblerX86Common>::Jump>> = {m_buffer = 0x7f076a163dc0, m_capacity = 16, m_size = 0}, <No data fields>}, <No data fields>}, m_fallThrough = {m_jumps = {<WTF::VectorBuffer<JSC::AbstractMacroAssembler<JSC::X86Assembler, JSC::MacroAssemblerX86Common>::Jump, 2ul>> = {<WTF::VectorBufferBase<JSC::AbstractMacroAssembler<JSC::X86Assembler, JSC::MacroAssemblerX86Common>::Jump>> = {m_buffer = 0x7ffeab0370c8, m_capacity = 2, m_size = 0}, m_inlineBuffer = {{__data = "B\000\000", __align = {<No data fields>}}, {__data = "\000\000\000", __align = {<No data fields>}}}}, <No data fields>}}, m_type = JSC::BinarySwitch::IntPtr} done = {m_jumps = {<WTF::VectorBuffer<JSC::AbstractMacroAssembler<JSC::X86Assembler, JSC::MacroAssemblerX86Common>::Jump, 2ul>> = {<WTF::VectorBufferBase<JSC::AbstractMacroAssembler<JSC::X86Assembler, JSC::MacroAssemblerX86Common>::Jump>> = {m_buffer = 0x7ffeab037050, m_capacity = 2, m_size = 2}, m_inlineBuffer = {{__data = "/\000\000", __align = {<No data fields>}}, {__data = "O\000\000", __align = {<No data fields>}}}}, <No data fields>}} slow = <optimized out> patchBuffer = {m_executableMemory = {m_ptr = 0x7f076a935900}, m_size = 106, m_didAllocate = true, m_code = 0x7f07afeac000, m_vm = 0x7f0807604b80, m_alreadyDisassembled = false, m_linkTasks = {<WTF::VectorBuffer<WTF::RefPtr<WTF::SharedTask<void(JSC::LinkBuffer&)> >, 0ul>> = {<WTF::VectorBufferBase<WTF::RefPtr<WTF::SharedTask<void(JSC::LinkBuffer&)> > >> = {m_buffer = 0x0, m_capacity = 0, m_size = 0}, <No data fields>}, <No data fields>}} stubRoutine = <optimized out> #7 0x00007f08198786ed in JSC::operationLinkPolymorphicCall(JSC::ExecState*, JSC::CallLinkInfo*) (execCallee=0x7ffeab037610, callLinkInfo=0x7f078f3b7600) at /usr/src/debug/webkitgtk-2.12.0/Source/JavaScriptCore/jit/JITOperations.cpp:887 calleeAsFunctionCell = 0x7f076bc99c00 result = <optimized out> #8 0x00007f07afd8a544 in () #9 0x00007ffeab0376f0 in () #10 0x00007f07afe1b59f in () #11 0x00007ffeab0376f0 in () #12 0x00007f076bc99c00 in () #13 0x00007f0700000004 in () #14 0x000000000000000a in () #15 0x00007f076b21d440 in () #16 0xffffffffffffffff in ()Python Exception <class 'OverflowError'> int too big to convert: #17 0x00007f0769a9d2b0 in () #18 0x00007f0769e5ae90 in () #19 0x0000000000000007 in () #20 0x00007f076bc99c00 in () #21 0x000000000000000a in () #22 0x00007f076022ab80 in () #23 0xffffffffffffffff in ()Python Exception <class 'OverflowError'> int too big to convert: #24 0x000000000000000a in () #25 0xffffffffffffffff in ()Python Exception <class 'OverflowError'> int too big to convert: #26 0xffffffffffffffff in ()Python Exception <class 'OverflowError'> int too big to convert: #27 0x000000000000000a in () #28 0x00007f0769a9d290 in () #29 0x00007f0769a9d2b0 in () #30 0x00007f076022ab80 in () #31 0x00007f0769e5ae90 in () #32 0x00007f080766b100 in () #33 0x00007f080766b100 in () #34 0x00007f076b40f408 in () #35 0xffffffffffffffff in ()Python Exception <class 'OverflowError'> int too big to convert: #36 0xffffffffffffffff in ()Python Exception <class 'OverflowError'> int too big to convert: #37 0x00007ffeab037780 in () #38 0x00007f08198ba177 in llint_entry () at /lib64/libjavascriptcoregtk-4.0.so.18 1184462 1 kapouer 2016-04-17 02:34:00 -0700 Hello, I noticed it doesn't crash the first time it is loaded with inspector opened. It crashes here too http://gexpertise.fr/activites/metiers/stockage and the stack trace is similar: Program received signal SIGSEGV, Segmentation fault. JSC::StackVisitor::readFrame (this=0x7ffdf68ef990, callFrame=0xffff000000000002) at /build/webkit2gtk-ea7lQt/webkit2gtk-2.12.1/Source/JavaScriptCore/interpreter/StackVisitor.cpp:100 100 /build/webkit2gtk-ea7lQt/webkit2gtk-2.12.1/Source/JavaScriptCore/interpreter/StackVisitor.cpp: Aucun fichier ou dossier de ce type. (gdb) bt #0 JSC::StackVisitor::readFrame (this=0x7ffdf68ef990, callFrame=0xffff000000000002) at /build/webkit2gtk-ea7lQt/webkit2gtk-2.12.1/Source/JavaScriptCore/interpreter/StackVisitor.cpp:100 #1 0x00007f0d72f5a0c6 in JSC::StackVisitor::visit<JSC::RecursionCheckFunctor> (functor=<synthetic pointer>, startFrame=<optimized out>) at /build/webkit2gtk-ea7lQt/webkit2gtk-2.12.1/Source/JavaScriptCore/interpreter/StackVisitor.h:128 #2 JSC::ExecState::iterate<JSC::RecursionCheckFunctor> (functor=<synthetic pointer>, this=<optimized out>) at /build/webkit2gtk-ea7lQt/webkit2gtk-2.12.1/Source/JavaScriptCore/interpreter/CallFrame.h:252 #3 JSC::CodeBlock::noticeIncomingCall (this=this@entry=0x7f0d02505200, callerFrame=0x7ffdf68efc00) at /build/webkit2gtk-ea7lQt/webkit2gtk-2.12.1/Source/JavaScriptCore/bytecode/CodeBlock.cpp:3472 #4 0x00007f0d72f5a1f1 in JSC::CodeBlock::linkIncomingCall (this=this@entry=0x7f0d02505200, callerFrame=<optimized out>, incoming=incoming@entry=0x7f0d0217a100) at /build/webkit2gtk-ea7lQt/webkit2gtk-2.12.1/Source/JavaScriptCore/bytecode/CodeBlock.cpp:3173 #5 0x00007f0d732e680e in JSC::linkFor (exec=exec@entry=0x7ffdf68efb40, callLinkInfo=..., calleeCodeBlock=calleeCodeBlock@entry=0x7f0d02505200, callee=callee@entry=0x7f0d02443d00, codePtr=..., codePtr@entry=...) at /build/webkit2gtk-ea7lQt/webkit2gtk-2.12.1/Source/JavaScriptCore/jit/Repatch.cpp:571 #6 0x00007f0d732cd998 in JSC::operationLinkCall (execCallee=0x7ffdf68efb40, callLinkInfo=0x7f0d0217a100) at /build/webkit2gtk-ea7lQt/webkit2gtk-2.12.1/Source/JavaScriptCore/jit/JITOperations.cpp:819 1184499 2 kapouer 2016-04-17 12:01:37 -0700 Somewhat expectedly, the crash does not happen when building with EXTRA_CMAKE_ARGUMENTS += -DENABLE_JIT=OFF CPPFLAGS += -DENABLE_ASSEMBLER=0 1188218 3 mcatanzaro 2016-04-28 05:53:19 -0700 *** Bug 157126 has been marked as a duplicate of this bug. *** 1188241 4 clopez 2016-04-28 07:43:41 -0700 I have bisected this. This regression was introduced in the 2.12 branch by r197760: r197760 <http://trac.webkit.org/r197760>: Merge r197520 - DFG should be able to compile StringReplace https://bugs.webkit.org/show_bug.cgi?id=154979 1188243 5 clopez 2016-04-28 07:54:03 -0700 And this only crashes when building with GCC. With Clang don't crashes. On the very same revision (r197760): - A clean build with GCC-4.9: Crash when loading any of this two pages. - A clean build with clang-3.6: OK, there is no crash, both pages load fine. 1188244 6 clopez 2016-04-28 08:22:49 -0700 I have just build r197520 and also crashes, so is not something specific of the 2.12.x branch. It can be reproduced on trunk@r197520. Current master don't crashes. I will try to bisect which revision "fixed" it on trunk 1188296 7 clopez 2016-04-28 10:27:45 -0700 (In reply to comment #6) > I have just build r197520 and also crashes, so is not something specific of > the 2.12.x branch. It can be reproduced on trunk@r197520. > > Current master don't crashes. I will try to bisect which revision "fixed" it > on trunk Bisect done. This is the revision that fixed it on trunk: r199076 <http://trac.webkit.org/r199076> -- JSC should use a shadow stack version of CHICKEN so that debuggers have the option of retrieving tail-deleted frames ​https://bugs.webkit.org/show_bug.cgi?id=155598 Is quite a large changeset, not sure if we could backport this to the 2.12.x branch 1188585 8 clopez 2016-04-29 04:15:51 -0700 Building with Debug mode and GCC don't makes the crash go away. So it don't looks like this is caused by an optimization level that we can manually disable for the files affected when building with GCC. My suggestion is to revert r197520 in the 2.12.x branch. 1192708 9 cgarcia 2016-05-13 02:53:33 -0700 (In reply to comment #8) > Building with Debug mode and GCC don't makes the crash go away. So it don't > looks like this is caused by an optimization level that we can manually > disable for the files affected when building with GCC. > > My suggestion is to revert r197520 in the 2.12.x branch. Thanks for all the bisects. r197520 was reverted in r200825