177368 2017-09-22 10:46:06 -0700 Usage of ErrorInstance::m_stackTrace on the mutator is racy with the collector 2017-09-28 15:49:57 -0700 1 1 1 Unclassified WebKit JavaScriptCore Safari Technology Preview Unspecified Unspecified RESOLVED FIXED P2 Normal --- 1 saam saam benjamin commit-queue fpizlo ggaren gskachkov jfbastien keith_miller lforschler mark.lam msaboff rmorisset ticaiolima webkit-bug-importer ysuzuki oldest_to_newest 1351709 0 saam 2017-09-22 10:46:06 -0700 nullptr dereference. Looks like the StackFrame itself is nullptr? There is a chance this is related to my local development, but I don't think so. I saw this on a test that I can't publish to open source repo. ``` Crashed Thread: 10 WTF::AutomaticThread Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000000 Exception Note: EXC_CORPSE_NOTIFY Termination Signal: Segmentation fault: 11 Termination Reason: Namespace SIGNAL, Code 0xb Terminating Process: exc handler [0] VM Regions Near 0: --> __TEXT 0000000100924000-0000000100958000 [ 208K] r-x/rwx SM=COW K [/Volumes/Data/WK/b/OpenSource/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/Resources/jsc] Thread 0:: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x0000000100df26b0 JSC::CodeBlock::updateAllPredictionsAndCountLiveness(unsigned int&, unsigned int&) + 224 (CodeBlock.cpp:2533) 1 com.apple.JavaScriptCore 0x0000000100df2a60 JSC::CodeBlock::shouldOptimizeNow() + 176 (CodeBlock.cpp:2594) 2 com.apple.JavaScriptCore 0x00000001012aa4d6 operationOptimize + 838 (JITOperations.cpp:1451) 3 ??? 0x0000462f1c4061e7 0 + 77168151388647 4 ??? 0x0000462f1c40a91d 0 + 77168151406877 5 ??? 0x0000462f1c40b605 0 + 77168151410181 6 ??? 0x0000462f1c40f1f7 0 + 77168151425527 7 ??? 0x0000462f1c4ced11 0 + 77168152210705 8 com.apple.JavaScriptCore 0x00000001009bc3e4 vmEntryToJavaScript + 304 (LowLevelInterpreter64.asm:258) 9 com.apple.JavaScriptCore 0x0000000101295a4f JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 127 (JITCode.cpp:82) 10 com.apple.JavaScriptCore 0x00000001012569ce JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*) + 16894 (Interpreter.cpp:924) 11 com.apple.JavaScriptCore 0x000000010145ea5f JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 287 (Completion.cpp:103) 12 jsc 0x000000010092796b jscmain(int, char**) + 3883 (jsc.cpp:3482) 13 jsc 0x0000000100926a2b main + 27 (jsc.cpp:3314) 14 libdyld.dylib 0x00007fff5fcc7145 start + 1 Thread 1: 0 libsystem_kernel.dylib 0x00007fff5fe16e7e __psynch_cvwait + 10 1 libsystem_pthread.dylib 0x00007fff5ff52662 _pthread_cond_wait + 732 2 libc++.1.dylib 0x00007fff5dd06d43 std::__1::condition_variable::__do_timed_wait(std::__1::unique_lock<std::__1::mutex>&, std::__1::chrono::time_point<std::__1::chrono::system_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >) + 93 3 com.apple.JavaScriptCore 0x00000001014ff425 std::__1::cv_status std::__1::condition_variable::wait_until<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >(std::__1::unique_lock<std::__1::mutex>&, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > > const&) + 117 (__mutex_base:419) 4 com.apple.JavaScriptCore 0x00000001014ff310 std::__1::cv_status std::__1::condition_variable_any::wait_until<std::__1::unique_lock<bmalloc::Mutex>, std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >(std::__1::unique_lock<bmalloc::Mutex>&, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > > const&) + 96 (condition_variable:224) 5 com.apple.JavaScriptCore 0x00000001014ff1a9 bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>::threadRunLoop() + 233 (condition_variable:235) 6 com.apple.JavaScriptCore 0x00000001014ff478 void* std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, void (*)(bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>*), bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>*> >(void*) + 40 (memory:2602) 7 libsystem_pthread.dylib 0x00007fff5ff516c1 _pthread_body + 340 8 libsystem_pthread.dylib 0x00007fff5ff5156d _pthread_start + 377 9 libsystem_pthread.dylib 0x00007fff5ff50c5d thread_start + 13 Thread 2: 0 libsystem_kernel.dylib 0x00007fff5fe176da __workq_kernreturn + 10 1 libsystem_pthread.dylib 0x00007fff5ff5106a _pthread_wqthread + 1035 2 libsystem_pthread.dylib 0x00007fff5ff50c4d start_wqthread + 13 Thread 3: 0 libsystem_kernel.dylib 0x00007fff5fe16e7e __psynch_cvwait + 10 1 libsystem_pthread.dylib 0x00007fff5ff52662 _pthread_cond_wait + 732 2 libc++.1.dylib 0x00007fff5dd06d43 std::__1::condition_variable::__do_timed_wait(std::__1::unique_lock<std::__1::mutex>&, std::__1::chrono::time_point<std::__1::chrono::system_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >) + 93 3 com.apple.JavaScriptCore 0x00000001014ff425 std::__1::cv_status std::__1::condition_variable::wait_until<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >(std::__1::unique_lock<std::__1::mutex>&, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > > const&) + 117 (__mutex_base:419) 4 com.apple.JavaScriptCore 0x00000001014ff310 std::__1::cv_status std::__1::condition_variable_any::wait_until<std::__1::unique_lock<bmalloc::Mutex>, std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >(std::__1::unique_lock<bmalloc::Mutex>&, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > > const&) + 96 (condition_variable:224) 5 com.apple.JavaScriptCore 0x00000001014ff1a9 bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>::threadRunLoop() + 233 (condition_variable:235) 6 com.apple.JavaScriptCore 0x00000001014ff478 void* std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, void (*)(bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>*), bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>*> >(void*) + 40 (memory:2602) 7 libsystem_pthread.dylib 0x00007fff5ff516c1 _pthread_body + 340 8 libsystem_pthread.dylib 0x00007fff5ff5156d _pthread_start + 377 9 libsystem_pthread.dylib 0x00007fff5ff50c5d thread_start + 13 Thread 4: 0 libsystem_kernel.dylib 0x00007fff5fe16e7e __psynch_cvwait + 10 1 libsystem_pthread.dylib 0x00007fff5ff52662 _pthread_cond_wait + 732 2 libc++.1.dylib 0x00007fff5dd06d43 std::__1::condition_variable::__do_timed_wait(std::__1::unique_lock<std::__1::mutex>&, std::__1::chrono::time_point<std::__1::chrono::system_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >) + 93 3 com.apple.JavaScriptCore 0x00000001014ff425 std::__1::cv_status std::__1::condition_variable::wait_until<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >(std::__1::unique_lock<std::__1::mutex>&, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > > const&) + 117 (__mutex_base:419) 4 com.apple.JavaScriptCore 0x00000001014ff310 std::__1::cv_status std::__1::condition_variable_any::wait_until<std::__1::unique_lock<bmalloc::Mutex>, std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >(std::__1::unique_lock<bmalloc::Mutex>&, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > > const&) + 96 (condition_variable:224) 5 com.apple.JavaScriptCore 0x00000001014ff1a9 bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>::threadRunLoop() + 233 (condition_variable:235) 6 com.apple.JavaScriptCore 0x00000001014ff478 void* std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, void (*)(bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>*), bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>*> >(void*) + 40 (memory:2602) 7 libsystem_pthread.dylib 0x00007fff5ff516c1 _pthread_body + 340 8 libsystem_pthread.dylib 0x00007fff5ff5156d _pthread_start + 377 9 libsystem_pthread.dylib 0x00007fff5ff50c5d thread_start + 13 Thread 5: 0 libsystem_kernel.dylib 0x00007fff5fe176da __workq_kernreturn + 10 1 libsystem_pthread.dylib 0x00007fff5ff5126f _pthread_wqthread + 1552 2 libsystem_pthread.dylib 0x00007fff5ff50c4d start_wqthread + 13 Thread 6: 0 libsystem_kernel.dylib 0x00007fff5fe16e7e __psynch_cvwait + 10 1 libsystem_pthread.dylib 0x00007fff5ff52662 _pthread_cond_wait + 732 2 libc++.1.dylib 0x00007fff5dd06d43 std::__1::condition_variable::__do_timed_wait(std::__1::unique_lock<std::__1::mutex>&, std::__1::chrono::time_point<std::__1::chrono::system_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >) + 93 3 com.apple.JavaScriptCore 0x00000001014ff425 std::__1::cv_status std::__1::condition_variable::wait_until<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >(std::__1::unique_lock<std::__1::mutex>&, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > > const&) + 117 (__mutex_base:419) 4 com.apple.JavaScriptCore 0x00000001014ff310 std::__1::cv_status std::__1::condition_variable_any::wait_until<std::__1::unique_lock<bmalloc::Mutex>, std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >(std::__1::unique_lock<bmalloc::Mutex>&, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > > const&) + 96 (condition_variable:224) 5 com.apple.JavaScriptCore 0x00000001014ff1a9 bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>::threadRunLoop() + 233 (condition_variable:235) 6 com.apple.JavaScriptCore 0x00000001014ff478 void* std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, void (*)(bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>*), bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>*> >(void*) + 40 (memory:2602) 7 libsystem_pthread.dylib 0x00007fff5ff516c1 _pthread_body + 340 8 libsystem_pthread.dylib 0x00007fff5ff5156d _pthread_start + 377 9 libsystem_pthread.dylib 0x00007fff5ff50c5d thread_start + 13 Thread 7:: JSC DEBUG Continuous GC 0 libsystem_kernel.dylib 0x00007fff5fe16e7e __psynch_cvwait + 10 1 libsystem_pthread.dylib 0x00007fff5ff52662 _pthread_cond_wait + 732 2 com.apple.JavaScriptCore 0x00000001014ef75a WTF::ThreadCondition::timedWait(WTF::Mutex&, double) + 122 (ThreadingPthreads.cpp:582) 3 com.apple.JavaScriptCore 0x00000001014d5588 WTF::ParkingLot::parkConditionallyImpl(void const*, WTF::ScopedLambda<bool ()> const&, WTF::ScopedLambda<void ()> const&, WTF::TimeWithDynamicClockType const&) + 2616 (ParkingLot.cpp:604) 4 com.apple.JavaScriptCore 0x0000000100c6b4ea bool WTF::ConditionBase::waitUntil<WTF::Lock>(WTF::Lock&, WTF::TimeWithDynamicClockType const&) + 154 (ParkingLot.h:81) 5 com.apple.JavaScriptCore 0x00000001011f988f WTF::Function<void ()>::CallableWrapper<JSC::Heap::notifyIsSafeToCollect()::$_34>::call() + 463 (TimeWithDynamicClockType.h:48) 6 com.apple.JavaScriptCore 0x00000001014ed5e4 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) + 228 (memory:2602) 7 com.apple.JavaScriptCore 0x00000001014eefc9 WTF::wtfThreadEntryPoint(void*) + 9 (ThreadingPthreads.cpp:224) 8 libsystem_pthread.dylib 0x00007fff5ff516c1 _pthread_body + 340 9 libsystem_pthread.dylib 0x00007fff5ff5156d _pthread_start + 377 10 libsystem_pthread.dylib 0x00007fff5ff50c5d thread_start + 13 Thread 8:: WTF::AutomaticThread 0 libsystem_kernel.dylib 0x00007fff5fe16e7e __psynch_cvwait + 10 1 libsystem_pthread.dylib 0x00007fff5ff52662 _pthread_cond_wait + 732 2 com.apple.JavaScriptCore 0x00000001014ef75a WTF::ThreadCondition::timedWait(WTF::Mutex&, double) + 122 (ThreadingPthreads.cpp:582) 3 com.apple.JavaScriptCore 0x00000001014d5588 WTF::ParkingLot::parkConditionallyImpl(void const*, WTF::ScopedLambda<bool ()> const&, WTF::ScopedLambda<void ()> const&, WTF::TimeWithDynamicClockType const&) + 2616 (ParkingLot.cpp:604) 4 com.apple.JavaScriptCore 0x0000000100c6b4ea bool WTF::ConditionBase::waitUntil<WTF::Lock>(WTF::Lock&, WTF::TimeWithDynamicClockType const&) + 154 (ParkingLot.h:81) 5 com.apple.JavaScriptCore 0x00000001014b5645 WTF::Function<void ()>::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0>::call() + 165 (AutomaticThread.cpp:210) 6 com.apple.JavaScriptCore 0x00000001014ed5e4 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) + 228 (memory:2602) 7 com.apple.JavaScriptCore 0x00000001014eefc9 WTF::wtfThreadEntryPoint(void*) + 9 (ThreadingPthreads.cpp:224) 8 libsystem_pthread.dylib 0x00007fff5ff516c1 _pthread_body + 340 9 libsystem_pthread.dylib 0x00007fff5ff5156d _pthread_start + 377 10 libsystem_pthread.dylib 0x00007fff5ff50c5d thread_start + 13 Thread 9:: WTF::AutomaticThread 0 libsystem_kernel.dylib 0x00007fff5fe0df72 swtch_pri + 10 1 libsystem_pthread.dylib 0x00007fff5ff52307 sched_yield + 11 2 com.apple.JavaScriptCore 0x00000001014cc52f WTF::LockAlgorithm<unsigned char, (unsigned char)1, (unsigned char)2>::lockSlow(WTF::Atomic<unsigned char>&) + 207 3 com.apple.JavaScriptCore 0x0000000100debc99 JSC::CodeBlock::visitWeakly(JSC::SlotVisitor&) + 121 (CodeBlock.cpp:967) 4 com.apple.JavaScriptCore 0x000000010120fd90 JSC::SlotVisitor::drain(WTF::MonotonicTime)::$_40::operator()(JSC::MarkStackArray&) const + 368 (SlotVisitor.cpp:389) 5 com.apple.JavaScriptCore 0x0000000101209705 JSC::SlotVisitor::drain(WTF::MonotonicTime) + 165 (SlotVisitorInlines.h:173) 6 com.apple.JavaScriptCore 0x0000000101209e1d JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode, WTF::MonotonicTime) + 637 7 com.apple.JavaScriptCore 0x00000001011f6581 WTF::SharedTaskFunctor<void (), JSC::Heap::runBeginPhase(JSC::GCConductor)::$_11>::run() + 577 (SlotVisitor.h:258) 8 com.apple.JavaScriptCore 0x00000001014d3e4c WTF::ParallelHelperClient::runTask(WTF::RefPtr<WTF::SharedTask<void ()> >) + 44 (RefPtr.h:79) 9 com.apple.JavaScriptCore 0x00000001014d4964 WTF::ParallelHelperPool::Thread::work() + 52 (utility:890) 10 com.apple.JavaScriptCore 0x00000001014b56c8 WTF::Function<void ()>::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0>::call() + 296 (AutomaticThread.cpp:223) 11 com.apple.JavaScriptCore 0x00000001014ed5e4 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) + 228 (memory:2602) 12 com.apple.JavaScriptCore 0x00000001014eefc9 WTF::wtfThreadEntryPoint(void*) + 9 (ThreadingPthreads.cpp:224) 13 libsystem_pthread.dylib 0x00007fff5ff516c1 _pthread_body + 340 14 libsystem_pthread.dylib 0x00007fff5ff5156d _pthread_start + 377 15 libsystem_pthread.dylib 0x00007fff5ff50c5d thread_start + 13 Thread 10 Crashed:: WTF::AutomaticThread 0 com.apple.JavaScriptCore 0x0000000100b9be11 JSC::StackFrame::visitChildren(JSC::SlotVisitor&) + 17 (WriteBarrier.h:113) 1 com.apple.JavaScriptCore 0x000000010149959b JSC::ErrorInstance::visitChildren(JSC::JSCell*, JSC::SlotVisitor&) + 59 (ErrorInstance.cpp:226) 2 com.apple.JavaScriptCore 0x000000010120fd90 JSC::SlotVisitor::drain(WTF::MonotonicTime)::$_40::operator()(JSC::MarkStackArray&) const + 368 (SlotVisitor.cpp:389) 3 com.apple.JavaScriptCore 0x0000000101209705 JSC::SlotVisitor::drain(WTF::MonotonicTime) + 165 (SlotVisitorInlines.h:173) 4 com.apple.JavaScriptCore 0x0000000101209e1d JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode, WTF::MonotonicTime) + 637 5 com.apple.JavaScriptCore 0x00000001011f6581 WTF::SharedTaskFunctor<void (), JSC::Heap::runBeginPhase(JSC::GCConductor)::$_11>::run() + 577 (SlotVisitor.h:258) 6 com.apple.JavaScriptCore 0x00000001014d3e4c WTF::ParallelHelperClient::runTask(WTF::RefPtr<WTF::SharedTask<void ()> >) + 44 (RefPtr.h:79) 7 com.apple.JavaScriptCore 0x00000001014d4964 WTF::ParallelHelperPool::Thread::work() + 52 (utility:890) 8 com.apple.JavaScriptCore 0x00000001014b56c8 WTF::Function<void ()>::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0>::call() + 296 (AutomaticThread.cpp:223) 9 com.apple.JavaScriptCore 0x00000001014ed5e4 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) + 228 (memory:2602) 10 com.apple.JavaScriptCore 0x00000001014eefc9 WTF::wtfThreadEntryPoint(void*) + 9 (ThreadingPthreads.cpp:224) 11 libsystem_pthread.dylib 0x00007fff5ff516c1 _pthread_body + 340 12 libsystem_pthread.dylib 0x00007fff5ff5156d _pthread_start + 377 13 libsystem_pthread.dylib 0x00007fff5ff50c5d thread_start + 13 Thread 11:: WTF::AutomaticThread 0 libsystem_kernel.dylib 0x00007fff5fe0df72 swtch_pri + 10 1 libsystem_pthread.dylib 0x00007fff5ff52307 sched_yield + 11 2 com.apple.JavaScriptCore 0x00000001014cc52f WTF::LockAlgorithm<unsigned char, (unsigned char)1, (unsigned char)2>::lockSlow(WTF::Atomic<unsigned char>&) + 207 3 com.apple.JavaScriptCore 0x0000000100c6b511 bool WTF::ConditionBase::waitUntil<WTF::Lock>(WTF::Lock&, WTF::TimeWithDynamicClockType const&) + 193 (Lock.h:63) 4 com.apple.JavaScriptCore 0x0000000101209d38 JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode, WTF::MonotonicTime) + 408 (Condition.h:103) 5 com.apple.JavaScriptCore 0x00000001011f6581 WTF::SharedTaskFunctor<void (), JSC::Heap::runBeginPhase(JSC::GCConductor)::$_11>::run() + 577 (SlotVisitor.h:258) 6 com.apple.JavaScriptCore 0x00000001014d3e4c WTF::ParallelHelperClient::runTask(WTF::RefPtr<WTF::SharedTask<void ()> >) + 44 (RefPtr.h:79) 7 com.apple.JavaScriptCore 0x00000001014d4964 WTF::ParallelHelperPool::Thread::work() + 52 (utility:890) 8 com.apple.JavaScriptCore 0x00000001014b56c8 WTF::Function<void ()>::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0>::call() + 296 (AutomaticThread.cpp:223) 9 com.apple.JavaScriptCore 0x00000001014ed5e4 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) + 228 (memory:2602) 10 com.apple.JavaScriptCore 0x00000001014eefc9 WTF::wtfThreadEntryPoint(void*) + 9 (ThreadingPthreads.cpp:224) 11 libsystem_pthread.dylib 0x00007fff5ff516c1 _pthread_body + 340 12 libsystem_pthread.dylib 0x00007fff5ff5156d _pthread_start + 377 13 libsystem_pthread.dylib 0x00007fff5ff50c5d thread_start + 13 Thread 12:: WTF::AutomaticThread 0 com.apple.JavaScriptCore 0x00000001012091f0 void JSC::SlotVisitor::appendToMarkStack<JSC::MarkedBlock>(JSC::MarkedBlock&, JSC::JSCell*) + 176 (SlotVisitor.cpp:289) 1 com.apple.JavaScriptCore 0x0000000100a94ca6 JSC::JSObject::visitChildren(JSC::JSCell*, JSC::SlotVisitor&) + 1734 (SlotVisitorInlines.h:99) 2 com.apple.JavaScriptCore 0x0000000100a5c615 JSC::JSCallee::visitChildren(JSC::JSCell*, JSC::SlotVisitor&) + 21 (WriteBarrier.h:89) 3 com.apple.JavaScriptCore 0x0000000100a64756 JSC::JSFunction::visitChildren(JSC::JSCell*, JSC::SlotVisitor&) + 22 (WriteBarrier.h:89) 4 com.apple.JavaScriptCore 0x000000010120fd90 JSC::SlotVisitor::drain(WTF::MonotonicTime)::$_40::operator()(JSC::MarkStackArray&) const + 368 (SlotVisitor.cpp:389) 5 com.apple.JavaScriptCore 0x0000000101209705 JSC::SlotVisitor::drain(WTF::MonotonicTime) + 165 (SlotVisitorInlines.h:173) 6 com.apple.JavaScriptCore 0x0000000101209e1d JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode, WTF::MonotonicTime) + 637 7 com.apple.JavaScriptCore 0x00000001011f6581 WTF::SharedTaskFunctor<void (), JSC::Heap::runBeginPhase(JSC::GCConductor)::$_11>::run() + 577 (SlotVisitor.h:258) 8 com.apple.JavaScriptCore 0x00000001014d3e4c WTF::ParallelHelperClient::runTask(WTF::RefPtr<WTF::SharedTask<void ()> >) + 44 (RefPtr.h:79) 9 com.apple.JavaScriptCore 0x00000001014d4964 WTF::ParallelHelperPool::Thread::work() + 52 (utility:890) 10 com.apple.JavaScriptCore 0x00000001014b56c8 WTF::Function<void ()>::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0>::call() + 296 (AutomaticThread.cpp:223) 11 com.apple.JavaScriptCore 0x00000001014ed5e4 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) + 228 (memory:2602) 12 com.apple.JavaScriptCore 0x00000001014eefc9 WTF::wtfThreadEntryPoint(void*) + 9 (ThreadingPthreads.cpp:224) 13 libsystem_pthread.dylib 0x00007fff5ff516c1 _pthread_body + 340 14 libsystem_pthread.dylib 0x00007fff5ff5156d _pthread_start + 377 15 libsystem_pthread.dylib 0x00007fff5ff50c5d thread_start + 13 Thread 13:: WTF::AutomaticThread 0 libsystem_kernel.dylib 0x00007fff5fe0df72 swtch_pri + 10 1 libsystem_pthread.dylib 0x00007fff5ff52307 sched_yield + 11 2 com.apple.JavaScriptCore 0x00000001014cc52f WTF::LockAlgorithm<unsigned char, (unsigned char)1, (unsigned char)2>::lockSlow(WTF::Atomic<unsigned char>&) + 207 3 com.apple.JavaScriptCore 0x0000000100c6b511 bool WTF::ConditionBase::waitUntil<WTF::Lock>(WTF::Lock&, WTF::TimeWithDynamicClockType const&) + 193 (Lock.h:63) 4 com.apple.JavaScriptCore 0x0000000101209d38 JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode, WTF::MonotonicTime) + 408 (Condition.h:103) 5 com.apple.JavaScriptCore 0x00000001011f6581 WTF::SharedTaskFunctor<void (), JSC::Heap::runBeginPhase(JSC::GCConductor)::$_11>::run() + 577 (SlotVisitor.h:258) 6 com.apple.JavaScriptCore 0x00000001014d3e4c WTF::ParallelHelperClient::runTask(WTF::RefPtr<WTF::SharedTask<void ()> >) + 44 (RefPtr.h:79) 7 com.apple.JavaScriptCore 0x00000001014d4964 WTF::ParallelHelperPool::Thread::work() + 52 (utility:890) 8 com.apple.JavaScriptCore 0x00000001014b56c8 WTF::Function<void ()>::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0>::call() + 296 (AutomaticThread.cpp:223) 9 com.apple.JavaScriptCore 0x00000001014ed5e4 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) + 228 (memory:2602) 10 com.apple.JavaScriptCore 0x00000001014eefc9 WTF::wtfThreadEntryPoint(void*) + 9 (ThreadingPthreads.cpp:224) 11 libsystem_pthread.dylib 0x00007fff5ff516c1 _pthread_body + 340 12 libsystem_pthread.dylib 0x00007fff5ff5156d _pthread_start + 377 13 libsystem_pthread.dylib 0x00007fff5ff50c5d thread_start + 13 Thread 14:: WTF::AutomaticThread 0 com.apple.JavaScriptCore 0x000000010120971a JSC::SlotVisitor::drain(WTF::MonotonicTime) + 186 (Atomics.h:248) 1 com.apple.JavaScriptCore 0x0000000101209e1d JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode, WTF::MonotonicTime) + 637 2 com.apple.JavaScriptCore 0x00000001011f6581 WTF::SharedTaskFunctor<void (), JSC::Heap::runBeginPhase(JSC::GCConductor)::$_11>::run() + 577 (SlotVisitor.h:258) 3 com.apple.JavaScriptCore 0x00000001014d3e4c WTF::ParallelHelperClient::runTask(WTF::RefPtr<WTF::SharedTask<void ()> >) + 44 (RefPtr.h:79) 4 com.apple.JavaScriptCore 0x00000001014d4964 WTF::ParallelHelperPool::Thread::work() + 52 (utility:890) 5 com.apple.JavaScriptCore 0x00000001014b56c8 WTF::Function<void ()>::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0>::call() + 296 (AutomaticThread.cpp:223) 6 com.apple.JavaScriptCore 0x00000001014ed5e4 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) + 228 (memory:2602) 7 com.apple.JavaScriptCore 0x00000001014eefc9 WTF::wtfThreadEntryPoint(void*) + 9 (ThreadingPthreads.cpp:224) 8 libsystem_pthread.dylib 0x00007fff5ff516c1 _pthread_body + 340 9 libsystem_pthread.dylib 0x00007fff5ff5156d _pthread_start + 377 10 libsystem_pthread.dylib 0x00007fff5ff50c5d thread_start + 13 Thread 15:: WTF::AutomaticThread 0 com.apple.JavaScriptCore 0x00000001014fe524 bmalloc::Heap::allocateSmallBumpRangesByObject(std::__1::lock_guard<bmalloc::StaticMutex>&, unsigned long, bmalloc::BumpAllocator&, bmalloc::FixedVector<bmalloc::BumpRange, 3ul>&, std::__1::array<bmalloc::List<bmalloc::SmallPage>, 112ul>&) + 436 (Heap.cpp:427) 1 com.apple.JavaScriptCore 0x00000001014fab5a bmalloc::Allocator::refillAllocatorSlowCase(bmalloc::BumpAllocator&, unsigned long) + 138 (__mutex_base:113) 2 com.apple.JavaScriptCore 0x00000001014fac84 bmalloc::Allocator::allocateLogSizeClass(unsigned long) + 180 (Allocator.cpp:165) 3 com.apple.JavaScriptCore 0x00000001014c923e WTF::fastMalloc(unsigned long) + 94 (FastMalloc.cpp:258) 4 com.apple.JavaScriptCore 0x0000000101209192 void JSC::SlotVisitor::appendToMarkStack<JSC::MarkedBlock>(JSC::MarkedBlock&, JSC::JSCell*) + 82 (DoublyLinkedList.h:56) 5 com.apple.JavaScriptCore 0x0000000100decbe0 JSC::CodeBlock::stronglyVisitStrongReferences(JSC::ConcurrentJSLocker const&, JSC::SlotVisitor&) + 800 (SlotVisitorInlines.h:64) 6 com.apple.JavaScriptCore 0x0000000100dec6a3 JSC::CodeBlock::visitChildren(JSC::SlotVisitor&) + 355 (CodeBlock.cpp:1059) 7 com.apple.JavaScriptCore 0x000000010120fd90 JSC::SlotVisitor::drain(WTF::MonotonicTime)::$_40::operator()(JSC::MarkStackArray&) const + 368 (SlotVisitor.cpp:389) 8 com.apple.JavaScriptCore 0x0000000101209705 JSC::SlotVisitor::drain(WTF::MonotonicTime) + 165 (SlotVisitorInlines.h:173) 9 com.apple.JavaScriptCore 0x0000000101209e1d JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode, WTF::MonotonicTime) + 637 10 com.apple.JavaScriptCore 0x00000001011f6581 WTF::SharedTaskFunctor<void (), JSC::Heap::runBeginPhase(JSC::GCConductor)::$_11>::run() + 577 (SlotVisitor.h:258) 11 com.apple.JavaScriptCore 0x00000001014d3e4c WTF::ParallelHelperClient::runTask(WTF::RefPtr<WTF::SharedTask<void ()> >) + 44 (RefPtr.h:79) 12 com.apple.JavaScriptCore 0x00000001014d4964 WTF::ParallelHelperPool::Thread::work() + 52 (utility:890) 13 com.apple.JavaScriptCore 0x00000001014b56c8 WTF::Function<void ()>::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0>::call() + 296 (AutomaticThread.cpp:223) 14 com.apple.JavaScriptCore 0x00000001014ed5e4 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) + 228 (memory:2602) 15 com.apple.JavaScriptCore 0x00000001014eefc9 WTF::wtfThreadEntryPoint(void*) + 9 (ThreadingPthreads.cpp:224) 16 libsystem_pthread.dylib 0x00007fff5ff516c1 _pthread_body + 340 17 libsystem_pthread.dylib 0x00007fff5ff5156d _pthread_start + 377 18 libsystem_pthread.dylib 0x00007fff5ff50c5d thread_start + 13 Thread 10 crashed with X86 Thread State (64-bit): rax: 0x0000000103a535b0 rbx: 0x0000000000000000 rcx: 0x0000000000000000 rdx: 0x0000000000000001 rdi: 0x0000000000000000 rsi: 0x0000000102eb00b8 rbp: 0x0000700005b34bd0 rsp: 0x0000700005b34bb0 r8: 0x0000000102eb00b8 r9: 0xffffffff00000000 r10: 0x0000000102ea2028 r11: 0x0000000102ea2030 r12: 0x00000001033b7dc0 r13: 0x0000000000000000 r14: 0x0000000102eb00b8 r15: 0x0000000000000000 rip: 0x0000000100b9be11 rfl: 0x0000000000010206 cr2: 0x0000000000000000 Logical CPU: 7 Error Code: 0x00000004 Trap Number: 14 ``` 1351716 1 saam 2017-09-22 10:53:08 -0700 It seems like we probably want a storeStoreFence() before storing to m_stackTrace in ErrorInstance. That said, it's really unlikely this is the cause of the crash on x86 since storeStoreFence is a compiler fence, and we're storing the result of a call. I think we may want the storeStoreFence for arm though, so: m_stackTrace = getStackTrace(exec, vm, this, useCurrentFrame); should become auto tmp = getStackTrace(exec, vm, this, useCurrentFrame); storeStoreFence() m_stackTrace = WTFMove(tmp) 1351717 2 saam 2017-09-22 10:54:00 -0700 I believe we also need a WriteBarrier after storing to m_stackTrace. 1351718 3 saam 2017-09-22 10:57:59 -0700 I bet the bug is we're materializeErrorInfoIfNeeded on the main thread, while visiting the stack trace on the collector thread 1351737 4 321569 saam 2017-09-22 11:24:42 -0700 Created attachment 321569 patch 1351738 5 321569 keith_miller 2017-09-22 11:28:49 -0700 Comment on attachment 321569 patch r=me. 1351767 6 321569 commit-queue 2017-09-22 12:18:36 -0700 Comment on attachment 321569 patch Clearing flags on attachment: 321569 Committed r222398: <http://trac.webkit.org/changeset/222398> 1351768 7 commit-queue 2017-09-22 12:18:38 -0700 All reviewed patches have been landed. Closing bug. 321569 2017-09-22 11:24:42 -0700 2017-09-22 12:18:36 -0700 patch c-backup.diff text/plain 2490 saam SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMjIyMzk0KQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE1IEBA CisyMDE3LTA5LTIyICBTYWFtIEJhcmF0aSAgPHNiYXJhdGlAYXBwbGUuY29tPgorCisgICAgICAg IFVzYWdlIG9mIEVycm9ySW5zdGFuY2U6Om1fc3RhY2tUcmFjZSBvbiB0aGUgbXV0YXRvciBpcyBy YWN5IHdpdGggdGhlIGNvbGxlY3RvcgorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9z aG93X2J1Zy5jZ2k/aWQ9MTc3MzY4CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BT ISkuCisKKyAgICAgICAgKiBydW50aW1lL0Vycm9ySW5zdGFuY2UuY3BwOgorICAgICAgICAoSlND OjpFcnJvckluc3RhbmNlOjpmaW5pc2hDcmVhdGlvbik6CisgICAgICAgIChKU0M6OkVycm9ySW5z dGFuY2U6Om1hdGVyaWFsaXplRXJyb3JJbmZvSWZOZWVkZWQpOgorICAgICAgICAoSlNDOjpFcnJv ckluc3RhbmNlOjp2aXNpdENoaWxkcmVuKToKKwogMjAxNy0wOS0yMiAgWXVzdWtlIFN1enVraSAg PHV0YXRhbmUudGVhQGdtYWlsLmNvbT4KIAogICAgICAgICBbREZHXVtGVExdIFByb2ZpbGUgYXJy YXkgdmVjdG9yIGxlbmd0aCBmb3IgYXJyYXkgYWxsb2NhdGlvbgpJbmRleDogU291cmNlL0phdmFT Y3JpcHRDb3JlL3J1bnRpbWUvRXJyb3JJbnN0YW5jZS5jcHAKPT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291cmNl L0phdmFTY3JpcHRDb3JlL3J1bnRpbWUvRXJyb3JJbnN0YW5jZS5jcHAJKHJldmlzaW9uIDIyMjM5 NCkKKysrIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9ydW50aW1lL0Vycm9ySW5zdGFuY2UuY3BwCSh3 b3JraW5nIGNvcHkpCkBAIC0xMTUsNyArMTE1LDEzIEBAIHZvaWQgRXJyb3JJbnN0YW5jZTo6Zmlu aXNoQ3JlYXRpb24oRXhlY1MKICAgICBpZiAoIW1lc3NhZ2UuaXNOdWxsKCkpCiAgICAgICAgIHB1 dERpcmVjdCh2bSwgdm0ucHJvcGVydHlOYW1lcy0+bWVzc2FnZSwganNTdHJpbmcoJnZtLCBtZXNz YWdlKSwgRG9udEVudW0pOwogCi0gICAgbV9zdGFja1RyYWNlID0gZ2V0U3RhY2tUcmFjZShleGVj LCB2bSwgdGhpcywgdXNlQ3VycmVudEZyYW1lKTsKKyAgICBzdGQ6OnVuaXF1ZV9wdHI8VmVjdG9y PFN0YWNrRnJhbWU+PiBzdGFja1RyYWNlID0gZ2V0U3RhY2tUcmFjZShleGVjLCB2bSwgdGhpcywg dXNlQ3VycmVudEZyYW1lKTsKKyAgICB7CisgICAgICAgIGF1dG8gbG9ja2VyID0gaG9sZExvY2so KnRoaXMpOworICAgICAgICBtX3N0YWNrVHJhY2UgPSBXVEZNb3ZlKHN0YWNrVHJhY2UpOworICAg IH0KKyAgICB2bS5oZWFwLndyaXRlQmFycmllcih0aGlzKTsKKwogICAgIGlmIChtX3N0YWNrVHJh Y2UgJiYgIW1fc3RhY2tUcmFjZS0+aXNFbXB0eSgpICYmIGhhc1NvdXJjZUFwcGVuZGVyKCkpIHsK ICAgICAgICAgdW5zaWduZWQgYnl0ZWNvZGVPZmZzZXQ7CiAgICAgICAgIENhbGxGcmFtZSogY2Fs bEZyYW1lOwpAQCAtMjAyLDcgKzIwOCwxMCBAQCB2b2lkIEVycm9ySW5zdGFuY2U6Om1hdGVyaWFs aXplRXJyb3JJbmZvCiAgICAgICAgIHJldHVybjsKICAgICAKICAgICBhZGRFcnJvckluZm8odm0s IG1fc3RhY2tUcmFjZS5nZXQoKSwgdGhpcyk7Ci0gICAgbV9zdGFja1RyYWNlID0gbnVsbHB0cjsK KyAgICB7CisgICAgICAgIGF1dG8gbG9ja2VyID0gaG9sZExvY2soKnRoaXMpOworICAgICAgICBt X3N0YWNrVHJhY2UgPSBudWxscHRyOworICAgIH0KICAgICAKICAgICBtX2Vycm9ySW5mb01hdGVy aWFsaXplZCA9IHRydWU7CiB9CkBAIC0yMjIsOSArMjMxLDEyIEBAIHZvaWQgRXJyb3JJbnN0YW5j ZTo6dmlzaXRDaGlsZHJlbihKU0NlbGwKICAgICBBU1NFUlRfR0NfT0JKRUNUX0lOSEVSSVRTKHRo aXNPYmplY3QsIGluZm8oKSk7CiAgICAgQmFzZTo6dmlzaXRDaGlsZHJlbih0aGlzT2JqZWN0LCB2 aXNpdG9yKTsKIAotICAgIGlmICh0aGlzT2JqZWN0LT5tX3N0YWNrVHJhY2UpIHsKLSAgICAgICAg Zm9yIChTdGFja0ZyYW1lJiBmcmFtZSA6ICp0aGlzT2JqZWN0LT5tX3N0YWNrVHJhY2UpCi0gICAg ICAgICAgICBmcmFtZS52aXNpdENoaWxkcmVuKHZpc2l0b3IpOworICAgIHsKKyAgICAgICAgYXV0 byBsb2NrZXIgPSBob2xkTG9jaygqdGhpc09iamVjdCk7CisgICAgICAgIGlmICh0aGlzT2JqZWN0 LT5tX3N0YWNrVHJhY2UpIHsKKyAgICAgICAgICAgIGZvciAoU3RhY2tGcmFtZSYgZnJhbWUgOiAq dGhpc09iamVjdC0+bV9zdGFja1RyYWNlKQorICAgICAgICAgICAgICAgIGZyYW1lLnZpc2l0Q2hp bGRyZW4odmlzaXRvcik7CisgICAgICAgIH0KICAgICB9CiB9CiAK