196506 2019-04-02 12:09:41 -0700 Crash in Options::setOptions() using --configFile option and libgmalloc 2019-04-02 12:57:05 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 msaboff msaboff commit-queue ews-watchlist keith_miller mark.lam saam webkit-bug-importer oldest_to_newest 1523391 0 msaboff 2019-04-02 12:09:41 -0700 We get this crash when using a JSC configFile and libgmalloc: * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x106a13fb0) * frame #0: 0x00007fff581b0712 libsystem_platform.dylib`_platform_strlen + 18 frame #1: 0x0000000101814731 JavaScriptCore`JSC::Options::setOptions(optionsStr="") at Options.cpp:647:21 frame #2: 0x000000010163c3dc JavaScriptCore`JSC::ConfigFile::parse(this=0x00007ffeefbfec10) at ConfigFile.cpp:470:13 frame #3: 0x000000010164355b JavaScriptCore`JSC::processConfigFile(this=0x00007ffeefbff520)::$_1::operator()() const at ConfigFile.cpp:536:24 frame #4: 0x000000010164347d JavaScriptCore`decltype(__f=0x00007ffeefbff520)::$_1>(fp)()) std::__1::__invoke<JSC::processConfigFile(char const*, char const*, char const*)::$_1>(JSC::processConfigFile(char const*, char const*, char const*)::$_1&&) at type_traits:4345:1 frame #5: 0x0000000101643458 JavaScriptCore`void std::__1::__call_once_param<std::__1::tuple<JSC::processConfigFile(char const*, char const*, char const*)::$_1&&> >::__execute<>(this=0x00007ffeefbff4f0, (null)=__tuple_indices<> @ 0x00007ffeefbff458) at mutex:621:9 frame #6: 0x0000000101643425 JavaScriptCore`std::__1::__call_once_param<std::__1::tuple<JSC::processConfigFile(char const*, char const*, char const*)::$_1&&> >::operator(this=0x00007ffeefbff4f0)() at mutex:613:9 frame #7: 0x00000001016432fd JavaScriptCore`void std::__1::__call_once_proxy<std::__1::tuple<JSC::processConfigFile(char const*, char const*, char const*)::$_1&&> >(__vp=0x00007ffeefbff4f0) at mutex:649:5 frame #8: 0x00007fff5569b896 libc++.1.dylib`std::__1::__call_once(unsigned long volatile&, void*, void (*)(void*)) + 139 frame #9: 0x000000010163c9cc JavaScriptCore`void std::__1::call_once<JSC::processConfigFile(char const*, char const*, char const*)::$_1>(__flag=0x000000010220c5a0, __func=0x00007ffeefbff520)::$_1&&) at mutex:666:9 frame #10: 0x000000010163c95f JavaScriptCore`JSC::processConfigFile(configFilename="jsc.config", processName="jsc", parentProcessName=0x0000000000000000) at ConfigFile.cpp:530:5 frame #11: 0x0000000100005344 jsc`jscmain(argc=2, argv=0x00007ffeefbff690) at jsc.cpp:3002:5 frame #12: 0x00000001000052ee jsc`main(argc=2, argv=0x00007ffeefbff690) at jsc.cpp:2410:15 frame #13: 0x00007fff57fca0a5 libdyld.dylib`start + 1 It appears this i due to the implicit temporary CString getting destructed after the call to Cstring::data(), but before the call to Options::setOptions(). 1523396 1 366521 msaboff 2019-04-02 12:16:19 -0700 Created attachment 366521 Patch 1523398 2 366521 keith_miller 2019-04-02 12:18:29 -0700 Comment on attachment 366521 Patch r=me. 1523399 3 msaboff 2019-04-02 12:20:14 -0700 <rdar://problem/49529020> 1523419 4 366521 commit-queue 2019-04-02 12:57:04 -0700 Comment on attachment 366521 Patch Clearing flags on attachment: 366521 Committed r243754: <https://trac.webkit.org/changeset/243754> 1523420 5 commit-queue 2019-04-02 12:57:05 -0700 All reviewed patches have been landed. Closing bug. 366521 2019-04-02 12:16:19 -0700 2019-04-02 12:57:04 -0700 Patch 196506.patch text/plain 1672 msaboff SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMjQzNzUwKQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE2IEBA CisyMDE5LTA0LTAyICBNaWNoYWVsIFNhYm9mZiAgPG1zYWJvZmZAYXBwbGUuY29tPgorCisgICAg ICAgIENyYXNoIGluIE9wdGlvbnM6OnNldE9wdGlvbnMoKSB1c2luZyAtLWNvbmZpZ0ZpbGUgb3B0 aW9uIGFuZCBsaWJnbWFsbG9jCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3df YnVnLmNnaT9pZD0xOTY1MDYKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4K KworICAgICAgICBDaGFuZ2VkIHRvIGNhbGwgQ1N0cmluZzo6ZGF0YSgpIHdoaWxlIG1ha2luZyB0 aGUgY2FsbCB0byBPcHRpb25zOjpzZXRPcHRpb25zKCkuICBUaGlzIGtlZXBzCisgICAgICAgIHRo ZSBpbXBsaWNpdCBDU3RyaW5nIHRlbXBvcmFyeSBhbGl2ZSB1bnRpbCBhZnRlciBzZXRPcHRpb25z KCkgcmV0dXJucy4KKworICAgICAgICAqIHJ1bnRpbWUvQ29uZmlnRmlsZS5jcHA6CisgICAgICAg IChKU0M6OkNvbmZpZ0ZpbGU6OnBhcnNlKToKKwogMjAxOS0wNC0wMiAgRnVqaWkgSGlyb25vcmkg IDxIaXJvbm9yaS5GdWppaUBzb255LmNvbT4KIAogICAgICAgICBbQ01ha2VdIFdFQktJVF9NQUtF X0ZPUldBUkRJTkdfSEVBREVSUyBzaG91bGRuJ3QgdXNlIFBPU1RfQlVJTEQgdG8gY29weSBnZW5l cmF0ZWQgaGVhZGVycwpJbmRleDogU291cmNlL0phdmFTY3JpcHRDb3JlL3J1bnRpbWUvQ29uZmln RmlsZS5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PQotLS0gU291cmNlL0phdmFTY3JpcHRDb3JlL3J1bnRpbWUvQ29u ZmlnRmlsZS5jcHAJKHJldmlzaW9uIDI0Mzc0OCkKKysrIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9y dW50aW1lL0NvbmZpZ0ZpbGUuY3BwCSh3b3JraW5nIGNvcHkpCkBAIC00NjUsOSArNDY1LDggQEAg dm9pZCBDb25maWdGaWxlOjpwYXJzZSgpCiAgICAgICAgICAgICBXVEY6OnNldERhdGFGaWxlKGxv Z1BhdGhuYW1lKTsKIAogICAgICAgICBpZiAoIWpzY09wdGlvbnNCdWlsZGVyLmlzRW1wdHkoKSkg ewotICAgICAgICAgICAgY29uc3QgY2hhciogb3B0aW9uc1N0ciA9IGpzY09wdGlvbnNCdWlsZGVy LnRvU3RyaW5nKCkudXRmOCgpLmRhdGEoKTsKICAgICAgICAgICAgIE9wdGlvbnM6OmVuYWJsZVJl c3RyaWN0ZWRPcHRpb25zKHRydWUpOwotICAgICAgICAgICAgT3B0aW9uczo6c2V0T3B0aW9ucyhv cHRpb25zU3RyKTsKKyAgICAgICAgICAgIE9wdGlvbnM6OnNldE9wdGlvbnMoanNjT3B0aW9uc0J1 aWxkZXIudG9TdHJpbmcoKS51dGY4KCkuZGF0YSgpKTsKICAgICAgICAgfQogICAgIH0gZWxzZQog ICAgICAgICBXVEY6OmRhdGFMb2dGKCJFcnJvciBpbiBKU0MgQ29uZmlnIGZpbGUgb24gb3IgbmVh ciBsaW5lICV1LCBwYXJzaW5nICclcydcbiIsIHNjYW5uZXIubGluZU51bWJlcigpLCBzY2FubmVy LmN1cnJlbnRCdWZmZXIoKSk7Cg==