Bug 119872

Summary: REGRESSION: Crash under JITCompiler::link while loading Gmail
Product: WebKit
Reporter: Ryosuke Niwa <rniwa>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Critical
CC: adam, cgarcia, csaavedra, fpizlo, ggaren, oliver, phiw2, sergio, vjaquez, vomitols, webkit-bug-importer, zan
Priority: P1
Keywords: InRadar, Regression
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified

Ryosuke Niwa
Reported 2013-08-15 15:32:16 PDT
Thread 0:: Dispatch queue: com.apple.main-thread
0 com.apple.JavaScriptCore 0x000000011002cd41 JSC::IdentifierTable::add(WTF::StringImpl*) + 1
1 com.apple.JavaScriptCore 0x000000010fe5e881 JSC::Identifier::addSlowCase(JSC::ExecState*, WTF::StringImpl*) + 129
2 com.apple.JavaScriptCore 0x000000010ff39bf3 JSC::objectProtoFuncHasOwnProperty(JSC::ExecState*) + 307
3 ??? 0x00005c6d70401045 0 + 101625104437317
4 com.apple.JavaScriptCore 0x000000010fe7ea91 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::VM*) + 49
5 com.apple.JavaScriptCore 0x000000010fe647aa JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 650
6 com.apple.JavaScriptCore 0x000000010fd4bff5 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 69
7 com.apple.JavaScriptCore 0x000000010feb45be JSC::boundFunctionCall(JSC::ExecState*) + 526
8 ??? 0x00005c6d70401045 0 + 101625104437317
9 com.apple.JavaScriptCore 0x000000010fe7ea91 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::VM*) + 49
10 com.apple.JavaScriptCore 0x000000010fe647aa JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 650
11 com.apple.JavaScriptCore 0x000000010fd4bff5 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 69
12 com.apple.JavaScriptCore 0x000000010feb45be JSC::boundFunctionCall(JSC::ExecState*) + 526
13 ??? 0x00005c6d70401045 0 + 101625104437317
14 com.apple.JavaScriptCore 0x000000010fe7ea91 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::VM*) + 49
15 com.apple.JavaScriptCore 0x000000010fe647aa JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 650
16 com.apple.JavaScriptCore 0x000000010fd4bff5 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 69
17 com.apple.WebCore 0x0000000110c57eb9 WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue, WebCore::ScriptExecutionContext*) + 441
18 com.apple.WebCore 0x0000000110c57b0a WebCore::ScheduledAction::execute(WebCore::Document*) + 154
19 com.apple.WebCore 0x000000011042a261 WebCore::DOMTimer::fired() + 273
20 com.apple.WebCore 0x0000000110df2def WebCore::ThreadTimers::sharedTimerFiredInternal() + 175
21 com.apple.WebCore 0x0000000110ca7bc3 WebCore::timerFired(__CFRunLoopTimer*, void*) + 51
22 com.apple.CoreFoundation 0x00007fff8e3bc804 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
23 com.apple.CoreFoundation 0x00007fff8e3bc31d __CFRunLoopDoTimer + 557
24 com.apple.CoreFoundation 0x00007fff8e3a1ad9 __CFRunLoopRun + 1529
25 com.apple.CoreFoundation 0x00007fff8e3a10e2 CFRunLoopRunSpecific + 290
26 com.apple.HIToolbox 0x00007fff8d7e8eb4 RunCurrentEventLoopInMode + 209
27 com.apple.HIToolbox 0x00007fff8d7e8c52 ReceiveNextEventCommon + 356
28 com.apple.HIToolbox 0x00007fff8d7e8ae3 BlockUntilNextEventMatchingListInMode + 62
29 com.apple.AppKit 0x00007fff90bbb533 _DPSNextEvent + 685
30 com.apple.AppKit 0x00007fff90bbadf2 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
31 com.apple.AppKit 0x00007fff90bb21a3 -[NSApplication run] + 517
32 com.apple.WebCore 0x0000000110c538f2 WebCore::RunLoop::run() + 82
33 com.apple.WebKit2 0x000000010f96aeb2 int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebContentProcessMainDelegate>(int, char**) + 614
34 com.apple.WebProcess 0x000000010f881e23 main + 337
35 libdyld.dylib 0x00007fff944237e1 start + 1
Radar WebKit Bug Importer
Comment 1 2013-08-15 15:32:58 PDT
Alexey Proskuryakov
Comment 2 2013-08-16 09:51:56 PDT
This stack trace is not useful, because the crash happens on a different thread. In the future, please attach a complete crash log as a file. I can reproduce this, getting this crash:

Thread 15 Crashed:: JSC Compilation Thread
0 com.apple.JavaScriptCore 0x000000010d89b3de WTFCrash + 62
1 com.apple.JavaScriptCore 0x000000010d8b1bb9 WTF::CrashOnOverflow::overflowed() + 9
2 com.apple.JavaScriptCore 0x000000010d76eb6a JSC::DFG::JITCompiler::link(JSC::LinkBuffer&) + 5514
3 com.apple.JavaScriptCore 0x000000010d903507 JSC::DFG::JITCompiler::linkFunction() + 103
4 com.apple.JavaScriptCore 0x000000010d909edb JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) + 971
5 com.apple.JavaScriptCore 0x000000010d909986 JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&) + 214
6 com.apple.JavaScriptCore 0x000000010d924044 JSC::DFG::Worklist::runThread() + 500
7 com.apple.JavaScriptCore 0x000000010d60f88f WTF::wtfThreadEntryPoint(void*) + 15
8 libsystem_pthread.dylib 0x00007fff8bdb38a9 _pthread_body + 138
9 libsystem_pthread.dylib 0x00007fff8bdb373a _pthread_start + 137
10 libsystem_pthread.dylib 0x00007fff8bdb7fd9 thread_start + 13
Alexey Proskuryakov
Comment 3 2013-08-16 09:52:28 PDT
*** Bug 119881 has been marked as a duplicate of this bug. ***
Ryosuke Niwa
Comment 4 2013-08-20 12:56:24 PDT
Still crashing:

ASSERTION FAILED: isInt32()
/Volumes/Data/webkit/Source/JavaScriptCore/runtime/JSCJSValueInlines.h(409) : int32_t JSC::JSValue::asInt32() const
1 0x1031de450 WTFCrash
2 0x102ca4cd5 JSC::JSValue::asInt32() const
3 0x102e54b5a JSC::DFG::LazyJSValue::switchLookupValue() const
4 0x102e51647 JSC::DFG::JITCompiler::link(JSC::LinkBuffer&)
5 0x102e539a4 JSC::DFG::JITCompiler::linkFunction()
6 0x102e88aa9 JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&)
7 0x102e88497 JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&)
8 0x102f2476c JSC::DFG::Worklist::runThread()
9 0x102f238e5 JSC::DFG::Worklist::threadFunction(void*)
10 0x103223490 WTF::threadEntryPoint(void*)
11 0x103223e18 WTF::wtfThreadEntryPoint(void*)
12 0x7fff91c097a2 _pthread_start
13 0x7fff91bf61e1 thread_start
Filip Pizlo
Comment 5 2013-08-21 14:39:05 PDT
Zan Dobersek
Comment 6 2013-08-23 00:22:35 PDT
*** Bug 120198 has been marked as a duplicate of this bug. ***