Bug 122445

Summary: Crash while browsing GitHub
Product: WebKit Reporter: Alberto Garcia <berto>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: cgarcia, fpizlo, ggaren, mark.lam, webkit-bug-importer
Priority: P1 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   

Alberto Garcia
Reported 2013-10-07 04:11:43 PDT
This happens with MiniBrowser and the latest trunk (r157033) when loading https://github.com/WebKit/webkit Program received signal SIGTRAP, Trace/breakpoint trap. 0x00007fa601ed6f26 in ?? () #0 0x00007fa601ed6f26 in ?? () #1 0x00007fa5f1797f98 in ?? () #2 0x000000000000000a in ?? () #3 0x0000000002a2b688 in ?? () #4 0x0000000002a2f210 in ?? () #5 0x00007fa601ec3b66 in ?? () #6 0x00007fa5dae68820 in ?? () #7 0x00007fff449589c0 in ?? () #8 0x00007fa653647e34 in JSC::MacroAssemblerCodeRef::operator! (this=0x0) at ../../Source/JavaScriptCore/assembler/MacroAssemblerCodeRef.h:409 #9 0x00007fa6536476f6 in JSC::JITCode::execute (this=0x3af8050, stack=0x26fd8f8, callFrame=0x7fa5f1797f98, vm=0x281b9a0) at ../../Source/JavaScriptCore/jit/JITCode.cpp:46 #10 0x00007fa6536303a8 in JSC::Interpreter::executeCall (this=0x26fd8e0, callFrame=0x7fa60010f4b0, function=0x7fa5db3e4e30, callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:957 #11 0x00007fa653728a42 in JSC::call (exec=0x7fa60010f4b0, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/runtime/CallData.cpp:39 #12 0x00007fa64f26d334 in WebCore::JSMainThreadExecState::call (exec=0x7fa60010f4b0, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/WebCore/bindings/js/JSMainThreadExecState.h:53 #13 0x00007fa64f2973f5 in WebCore::JSEventListener::handleEvent (this=0x2e412d0, scriptExecutionContext=0x36a4900, event=0x27e21f0) at ../../Source/WebCore/bindings/js/JSEventListener.cpp:133 #14 0x00007fa64f54a45f in WebCore::EventTarget::fireEventListeners (this=0x36a4850, event=0x27e21f0, d=0x3169240, entry=...) at ../../Source/WebCore/dom/EventTarget.cpp:277 #15 0x00007fa64f54a177 in WebCore::EventTarget::fireEventListeners (this=0x36a4850, event=0x27e21f0) at ../../Source/WebCore/dom/EventTarget.cpp:233 #16 0x00007fa64f5744c9 in WebCore::Node::handleLocalEvents (this=0x36a4850, event=0x27e21f0) at ../../Source/WebCore/dom/Node.cpp:2067 #17 0x00007fa64f53deca in WebCore::EventContext::handleLocalEvents (this=0x3a55570, event=0x27e21f0) at ../../Source/WebCore/dom/EventContext.cpp:58 #18 0x00007fa64f53f9f9 in WebCore::EventDispatcher::dispatchEventAtTarget (this=0x7fff449590b0) at ../../Source/WebCore/dom/EventDispatcher.cpp:160 #19 0x00007fa64f53f248 in WebCore::EventDispatcher::dispatch (this=0x7fff449590b0) at ../../Source/WebCore/dom/EventDispatcher.cpp:121 #20 0x00007fa64f53e4ed in WebCore::EventDispatchMediator::dispatchEvent (this=0x36add90, dispatcher=0x7fff449590b0) at ../../Source/WebCore/dom/EventDispatchMediator.cpp:54 #21 0x00007fa64f53e77a in WebCore::EventDispatcher::dispatchEvent (node=0x36a4850, mediator=...) at ../../Source/WebCore/dom/EventDispatcher.cpp:52 #22 0x00007fa64f57466d in WebCore::Node::dispatchEvent (this=0x36a4850, event=...) at ../../Source/WebCore/dom/Node.cpp:2088 #23 0x00007fa64f4e1623 in WebCore::Document::finishedParsing (this=0x36a4850) at ../../Source/WebCore/dom/Document.cpp:4438 #24 0x00007fa64f797371 in WebCore::HTMLConstructionSite::finishedParsing (this=0x36ad538) at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:352 #25 0x00007fa64f7cf793 in WebCore::HTMLTreeBuilder::finished (this=0x36ad520) at ../../Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2908 #26 0x00007fa64f79e5ac in WebCore::HTMLDocumentParser::end (this=0x36ac790) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:758 #27 0x00007fa64f79e699 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x36ac790) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:769 #28 0x00007fa64f79d27c in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x36ac790)
Attachments
Add attachment proposed patch, testcase, etc.
Carlos Garcia Campos
Comment 1 2013-10-07 05:08:54 PDT
This looks like a JSC crash.
Carlos Garcia Campos
Comment 2 2013-10-07 05:10:21 PDT
And it's not specific to WebKit2 either, it crashes for me with GtkLauncher too.
Alexey Proskuryakov
Comment 3 2013-10-07 09:43:46 PDT
I could reproduce this page crash with a reload on Mac, but the stack trace wasn't very helpful. Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 ??? 0x0000599bcb97cd32 0 + 98525670526258 1 com.apple.JavaScriptCore 0x000000010716c047 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::VM*) + 71 (JITCode.cpp:46) 2 com.apple.JavaScriptCore 0x000000010714f12f JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1455 (Interpreter.cpp:957) 3 com.apple.JavaScriptCore 0x0000000106ed2b6e JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 190 (CallData.cpp:39)
Alexey Proskuryakov
Comment 4 2013-10-07 09:44:01 PDT
<rdar://problem/15166040>
Mark Lam
Comment 5 2013-10-07 12:39:55 PDT
After a lot of tries on a debug build of r157033, I am able to get a crash in JITted code, but not at JSC::MacroAssemblerCodeRef::operator!(). The crash (at least the one I reproduced) seems to be intermittent. It didn't reproduce for many tries initially, but seems to reproduce more consistently now.
Mark Lam
Comment 6 2013-10-07 12:56:50 PDT
On r157033, here's the crash I'm actually seeing: Program received signal SIGTRAP, Trace/breakpoint trap. 0x00005a8339477d26 in ?? () (gdb) bt #0 0x00005a8339477d26 in ?? () #1 0x00000001103515f7 in JSC::JITCode::execute (this=0x7fc8a29b4af0, stack=0x7fc89d804ba8, callFrame=0x11d4aff98, vm=0x7fc89e026c00) at /Volumes/Data/ws7/OpenSource/Source/JavaScriptCore/jit/JITCode.cpp:46 #2 0x000000011033474f in JSC::Interpreter::executeCall (this=0x7fc89d804b90, callFrame=0x11d4feab0, function=0x11e1f4930, callType=JSC::CallTypeJS, callData=@0x7fff5152e038, thisValue={static numberOfInt52Bits = <optimized out>, static int52ShiftAmount = <optimized out>, u = {asInt64 = 4787337872, ptr = 0x11d58fa90, asBits = {payload = 492370576, tag = 1}}}, args=@0x7fff5152df38) at /Volumes/Data/ws7/OpenSource/Source/JavaScriptCore/interpreter/Interpreter.cpp:957 #3 0x00000001100b0a5e in JSC::call (exec=0x11d4feab0, functionObject={static numberOfInt52Bits = <optimized out>, static int52ShiftAmount = <optimized out>, u = {asInt64 = 4800334128, ptr = 0x11e1f4930, asBits = {payload = 505366832, tag = 1}}}, callType=JSC::CallTypeJS, callData=@0x7fff5152e038, thisValue={static numberOfInt52Bits = <optimized out>, static int52ShiftAmount = <optimized out>, u = {asInt64 = 4787337872, ptr = 0x11d58fa90, asBits = {payload = 492370576, tag = 1}}}, args=@0x7fff5152df38) at /Volumes/Data/ws7/OpenSource/Source/JavaScriptCore/runtime/CallData.cpp:39 #4 0x000000011210576b in WebCore::JSMainThreadExecState::call (exec=0x11d4feab0, functionObject={static numberOfInt52Bits = <optimized out>, static int52ShiftAmount = <optimized out>, u = {asInt64 = 4800334128, ptr = 0x11e1f4930, asBits = {payload = 505366832, tag = 1}}}, callType=JSC::CallTypeJS, callData=@0x7fff5152e038, thisValue={static numberOfInt52Bits = <optimized out>, static int52ShiftAmount = <optimized out>, u = {asInt64 = 4787337872, ptr = 0x11d58fa90, asBits = {payload = 492370576, tag = 1}}}, args=@0x7fff5152df38) at JSMainThreadExecState.h:53 #5 0x000000011223b53f in WebCore::JSEventListener::handleEvent (this=0x7fc89aca4410, scriptExecutionContext=0x7fc89b0b92b0, event=0x7fc8a29bb7c0) at /Volumes/Data/ws7/OpenSource/Source/WebCore/bindings/js/JSEventListener.cpp:132 #6 0x0000000111baf3b2 in WebCore::EventTarget::fireEventListeners (this=0x7fc89b0b9200, event=0x7fc8a29bb7c0, d=0x7fc8a16dbdd0, entry=@0x7fc89ac1c850) at /Volumes/Data/ws7/OpenSource/Source/WebCore/dom/EventTarget.cpp:277 ... (gdb) x /20i $pc 0x5a8339477d27: int3 0x5a8339477d28: int3 0x5a8339477d29: int3 0x5a8339477d2a: int3 0x5a8339477d2b: int3 0x5a8339477d2c: mov %rsp,%rdi 0x5a8339477d2f: mov %r13,0x58(%rsp) 0x5a8339477d34: movl $0x80000001,0x34(%r13) 0x5a8339477d3c: mov $0x11036c320,%r11 0x5a8339477d46: callq *%r11 0x5a8339477d49: jmpq 0x5a8339477b8d 0x5a8339477d4e: pop %rcx 0x5a8339477d4f: mov %rcx,0x10(%r13) 0x5a8339477d53: mov $0x7fc89bdd0140,%r11 0x5a8339477d5d: mov %r11,0x8(%r13) 0x5a8339477d61: mov 0x30(%r13),%edx 0x5a8339477d65: cmp $0x2,%edx 0x5a8339477d68: jae 0x5a8339477b73 0x5a8339477d6e: mov %rsp,%rdi 0x5a8339477d71: mov %r13,0x58(%rsp) This issue may be related to https://bugs.webkit.org/show_bug.cgi?id=122462.
Mark Lam
Comment 7 2013-10-07 17:24:16 PDT
(In reply to comment #6) > This issue may be related to https://bugs.webkit.org/show_bug.cgi?id=122462. Filip said that the int3 is just the way the DFG fails an assertion. Hence, these issues may not be related at all.
Mark Lam
Comment 8 2013-10-08 08:56:03 PDT
It appears that the crash started manifesting after we allow JIT inlining in debug builds: http://trac.webkit.org/changeset/155889. I verified that the crash does not manifest in r155888.
Mark Lam
Comment 9 2013-10-08 17:23:01 PDT
With the help of some JIT probes sprinkled at all the call sites of breakpoint() and bail() in the DFG, we find that the SIGTRAP is due to "!m_state.isValid()" in SpeculativeJIT::compileCurrentBlock() (in DFGSpeculativeJIT.cpp). Again, this only happens if DFG inlining is enabled.
Alberto Garcia
Comment 10 2013-10-09 04:32:54 PDT
(In reply to comment #8) > It appears that the crash started manifesting after we allow JIT > inlining in debug builds: http://trac.webkit.org/changeset/155889. > I verified that the crash does not manifest in r155888. Yes, I can confirm it too. Thanks!
Carlos Garcia Campos
Comment 11 2013-10-09 06:30:20 PDT
(In reply to comment #10) > (In reply to comment #8) > > It appears that the crash started manifesting after we allow JIT > > inlining in debug builds: http://trac.webkit.org/changeset/155889. > > I verified that the crash does not manifest in r155888. > > Yes, I can confirm it too. Thanks! It still crashes for me even after reverting r155889, with a release build.
Alberto Garcia
Comment 12 2013-12-08 10:21:35 PST
This seems to be working fine now. Carlos, can you double-check?
Carlos Garcia Campos
Comment 13 2013-12-10 03:16:42 PST
(In reply to comment #12) > This seems to be working fine now. > > Carlos, can you double-check? Seems to work fine now :-)
Note You need to log in before you can comment on or make changes to this bug.