| Field | Value |
|---|---|
| Summary | Reproducible crash when using Map (affects Web Inspector) |
| Product | WebKit |
| Component | JavaScriptCore |
| Reporter | Alexandru Chiculita <achicu> |
| Assignee | Oliver Hunt <oliver> |
| Status | RESOLVED FIXED |
| Severity | Normal |
| Priority | P1 |
| CC | ggaren, joepeck, oliver, webkit-bug-importer |
| Keywords | InRadar |
| Version | 528+ (Nightly build) |
| Hardware | Unspecified |
| OS | Unspecified |
| Attachments | 216245 (Crash report), 216250 (Test case), 216333 (Patch) |
Description
Alexandru Chiculita
2013-11-06 17:07:28 PST
Created attachment 216245 [details]
Crash report

Do you know what the key was? (as in object, string, something else?)

The use of Map was added in: <http://trac.webkit.org/browser/trunk/Source/WebInspectorUI/UserInterface/ContentFlowTreeContentView.js?rev=158788>
The keys being added to the map are numbers.

Created attachment 216250 [details]
Test case
I've reduced the number of map calls to just a few. Removing any of the remaining calls will not reproduce the crash anymore:

```html
<script>
var map = new Map();
var flow = {};
map.set(81, flow);
map.set(83, flow);
map.set(85, flow);
map.set(87, flow);
map.set(89, flow);
map.set(91, flow);
map.delete(91);
map.set(93, flow);
map.set(95, flow);
map.set(97, flow);
map.get(97);
</script>
```

Re-titling to make it even clearer that it's a JSC bug, not a Web Inspector one.

Sorry, I've fixed this, but had errands all over today

(In reply to comment #9)
> Sorry, I've fixed this, but had errands all over today

Do you think this could be related to this bug? It also happens in the WebInspector. I always see mapProtoFuncForEach on the stack.
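As an added regression check (example code, not from the bug report or WebKit's own test suite), the reduced set/delete/get sequence above is replayed against a plain reference model: Map invariants are asserted after every operation and after forEach, so a broken delete/re-insert path fails the check instead of only crashing.

```javascript
"use strict";

// Constructed input: the exact set/delete/get sequence from the reduced test case.
const REPRO_OPS = [
  ["set", 81], ["set", 83], ["set", 85], ["set", 87], ["set", 89], ["set", 91],
  ["delete", 91],
  ["set", 93], ["set", 95], ["set", 97],
  ["get", 97],
];

// Replays `ops` on a real Map and on a trivial reference model (an array of
// live keys in insertion order). Any divergence throws, so a broken Map
// implementation fails loudly even when it does not crash outright.
function replayAgainstModel(ops) {
  const map = new Map();
  const model = [];
  const flow = {}; // one shared value object for every key, as in the repro
  for (const [op, key] of ops) {
    if (op === "set") {
      map.set(key, flow);
      if (!model.includes(key)) model.push(key);
    } else if (op === "delete") {
      const expected = model.includes(key);
      if (map.delete(key) !== expected) throw new Error(`delete(${key}) diverged`);
      const i = model.indexOf(key);
      if (i >= 0) model.splice(i, 1);
    } else if (op === "get") {
      const expected = model.includes(key) ? flow : undefined;
      if (map.get(key) !== expected) throw new Error(`get(${key}) diverged`);
    } else {
      throw new Error(`unknown op ${op}`);
    }
    // Invariants after every step: size and has() must agree with the model.
    if (map.size !== model.length) throw new Error(`size diverged after ${op}(${key})`);
    for (const k of model) if (!map.has(k)) throw new Error(`has(${k}) diverged`);
  }
  // forEach must visit exactly the live keys, in insertion order; the second
  // crash mentioned in the report was seen under mapProtoFuncForEach.
  const visited = [];
  map.forEach((_value, k) => visited.push(k));
  if (visited.join(",") !== model.join(",")) throw new Error("forEach diverged");
  return { size: map.size, keys: visited, deletedKeyPresent: map.has(91) };
}
```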
Created attachment 216333 [details]
Patch

Comment on attachment 216333 [details]
Patch

r=me

Committed r158875: <http://trac.webkit.org/changeset/158875>

(In reply to comment #10)
> (In reply to comment #9)
> > Sorry, I've fixed this, but had errands all over today
>
> Do you think this could be related to this bug? It also happens in the WebInspector. I always see mapProtoFuncForEach on the stack.

I've added https://bugs.webkit.org/show_bug.cgi?id=124017 to track that other issue. I've added a test case that reproduces it too.