Bug 123940

Summary:

Reproducible crash when using Map (affects Web Inspector)

Product:

WebKit

Reporter:

Alexandru Chiculita <achicu>

Component:

JavaScriptCore

Assignee:

Oliver Hunt <oliver>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

ggaren, joepeck, oliver, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

528+ (Nightly build)

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Crash report	none
Test case	none
Patch	ggaren: review+

Alexandru Chiculita

Reported 2013-11-06 17:07:28 PST

I've used the Map structure in the WebInspector and I've found this crash. I will post more data on how to reproduce this with a test case as soon as I isolate the issue. Crashlog: 0 com.apple.JavaScriptCore 0x0000000109a923c9 JSC::MapData::get(JSC::ExecState*, JSC::MapData::KeyType) + 185 (WriteBarrier.h:168) 1 com.apple.JavaScriptCore 0x0000000109a9476e JSC::mapProtoFuncGet(JSC::ExecState*) + 334 (MapPrototype.cpp:138) 2 ??? 0x0000218ff54010a5 0 + 36902178656421 3 com.apple.JavaScriptCore 0x00000001099add78 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::VM*) + 40 (VM.h:361) 4 com.apple.JavaScriptCore 0x0000000109984651 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 529 (Interpreter.cpp:958) 5 com.apple.JavaScriptCore 0x000000010984dc7e JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 62 (CallData.cpp:39) 6 com.apple.JavaScriptCore 0x00000001099fe4e3 JSC::boundFunctionCall(JSC::ExecState*) + 579 (JSBoundFunction.cpp:54) 7 com.apple.JavaScriptCore 0x0000000109984682 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 578 (Interpreter.cpp:961) 8 com.apple.JavaScriptCore 0x000000010984dc7e JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 62 (CallData.cpp:39) 9 com.apple.WebCore 0x000000010a923a5f WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue, WebCore::ScriptExecutionContext*) + 479 (JSMainThreadExecState.h:76) 10 com.apple.WebCore 0x000000010a923697 WebCore::ScheduledAction::execute(WebCore::Document*) + 151 (ScheduledAction.cpp:133) 11 com.apple.WebCore 0x000000010a172090 WebCore::DOMTimer::fired() + 304 (InspectorInstrumentation.h:292) 12 com.apple.WebCore 0x000000010aab05cf WebCore::ThreadTimers::sharedTimerFiredInternal() + 175 (ThreadTimers.cpp:132) 13 com.apple.WebCore 0x000000010a97405a WebCore::timerFired(__CFRunLoopTimer*, void*) + 58 (SharedTimerMac.mm:134) 14 com.apple.CoreFoundation 0x00007fff94d56724 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20 15 com.apple.CoreFoundation 0x00007fff94d5625f __CFRunLoopDoTimer + 1151 16 com.apple.CoreFoundation 0x00007fff94dc776a __CFRunLoopDoTimers + 298 17 com.apple.CoreFoundation 0x00007fff94d11aa5 __CFRunLoopRun + 1525 18 com.apple.CoreFoundation 0x00007fff94d11275 CFRunLoopRunSpecific + 309 19 com.apple.HIToolbox 0x00007fff92e5bf0d RunCurrentEventLoopInMode + 226 20 com.apple.HIToolbox 0x00007fff92e5bcb7 ReceiveNextEventCommon + 479 21 com.apple.HIToolbox 0x00007fff92e5babc _BlockUntilNextEventMatchingListInModeWithFilter + 65 22 com.apple.AppKit 0x00007fff98b2f28e _DPSNextEvent + 1434 23 com.apple.AppKit 0x00007fff98b2e8db -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 122 24 com.apple.AppKit 0x00007fff98b229cc -[NSApplication run] + 553 25 com.apple.AppKit 0x00007fff98b0d803 NSApplicationMain + 940 26 com.apple.XPCService 0x00007fff948d3c0f _xpc_main + 385 27 libxpc.dylib 0x00007fff91082b2e xpc_main + 399 28 com.apple.WebKit.WebContent.Development 0x00000001034116a0 main + 16 (XPCServiceMain.Development.mm:91) 29 libdyld.dylib 0x00007fff98a425fd start + 1

Attachments
Crash report (57.65 KB, application/octet-stream) 2013-11-06 17:13 PST, Alexandru Chiculita	no flags	Details
Test case (970 bytes, text/html) 2013-11-06 17:33 PST, Alexandru Chiculita	no flags	Details
Patch (6.38 KB, patch) 2013-11-07 13:54 PST, Oliver Hunt	ggaren: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Oliver Hunt

Comment 1 2013-11-06 17:12:22 PST

Do you know what the key was?

Oliver Hunt

Comment 2 2013-11-06 17:12:48 PST

(as in object, string, something else?)

Alexandru Chiculita

Comment 3 2013-11-06 17:13:36 PST

Created attachment 216245 [details] Crash report

Joseph Pecoraro

Comment 4 2013-11-06 17:16:51 PST

The use of Map was added in:<http://trac.webkit.org/browser/trunk/Source/WebInspectorUI/UserInterface/ContentFlowTreeContentView.js?rev=158788> The keys being added to the map are numbers.

Alexandru Chiculita

Comment 5 2013-11-06 17:33:04 PST

Created attachment 216250 [details] Test case

Alexandru Chiculita

Comment 6 2013-11-07 09:13:18 PST

I've reduced the number of map calls to just a few. Removing any of the remaining calls will not reproduce the crash anymore: <script> var map = new Map(); var flow = {}; map.set(81, flow); map.set(83, flow); map.set(85, flow); map.set(87, flow); map.set(89, flow); map.set(91, flow); map.delete(91); map.set(93, flow); map.set(95, flow); map.set(97, flow); map.get(97); </script>

Alexey Proskuryakov

Comment 7 2013-11-07 09:42:02 PST

Re-titling to make it even clearer that it's a JSC bug, not a Web Inspector one.

Radar WebKit Bug Importer

Comment 8 2013-11-07 12:17:36 PST

<rdar://problem/15416909>

Oliver Hunt

Comment 9 2013-11-07 13:34:50 PST

Sorry, i've fixed this, but had errands all over today

Alexandru Chiculita

Comment 10 2013-11-07 13:44:58 PST

(In reply to comment #9) > Sorry, i've fixed this, but had errands all over today Do you think this could be related to this bug? It also happens in the WebInspector. I always see mapProtoFuncForEach on the stack. Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x000000010728fc8e llint_op_get_by_id + 56 1 com.apple.JavaScriptCore 0x00000001071a92a8 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::VM*) + 40 (VM.h:361) 2 com.apple.JavaScriptCore 0x00000001071802bd JSC::Interpreter::execute(JSC::CallFrameClosure&) + 269 (Interpreter.cpp:1141) 3 com.apple.JavaScriptCore 0x0000000107295755 JSC::mapProtoFuncForEach(JSC::ExecState*) + 789 (MapData.h:173) 4 ??? 0x00003286cfa010a5 0 + 55554590380197 5 com.apple.JavaScriptCore 0x00000001071a92a8 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::VM*) + 40 (VM.h:361) 6 com.apple.JavaScriptCore 0x000000010717fb81 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 529 (Interpreter.cpp:958) 7 com.apple.JavaScriptCore 0x000000010704fade JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 62 (CallData.cpp:39) 8 com.apple.JavaScriptCore 0x00000001072022c3 JSC::boundFunctionCall(JSC::ExecState*) + 579 (JSBoundFunction.cpp:54) 9 ??? 0x00003286cfa010a5 0 + 55554590380197 10 com.apple.JavaScriptCore 0x00000001071a92a8 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::VM*) + 40 (VM.h:361) 11 com.apple.JavaScriptCore 0x000000010717fb81 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 529 (Interpreter.cpp:958) 12 com.apple.JavaScriptCore 0x000000010704fade JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 62 (CallData.cpp:39) 13 com.apple.WebCore 0x0000000107cf6d4c WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 892 (JSMainThreadExecState.h:53) 14 com.apple.WebCore 0x00000001079d5a5e WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul, WTF::CrashOnOverflow>&) + 750 (EventTarget.cpp:285) 15 com.apple.WebCore 0x00000001079d5605 WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 181 (EventTarget.cpp:232) 16 com.apple.WebCore 0x00000001079c0e2e WebCore::MouseOrFocusEventContext::handleLocalEvents(WebCore::Event&) const + 190 (EventContext.cpp:87) 17 com.apple.WebCore 0x00000001079c18c6 WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WTF::PassRefPtr<WebCore::Event>) + 1062 (Event.h:148) 18 com.apple.WebCore 0x0000000107f5521d WebCore::Node::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) + 29 (Node.cpp:1972) 19 com.apple.WebCore 0x00000001079af157 WebCore::Element::dispatchMouseEvent(WebCore::PlatformMouseEvent const&, WTF::AtomicString const&, int, WebCore::Element*) + 263 (Element.cpp:239) 20 com.apple.WebCore 0x00000001079c89a9 WebCore::EventHandler::dispatchMouseEvent(WTF::AtomicString const&, WebCore::Node*, bool, int, WebCore::PlatformMouseEvent const&, bool) + 105 (EventHandler.cpp:2341) 21 com.apple.WebCore 0x00000001079c8586 WebCore::EventHandler::handleMousePressEvent(WebCore::PlatformMouseEvent const&) + 1430 (EventHandler.cpp:1581) 22 com.apple.WebKit2 0x0000000106ad7f62 WebKit::handleMouseEvent(WebKit::WebMouseEvent const&, WebKit::WebPage*, bool) + 207 (WebPage.cpp:1571) 23 com.apple.WebKit2 0x0000000106ad7e57 WebKit::WebPage::mouseEvent(WebKit::WebMouseEvent const&) + 221 (WebPage.cpp:1517) 24 com.apple.WebKit2 0x0000000106aeb866 void CoreIPC::handleMessage<Messages::WebPage::MouseEvent, WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::WebMouseEvent const&)>(CoreIPC::MessageDecoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::WebMouseEvent const&)) + 83 (HandleMessage.h:375) 25 com.apple.WebKit2 0x0000000106ae91b7 WebKit::WebPage::didReceiveWebPageMessage(CoreIPC::Connection*, CoreIPC::MessageDecoder&) + 739 (WebPageMessageReceiver.cpp:119) 26 com.apple.WebKit2 0x0000000106a12675 CoreIPC::MessageReceiverMap::dispatchMessage(CoreIPC::Connection*, CoreIPC::MessageDecoder&) + 125 (MessageReceiverMap.cpp:86) 27 com.apple.WebKit2 0x0000000106b29120 WebKit::WebProcess::didReceiveMessage(CoreIPC::Connection*, CoreIPC::MessageDecoder&) + 28 (WebProcess.cpp:636) 28 com.apple.WebKit2 0x00000001069e40d0 CoreIPC::Connection::dispatchMessage(std::__1::unique_ptr<CoreIPC::MessageDecoder, std::__1::default_delete<CoreIPC::MessageDecoder> >) + 94 (memory:2665) 29 com.apple.WebKit2 0x00000001069e5f46 CoreIPC::Connection::dispatchOneMessage() + 106 (memory:2684) 30 com.apple.WebCore 0x0000000108127500 WebCore::RunLoop::performWork() + 288 (RunLoop.cpp:106) 31 com.apple.WebCore 0x0000000108127c82 WebCore::RunLoop::performWork(void*) + 34 (RunLoopCF.cpp:39) 32 com.apple.CoreFoundation 0x00007fff94d208f1 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17 33 com.apple.CoreFoundation 0x00007fff94d12062 __CFRunLoopDoSources0 + 242 34 com.apple.CoreFoundation 0x00007fff94d117ef __CFRunLoopRun + 831 35 com.apple.CoreFoundation 0x00007fff94d11275 CFRunLoopRunSpecific + 309 36 com.apple.HIToolbox 0x00007fff92e5bf0d RunCurrentEventLoopInMode + 226 37 com.apple.HIToolbox 0x00007fff92e5bcb7 ReceiveNextEventCommon + 479 38 com.apple.HIToolbox 0x00007fff92e5babc _BlockUntilNextEventMatchingListInModeWithFilter + 65 39 com.apple.AppKit 0x00007fff98b2f28e _DPSNextEvent + 1434 40 com.apple.AppKit 0x00007fff98b2e8db -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 122 41 com.apple.AppKit 0x00007fff98b229cc -[NSApplication run] + 553 42 com.apple.AppKit 0x00007fff98b0d803 NSApplicationMain + 940 43 com.apple.XPCService 0x00007fff948d3c0f _xpc_main + 385 44 libxpc.dylib 0x00007fff91082b2e xpc_main + 399 45 com.apple.WebKit.WebContent.Development 0x0000000100c316a0 main + 16 (XPCServiceMain.Development.mm:91) 46 libdyld.dylib 0x00007fff98a425fd start + 1

Oliver Hunt

Comment 11 2013-11-07 13:54:38 PST

Created attachment 216333 [details] Patch

Geoffrey Garen

Comment 12 2013-11-07 14:03:15 PST

Comment on attachment 216333 [details] Patch r=me

Oliver Hunt

Comment 13 2013-11-07 14:18:04 PST

Committed r158875: <http://trac.webkit.org/changeset/158875>

Alexandru Chiculita

Comment 14 2013-11-07 15:40:47 PST

(In reply to comment #10) > (In reply to comment #9) > > Sorry, i've fixed this, but had errands all over today > > Do you think this could be related to this bug? It also happens in the WebInspector. I always see mapProtoFuncForEach on the stack. > I've added https://bugs.webkit.org/show_bug.cgi?id=124017 to track that other issue. I've added a test case that reproduces it too.

Note You need to log in before you can comment on or make changes to this bug.