Bug 125314

Summary: C Loop LLINT layout test regressions
Product: WebKit
Reporter: Mark Lam <mark.lam>
Component: JavaScriptCore
Assignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED
Severity: Normal
CC: fpizlo, ggaren, mhahnenberg, msaboff, oliver
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments:
  Description: the patch.    Flags: ggaren: review+

Description Mark Lam 2013-12-05 12:45:01 PST
A release build will yield the following crashes.

Regressions: Unexpected crashes (15)
  http/tests/plugins/third-party-cookie-accept-policy.html [ Crash ]
  plugins/keyboard-events.html [ Crash ]
  plugins/mouse-events.html [ Crash ]
  plugins/netscape-dom-access-and-reload.html [ Crash ]
  plugins/netscape-dom-access.html [ Crash ]
  plugins/netscape-plugin-map-data-to-src.html [ Crash ]
  plugins/netscape-plugin-setwindow-size-2.html [ Crash ]
  plugins/netscape-plugin-setwindow-size.html [ Crash ]
  plugins/no-mime-with-valid-extension.html [ Crash ]
  plugins/npruntime/overrides-all-properties.html [ Crash ]
  plugins/npruntime/tostring.html [ Crash ]
  plugins/pass-different-npp-struct.html [ Crash ]
  plugins/resize-from-plugin.html [ Crash ]
  plugins/script-object-invoke.html [ Crash ]
  plugins/window-open.html [ Crash ]

The list may vary with runs. Hence, the root cause may be racy.

On release builds, the crash stack trace often looks like this:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x0000000106de1b31 JSC::VM::clearExceptionStack() + 33 (RefCountedArray.h:98)
1   com.apple.JavaScriptCore      	0x0000000106cbf160 JSC::VMEntryScope::VMEntryScope(JSC::VM&, JSC::JSGlobalObject*) + 272 (VMEntryScope.cpp:67)
2   com.apple.JavaScriptCore      	0x0000000106c433ec JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 156 (Interpreter.cpp:926)
3   com.apple.JavaScriptCore      	0x0000000106c0723e JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 62 (CallData.cpp:39)
4   com.apple.WebKit              	0x000000010712bc4b WebKit::NetscapePluginInstanceProxy::invoke(unsigned int, JSC::Identifier const&, char*, unsigned int, char*&, unsigned int&) + 667 (NetscapePluginInstanceProxy.mm:929)
5   com.apple.WebKit              	0x00000001071252b0 WKPCInvoke + 272 (NetscapePluginInstanceProxy.h:79)
6   com.apple.WebKit              	0x0000000107191e07 _XPCInvoke + 103 (WebKitPluginClientServer.c:1700)
7   com.apple.WebKit              	0x0000000107192821 WebKitPluginClient_server + 81 (WebKitPluginClientServer.c:3535)
8   com.apple.WebKit              	0x00000001071240e9 WebKit::NetscapePluginHostProxy::processRequests() + 185 (NetscapePluginHostProxy.mm:301) 
…

On debug builds, the crash stack trace often looks like one of the two following (the same trace, but differing depending on who captured it, e.g. one has the assertion that failed, the other has line numbers):

ASSERTION FAILED: !heap.vm()->isInitializingObject()
/Volumes/Data/ws6/OpenSource/WebKitBuild/Debug/JavaScriptCore.framework/PrivateHeaders/JSCellInlines.h(92) : void *JSC::allocateCell(JSC::Heap &, size_t) [T = JSC::Structure]
1   0x1083d4780 WTFCrash
2   0x10911d984 void* JSC::allocateCell<JSC::Structure>(JSC::Heap&, unsigned long)
3   0x10911d72f void* JSC::allocateCell<JSC::Structure>(JSC::Heap&)
4   0x10911d4af JSC::Structure::create(JSC::VM&, JSC::JSGlobalObject*, JSC::JSValue, JSC::TypeInfo const&, JSC::ClassInfo const*, unsigned char, unsigned int)
5   0x10911d350 WebKit::ProxyRuntimeObject::createStructure(JSC::VM&, JSC::JSGlobalObject*, JSC::JSValue)
6   0x10911d1fd JSC::Structure* WebCore::getDOMStructure<WebKit::ProxyRuntimeObject>(JSC::VM&, WebCore::JSDOMGlobalObject*)
7   0x109117f0e JSC::Structure* WebCore::deprecatedGetDOMStructure<WebKit::ProxyRuntimeObject>(JSC::ExecState*)
8   0x10911625d WebKit::ProxyInstance::newRuntimeObject(JSC::ExecState*)
9   0x10996e626 JSC::Bindings::Instance::createRuntimeObject(JSC::ExecState*)
10  0x10a74da3a WebCore::pluginScriptObject(JSC::ExecState*, WebCore::JSHTMLElement*)
11  0x10a74dbb5 WebCore::pluginElementCustomGetOwnPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&, WebCore::JSHTMLElement*)
12  0x10a6423d2 bool WebCore::pluginElementCustomGetOwnPropertySlot<WebCore::JSHTMLEmbedElement, WebCore::JSHTMLElement>(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&, WebCore::JSHTMLEmbedElement*)
13  0x10a642235 WebCore::JSHTMLEmbedElement::getOwnPropertySlotDelegate(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)
14  0x10a640489 WebCore::JSHTMLEmbedElement::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)
15  0x107f7cdaf JSC::JSObject::fastGetOwnPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)
16  0x107f7cb2d JSC::JSObject::getPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)
17  0x107f9800d JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const
18  0x1081d058b llint_slow_path_get_by_id
19  0x1081e54ad JSC::LLInt::CLoop::execute(JSC::ExecState*, void*, bool)
20  0x1081daaba JSC::executeJS(JSC::ExecState*, void*)
21  0x1081da80a long long JSC::doCallToJavaScript<&(JSC::executeJS(JSC::ExecState*, void*))>(void*, JSC::ProtoCallFrame*)
22  0x1081da675 callToJavaScript
23  0x10809913f JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*, JSC::Register*)
24  0x108090808 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
25  0x107fe389e JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
26  0x10a47bf3b WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
27  0x10a5be914 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*)
28  0x109eb5f21 WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul, WTF::CrashOnOverflow>&)
29  0x109eb586e WebCore::EventTarget::fireEventListeners(WebCore::Event*)
30  0x109dfc4b0 WebCore::DOMWindow::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, WTF::PassRefPtr<WebCore::EventTarget>)
31  0x109e032c8 WebCore::DOMWindow::dispatchLoadEvent()

or:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x0000000104a4d78a WTFCrash + 42 (Assertions.cpp:341)
1   com.apple.WebKit              	0x0000000105797984 void* JSC::allocateCell<JSC::Structure>(JSC::Heap&, unsigned long) + 196 (JSCellInlines.h:92)
2   com.apple.WebKit              	0x000000010579772f void* JSC::allocateCell<JSC::Structure>(JSC::Heap&) + 31 (JSCellInlines.h:109)
3   com.apple.WebKit              	0x00000001057974af JSC::Structure::create(JSC::VM&, JSC::JSGlobalObject*, JSC::JSValue, JSC::TypeInfo const&, JSC::ClassInfo const*, unsigned char, unsigned int) + 191 (StructureInlines.h:39)
4   com.apple.WebKit              	0x0000000105797350 WebKit::ProxyRuntimeObject::createStructure(JSC::VM&, JSC::JSGlobalObject*, JSC::JSValue) + 112 (ProxyRuntimeObject.h:53)
5   com.apple.WebKit              	0x00000001057971fd JSC::Structure* WebCore::getDOMStructure<WebKit::ProxyRuntimeObject>(JSC::VM&, WebCore::JSDOMGlobalObject*) + 141 (JSDOMBinding.h:104)
6   com.apple.WebKit              	0x0000000105791f0e JSC::Structure* WebCore::deprecatedGetDOMStructure<WebKit::ProxyRuntimeObject>(JSC::ExecState*) + 46 (JSDOMBinding.h:110)
7   com.apple.WebKit              	0x000000010579025d WebKit::ProxyInstance::newRuntimeObject(JSC::ExecState*) + 45 (ProxyInstance.mm:134)
8   com.apple.WebCore             	0x0000000105fe9626 JSC::Bindings::Instance::createRuntimeObject(JSC::ExecState*) + 278 (BridgeJSC.cpp:79)
9   com.apple.WebCore             	0x0000000106dc8a3a WebCore::pluginScriptObject(JSC::ExecState*, WebCore::JSHTMLElement*) + 282 (JSPluginElementFunctions.cpp:100)
10  com.apple.WebCore             	0x0000000106dc8bb5 WebCore::pluginElementCustomGetOwnPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&, WebCore::JSHTMLElement*) + 37 (JSPluginElementFunctions.cpp:115)
11  com.apple.WebCore             	0x0000000106cbd3d2 bool WebCore::pluginElementCustomGetOwnPropertySlot<WebCore::JSHTMLEmbedElement, WebCore::JSHTMLElement>(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&, WebCore::JSHTMLEmbedElement*) + 274 (JSPluginElementFunctions.h:57)
12  com.apple.WebCore             	0x0000000106cbd235 WebCore::JSHTMLEmbedElement::getOwnPropertySlotDelegate(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) + 53 (JSHTMLEmbedElementCustom.cpp:38)
13  com.apple.WebCore             	0x0000000106cbb489 WebCore::JSHTMLEmbedElement::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) + 313 (JSHTMLEmbedElement.cpp:126)
14  com.apple.JavaScriptCore      	0x00000001045f5daf JSC::JSObject::fastGetOwnPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) + 159 (JSObject.h:1219)
15  com.apple.JavaScriptCore      	0x00000001045f5b2d JSC::JSObject::getPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) + 61 (JSObject.h:1228)
16  com.apple.JavaScriptCore      	0x000000010461100d JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const + 253 (JSCJSValueInlines.h:669)
17  com.apple.JavaScriptCore      	0x000000010484958b llint_slow_path_get_by_id + 235 (LLIntSlowPaths.cpp:518)
18  com.apple.JavaScriptCore      	0x000000010485e4ad JSC::LLInt::CLoop::execute(JSC::ExecState*, void*, bool) + 39965 (LLIntAssembly.h:2053)
19  com.apple.JavaScriptCore      	0x0000000104853aba JSC::executeJS(JSC::ExecState*, void*) + 42 (LLIntThunks.cpp:132)
20  com.apple.JavaScriptCore      	0x000000010485380a long long JSC::doCallToJavaScript<&(JSC::executeJS(JSC::ExecState*, void*))>(void*, JSC::ProtoCallFrame*) + 394 (LLIntThunks.cpp:122)
21  com.apple.JavaScriptCore      	0x0000000104853675 callToJavaScript + 37 (LLIntThunks.cpp:137)
22  com.apple.JavaScriptCore      	0x000000010471213f JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*, JSC::Register*) + 159 (JITCode.cpp:48)
23  com.apple.JavaScriptCore      	0x0000000104709108 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) + 4520 (Interpreter.cpp:880)
24  com.apple.JavaScriptCore      	0x00000001046a2f0f JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) + 479 (Completion.cpp:82)
25  com.apple.WebKit              	0x00000001057621a9 WebKit::NetscapePluginInstanceProxy::evaluate(unsigned int, WTF::String const&, char*&, unsigned int&, bool) + 633 (SourceCode.h:116)
26  com.apple.WebKit              	0x00000001057503e2 WKPCEvaluate + 370 (NetscapePluginHostProxy.mm:592)
27  com.apple.WebKit              	0x000000010585d8ca _XPCEvaluate + 154 (WebKitPluginClientServer.c:1612)
28  com.apple.WebKit              	0x000000010585e9ac WebKitPluginClient_server + 236 (WebKitPluginClientServer.c:3536)
29  com.apple.WebKit              	0x000000010574dd5f WebKit::NetscapePluginHostProxy::processRequests() + 431 (NetscapePluginHostProxy.mm:301)
30  com.apple.WebKit              	0x00000001057617dd WebKit::NetscapePluginInstanceProxy::processRequestsAndWaitForReply(unsigned int) + 1101 (NetscapePluginInstanceProxy.mm:822)
31  com.apple.WebKit              	0x0000000105767afa std::__1::unique_ptr<WebKit::NetscapePluginInstanceProxy::BooleanReply, std::__1::default_delete<WebKit::NetscapePluginInstanceProxy::BooleanReply> > WebKit::NetscapePluginInstanceProxy::waitForReply<WebKit::NetscapePluginInstanceProxy::BooleanReply>(unsigned int) + 122 (NetscapePluginInstanceProxy.h:265)
32  com.apple.WebKit              	0x000000010575cd67 WebKit::NetscapePluginInstanceProxy::resize(CGRect, CGRect) + 183 (NetscapePluginInstanceProxy.mm:277)
33  com.apple.WebKit              	0x000000010581c391 -[WebHostedNetscapePluginView updateAndSetWindow] + 1297 (WebHostedNetscapePluginView.mm:260)
34  com.apple.WebKit              	0x00000001057a7558 -[WebBaseNetscapePluginView start] + 584 (WebBaseNetscapePluginView.mm:412)
35  com.apple.WebKit              	0x00000001057a7e46 -[WebBaseNetscapePluginView viewDidMoveToWindow] + 262 (WebBaseNetscapePluginView.mm:548)
36  com.apple.AppKit              	0x00007fff9803d2e7 -[NSView _setWindow:] + 2788
37  com.apple.AppKit              	0x00007fff98046a77 -[NSView addSubview:] + 407
38  com.apple.WebKit              	0x0000000105832f69 -[WebHTMLView addSubview:] + 73 (WebHTMLView.mm:2982)
39  com.apple.WebCore             	0x000000010762f5b6 WebCore::ScrollView::platformAddChild(WebCore::Widget*) + 358 (ScrollViewMac.mm:71)
40  com.apple.WebCore             	0x0000000107625a8c WebCore::ScrollView::addChild(WTF::PassRefPtr<WebCore::Widget>) + 236 (ScrollView.cpp:72)
41  com.apple.WebCore             	0x000000010755bf19 WebCore::WidgetHierarchyUpdatesSuspensionScope::moveWidgets() + 313 (RenderWidget.cpp:68)
42  com.apple.WebCore             	0x0000000106059a8c WebCore::WidgetHierarchyUpdatesSuspensionScope::~WidgetHierarchyUpdatesSuspensionScope() + 108 (RenderWidget.h:43)
43  com.apple.WebCore             	0x0000000106059a15 WebCore::WidgetHierarchyUpdatesSuspensionScope::~WidgetHierarchyUpdatesSuspensionScope() + 21 (RenderWidget.h:45)
44  com.apple.WebCore             	0x0000000106646486 WebCore::FrameView::updateEmbeddedObjects() + 406 (FrameView.cpp:2690)
45  com.apple.WebCore             	0x0000000106640605 WebCore::FrameView::performPostLayoutTasks() + 629 (FrameView.cpp:2751)
46  com.apple.WebCore             	0x000000010663ff21 WebCore::FrameView::layout(bool) + 4385 (FrameView.cpp:1338)
47  com.apple.WebCore             	0x000000010635e338 WebCore::Document::updateLayout() + 328 (Document.cpp:1804)
48  com.apple.WebCore             	0x00000001063614ff WebCore::Document::updateLayoutIgnorePendingStylesheets() + 207 (Document.cpp:1838)
49  com.apple.WebCore             	0x00000001067e115f WebCore::HTMLEmbedElement::renderWidgetForJSBindings() const + 111 (HTMLEmbedElement.cpp:76)
50  com.apple.WebCore             	0x00000001068552fb WebCore::HTMLPlugInElement::pluginWidget() const + 59 (HTMLPlugInElement.cpp:168)
51  com.apple.WebCore             	0x0000000106dc8a69 WebCore::pluginScriptObjectFromPluginViewBase(WebCore::HTMLPlugInElement&, JSC::JSGlobalObject*) + 25 (JSPluginElementFunctions.cpp:56)
52  com.apple.WebCore             	0x0000000106dc89b3 WebCore::pluginScriptObject(JSC::ExecState*, WebCore::JSHTMLElement*) + 147 (JSPluginElementFunctions.cpp:90)
53  com.apple.WebCore             	0x0000000106dc8bb5 WebCore::pluginElementCustomGetOwnPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&, WebCore::JSHTMLElement*) + 37 (JSPluginElementFunctions.cpp:115)
54  com.apple.WebCore             	0x0000000106cbd3d2 bool WebCore::pluginElementCustomGetOwnPropertySlot<WebCore::JSHTMLEmbedElement, WebCore::JSHTMLElement>(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&, WebCore::JSHTMLEmbedElement*) + 274 (JSPluginElementFunctions.h:57)
…
Comment 1 Mark Lam 2013-12-05 20:00:47 PST
Created attachment 218566 [details]
the patch.
Comment 2 Geoffrey Garen 2013-12-05 20:25:42 PST
Comment on attachment 218566 [details]
the patch.

r=me
Comment 3 Mark Lam 2013-12-05 21:13:34 PST
Thanks for the review.  Landed in r160211: <http://trac.webkit.org/r160211>.