Bug 128149
| Summary: | REGRESSION: Crash using Web Inspector - Overflow of variablesAtTail in ByteCodeParser::setLocal() | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Michael Saboff <msaboff> |
| Component: | JavaScriptCore | Assignee: | Michael Saboff <msaboff> |
| Status: | RESOLVED WORKSFORME | | |
| Severity: | Normal | CC: | bburg |
| Priority: | P2 | Keywords: | InRadar |
| Version: | 528+ (Nightly build) | | |
| Hardware: | All | | |
| OS: | All | | |
Michael Saboff
From Radar <rdar://problem/15974955>:
I get this by opening the Web Inspector of www.apple.com and navigating around. Clicking on a script in the navigator seems to be the best way to make this happen.
Here is the crash trace in the debugger:
```
(lldb) bt
* thread #15: tid = 0x14187e, 0x0000000108767b0a JavaScriptCore`WTFCrash + 42 at Assertions.cpp:333, name = 'JSC Compilation Thread, stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef)
frame #0: 0x0000000108767b0a JavaScriptCore`WTFCrash + 42 at Assertions.cpp:333
frame #1: 0x000000010808e289 JavaScriptCore`WTF::CrashOnOverflow::overflowed() + 9 at CheckedArithmetic.h:78
frame #2: 0x00000001081acf8f JavaScriptCore`WTF::Vector<JSC::DFG::Node*, 16ul, WTF::CrashOnOverflow>::at(this=0x00007fa6fa587b80, i=31) + 79 at Vector.h:584
frame #3: 0x00000001081acf2d JavaScriptCore`WTF::Vector<JSC::DFG::Node*, 16ul, WTF::CrashOnOverflow>::operator[](this=0x00007fa6fa587b80, i=31) + 29 at Vector.h:604
frame #4: 0x00000001081e42cf JavaScriptCore`JSC::Operands<JSC::DFG::Node*, JSC::DFG::NodePointerTraits>::local(this=0x00007fa6fa587b30, idx=31) + 47 at Operands.h:74
frame #5: 0x00000001081e4282 JavaScriptCore`JSC::DFG::ByteCodeParser::setLocal(this=0x000000011105f9b0, operand=VirtualRegister at 0x000000011105ac10, value=0x00000001190d8500, setMode=ImmediateSet) + 514 at DFGByteCodeParser.cpp:341
frame #6: 0x00000001081ce011 JavaScriptCore`JSC::DFG::ByteCodeParser::DelayedSetLocal::execute(this=0x000000011105aca0, parser=0x000000011105f9b0, setMode=ImmediateSet) + 113 at DFGByteCodeParser.cpp:1122
frame #7: 0x00000001081cfbd9 JavaScriptCore`JSC::DFG::ByteCodeParser::setDirect(this=0x000000011105f9b0, operand=VirtualRegister at 0x000000011105acc8, value=0x00000001190d8500, setMode=ImmediateSet) + 201 at DFGByteCodeParser.cpp:249
frame #8: 0x00000001081cc7e9 JavaScriptCore`JSC::DFG::ByteCodeParser::set(this=0x000000011105f9b0, operand=VirtualRegister at 0x000000011105ad10, value=0x00000001190d8500, setMode=ImmediateSet) + 73 at DFGByteCodeParser.cpp:254
frame #9: 0x00000001081c7883 JavaScriptCore`JSC::DFG::ByteCodeParser::parseBlock(this=0x000000011105f9b0, limit=46) + 33235 at DFGByteCodeParser.cpp:3046
frame #10: 0x00000001081be548 JavaScriptCore`JSC::DFG::ByteCodeParser::parseCodeBlock(this=0x000000011105f9b0) + 1960 at DFGByteCodeParser.cpp:3681
frame #11: 0x00000001081bd4df JavaScriptCore`JSC::DFG::ByteCodeParser::handleInlining(this=0x000000011105f9b0, callTargetNode=0x00000001190d4b80, resultOperand=-1, callLinkStatus=0x000000011105d3f8, registerOffset=-16, argumentCountIncludingThis=9, nextOffset=1220, kind=CodeForCall) + 1615 at DFGByteCodeParser.cpp:1391
frame #12: 0x00000001081bb945 JavaScriptCore`JSC::DFG::ByteCodeParser::handleCall(this=0x000000011105f9b0, result=-1, op=Call, kind=CodeForCall, instructionSize=8, callee=-1, argumentCountIncludingThis=9, registerOffset=-16) + 1045 at DFGByteCodeParser.cpp:1218
frame #13: 0x00000001081bb527 JavaScriptCore`JSC::DFG::ByteCodeParser::handleCall(this=0x000000011105f9b0, pc=0x00007fa6fb3c59e8, op=Call, kind=CodeForCall) + 87 at DFGByteCodeParser.cpp:1157
frame #14: 0x00000001081c75b8 JavaScriptCore`JSC::DFG::ByteCodeParser::parseBlock(this=0x000000011105f9b0, limit=1222) + 32520 at DFGByteCodeParser.cpp:3010
frame #15: 0x00000001081be548 JavaScriptCore`JSC::DFG::ByteCodeParser::parseCodeBlock(this=0x000000011105f9b0) + 1960 at DFGByteCodeParser.cpp:3681
frame #16: 0x00000001081cb88e JavaScriptCore`JSC::DFG::ByteCodeParser::parse(this=0x000000011105f9b0) + 910 at DFGByteCodeParser.cpp:3737
frame #17: 0x00000001081cbbbe JavaScriptCore`JSC::DFG::parse(graph=0x00000001110603b0) + 62 at DFGByteCodeParser.cpp:3762
frame #18: 0x00000001082e899e JavaScriptCore`JSC::DFG::Plan::compileInThreadImpl(this=0x00007fa7026abe70, longLivedState=0x0000000111060d00) + 190 at DFGPlan.cpp:189
frame #19: 0x00000001082e8618 JavaScriptCore`JSC::DFG::Plan::compileInThread(this=0x00007fa7026abe70, longLivedState=0x0000000111060d00) + 264 at DFGPlan.cpp:150
frame #20: 0x000000010838ad74 JavaScriptCore`JSC::DFG::Worklist::runThread(this=0x00007fa6f9f8c260) + 468 at DFGWorklist.cpp:240
frame #21: 0x0000000108389e55 JavaScriptCore`JSC::DFG::Worklist::threadFunction(argument=0x00007fa6f9f8c260) + 21 at DFGWorklist.cpp:261
frame #22: 0x00000001087b65a8 JavaScriptCore`WTF::threadEntryPoint(contextData=0x00007fa6f9f45670) + 152 at Threading.cpp:69
frame #23: 0x00000001087b7208 JavaScriptCore`WTF::wtfThreadEntryPoint(param=0x00007fa6f9f88a20) + 296 at ThreadingPthreads.cpp:170
frame #24: 0x00007fff89aa2899 libsystem_pthread.dylib`_pthread_body + 138
frame #25: 0x00007fff89aa272a libsystem_pthread.dylib`_pthread_start + 137
frame #26: 0x00007fff89aa6fc9 libsystem_pthread.dylib`thread_start + 13
```
The VirtualRegister in question, which is beyond the size of variablesAtTail, is from an inlined call frame. Turning off inlining seems to work around the issue.
Blaze Burg
Another way to reproduce is to inspect most any GitHub webpage and then view some of the hashcode-named JS files in the navigation sidebar.
Michael Saboff
I can no longer reproduce this, either with www.apple.com or a github page (https://github.com/sampsyo/beets/tree/master/beets).
I hit another crash and filed <https://bugs.webkit.org/show_bug.cgi?id=129763> - "Web Inspector: ASSERTION FAILED: m_javaScriptBreakpoints.isEmpty()".