Bug 141098

Summary:

Google doc spreadsheet reproducibly crashes when sorting

Product:

WebKit

Reporter:

Gavin Sherlock <gsherloc>

Component:

JavaScriptCore

Assignee:

Michael Saboff <msaboff>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

ap, bfulgham, ggaren, mark.lam, ossy, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

528+ (Nightly build)

Hardware:

Mac

OS:

OS X 10.10

Bug Depends on:

141577, 141671, 141676

Bug Blocks:

Attachments:

Description	Flags
crash log	none
Patch	oliver: review+

Description Gavin Sherlock 2015-01-30 13:59:46 PST

Created attachment 245739 [details]
crash log

Step 1.  Go to a google spreadsheet
Step 2.  Sort the spreadsheet by one of the columns

Expected:  Spreadsheet sorts
Actual: tab crashes

Happens reproducibly, in the latest Safari released on OS X Yosemite - Version 8.0.3 (10600.3.18), and on the latest nightly build (r179398).  The fact that it crashes in release safari makes it a showstopper for me.  Relevant part of attached crash log is below.  I don't really want to put the google doc in the public domain, but email me privately if you need access to a copy to reproduce.

Thread 23 Crashed:: WebCore: Worker
0   com.apple.JavaScriptCore      	0x0000000110149317 llint_entry + 4863
1   com.apple.JavaScriptCore      	0x0000000110147e08 vmEntryToJavaScript + 326
2   com.apple.JavaScriptCore      	0x0000000110040a29 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 169
3   com.apple.JavaScriptCore      	0x000000011002160d JSC::Interpreter::execute(JSC::EvalExecutable*, JSC::ExecState*, JSC::JSValue, JSC::JSScope*) + 1613
4   com.apple.JavaScriptCore      	0x0000000110020f80 JSC::eval(JSC::ExecState*) + 2512
5   com.apple.JavaScriptCore      	0x00000001101435c1 llint_slow_path_call_eval + 273
6   com.apple.JavaScriptCore      	0x000000011014da0b llint_entry + 23027
7   com.apple.JavaScriptCore      	0x000000011014d6bc llint_entry + 22180
8   com.apple.JavaScriptCore      	0x000000011014d6bc llint_entry + 22180
9   ???                           	0x00003ab311785af5 0 + 64540766657269
10  ???                           	0x00003ab3117854d6 0 + 64540766655702
11  ???                           	0x00003ab311780c1e 0 + 64540766637086
12  ???                           	0x00003ab311782474 0 + 64540766643316
13  ???                           	0x00003ab311785240 0 + 64540766655040
14  com.apple.JavaScriptCore      	0x0000000110147e08 vmEntryToJavaScript + 326
15  com.apple.JavaScriptCore      	0x0000000110040a29 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 169
16  com.apple.JavaScriptCore      	0x000000011002500d JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 477
17  com.apple.JavaScriptCore      	0x000000010fdad3cf JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, JSC::JSValue*) + 63
18  com.apple.WebCore             	0x0000000110b127de WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 1134
19  com.apple.WebCore             	0x00000001107a00ac WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul, WTF::CrashOnOverflow>&) + 652
20  com.apple.WebCore             	0x000000011079fd4f WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 239
21  com.apple.WebCore             	0x000000011079fc45 WebCore::EventTarget::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) + 85
22  com.apple.WebCore             	0x0000000111383b87 WebCore::XMLHttpRequestProgressEventThrottle::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) + 199
23  com.apple.WebCore             	0x0000000111383c18 WebCore::XMLHttpRequestProgressEventThrottle::dispatchReadyStateChangeEvent(WTF::PassRefPtr<WebCore::Event>, WebCore::ProgressEventAction) + 56
24  com.apple.WebCore             	0x000000011137f168 WebCore::XMLHttpRequest::callReadyStateChangeListener() + 168
25  com.apple.WebCore             	0x0000000111383339 WebCore::XMLHttpRequest::didReceiveData(char const*, int) + 1465
26  com.apple.WebCore             	0x000000011136a8b3 std::__1::__function::__func<WebCore::WorkerThreadableLoader::MainThreadBridge::didReceiveData(char const*, int)::$_5, std::__1::allocator<WebCore::WorkerThreadableLoader::MainThreadBridge::didReceiveData(char const*, int)::$_5>, void (WebCore::ScriptExecutionContext&)>::operator()(WebCore::ScriptExecutionContext&) + 35
27  com.apple.WebCore             	0x0000000111364a68 WebCore::WorkerRunLoop::runInMode(WebCore::WorkerGlobalScope*, WebCore::ModePredicate const&, WebCore::WorkerRunLoop::WaitMode) + 216
28  com.apple.WebCore             	0x0000000111364940 WebCore::WorkerRunLoop::run(WebCore::WorkerGlobalScope*) + 112
29  com.apple.WebCore             	0x0000000111368401 WebCore::WorkerThread::workerThread() + 657
30  com.apple.JavaScriptCore      	0x00000001102c5f23 WTF::threadEntryPoint(void*) + 179
31  com.apple.JavaScriptCore      	0x00000001102c640f WTF::wtfThreadEntryPoint(void*) + 15
32  libsystem_pthread.dylib       	0x00007fff94aa0268 _pthread_body + 131
33  libsystem_pthread.dylib       	0x00007fff94aa01e5 _pthread_start + 176
34  libsystem_pthread.dylib       	0x00007fff94a9e41d thread_start + 13

Comment 1 Radar WebKit Bug Importer 2015-01-30 19:54:51 PST

<rdar://problem/19673627>

Comment 2 Geoffrey Garen 2015-02-02 15:50:58 PST

Can you supply an example spreadsheet that causes this crash when viewed and sorted?

Comment 3 Gavin Sherlock 2015-02-02 17:43:15 PST

Shared a google spreadsheet with you that has the behavior.  I couldn't successfully reduce it unfortunately.

Comment 4 Geoffrey Garen 2015-02-02 17:45:33 PST

Thanks! I can reproduce this crash now.

Comment 5 Michael Saboff 2015-02-12 21:02:43 PST

Created attachment 246503 [details]
Patch

This fixes the crash.  Now we throw an out of stack exception.  There is still an issue with the webpage after the fix.  Now a dialog pops up after the sort completes saying the File is unavailable and that there was a problem.  This is probably due to the out of stack exception.

Comment 6 Oliver Hunt 2015-02-13 07:33:57 PST

Comment on attachment 246503 [details]
Patch

R=me we should work out what is causing the pathological growth in intermediates. I suspect we're trying to simplify something else in a bad way :(

Comment 7 Michael Saboff 2015-02-13 10:58:01 PST

Committed r180060: <http://trac.webkit.org/changeset/180060>

Comment 8 Csaba Osztrogonác 2015-02-13 11:15:52 PST

(In reply to comment #7)
> Committed r180060: <http://trac.webkit.org/changeset/180060>

It broke the cloop bot:

2015-02-13 10:59:03.659 testapi[3268:12127526] Testing Objective-C API
testAPI completed with rc=11 (254)

Comment 9 Michael Saboff 2015-02-13 12:08:07 PST

(In reply to comment #8)
> (In reply to comment #7)
> > Committed r180060: <http://trac.webkit.org/changeset/180060>
> 
> It broke the cloop bot:
> 
> 2015-02-13 10:59:03.659 testapi[3268:12127526] Testing Objective-C API
> testAPI completed with rc=11 (254)

Looking at the loop now.

Comment 10 Brent Fulgham 2015-02-13 12:48:52 PST

It looks like this may have broken JSC tests on Windows (one test):

** The following JSC stress test failures have been introduced:
	jsc-layout-tests.yaml/js/script-tests/regress-141098.js.layout-no-llint

Comment 11 Michael Saboff 2015-02-13 12:54:52 PST

(In reply to comment #10)
> It looks like this may have broken JSC tests on Windows (one test):
> 
> ** The following JSC stress test failures have been introduced:
> 	jsc-layout-tests.yaml/js/script-tests/regress-141098.js.layout-no-llint

That is the new test.

Comment 12 Michael Saboff 2015-02-13 12:59:10 PST

Here is the Windows test failure from the log:

jsc-layout-tests.yaml/js/script-tests/regress-141098.js.layout-no-llint: Regression test for https://webkit.org/b/141098. Make sure eval() properly handles running out of stack space. This test should run without crashing.
jsc-layout-tests.yaml/js/script-tests/regress-141098.js.layout-no-llint: 
jsc-layout-tests.yaml/js/script-tests/regress-141098.js.layout-no-llint: On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
jsc-layout-tests.yaml/js/script-tests/regress-141098.js.layout-no-llint: 
jsc-layout-tests.yaml/js/script-tests/regress-141098.js.layout-no-llint: 
jsc-layout-tests.yaml/js/script-tests/regress-141098.js.layout-no-llint: test_script_9825: line 2:  1584 Segmentation fault      "$@" ../../../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --enableFunctionDotArguments\=true --useLLInt\=false resources/standalone-pre.js regress-141098.js resources/standalone-post.js
jsc-layout-tests.yaml/js/script-tests/regress-141098.js.layout-no-llint: ERROR: Unexpected exit code: 139
FAIL: jsc-layout-tests.yaml/js/script-tests/regress-141098.js.layout-no-llint

Comment 13 Michael Saboff 2015-02-13 12:59:40 PST

Need to fix the C Loop and Windows as noted above.

Comment 14 Michael Saboff 2015-02-19 11:38:19 PST

Windows / Baseline crash tracked in https://bugs.webkit.org/show_bug.cgi?id=141577 and landed with change set r180083: <http://trac.webkit.org/changeset/180083>.

C Loop issue tracked in https://bugs.webkit.org/show_bug.cgi?id=141671

Similar issue in DFG discovered via code inspection and tracked in https://bugs.webkit.org/show_bug.cgi?id=141676.

Comment 15 Michael Saboff 2015-03-04 12:18:00 PST

Closing this defect as the primary issue is resolved for non-C Loop builds.

The C Loop issue is tracked in https://bugs.webkit.org/show_bug.cgi?id=141671