Bug 145527

Summary: Crash in com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::revertCall + 24
Product: WebKit Reporter: Michael Saboff <msaboff>
Component: JavaScriptCoreAssignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED    
Severity: Normal Keywords: InRadar
Priority: P2    
Version: 312.x   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 145578    
Attachments:
Description Flags
Patch fpizlo: review+

Michael Saboff
Reported 2015-06-01 15:02:38 PDT
Crashed Thread: 0 Dispatch queue: com.apple.main-thread Exception Type: EXC_BAD_ACCESS (SIGBUS) Exception Codes: KERN_PROTECTION_FAILURE at 0x00007fff8681a709 VM Regions Near 0x7fff8681a709: __TEXT 00007fff86817000-00007fff86818000 [ 4K] r-x/rwx SM=COW /System/Library/Frameworks/Accelerate.framework/Versions/A/Accelerate --> __TEXT 00007fff86818000-00007fff86835000 [ 116K] r-x/rwx SM=COW /usr/lib/system/libsystem_malloc.dylib __TEXT 00007fff86835000-00007fff8687c000 [ 284K] r-x/rwx SM=COW /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/DictionaryServices.framework/Versions/A/DictionaryServices Application Specific Information: Bundle controller class: BrowserBundleController Process Model: Multiple Web Processes Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x00007fff8fd20c28 JSC::revertCall(JSC::RepatchBuffer&, JSC::VM*, JSC::CallLinkInfo&, JSC::MacroAssemblerCodeRef (*)(JSC::VM*)) + 24 1 com.apple.JavaScriptCore 0x00007fff8f9e62d8 JSC::CallLinkInfo::unlink(JSC::RepatchBuffer&) + 104 2 com.apple.JavaScriptCore 0x00007fff8fb4d708 JSC::PolymorphicCallNode::unlink(JSC::RepatchBuffer&) + 184 3 com.apple.JavaScriptCore 0x00007fff8f859ce8 JSC::CodeBlock::unlinkIncomingCalls() + 232 4 com.apple.JavaScriptCore 0x00007fff8fb3adaa JSC::ScriptExecutable::installCode(JSC::CodeBlock*) + 538 5 com.apple.JavaScriptCore 0x00007fff8fc265dd JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete(JSC::CodeBlock*, JSC::CompilationResult) + 125 6 com.apple.JavaScriptCore 0x00007fff8fb3407d JSC::DFG::Worklist::completeAllReadyPlansForVM(JSC::VM&, JSC::DFG::CompilationKey) + 301 7 com.apple.JavaScriptCore 0x00007fff8fc19880 operationOptimize + 704 8 ??? 0x00002d1b2efa0044 0 + 49594775502916 9 ??? 0x00002d1b2f15ea25 0 + 49594777332261 10 ??? 0x00002d1b2f110a40 0 + 49594777012800 11 ??? 0x00002d1b2eeb7fba 0 + 49594774552506 12 ??? 0x00002d1b2f12b235 0 + 49594777121333 13 ??? 0x00002d1b2efa0511 0 + 49594775504145 14 com.apple.JavaScriptCore 0x00007fff8fcae268 llint_entry + 22722 15 com.apple.JavaScriptCore 0x00007fff8fcae268 llint_entry + 22722 16 com.apple.JavaScriptCore 0x00007fff8fcae268 llint_entry + 22722 17 com.apple.JavaScriptCore 0x00007fff8fcae1fd llint_entry + 22615 18 ??? 0x00002d1b2ef23746 0 + 49594774992710 19 com.apple.JavaScriptCore 0x00007fff8fcae1fd llint_entry + 22615 20 com.apple.JavaScriptCore 0x00007fff8fcae268 llint_entry + 22722 21 com.apple.JavaScriptCore 0x00007fff8fcae1fd llint_entry + 22615 22 com.apple.JavaScriptCore 0x00007fff8fcae1fd llint_entry + 22615 23 ??? 0x00002d1b2eeb1e5b 0 + 49594774527579 24 ??? 0x00002d1b2ee02afa 0 + 49594773809914 25 ??? 0x00002d1b2ef6ad78 0 + 49594775285112 26 com.apple.JavaScriptCore 0x00007fff8fca8796 vmEntryToJavaScript + 326 27 com.apple.JavaScriptCore 0x00007fff8fc0e809 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 169 28 com.apple.JavaScriptCore 0x00007fff8f832d7d JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 493 29 com.apple.JavaScriptCore 0x00007fff8f9e5e3f JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, JSC::JSValue*) + 63 30 com.apple.WebCore 0x00007fff934d8e89 WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue, WebCore::ScriptExecutionContext&) + 537 31 com.apple.WebCore 0x00007fff934d8ae9 WebCore::ScheduledAction::execute(WebCore::Document&) + 137 32 com.apple.WebCore 0x00007fff929a0a6d WebCore::DOMTimer::fired() + 301 33 com.apple.WebCore 0x00007fff928520af WebCore::ThreadTimers::sharedTimerFiredInternal() + 175 34 com.apple.WebCore 0x00007fff92851fc4 WebCore::timerFired(__CFRunLoopTimer*, void*) + 20 35 com.apple.CoreFoundation 0x00007fff9069b964 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20 36 com.apple.CoreFoundation 0x00007fff9069b5fe __CFRunLoopDoTimer + 1022 37 com.apple.CoreFoundation 0x00007fff90715c7a __CFRunLoopDoTimers + 298 38 com.apple.CoreFoundation 0x00007fff9065726c __CFRunLoopRun + 1804 39 com.apple.CoreFoundation 0x00007fff906568f8 CFRunLoopRunSpecific + 296 40 com.apple.HIToolbox 0x00007fff8603769d RunCurrentEventLoopInMode + 235 41 com.apple.HIToolbox 0x00007fff86037429 ReceiveNextEventCommon + 432 42 com.apple.HIToolbox 0x00007fff86037261 _BlockUntilNextEventMatchingListInModeWithFilter + 71 43 com.apple.AppKit 0x00007fff8b937b84 _DPSNextEvent + 915 44 com.apple.AppKit 0x00007fff8b937152 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 324 45 com.apple.AppKit 0x00007fff8b92cefb -[NSApplication run] + 561 46 com.apple.AppKit 0x00007fff8b8ac5b4 NSApplicationMain + 1176 47 libxpc.dylib 0x00007fff88daef98 _xpc_objc_main + 793 48 libxpc.dylib 0x00007fff88db06e7 xpc_main + 494 49 com.apple.WebKit.WebContent 0x1049e5b30 main + 16 (/Library/Caches/com.apple.xbs/Sources/WebKit2/WebKit2-7601.1.23.4/Shared/EntryPointUtilities/mac/XPCService/XPCServiceMain.mm:80) 50 libdyld.dylib 0x00007fff855cb5ad start + 1
Attachments
Patch (4.35 KB, patch)
2015-06-01 15:13 PDT, Michael Saboff 		fpizlo: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Michael Saboff
Comment 1 2015-06-01 15:03:04 PDT
<rdar://problem/20701417>
Michael Saboff
Comment 2 2015-06-01 15:13:39 PDT
Created attachment 254016 [details] Patch
Filip Pizlo
Comment 3 2015-06-01 16:11:52 PDT
Comment on attachment 254016 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=254016&action=review > Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.cpp:116 > + for (Bag<PolymorphicCallNode>::iterator iter = m_callNodes.begin(); !!iter; ++iter) { > + PolymorphicCallNode& node = **iter; > + if (node.hasCallLinkInfo(info)) > + node.clearCallLinkInfo(); > + } All of the nodes for a stub routine should have the same CallLinkInfo. I agree that being conservative is great, but maybe you could add a comment that you're just being paranoid.
Michael Saboff
Comment 4 2015-06-01 16:15:09 PDT
(In reply to comment #3) > Comment on attachment 254016 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=254016&action=review > > > Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.cpp:116 > > + for (Bag<PolymorphicCallNode>::iterator iter = m_callNodes.begin(); !!iter; ++iter) { > > + PolymorphicCallNode& node = **iter; > > + if (node.hasCallLinkInfo(info)) > > + node.clearCallLinkInfo(); > > + } > > All of the nodes for a stub routine should have the same CallLinkInfo. I > agree that being conservative is great, but maybe you could add a comment > that you're just being paranoid. I'll add such a comment.
Michael Saboff
Comment 5 2015-06-01 16:35:22 PDT
Committed r185084: <http://trac.webkit.org/changeset/185084>
Note You need to log in before you can comment on or make changes to this bug.