Bug 146285

Summary:

Crash on gog.com due to PolymorphicCallNode's having stale references to CallLinkInfo

Product:

WebKit

Reporter:

Michael Saboff <msaboff>

Component:

JavaScriptCore

Assignee:

Michael Saboff <msaboff>

Status:

RESOLVED FIXED

Severity:

Normal

Keywords:

InRadar

Priority:

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Bug Depends on:

146292

Bug Blocks:

Attachments:

Description	Flags
Patch	none
Rebased patch, updated the ChangeLog with suggestions and removed Options.h change	none
Patch after CallLinkInfo refactoring was landed separately. Reviewed in person.	none

Description Michael Saboff 2015-06-24 11:31:45 PDT

CallLinkInfo's contain a RefPtr to a PolymorphicCallStubRoutine, named stub, which contains a collection of PolymorphicCallNode.  Those PolymorphicCallNodes have a reference back to the CallLinkInfo.  When a CallLinkInfo replaces or clears "stub", the ref count of the PolymorphicCallStubRoutine is decremented as expected, but since it inherits from GCAwareJITStubRoutine, it isn't actually deleted until GC.  In the mean time, the original CallLinkInfo can go away.  If PolymorphicCallNode::unlink() is called at that point, it will try to unlink a now deleted CallLinkInfo and crash as a result.

The fix is to clear the CallLinkInfo* in the contained PolymorphicCallNode of a PolymorphicCallStubRoutine when that CallLinkInfo no longer references the PolymorphicCallStubRoutine.

rdar://problem/20701417

Comment 1 Michael Saboff 2015-06-24 12:35:58 PDT

Created attachment 255504 [details]
Patch

Comment 2 Michael Saboff 2015-06-24 12:53:35 PDT

I'll remove the inadvertent change to runtime/Options.h.  That was from debugging.

Comment 3 Michael Saboff 2015-06-24 13:05:46 PDT

Created attachment 255507 [details]
Rebased patch, updated the ChangeLog with suggestions and removed Options.h change

Comment 4 Darin Adler 2015-06-24 14:48:47 PDT

Comment on attachment 255507 [details]
Rebased patch, updated the ChangeLog with suggestions and removed Options.h change

View in context: https://bugs.webkit.org/attachment.cgi?id=255507&action=review

> Source/JavaScriptCore/ChangeLog:25
> +        In the process I refactored CallLinkInfo from a struct to a class with proper accessors and
> +        made all the data elements private.

I know this is a pain, but ideally we would land a first patch with just the refactoring, and the review a second patch with the actual change in behavior.

Comment 5 Michael Saboff 2015-06-24 15:00:36 PDT

(In reply to comment #4)
> Comment on attachment 255507 [details]
> Rebased patch, updated the ChangeLog with suggestions and removed Options.h
> change
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=255507&action=review
> 
> > Source/JavaScriptCore/ChangeLog:25
> > +        In the process I refactored CallLinkInfo from a struct to a class with proper accessors and
> > +        made all the data elements private.
> 
> I know this is a pain, but ideally we would land a first patch with just the
> refactoring, and the review a second patch with the actual change in
> behavior.

I'll refactor in https://bugs.webkit.org/show_bug.cgi?id=146292 and then land the simple clearing change here.

Comment 6 Michael Saboff 2015-06-24 15:45:55 PDT

Created attachment 255520 [details]
Patch after CallLinkInfo refactoring was landed separately.  Reviewed in person.

Comment 7 Michael Saboff 2015-06-24 15:51:30 PDT

Committed r185932: <http://trac.webkit.org/changeset/185932>