Bug 147741

Summary: Overflow crash in CodeBlock::getArrayProfile under DFG::FixupPhase::attemptToMakeGetArrayLength running inspector tests under heavy system load
Product: WebKit Reporter: Joseph Pecoraro <joepeck>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: NEW ---    
Severity: Normal CC: ap, ddkilzer, fpizlo, ggaren, joepeck, msaboff, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
[CRASH] Crash Report none

Description Joseph Pecoraro 2015-08-06 12:53:43 PDT 
Created attachment 258386 [details]
[CRASH] Crash Report

* SUMMARY
Overflow crash in CodeBlock::getArrayProfile under ::FixupPhase::attemptToMakeGetArrayLength running inspector tests under heavy system load.

I was at WebKit r188015.

* STEPS TO REPRODUCE
1. shell> run-webkit-tests --release inspector/dom --iterations=1000 --v
  => saw this crash happen 3 out of 10000 times, presumably on the Web Inspector process, causing 3 timeout failures (each on different inspector/dom tests)

* NOTES
The only times I saw the crashes happen were when the system was under heavy load (I was compiling a debug build of WebKit while the tests were running).

* CRASH SNIPPET (full log attached)

Crashed Thread:        14  DFG Worklist Worker Thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x00000000bbadbeef

Thread 14 Crashed:: DFG Worklist Worker Thread
0   com.apple.JavaScriptCore      	0x000000010f3e2a1e WTFCrash + 62
1   com.apple.JavaScriptCore      	0x000000010edab849 WTF::CrashOnOverflow::crash() + 9
2   com.apple.JavaScriptCore      	0x000000010edab839 WTF::CrashOnOverflow::overflowed() + 9
3   com.apple.JavaScriptCore      	0x000000010ee0691f JSC::CodeBlock::getArrayProfile(unsigned int) + 111
4   com.apple.JavaScriptCore      	0x000000010eef8c25 JSC::DFG::FixupPhase::attemptToMakeGetArrayLength(JSC::DFG::Node*) + 165
5   com.apple.JavaScriptCore      	0x000000010eef22aa JSC::DFG::FixupPhase::fixupNode(JSC::DFG::Node*) + 12618
6   com.apple.JavaScriptCore      	0x000000010eeeddc9 JSC::DFG::FixupPhase::run() + 121
7   com.apple.JavaScriptCore      	0x000000010eeedc71 bool JSC::DFG::runPhase<JSC::DFG::FixupPhase>(JSC::DFG::Graph&) + 113
8   com.apple.JavaScriptCore      	0x000000010eeedba9 JSC::DFG::performFixup(JSC::DFG::Graph&) + 9
9   com.apple.JavaScriptCore      	0x000000010ef60871 JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) + 625
10  com.apple.JavaScriptCore      	0x000000010ef602e5 JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*) + 565
11  com.apple.JavaScriptCore      	0x000000010eff97c1 JSC::DFG::Worklist::runThread(JSC::DFG::ThreadData*) + 545
12  com.apple.JavaScriptCore      	0x000000010f4106c3 WTF::threadEntryPoint(void*) + 179
13  com.apple.JavaScriptCore      	0x000000010f410b2f WTF::wtfThreadEntryPoint(void*) + 15
14  libsystem_pthread.dylib       	0x00007fff8a56405a _pthread_body + 131
15  libsystem_pthread.dylib       	0x00007fff8a563fd7 _pthread_start + 176
16  libsystem_pthread.dylib       	0x00007fff8a5613ed thread_start + 13
Comment 1 David Kilzer (:ddkilzer) 2016-09-09 10:10:18 PDT 
<rdar://problem/28227251>
Comment 2 David Kilzer (:ddkilzer) 2016-09-09 10:23:57 PDT 
<rdar://problem/22591554>