Bug 147741

Summary: Overflow crash in CodeBlock::getArrayProfile under DFG::FixupPhase::attemptToMakeGetArrayLength running inspector tests under heavy system load
Product: WebKit Reporter: Joseph Pecoraro <joepeck>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: NEW    
Severity: Normal CC: ap, ddkilzer, fpizlo, ggaren, joepeck, msaboff, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
[CRASH] Crash Report (flags: none)

Joseph Pecoraro
Reported 2015-08-06 12:53:43 PDT
Created attachment 258386 [details]
[CRASH] Crash Report

* SUMMARY
Overflow crash in CodeBlock::getArrayProfile under ::FixupPhase::attemptToMakeGetArrayLength running inspector tests under heavy system load. I was at WebKit r188015.

* STEPS TO REPRODUCE
1. shell> run-webkit-tests --release inspector/dom --iterations=1000 --v
   => saw this crash happen 3 out of 10000 times, presumably on the Web Inspector process, causing 3 timeout failures (each on different inspector/dom tests)

* NOTES
The only times I saw the crashes happen were when the system was under heavy load (I was compiling a debug build of WebKit while the tests were running).

* CRASH SNIPPET (full log attached)

Crashed Thread: 14 DFG Worklist Worker Thread
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000bbadbeef

Thread 14 Crashed:: DFG Worklist Worker Thread
0  com.apple.JavaScriptCore   0x000000010f3e2a1e WTFCrash + 62
1  com.apple.JavaScriptCore   0x000000010edab849 WTF::CrashOnOverflow::crash() + 9
2  com.apple.JavaScriptCore   0x000000010edab839 WTF::CrashOnOverflow::overflowed() + 9
3  com.apple.JavaScriptCore   0x000000010ee0691f JSC::CodeBlock::getArrayProfile(unsigned int) + 111
4  com.apple.JavaScriptCore   0x000000010eef8c25 JSC::DFG::FixupPhase::attemptToMakeGetArrayLength(JSC::DFG::Node*) + 165
5  com.apple.JavaScriptCore   0x000000010eef22aa JSC::DFG::FixupPhase::fixupNode(JSC::DFG::Node*) + 12618
6  com.apple.JavaScriptCore   0x000000010eeeddc9 JSC::DFG::FixupPhase::run() + 121
7  com.apple.JavaScriptCore   0x000000010eeedc71 bool JSC::DFG::runPhase<JSC::DFG::FixupPhase>(JSC::DFG::Graph&) + 113
8  com.apple.JavaScriptCore   0x000000010eeedba9 JSC::DFG::performFixup(JSC::DFG::Graph&) + 9
9  com.apple.JavaScriptCore   0x000000010ef60871 JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) + 625
10 com.apple.JavaScriptCore   0x000000010ef602e5 JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*) + 565
11 com.apple.JavaScriptCore   0x000000010eff97c1 JSC::DFG::Worklist::runThread(JSC::DFG::ThreadData*) + 545
12 com.apple.JavaScriptCore   0x000000010f4106c3 WTF::threadEntryPoint(void*) + 179
13 com.apple.JavaScriptCore   0x000000010f410b2f WTF::wtfThreadEntryPoint(void*) + 15
14 libsystem_pthread.dylib    0x00007fff8a56405a _pthread_body + 131
15 libsystem_pthread.dylib    0x00007fff8a563fd7 _pthread_start + 176
16 libsystem_pthread.dylib    0x00007fff8a5613ed thread_start + 13
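Reading the top of that backtrace: frames 2 and 1 are WTF::CrashOnOverflow::overflowed() and crash(), and frame 0 is WTFCrash, whose deliberate fault address is 0xbbadbeef. So this is a checked-arithmetic operation inside CodeBlock::getArrayProfile that detected an integer overflow and aborted the process on purpose, not a wild read or write; the report says nothing about which quantity overflowed or why, and the example below does not guess. The following is an added illustration, not WebKit's code, of the pattern behind those frames: a minimal checked-integer wrapper in the style of WTF::Checked<T, OverflowHandler> with a crash policy and a record-and-report policy, applied to a made-up offset computation (base + count * stride). The names Checked, CrashOnOverflow and RecordOverflow mirror the WTF ones but are reimplemented here; checkedOffset, uncheckedOffset and crashingOffset are hypothetical helpers that exist only for this example.

```cpp
// Added illustration in the style of WTF::Checked<T, OverflowHandler>; not WebKit code.
// A Checked value carries an overflow policy: CrashOnOverflow traps at once (WebKit's
// WTFCrash faults at 0xbbadbeef; here we call std::abort()), RecordOverflow latches a
// flag that the caller must test before trusting the value.
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <type_traits>

struct CrashOnOverflow {
    static void overflowed() { std::abort(); }              // stand-in for WTFCrash()
    static constexpr bool hasOverflowed() { return false; } // never reached after a trap
};

struct RecordOverflow {
    bool m_overflowed = false;
    void overflowed() { m_overflowed = true; }
    bool hasOverflowed() const { return m_overflowed; }
};

template <typename T, typename Handler = CrashOnOverflow>
class Checked : public Handler {
    static_assert(std::is_integral<T>::value, "Checked wraps integer types only");
public:
    Checked() = default;
    Checked(T value) : m_value(value) {}

    // Overflow is sticky: an already-overflowed operand taints the result too.
    Checked& operator+=(const Checked& rhs) {
        if (rhs.hasOverflowed()) this->overflowed();
        T result;
        if (__builtin_add_overflow(m_value, rhs.m_value, &result)) this->overflowed();
        m_value = result;
        return *this;
    }
    Checked& operator*=(const Checked& rhs) {
        if (rhs.hasOverflowed()) this->overflowed();
        T result;
        if (__builtin_mul_overflow(m_value, rhs.m_value, &result)) this->overflowed();
        m_value = result;
        return *this;
    }

    // Raw value. Under the crash policy it is always valid; under RecordOverflow the
    // caller must consult hasOverflowed() first.
    T unsafeGet() const { return m_value; }

private:
    T m_value = 0;
};

// Hypothetical offset computation base + count * stride (not what
// CodeBlock::getArrayProfile does). Reports overflow instead of returning a wrapped value.
bool checkedOffset(unsigned base, unsigned count, unsigned stride, unsigned& out) {
    Checked<unsigned, RecordOverflow> v(count);
    v *= Checked<unsigned, RecordOverflow>(stride);
    v += Checked<unsigned, RecordOverflow>(base);
    if (v.hasOverflowed()) return false;
    out = v.unsafeGet();
    return true;
}

// The same arithmetic in plain unsigned: wraps modulo 2^32 and yields a small,
// plausible-looking offset that would then drive an out-of-bounds access.
unsigned uncheckedOffset(unsigned base, unsigned count, unsigned stride) {
    return base + count * stride;
}

// Default CrashOnOverflow policy: an overflow aborts the process, which is the
// behaviour the crash report shows. With in-range inputs it simply returns the value.
unsigned crashingOffset(unsigned base, unsigned count, unsigned stride) {
    Checked<unsigned> v(count);
    v *= Checked<unsigned>(stride);
    v += Checked<unsigned>(base);
    return v.unsafeGet();
}

int main() {
    unsigned out = 0;
    const bool ok = checkedOffset(16, 0xFFFFFFFFu, 2, out);
    std::printf("checked:   %s\n", ok ? "ok" : "overflow detected");
    std::printf("unchecked: wrapped to %u\n", uncheckedOffset(16, 0xFFFFFFFFu, 2));
    std::printf("crash policy, in range: %u\n", crashingOffset(16, 1000, 8));
    return 0;
}
```

The point for triage: a CrashOnOverflow abort is the safe outcome of a bug, not the bug itself. The interesting question is which operand reached getArrayProfile with an out-of-range value on the DFG worklist thread, and the report's observation that it only reproduced under heavy load is the clue to chase.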
Attachments
[CRASH] Crash Report (57.00 KB, application/octet-stream)
2015-08-06 12:53 PDT, Joseph Pecoraro
no flags
David Kilzer (:ddkilzer)
Comment 1 2016-09-09 10:10:18 PDT
David Kilzer (:ddkilzer)
Comment 2 2016-09-09 10:23:57 PDT