Bug 148380

Summary: Web Inspector: REGRESSION: JSC crashes when pausing at console.assert statement
Product: WebKit Reporter: BJ Burg <bburg>
Component: JavaScriptCoreAssignee: Saam Barati <saam>
Status: RESOLVED FIXED    
Severity: Major CC: fpizlo, ggaren, joepeck, mark.lam, saam, timothy, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Mac   
OS: OS X 10.10   
Attachments:
Description Flags
test case
none
better test case none

Description BJ Burg 2015-08-24 10:22:41 PDT 
Created attachment 259756 [details]
test case

STEPS TO REPRODUCE:

1. Open the attached test case.
2. Open Web Inspector
3. Open Inspector^2 (Right-click and "Inspecto Element" in the Web Inspector, if the option doesn't exist follow steps here: http://trac.webkit.org/wiki/WebInspectorDebugging)
4. In Debugger tab, enable "Break on [All] Exceptions".
5. Set a breakpoint in Inspector^1 at the line with `console.assert(...)`.
6. Reload the inspected page.

EXPECTED:

 * Should pause at console.assert line but not at the breakpoint, because of Step (4).

ACTUAL:

 * Crashes with this callstack (100% reproducible on my machine)

--


Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x00000000bbadbeef

VM Regions Near 0xbbadbeef:
--> 
    __TEXT                 0000000106d1c000-0000000106d1e000 [    8K] r-x/rwx SM=COW  /Users/USER/*/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x000000010d326fbe WTFCrash + 62
1   com.apple.JavaScriptCore      	0x000000010cd2b348 JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult(JSC::CompilationResult) + 776
2   com.apple.JavaScriptCore      	0x000000010d09af9c JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete(JSC::CodeBlock*, JSC::CompilationResult) + 140
3   com.apple.JavaScriptCore      	0x000000010cf31691 JSC::DFG::Worklist::completeAllReadyPlansForVM(JSC::VM&, JSC::DFG::CompilationKey) + 257
4   com.apple.JavaScriptCore      	0x000000010cf318ce JSC::DFG::Worklist::completeAllPlansForVM(JSC::VM&) + 62
5   com.apple.JavaScriptCore      	0x000000010cf32ca8 JSC::DFG::completeAllPlansForVM(JSC::VM&) + 56
6   com.apple.JavaScriptCore      	0x000000010cd6852c JSC::Debugger::exception(JSC::ExecState*, JSC::JSValue, bool) + 108
7   com.apple.JavaScriptCore      	0x000000010d043475 JSC::Interpreter::unwind(void*&, JSC::ExecState*&, JSC::Exception*) + 325
8   com.apple.JavaScriptCore      	0x000000010d06149a JSC::genericUnwind(JSC::VM*, JSC::ExecState*) + 90
9   com.apple.JavaScriptCore      	0x000000010d19c41d llint_slow_path_handle_exception + 45
10  com.apple.JavaScriptCore      	0x000000010d1a420a llint_entry + 15423
11  com.apple.JavaScriptCore      	0x000000010d1a5efd llint_entry + 22834
12  com.apple.JavaScriptCore      	0x000000010d1a03bb vmEntryToJavaScript + 326
13  com.apple.JavaScriptCore      	0x000000010d05fbe9 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 169
14  com.apple.JavaScriptCore      	0x000000010d0464da JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 474
15  com.apple.JavaScriptCore      	0x000000010cd12a0e JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 62
16  com.apple.JavaScriptCore      	0x000000010d2d31ce JSC::JSJobMicrotask::run(JSC::ExecState*) + 734
17  com.apple.WebCore             	0x000000010de24add WebCore::JSGlobalObjectCallback::call() + 189 (JSMainThreadExecState.h:93)
18  com.apple.WebCore             	0x000000010d9eaf31 std::__1::__function::__func<WebCore::Document::postTask(WebCore::ScriptExecutionContext::Task)::$_0, std::__1::allocator<WebCore::Document::postTask(WebCore::ScriptExecutionContext::Task)::$_0>, void ()>::operator()() + 113 (memory:2624)
19  com.apple.JavaScriptCore      	0x000000010d33f97d WTF::dispatchFunctionsFromMainThread() + 525
20  com.apple.Foundation          	0x00007fff8941cdd0 __NSThreadPerformPerform + 293
21  com.apple.CoreFoundation      	0x00007fff8ed5da01 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
22  com.apple.CoreFoundation      	0x00007fff8ed4fb8d __CFRunLoopDoSources0 + 269
23  com.apple.CoreFoundation      	0x00007fff8ed4f1bf __CFRunLoopRun + 927
24  com.apple.CoreFoundation      	0x00007fff8ed4ebd8 CFRunLoopRunSpecific + 296
25  com.apple.HIToolbox           	0x00007fff890b656f RunCurrentEventLoopInMode + 235
26  com.apple.HIToolbox           	0x00007fff890b62ea ReceiveNextEventCommon + 431
27  com.apple.HIToolbox           	0x00007fff890b612b _BlockUntilNextEventMatchingListInModeWithFilter + 71
28  com.apple.AppKit              	0x00007fff852938ab _DPSNextEvent + 978
29  com.apple.AppKit              	0x00007fff85292e58 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 346
30  com.apple.AppKit              	0x00007fff85288af3 -[NSApplication run] + 594
31  com.apple.AppKit              	0x00007fff85205244 NSApplicationMain + 1832
32  libxpc.dylib                  	0x00007fff9295f928 _xpc_objc_main + 793
33  libxpc.dylib                  	0x00007fff92961030 xpc_main + 490
34  com.apple.WebKit.WebContent.Development	0x0000000106d1d675 main + 21 (XPCServiceMain.Development.mm:90)
35  libdyld.dylib                 	0x00007fff8cff55c9 start + 1
Comment 1 Geoffrey Garen 2015-08-24 10:55:49 PDT 
I can't seem to reproduce this using Spade-188767-74819.
Comment 2 BJ Burg 2015-08-24 11:07:26 PDT 
Possibly useful message that got dumped to console:

toLength#CIvpti:[0x121ad8250->0x113499800, BaselineFunctionCall, 66 (StrictMode) (FTLFail)]: we have result = CompilationSuccessful but we are our own replacement.
Comment 3 BJ Burg 2015-08-24 11:51:08 PDT 
I was able to reproduce this with a build from Sunday, prior to ggaren's two patches being rolled back in. So this might be unrelated to those patches after all.

Another one:

readToken#AvwLUZ:[0x12822a250->0x119dc5f00, BaselineFunctionCall, 388 (StrictMode) (FTLFail)]: we have result = CompilationSuccessful but we are our own replacement.
Comment 4 BJ Burg 2015-08-31 09:15:29 PDT 
Created attachment 260288 [details]
better test case
Comment 5 BJ Burg 2015-08-31 09:18:11 PDT 
Simpler steps to reproduce:

STEPS TO REPRODUCE:

1. Open the attached test case.
2. Open Web Inspector
3. In Debugger tab, enable "Break on [All] Exceptions" (at the top of the left sidebar).
4. Set a breakpoint at the line with `console.assert(...)`.
5. Reload the inspected page.

EXPECTED:

 * Should pause at at the breakpoint. Breakpoint should be hit before evaluating console.assert, which also pauses the debugger.

ACTUAL:

 * Crashes with this callstack in Debugger::pause underneath evaluating console.assert.

--
Comment 6 BJ Burg 2015-08-31 10:40:51 PDT 
I have bisected the regression to this commit:

http://trac.webkit.org/changeset/188714

Please advise whether this can be fixed quickly or it should be rolled out for further analysis.
Comment 7 Geoffrey Garen 2015-08-31 14:39:30 PDT 
I still can't seem to reproduce this crash, using a debug or release build. Is there anything special to how you toggle breakpoints or reload the page?

I can't promise a quick fix if I can't reproduce the crash -- but I also don't think the original patch will roll out cleanly :(.
Comment 8 BJ Burg 2015-08-31 16:16:01 PDT 
After a full rebuild on ToT, no longer able to reproduce. Closing for now.
Comment 9 BJ Burg 2015-09-01 14:46:35 PDT 
Saam was able to reproduce this last night on TOT.
Comment 10 Radar WebKit Bug Importer 2015-09-01 14:48:46 PDT 
<rdar://problem/22527158>
Comment 11 Saam Barati 2016-01-26 18:01:44 PST 
This no longer crashes for me