Bug 150220

Summary: REGRESSION (r190289): Repro crash clicking back button on netflix.com
Product: WebKit
Reporter: Michael Saboff <msaboff>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: ggaren, ossy
Priority: P2
Version: WebKit Nightly Build
Hardware: All
OS: All
Attachments: Patch (flags: ggaren: review+)

Michael Saboff
Reported 2015-10-15 20:42:25 PDT
1. login to netflix.com
2. start playing a video
3. click back button
--- CRASH ---

Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: EXC_I386_GPFLT
Exception Note: EXC_CORPSE_NOTIFY

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.JavaScriptCore 0x00000001070c281e JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 158
1 com.apple.JavaScriptCore 0x0000000106c38cdf JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 447
2 com.apple.JavaScriptCore 0x0000000106c38b0e JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 62
3 com.apple.JavaScriptCore 0x0000000106d5503a JSC::boundFunctionCall(JSC::ExecState*) + 586
4 ??? 0x00005fb9baa01028 0 + 105251304640552
5 ??? 0x00005fb9bab0d066 0 + 105251305738342
6 ??? 0x00005fb9bad5aef7 0 + 105251308154615
7 ??? 0x00005fb9bad6aa00 0 + 105251308218880
8 ??? 0x00005fb9bab4b425 0 + 105251305993253
9 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
10 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
11 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
12 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
13 ??? 0x00005fb9baa9b626 0 + 105251305272870
14 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
15 com.apple.JavaScriptCore 0x00000001071a07d9 llint_entry + 23138
16 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
17 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
18 ??? 0x00005fb9baa9b646 0 + 105251305272902
19 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
20 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
21 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
22 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
23 ??? 0x00005fb9baa9b646 0 + 105251305272902
24 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
25 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
26 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
27 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
28 ??? 0x00005fb9baa9b646 0 + 105251305272902
29 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
30 com.apple.JavaScriptCore 0x00000001071a07d9 llint_entry + 23138
31 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
32 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
33 ??? 0x00005fb9baa9b646 0 + 105251305272902
34 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
35 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
36 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
37 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
38 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
39 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
40 ??? 0x00005fb9baa9b626 0 + 105251305272870
41 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
42 com.apple.JavaScriptCore 0x00000001071a07d9 llint_entry + 23138
43 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
44 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
45 ??? 0x00005fb9baa9b646 0 + 105251305272902
46 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
47 com.apple.JavaScriptCore 0x00000001071a07d9 llint_entry + 23138
48 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
49 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
50 ??? 0x00005fb9baa9b646 0 + 105251305272902
51 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
52 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
53 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
54 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
55 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
56 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
57 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
58 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
59 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
60 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
61 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
62 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
63 com.apple.JavaScriptCore 0x00000001071a07d9 llint_entry + 23138
64 com.apple.JavaScriptCore 0x00000001071a07d9 llint_entry + 23138
65 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
66 com.apple.JavaScriptCore 0x00000001071a07d9 llint_entry + 23138
67 com.apple.JavaScriptCore 0x00000001071a07d9 llint_entry + 23138
68 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
69 com.apple.JavaScriptCore 0x00000001071a07d9 llint_entry + 23138
70 com.apple.JavaScriptCore 0x000000010719ab94 vmEntryToJavaScript + 299
71 com.apple.JavaScriptCore 0x00000001070c281e JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 158
72 com.apple.JavaScriptCore 0x0000000106c38cdf JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 447
73 com.apple.JavaScriptCore 0x0000000106c38b0e JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 62
74 com.apple.JavaScriptCore 0x0000000106d5503a JSC::boundFunctionCall(JSC::ExecState*) + 586
75 ??? 0x00005fb9baa01028 0 + 105251304640552
76 com.apple.JavaScriptCore 0x00000001071a07d9 llint_entry + 23138
77 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
78 com.apple.JavaScriptCore 0x00000001071a0767 llint_entry + 23024
79 com.apple.JavaScriptCore 0x00000001071a07d9 llint_entry + 23138
80 com.apple.JavaScriptCore 0x00000001071a07d9 llint_entry + 23138
81 com.apple.JavaScriptCore 0x00000001071a07d9 llint_entry + 23138
82 com.apple.JavaScriptCore 0x00000001071a07d9 llint_entry + 23138
83 com.apple.JavaScriptCore 0x00000001071a07d9 llint_entry + 23138
84 com.apple.JavaScriptCore 0x00000001071a07d9 llint_entry + 23138
85 com.apple.JavaScriptCore 0x00000001071a07d9 llint_entry + 23138
86 com.apple.JavaScriptCore 0x00000001071a07d9 llint_entry + 23138
87 com.apple.JavaScriptCore 0x00000001071a07d9 llint_entry + 23138
88 com.apple.JavaScriptCore 0x00000001071a07d9 llint_entry + 23138
89 com.apple.JavaScriptCore 0x00000001071a07d9 llint_entry + 23138
90 com.apple.JavaScriptCore 0x00000001071a07d9 llint_entry + 23138
91 com.apple.JavaScriptCore 0x00000001071a07d9 llint_entry + 23138
92 com.apple.JavaScriptCore 0x00000001071a07d9 llint_entry + 23138
93 com.apple.JavaScriptCore 0x00000001071a07d9 llint_entry + 23138
94 com.apple.JavaScriptCore 0x00000001071a07d9 llint_entry + 23138
95 com.apple.JavaScriptCore 0x00000001071a07d9 llint_entry + 23138
96 com.apple.JavaScriptCore 0x000000010719ab94 vmEntryToJavaScript + 299
97 com.apple.JavaScriptCore 0x00000001070c281e JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 158
98 com.apple.JavaScriptCore 0x0000000106c38cdf JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 447
99 com.apple.JavaScriptCore 0x0000000106c38b0e JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 62
100 com.apple.JavaScriptCore 0x0000000106d5503a JSC::boundFunctionCall(JSC::ExecState*) + 586
101 ??? 0x00005fb9baa01028 0 + 105251304640552
102 com.apple.JavaScriptCore 0x00000001071a07d9 llint_entry + 23138
103 com.apple.JavaScriptCore 0x00000001071a07d9 llint_entry + 23138
104 ??? 0x00005fb9bae03119 0 + 105251308843289
105 com.apple.JavaScriptCore 0x00000001071a07d9 llint_entry + 23138
106 com.apple.JavaScriptCore 0x00000001071a07d9 llint_entry + 23138
107 com.apple.JavaScriptCore 0x000000010719ab94 vmEntryToJavaScript + 299
108 com.apple.JavaScriptCore 0x00000001070c281e JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 158
109 com.apple.JavaScriptCore 0x0000000106c38cdf JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 447
110 com.apple.JavaScriptCore 0x0000000106de71b7 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 71
111 com.apple.WebCore 0x0000000107627934 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 996
112 com.apple.WebCore 0x0000000107a73a5b WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul, WTF::CrashOnOverflow, 16ul>&) + 635
113 com.apple.WebCore 0x0000000107538e20 WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 224
114 com.apple.WebCore 0x000000010758f164 WebCore::DOMWindow::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, WTF::PassRefPtr<WebCore::EventTarget>) + 260
115 com.apple.WebCore 0x00000001075a0f26 WebCore::Document::enqueuePopstateEvent(WTF::PassRefPtr<WebCore::SerializedScriptValue>) + 134
116 com.apple.WebCore 0x0000000107702fd0 WebCore::Document::statePopped(WTF::PassRefPtr<WebCore::SerializedScriptValue>) + 48
117 com.apple.WebCore 0x0000000107ae78eb WebCore::FrameLoader::loadInSameDocument(WebCore::URL const&, WTF::PassRefPtr<WebCore::SerializedScriptValue>, bool) + 619
118 com.apple.WebCore 0x0000000107aed05a WebCore::FrameLoader::loadSameDocumentItem(WebCore::HistoryItem&) + 122
119 com.apple.WebCore 0x0000000107b409b6 WebCore::HistoryController::goToItem(WebCore::HistoryItem&, WebCore::FrameLoadType) + 198
120 com.apple.WebCore 0x00000001080ecd71 WebCore::Page::goToItem(WebCore::HistoryItem&, WebCore::FrameLoadType) + 81
121 com.apple.WebCore 0x00000001080ce5f1 WebCore::ScheduledHistoryNavigation::fire(WebCore::Frame&) + 65
122 com.apple.WebCore 0x00000001080cbdc6 WebCore::NavigationScheduler::timerFired() + 102
123 com.apple.WebCore 0x000000010751a2af WebCore::ThreadTimers::sharedTimerFiredInternal() + 175
124 com.apple.WebCore 0x000000010751a1c8 WebCore::timerFired(__CFRunLoopTimer*, void*) + 24
125 com.apple.CoreFoundation 0x00007fff93849514 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
126 com.apple.CoreFoundation 0x00007fff938491a3 __CFRunLoopDoTimer + 1075
127 com.apple.CoreFoundation 0x00007fff93848cfa __CFRunLoopDoTimers + 298
128 com.apple.CoreFoundation 0x00007fff93840281 __CFRunLoopRun + 1841
129 com.apple.CoreFoundation 0x00007fff9383f8e8 CFRunLoopRunSpecific + 296
130 com.apple.HIToolbox 0x00007fff9589cff1 RunCurrentEventLoopInMode + 235
131 com.apple.HIToolbox 0x00007fff9589ce2b ReceiveNextEventCommon + 432
132 com.apple.HIToolbox 0x00007fff9589cc6b _BlockUntilNextEventMatchingListInModeWithFilter + 71
133 com.apple.AppKit 0x00007fff9227f870 _DPSNextEvent + 1067
134 com.apple.AppKit 0x00007fff9227ec9d -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 454
135 com.apple.AppKit 0x00007fff9227375a -[NSApplication run] + 682
136 com.apple.AppKit 0x00007fff9223cbae NSApplicationMain + 1176
137 libxpc.dylib 0x00007fff911693a6 _xpc_objc_main + 793
138 libxpc.dylib 0x00007fff91167dd3 xpc_main + 494
139 com.apple.WebKit.WebContent.Development 0x000000010200241c 0x102001000 + 5148
140 libdyld.dylib 0x00007fff9be894ed start + 1

This bug also seems to be responsible for other web sites failing, including navigating around Facebook.

rdar://problem/22951399
Attachments
Patch (11.90 KB, patch)
2015-10-15 21:43 PDT, Michael Saboff
ggaren: review+
Michael Saboff
Comment 1 2015-10-15 21:43:58 PDT
Geoffrey Garen
Comment 2 2015-10-16 01:11:59 PDT
Comment on attachment 263247 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=263247&action=review

> LayoutTests/js/script-tests/regress-150220.js:3
> +// This test verifies that a tail call from a constructor is treated as a normal call.

It's more accurate to say that we're verifying that a tail call from a constructor doesn't crash. The whole "treated as a" thing is a fraught topic, given our discussion of what the spec says vs what its observable effects are.
Michael Saboff
Comment 3 2015-10-16 07:28:56 PDT
(In reply to comment #2)
> Comment on attachment 263247 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=263247&action=review
>
> > LayoutTests/js/script-tests/regress-150220.js:3
> > +// This test verifies that a tail call from a constructor is treated as a normal call.
>
> It's more accurate to say that we're verifying that a tail call from a
> constructor doesn't crash. The whole "treated as a" thing is a fraught
> topic, given our discussion of what the spec says vs what its observable
> effects are.

I changed the comment to say:

// This test verifies that a tail call from a constructor doesn't crash and works correctly.
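As an added illustration of what that test comment describes (this is not the patch's regress-150220.js, which is not shown on this page; all function names are made up): a constructor whose last action is a call, driven through a direct `new`, through a bound function (the crash trace above enters JIT code via JSC::boundFunctionCall) and through a chain of tail calls, checking the `new` result against the rule that a primitive return yields `this` while an object return replaces it.

```javascript
// Added illustration, not the patch's regress-150220.js: a constructor whose
// last action is a call puts that call in tail position, yet [[Construct]]
// still needs the constructor's own frame afterwards to decide what `new`
// returns (the callee's object result, or `this` for a primitive result).
// All function names here are made up for this example.

function Inner(value) {
  return value; // called from tail position by the constructors below
}

// Tail-calls Inner with a primitive: `new` must discard 42 and return `this`.
function OuterPrimitive() {
  this.tag = 'primitive';
  return Inner(42);
}

// Tail-calls Inner with an object: `new` must return that object, not `this`.
function OuterObject() {
  this.tag = 'ignored';
  return Inner({ tag: 'object' });
}

// Recursive tail calls inside one construction; only the innermost call
// touches `this`, and every level returns undefined, so `new` returns `this`.
function Chain(depth) {
  if (depth === 0) {
    this.depth = 0;
    return;
  }
  return Chain.call(this, depth - 1);
}

// Runs the three paths the bug thread touches: direct `new`, `new` through a
// bound function (the crash trace reaches JIT code via JSC::boundFunctionCall)
// and a chain of tail calls. Each field is true when the engine got it right.
function checkConstructorTailCalls() {
  const fromPrimitive = new OuterPrimitive();
  const fromObject = new OuterObject();
  const BoundOuter = OuterPrimitive.bind(null);
  const fromBound = new BoundOuter();
  const fromChain = new Chain(5);
  return {
    primitiveReturnsThis: fromPrimitive instanceof OuterPrimitive && fromPrimitive.tag === 'primitive',
    objectReturnsObject: !(fromObject instanceof OuterObject) && fromObject.tag === 'object',
    boundReturnsThis: fromBound instanceof OuterPrimitive && fromBound.tag === 'primitive',
    chainReturnsThis: fromChain instanceof Chain && fromChain.depth === 0,
  };
}
```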
Michael Saboff
Comment 4 2015-10-16 07:43:36 PDT
Csaba Osztrogonác
Comment 5 2015-10-16 09:23:41 PDT
(In reply to comment #4)
> Committed r191175: <http://trac.webkit.org/changeset/191175>

It broke JSC stress testing everywhere:

Tools/Scripts/run-jsc-stress-tests:1314:in `eval': No such file or directory - /Volumes/Data/slave/yosemite-debug-tests-jsc/build/LayoutTests/js/regress-150220-expected.txt (Errno::ENOENT)
    from /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/ruby/2.0.0/fileutils.rb:1552:in `block in fu_each_src_dest'
    from /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/ruby/2.0.0/fileutils.rb:1568:in `fu_each_src_dest0'
    from /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/ruby/2.0.0/fileutils.rb:1550:in `fu_each_src_dest'
    from /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/ruby/2.0.0/fileutils.rb:393:in `cp'
    from Tools/Scripts/run-jsc-stress-tests:1053:in `block (2 levels) in prepareExtraRelativeFiles'
    from Tools/Scripts/run-jsc-stress-tests:1051:in `each'
    from Tools/Scripts/run-jsc-stress-tests:1051:in `block in prepareExtraRelativeFiles'
    from Tools/Scripts/run-jsc-stress-tests:1050:in `chdir'
    from Tools/Scripts/run-jsc-stress-tests:1050:in `prepareExtraRelativeFiles'
    from Tools/Scripts/run-jsc-stress-tests:968:in `runLayoutTest'
    from Tools/Scripts/run-jsc-stress-tests:979:in `runLayoutTestDefault'
    from Tools/Scripts/run-jsc-stress-tests:1028:in `defaultRunLayoutTest'
    from (eval):1:in `block (4 levels) in handleCollectionFile'
    from Tools/Scripts/run-jsc-stress-tests:1314:in `eval'
    from Tools/Scripts/run-jsc-stress-tests:1314:in `block (4 levels) in handleCollectionFile'
    from Tools/Scripts/run-jsc-stress-tests:1307:in `each'
    from Tools/Scripts/run-jsc-stress-tests:1307:in `block (3 levels) in handleCollectionFile'
    from Tools/Scripts/run-jsc-stress-tests:1305:in `each'
    from Tools/Scripts/run-jsc-stress-tests:1305:in `block (2 levels) in handleCollectionFile'
    from Tools/Scripts/run-jsc-stress-tests:1293:in `chdir'
    from Tools/Scripts/run-jsc-stress-tests:1293:in `block in handleCollectionFile'
    from Tools/Scripts/run-jsc-stress-tests:1259:in `each'
    from Tools/Scripts/run-jsc-stress-tests:1259:in `handleCollectionFile'
    from Tools/Scripts/run-jsc-stress-tests:1350:in `handleCollection'
    from Tools/Scripts/run-jsc-stress-tests:1435:in `block in prepareBundle'
    from Tools/Scripts/run-jsc-stress-tests:1433:in `each'
    from Tools/Scripts/run-jsc-stress-tests:1433:in `prepareBundle'
    from Tools/Scripts/run-jsc-stress-tests:1797:in `runNormal'
    from Tools/Scripts/run-jsc-stress-tests:1830:in `<main>'
Csaba Osztrogonác
Comment 6 2015-10-16 09:24:33 PDT
js/regress-150220-expected.tx: Added. --> It should be txt not tx.
Csaba Osztrogonác
Comment 7 2015-10-16 09:27:20 PDT
(In reply to comment #6)
> js/regress-150220-expected.tx: Added. --> It should be txt not tx.

and it is completely missing ...
Csaba Osztrogonác
Comment 8 2015-10-16 09:32:05 PDT
Michael Saboff
Comment 9 2015-10-16 09:33:14 PDT
(In reply to comment #8)
> Fixed in http://trac.webkit.org/changeset/191179

You beat me to it. I was in the process of checking it in as well.