Bug 156842

Summary: REGRESSION (r199734): WebKit crashes loading numerous websites in iOS Simulator
Product: WebKit
Reporter: Andy Estes <aestes>
Component: JavaScriptCore
Assignee: Andy Estes <aestes>
Status: RESOLVED FIXED
Severity: Blocker
CC: admenstolen, ap, beetvapk.xyz, commit-queue, dbates, ggaren, keith_miller, mark.lam, msaboff, oliver, saam, webkit-bug-importer
Priority: P1
Keywords: InRadar, Regression
Version: WebKit Local Build
Hardware: iPhone / iPad
OS: All
Bug Depends on: 156720
Bug Blocks:
Attachments: Patch (flags: none)

Andy Estes
Reported 2016-04-21 03:05:19 PDT
Due to http://trac.webkit.org/changeset/199734, Safari in iOS Simulator crashes loading most sites, including apple.com and webkit.org.

Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x000005f45b2511ff
Exception Note: EXC_CORPSE_NOTIFY

VM Regions Near 0x5f45b2511ff:
JS JIT generated code 000005f45b250000-000005f45b251000 [ 4K] rwx/rwx SM=SHM
--> JS JIT generated code 000005f45b251000-000005f49b250000 [ 1.0G] r-x/rwx SM=SHM
JS JIT generated code 000005f49b250000-000005f49b251000 [ 4K] ---/rwx SM=NUL

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 JavaScriptCore 0x0000000110fd38c2 JSC::X86Assembler::setInt32(void*, int) + 18 (X86Assembler.h:2975)
1 JavaScriptCore 0x0000000110fd387f JSC::X86Assembler::setRel32(void*, void*) + 111 (X86Assembler.h:2989)
2 JavaScriptCore 0x0000000111316645 JSC::X86Assembler::linkJump(void*, JSC::AssemblerLabel, void*) + 101 (X86Assembler.h:2720)
3 JavaScriptCore 0x00000001113168ac JSC::AbstractMacroAssembler<JSC::X86Assembler, JSC::MacroAssemblerX86Common>::linkJump(void*, JSC::AbstractMacroAssembler<JSC::X86Assembler, JSC::MacroAssemblerX86Common>::Jump, JSC::CodeLocationLabel) + 60 (AbstractMacroAssembler.h:968)
4 JavaScriptCore 0x000000011130fe7b JSC::LinkBuffer::link(JSC::AbstractMacroAssembler<JSC::X86Assembler, JSC::MacroAssemblerX86Common>::Jump, JSC::CodeLocationLabel) + 91 (LinkBuffer.h:145)
5 JavaScriptCore 0x000000011168387d JSC::LinkBuffer::link(JSC::AbstractMacroAssembler<JSC::X86Assembler, JSC::MacroAssemblerX86Common>::JumpList const&, JSC::CodeLocationLabel) + 125 (LinkBuffer.h:149)
6 JavaScriptCore 0x0000000111a97239 JSC::SpecializedThunkJIT::finalize(JSC::MacroAssemblerCodePtr, char const*) + 153 (SpecializedThunkJIT.h:174)
7 JavaScriptCore 0x0000000111a97450 JSC::charAtThunkGenerator(JSC::VM*) + 208 (ThunkGenerators.cpp:586)
8 JavaScriptCore 0x00000001116a6697 JSC::JITThunks::hostFunctionStub(JSC::VM*, long long (*)(JSC::ExecState*), JSC::MacroAssemblerCodeRef (*)(JSC::VM*), JSC::Intrinsic, WTF::String const&) + 983 (JITThunks.cpp:112)
9 JavaScriptCore 0x0000000111ac8562 JSC::VM::getHostFunction(long long (*)(JSC::ExecState*), JSC::Intrinsic, WTF::String const&) + 210 (VM.cpp:510)
10 JavaScriptCore 0x00000001116f7a4e JSC::JSFunction::lookUpOrCreateNativeExecutable(JSC::VM&, long long (*)(JSC::ExecState*), JSC::Intrinsic, long long (*)(JSC::ExecState*), WTF::String const&) + 142 (JSFunction.cpp:92)
11 JavaScriptCore 0x00000001116f7abf JSC::JSFunction::create(JSC::VM&, JSC::JSGlobalObject*, int, WTF::String const&, long long (*)(JSC::ExecState*), JSC::Intrinsic, long long (*)(JSC::ExecState*)) + 63 (JSFunction.cpp:100)
12 JavaScriptCore 0x0000000111784087 JSC::JSObject::putDirectNativeFunctionWithoutTransition(JSC::VM&, JSC::JSGlobalObject*, JSC::PropertyName const&, unsigned int, long long (*)(JSC::ExecState*), JSC::Intrinsic, unsigned int) + 247 (JSObject.cpp:2622)
13 JavaScriptCore 0x0000000111a57256 JSC::StringPrototype::finishCreation(JSC::VM&, JSC::JSGlobalObject*, JSC::JSString*) + 662 (StringPrototype.cpp:132)
14 JavaScriptCore 0x0000000111a5c833 JSC::StringPrototype::create(JSC::VM&, JSC::JSGlobalObject*, JSC::Structure*) + 115 (StringPrototype.cpp:187)
15 JavaScriptCore 0x000000011170280f JSC::JSGlobalObject::init(JSC::VM&) + 16735 (JSGlobalObject.cpp:400)
16 com.apple.WebCore 0x00000001148cce5c JSC::JSGlobalObject::finishCreation(JSC::VM&, JSC::JSObject*) + 124 (JSGlobalObject.h:394)
17 com.apple.WebCore 0x00000001148ccd7a WebCore::JSDOMGlobalObject::finishCreation(JSC::VM&, JSC::JSObject*) + 58 (JSDOMGlobalObject.cpp:114)
18 com.apple.WebCore 0x000000011496ab68 WebCore::JSDOMWindowBase::finishCreation(JSC::VM&, WebCore::JSDOMWindowShell*) + 72 (JSDOMWindowBase.cpp:80)
19 com.apple.WebCore 0x0000000114901ed6 WebCore::JSDOMWindow::finishCreation(JSC::VM&, WebCore::JSDOMWindowShell*) + 70 (JSDOMWindow.cpp:5816)
20 com.apple.WebCore 0x0000000114988a09 WebCore::JSDOMWindow::create(JSC::VM&, JSC::Structure*, WTF::Ref<WebCore::DOMWindow>&&, WebCore::JSDOMWindowShell*) + 137 (JSDOMWindow.h:38)
21 com.apple.WebCore 0x0000000114988545 WebCore::JSDOMWindowShell::setWindow(WTF::PassRefPtr<WebCore::DOMWindow>) + 341 (JSDOMWindowShell.cpp:86)
22 com.apple.WebCore 0x00000001149883af WebCore::JSDOMWindowShell::finishCreation(JSC::VM&, WTF::PassRefPtr<WebCore::DOMWindow>) + 143 (JSDOMWindowShell.cpp:56)
23 com.apple.WebCore 0x00000001156262dc WebCore::JSDOMWindowShell::create(JSC::VM&, WTF::PassRefPtr<WebCore::DOMWindow>, JSC::Structure*, WebCore::DOMWrapperWorld&) + 140 (JSDOMWindowShell.h:56)
24 com.apple.WebCore 0x0000000115626135 WebCore::ScriptController::createWindowShell(WebCore::DOMWrapperWorld&) + 229 (ScriptController.cpp:133)
25 com.apple.WebCore 0x0000000115626e3d WebCore::ScriptController::initScript(WebCore::DOMWrapperWorld&) + 125 (ScriptController.cpp:252)
26 com.apple.WebKit 0x00000001094318d1 WebCore::ScriptController::windowShell(WebCore::DOMWrapperWorld&) + 145 (ScriptController.h:90)
27 com.apple.WebKit 0x00000001094310cd WebCore::ScriptController::globalObject(WebCore::DOMWrapperWorld&) + 29 (ScriptController.h:99)
28 com.apple.WebKit 0x0000000109605626 WebKit::WebFrame::jsContextForWorld(WebKit::InjectedBundleScriptWorld*) + 54 (WebFrame.cpp:482)
29 com.apple.WebKit 0x0000000109abdd18 -[WKWebProcessPlugInFrame jsContextForWorld:] + 88 (WKWebProcessPlugInFrame.mm:66)
30 com.apple.mobilesafari.Safari 0x0000000120d7901b 0x120d74000 + 20507
31 com.apple.WebKit 0x0000000109aba9d9 globalObjectIsAvailableForFrame(OpaqueWKBundlePage const*, OpaqueWKBundleFrame const*, OpaqueWKBundleScriptWorld const*, void const*) + 265 (WKWebProcessPlugInBrowserContextController.mm:114)
32 com.apple.WebKit 0x000000010921d36c WebKit::InjectedBundlePageLoaderClient::globalObjectIsAvailableForFrame(WebKit::WebPage*, WebKit::WebFrame*, WebCore::DOMWrapperWorld&) + 172 (InjectedBundlePageLoaderClient.cpp:303)
33 com.apple.WebKit 0x0000000109613586 WebKit::WebFrameLoaderClient::dispatchGlobalObjectAvailable(WebCore::DOMWrapperWorld&) + 86 (WebFrameLoaderClient.cpp:1599)
34 com.apple.WebCore 0x00000001142aa991 WebCore::FrameLoader::dispatchGlobalObjectAvailableInAllWorlds() + 145 (FrameLoader.cpp:3451)
35 com.apple.WebCore 0x00000001142aa457 WebCore::FrameLoader::receivedFirstData() + 55 (FrameLoader.cpp:642)
36 com.apple.WebCore 0x0000000113f61181 WebCore::DocumentLoader::commitData(char const*, unsigned long) + 337 (DocumentLoader.cpp:879)
37 com.apple.WebKit 0x000000010960ff3f WebKit::WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) + 79 (WebFrameLoaderClient.cpp:950)
38 com.apple.WebCore 0x0000000113f6415d WebCore::DocumentLoader::commitLoad(char const*, int) + 205 (DocumentLoader.cpp:832)
39 com.apple.WebCore 0x0000000113f649f9 WebCore::DocumentLoader::dataReceived(WebCore::CachedResource*, char const*, int) + 585 (DocumentLoader.cpp:943)
40 com.apple.WebCore 0x0000000113ad07e8 WebCore::CachedRawResource::notifyClientsDataWasReceived(char const*, unsigned int) + 152 (CachedRawResource.cpp:118)
41 com.apple.WebCore 0x0000000113ad0672 WebCore::CachedRawResource::addDataBuffer(WebCore::SharedBuffer&) + 194 (CachedRawResource.cpp:70)
42 com.apple.WebCore 0x000000011589d0f5 WebCore::SubresourceLoader::didReceiveDataOrBuffer(char const*, int, WTF::PassRefPtr<WebCore::SharedBuffer>, long long, WebCore::DataPayloadType) + 485 (SubresourceLoader.cpp:322)
43 com.apple.WebCore 0x000000011589d212 WebCore::SubresourceLoader::didReceiveBuffer(WTF::PassRefPtr<WebCore::SharedBuffer>, long long, WebCore::DataPayloadType) + 66 (SubresourceLoader.cpp:303)
44 com.apple.WebKit 0x00000001098d05ad WebKit::WebResourceLoader::didReceiveResource(WebKit::ShareableResource::Handle const&, double) + 765 (WebResourceLoader.cpp:206)
45 com.apple.WebKit 0x00000001098d582d void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebKit::ShareableResource::Handle const&, double), std::__1::tuple<WebKit::ShareableResource::Handle, double>, 0ul, 1ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebKit::ShareableResource::Handle const&, double), std::__1::tuple<WebKit::ShareableResource::Handle, double>&&, std::index_sequence<0ul, 1ul>) + 189 (HandleMessage.h:17)
46 com.apple.WebKit 0x00000001098d5608 void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebKit::ShareableResource::Handle const&, double), std::__1::tuple<WebKit::ShareableResource::Handle, double>, std::make_index_sequence<2ul> >(std::__1::tuple<WebKit::ShareableResource::Handle, double>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebKit::ShareableResource::Handle const&, double)) + 88 (HandleMessage.h:23)
47 com.apple.WebKit 0x00000001098d4823 void IPC::handleMessage<Messages::WebResourceLoader::DidReceiveResource, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebKit::ShareableResource::Handle const&, double)>(IPC::MessageDecoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebKit::ShareableResource::Handle const&, double)) + 291 (HandleMessage.h:93)
48 com.apple.WebKit 0x00000001098d3d1e WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::MessageDecoder&) + 1038 (WebResourceLoaderMessageReceiver.cpp:81)
49 com.apple.WebKit 0x000000010936b28d WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) + 157 (NetworkProcessConnection.cpp:60)
50 com.apple.WebKit 0x000000010913fa93 IPC::Connection::dispatchMessage(IPC::MessageDecoder&) + 51 (Connection.cpp:896)
51 com.apple.WebKit 0x0000000109135422 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) + 770 (Connection.cpp:928)
52 com.apple.WebKit 0x0000000109140080 IPC::Connection::dispatchOneMessage() + 1504 (Connection.cpp:957)
53 com.apple.WebKit 0x00000001091623bd IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10::operator()() const + 29 (Connection.cpp:890)
54 com.apple.WebKit 0x000000010916238d void std::__1::__invoke_void_return_wrapper<void>::__call<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10&>(IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10&&&) + 45 (__functional_base:469)
55 com.apple.WebKit 0x00000001091621f9 std::__1::__function::__func<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10, std::__1::allocator<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10>, void ()>::operator()() + 41 (functional:1437)
56 JavaScriptCore 0x000000011156b5ea std::__1::function<void ()>::operator()() const + 26 (functional:1817)
57 JavaScriptCore 0x0000000111b79e67 WTF::RunLoop::performWork() + 631 (RunLoop.cpp:123)
58 JavaScriptCore 0x0000000111b7a4d4 WTF::RunLoop::performWork(void*) + 36 (RunLoopCF.cpp:38)
59 com.apple.CoreFoundation 0x000000010c0017e1 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
60 com.apple.CoreFoundation 0x000000010bfe6637 __CFRunLoopDoSources0 + 423
61 com.apple.CoreFoundation 0x000000010bfe5ba6 __CFRunLoopRun + 918
62 com.apple.CoreFoundation 0x000000010bfe55ad CFRunLoopRunSpecific + 285
63 com.apple.Foundation 0x0000000108b4b600 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 274
64 com.apple.Foundation 0x0000000108b4b4db -[NSRunLoop(NSRunLoop) run] + 76
65 libxpc.dylib 0x000000010d801759 _xpc_objc_main + 400
66 libxpc.dylib 0x000000010d803a84 xpc_main + 189
67 com.apple.WebKit.WebContent.Development 0x0000000108ab1dcc main + 892 (XPCServiceMain.mm:114)
68 libdyld.dylib 0x000000010d508679 st
Attachments
Patch (1.51 KB, patch)
2016-04-21 03:50 PDT, Andy Estes
no flags
Radar WebKit Bug Importer
Comment 1 2016-04-21 03:07:19 PDT
Andy Estes
Comment 2 2016-04-21 03:50:42 PDT
Daniel Bates
Comment 3 2016-04-21 08:56:49 PDT
Comment on attachment 276906 [details]
Patch

r=me
Oliver Hunt
Comment 4 2016-04-21 09:23:28 PDT
Ugh, sorry!
WebKit Commit Bot
Comment 5 2016-04-21 09:44:31 PDT
Comment on attachment 276906 [details]
Patch

Clearing flags on attachment: 276906

Committed r199820: <http://trac.webkit.org/changeset/199820>
WebKit Commit Bot
Comment 6 2016-04-21 09:44:35 PDT
All reviewed patches have been landed. Closing bug.