Bug 180343

Summary:

We need to disableCaching() in ErrorInstance when we materialize properties

Product:

WebKit

Reporter:

Ryosuke Niwa <rniwa>

Component:

JavaScriptCore

Assignee:

Saam Barati <saam>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

benjamin, commit-queue, ddkilzer, fpizlo, ggaren, gskachkov, jfbastien, keith_miller, mark.lam, msaboff, rmorisset, saam, ticaiolima, webkit-bug-importer, ysuzuki

Priority:

Keywords:

InRadar

Version:

Safari Technology Preview

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
patch	none
patch	none
patch	none

Ryosuke Niwa

Reported 2017-12-03 22:32:54 PST

Hit this while looking up words on https://www.merriam-webster.com and keep it open in a background window (not a background tab). Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000004 Exception Note: EXC_CORPSE_NOTIFY Termination Signal: Segmentation fault: 11 Termination Reason: Namespace SIGNAL, Code 0xb Terminating Process: exc handler [0] VM Regions Near 0x4: --> __TEXT 000000010016a000-000000010016c000 [ 8K] r-x/rwx SM=COW /Applications/Safari Technology Preview.app/Contents/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent Application Specific Information: Bundle controller class: BrowserBundleController Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x0000000104290a8e JSC::Structure::didCachePropertyReplacement(JSC::VM&, int) + 14 1 com.apple.JavaScriptCore 0x00000001048d6830 JSC::repatchPutByID(JSC::ExecState*, JSC::JSValue, JSC::Structure*, JSC::Identifier const&, JSC::PutPropertySlot const&, JSC::StructureStubInfo&, JSC::PutKind) + 448 2 com.apple.JavaScriptCore 0x00000001040a5f4b operationPutByIdStrictOptimize + 1547 3 ??? 0x0000358a79be4a64 0 + 58868864272996 4 ??? 0x0000358a79c8737d 0 + 58868864938877 5 ??? 0x0000358a79c6266a 0 + 58868864788074 6 com.apple.JavaScriptCore 0x00000001040cdcd0 vmEntryToJavaScript + 304 7 com.apple.JavaScriptCore 0x00000001048970af JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 127 8 com.apple.JavaScriptCore 0x0000000103f5fd6a JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 522 9 com.apple.JavaScriptCore 0x00000001049ecf15 JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 197 10 com.apple.WebCore 0x0000000101f91120 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 1200 11 com.apple.WebCore 0x0000000101b44af8 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>) + 568 12 com.apple.WebCore 0x0000000101b446dc WebCore::EventTarget::fireEventListeners(WebCore::Event&) + 412 13 com.apple.WebCore 0x0000000101b44525 WebCore::EventTarget::dispatchEvent(WebCore::Event&) + 101 14 com.apple.WebCore 0x000000010169d7e5 WebCore::XMLHttpRequest::callReadyStateChangeListener() + 149 15 com.apple.WebCore 0x000000010297951e WebCore::XMLHttpRequest::networkErrorTimerFired() + 14 16 com.apple.WebCore 0x00000001015f6690 WebCore::ThreadTimers::sharedTimerFiredInternal() + 176 17 com.apple.WebCore 0x00000001015f65cf WebCore::timerFired(__CFRunLoopTimer*, void*) + 31 18 com.apple.CoreFoundation 0x00007fff7a047e04 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20 19 com.apple.CoreFoundation 0x00007fff7a047a93 __CFRunLoopDoTimer + 1075 20 com.apple.CoreFoundation 0x00007fff7a0475ea __CFRunLoopDoTimers + 298 21 com.apple.CoreFoundation 0x00007fff7a03efc1 __CFRunLoopRun + 2081 22 com.apple.CoreFoundation 0x00007fff7a03e544 CFRunLoopRunSpecific + 420 23 com.apple.HIToolbox 0x00007fff7959debc RunCurrentEventLoopInMode + 240 24 com.apple.HIToolbox 0x00007fff7959dcf1 ReceiveNextEventCommon + 432 25 com.apple.HIToolbox 0x00007fff7959db26 _BlockUntilNextEventMatchingListInModeWithFilter + 71 26 com.apple.AppKit 0x00007fff77b36a54 _DPSNextEvent + 1120 27 com.apple.AppKit 0x00007fff782b27ee -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 2796 28 com.apple.AppKit 0x00007fff77b2b3db -[NSApplication run] + 926 29 com.apple.AppKit 0x00007fff77af5e0e NSApplicationMain + 1237 30 libxpc.dylib 0x00007fff8fe628c7 _xpc_objc_main + 775 31 libxpc.dylib 0x00007fff8fe612e4 xpc_main + 494 32 com.apple.WebKit.WebContent 0x000000010016b695 0x10016a000 + 5781 33 libdyld.dylib 0x0000000101217235 start + 1

Attachments
patch (7.88 KB, patch) 2017-12-11 17:47 PST, Saam Barati	no flags	Details Formatted Diff Diff
patch (7.90 KB, patch) 2017-12-11 17:48 PST, Saam Barati	no flags	Details Formatted Diff Diff
patch (7.14 KB, patch) 2017-12-11 17:49 PST, Saam Barati	no flags	Details Formatted Diff Diff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.

Ryosuke Niwa

Comment 1 2017-12-03 22:38:24 PST

Hm... perhaps this happens after I've moved the tab to background.

Ryosuke Niwa

Comment 2 2017-12-03 22:42:50 PST

Yeah, it looks like I need to bring the tab to the background and after 10-20s, the tab would crash. It's not 100% reliable though. It's like ~50% probability for me.

Saam Barati

Comment 3 2017-12-04 00:32:02 PST

I’ll check this out

Radar WebKit Bug Importer

Comment 4 2017-12-04 10:52:01 PST

<rdar://problem/35833002>

Ryosuke Niwa

Comment 5 2017-12-05 15:53:20 PST

Hm... I can't reproduce this on STP44 so it might be already fixed now.

Saam Barati

Comment 6 2017-12-11 11:45:44 PST

I can't reproduce this either but I know other people have seen this recently. I'm going to look for ways to repro.