Bug 180343

Summary: We need to disableCaching() in ErrorInstance when we materialize properties
Product: WebKit    Reporter: Ryosuke Niwa <rniwa>
Component: JavaScriptCore    Assignee: Saam Barati <saam>
Status: RESOLVED FIXED
Severity: Normal    CC: benjamin, commit-queue, ddkilzer, fpizlo, ggaren, gskachkov, jfbastien, keith_miller, mark.lam, msaboff, rmorisset, saam, ticaiolima, webkit-bug-importer, ysuzuki
Priority: P2    Keywords: InRadar
Version: Safari Technology Preview
Hardware: Unspecified
OS: Unspecified
Attachments (Description / Flags):
patch / none
patch / none
patch / none

Description Ryosuke Niwa 2017-12-03 22:32:54 PST
Hit this while looking up words on https://www.merriam-webster.com and keep it open in a background window (not a background tab).

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000004
Exception Note:        EXC_CORPSE_NOTIFY

Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   exc handler [0]

VM Regions Near 0x4:
--> 
    __TEXT                 000000010016a000-000000010016c000 [    8K] r-x/rwx SM=COW  /Applications/Safari Technology Preview.app/Contents/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

Application Specific Information:
Bundle controller class:
BrowserBundleController
 

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x0000000104290a8e JSC::Structure::didCachePropertyReplacement(JSC::VM&, int) + 14
1   com.apple.JavaScriptCore      	0x00000001048d6830 JSC::repatchPutByID(JSC::ExecState*, JSC::JSValue, JSC::Structure*, JSC::Identifier const&, JSC::PutPropertySlot const&, JSC::StructureStubInfo&, JSC::PutKind) + 448
2   com.apple.JavaScriptCore      	0x00000001040a5f4b operationPutByIdStrictOptimize + 1547
3   ???                           	0x0000358a79be4a64 0 + 58868864272996
4   ???                           	0x0000358a79c8737d 0 + 58868864938877
5   ???                           	0x0000358a79c6266a 0 + 58868864788074
6   com.apple.JavaScriptCore      	0x00000001040cdcd0 vmEntryToJavaScript + 304
7   com.apple.JavaScriptCore      	0x00000001048970af JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 127
8   com.apple.JavaScriptCore      	0x0000000103f5fd6a JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 522
9   com.apple.JavaScriptCore      	0x00000001049ecf15 JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 197
10  com.apple.WebCore             	0x0000000101f91120 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 1200
11  com.apple.WebCore             	0x0000000101b44af8 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>) + 568
12  com.apple.WebCore             	0x0000000101b446dc WebCore::EventTarget::fireEventListeners(WebCore::Event&) + 412
13  com.apple.WebCore             	0x0000000101b44525 WebCore::EventTarget::dispatchEvent(WebCore::Event&) + 101
14  com.apple.WebCore             	0x000000010169d7e5 WebCore::XMLHttpRequest::callReadyStateChangeListener() + 149
15  com.apple.WebCore             	0x000000010297951e WebCore::XMLHttpRequest::networkErrorTimerFired() + 14
16  com.apple.WebCore             	0x00000001015f6690 WebCore::ThreadTimers::sharedTimerFiredInternal() + 176
17  com.apple.WebCore             	0x00000001015f65cf WebCore::timerFired(__CFRunLoopTimer*, void*) + 31
18  com.apple.CoreFoundation      	0x00007fff7a047e04 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
19  com.apple.CoreFoundation      	0x00007fff7a047a93 __CFRunLoopDoTimer + 1075
20  com.apple.CoreFoundation      	0x00007fff7a0475ea __CFRunLoopDoTimers + 298
21  com.apple.CoreFoundation      	0x00007fff7a03efc1 __CFRunLoopRun + 2081
22  com.apple.CoreFoundation      	0x00007fff7a03e544 CFRunLoopRunSpecific + 420
23  com.apple.HIToolbox           	0x00007fff7959debc RunCurrentEventLoopInMode + 240
24  com.apple.HIToolbox           	0x00007fff7959dcf1 ReceiveNextEventCommon + 432
25  com.apple.HIToolbox           	0x00007fff7959db26 _BlockUntilNextEventMatchingListInModeWithFilter + 71
26  com.apple.AppKit              	0x00007fff77b36a54 _DPSNextEvent + 1120
27  com.apple.AppKit              	0x00007fff782b27ee -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 2796
28  com.apple.AppKit              	0x00007fff77b2b3db -[NSApplication run] + 926
29  com.apple.AppKit              	0x00007fff77af5e0e NSApplicationMain + 1237
30  libxpc.dylib                  	0x00007fff8fe628c7 _xpc_objc_main + 775
31  libxpc.dylib                  	0x00007fff8fe612e4 xpc_main + 494
32  com.apple.WebKit.WebContent   	0x000000010016b695 0x10016a000 + 5781
33  libdyld.dylib                 	0x0000000101217235 start + 1
Comment 1 Ryosuke Niwa 2017-12-03 22:38:24 PST
Hm... perhaps this happens after I've moved the tab to background.
Comment 2 Ryosuke Niwa 2017-12-03 22:42:50 PST
Yeah, it looks like I need to bring the tab to the background and after 10-20s, the tab would crash. It's not 100% reliable though. It's like ~50% probability for me.
Comment 3 Saam Barati 2017-12-04 00:32:02 PST
I’ll check this out
Comment 4 Radar WebKit Bug Importer 2017-12-04 10:52:01 PST
<rdar://problem/35833002>
Comment 5 Ryosuke Niwa 2017-12-05 15:53:20 PST
Hm... I can't reproduce this on STP44 so it might be already fixed now.
Comment 6 Saam Barati 2017-12-11 11:45:44 PST
I can't reproduce this either but I know other people have seen this recently. I'm going to look for ways to repro.
Comment 7 Saam Barati 2017-12-11 17:00:33 PST
patch forthcoming
Comment 8 Saam Barati 2017-12-11 17:47:25 PST
Created attachment 329065 [details]
patch
Comment 9 Saam Barati 2017-12-11 17:48:10 PST
Created attachment 329066 [details]
patch
Comment 10 Saam Barati 2017-12-11 17:49:49 PST
Created attachment 329069 [details]
patch
Comment 11 Mark Lam 2017-12-11 17:54:37 PST
Comment on attachment 329069 [details]
patch

r=me
Comment 12 WebKit Commit Bot 2017-12-11 19:24:48 PST
Comment on attachment 329069 [details]
patch

Clearing flags on attachment: 329069

Committed r225768: <https://trac.webkit.org/changeset/225768>
Comment 13 WebKit Commit Bot 2017-12-11 19:24:49 PST
All reviewed patches have been landed.  Closing bug.
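The bug summary and the crash frames (JSC::repatchPutByID calling into Structure::didCachePropertyReplacement from a put-by-id fast path) describe one invariant of an inline-caching engine: a put handler that changes the object's shape as a side effect, here by materializing error properties lazily, must mark the put uncacheable, or the inline cache records a transition that skips the side effect. The following is an added, deliberately simplified model written for this page; it is not code from JavaScriptCore or from the patch landed as r225768. The classes Structure, PutPropertySlot, ErrorLikeObject and PutByIdCache are hypothetical stand-ins for the JSC concepts of the same names, and the exact ErrorInstance mechanics are not reconstructed.

```cpp
// Added illustrative model (NOT JavaScriptCore code): why a put handler that
// materializes properties as a side effect must call disableCaching().
#include <cstdio>
#include <map>
#include <string>
#include <utility>
#include <vector>

// A Structure describes which properties an object has (its "shape").
struct Structure {
    int id;
    std::vector<std::string> properties;
};

// Structures are interned for the program's lifetime so that equal shapes share an id.
static Structure* structureFor(const std::vector<std::string>& props) {
    static std::map<std::vector<std::string>, Structure*> table;
    auto it = table.find(props);
    if (it != table.end()) return it->second;
    Structure* s = new Structure{static_cast<int>(table.size()), props};
    table[props] = s;
    return s;
}
static Structure* addProperty(Structure* from, const std::string& name) {
    std::vector<std::string> props = from->properties;
    props.push_back(name);
    return structureFor(props);
}

// The slot records whether this particular put may be inline-cached.
struct PutPropertySlot {
    bool cacheable = true;
    void disableCaching() { cacheable = false; }
};

// An object whose "error info" is materialized lazily (hypothetical ErrorInstance stand-in).
struct ErrorLikeObject {
    Structure* structure;
    std::map<std::string, int> storage;
    bool errorInfoMaterialized = false;
    bool fixApplied; // true: the handler disables caching after materializing

    explicit ErrorLikeObject(bool fix) : structure(structureFor({})), fixApplied(fix) {}

    void materializeErrorInfoIfNeeded() {
        if (errorInfoMaterialized) return;
        errorInfoMaterialized = true;
        structure = addProperty(structure, "line"); // shape changes as a side effect
        storage["line"] = 42;
    }

    // Slow-path put: may change the shape twice (materialization, then the new property).
    void put(const std::string& name, int value, PutPropertySlot& slot) {
        materializeErrorInfoIfNeeded();
        if (fixApplied) slot.disableCaching(); // side effect happened: do not cache this put
        structure = addProperty(structure, name);
        storage[name] = value;
    }

    // Invariant the engine relies on: every property named by the structure is backed by storage.
    bool consistent() const {
        for (const auto& p : structure->properties)
            if (!storage.count(p)) return false;
        return true;
    }
};

// Inline cache: (old structure id, property) -> new structure, installed by the slow path.
struct PutByIdCache {
    std::map<std::pair<int, std::string>, Structure*> transitions;

    // Models repatchPutByID: record the observed transition unless the slot forbade it.
    void repatch(Structure* oldStructure, const std::string& name,
                 const PutPropertySlot& slot, Structure* newStructure) {
        if (!slot.cacheable) return;
        transitions[{oldStructure->id, name}] = newStructure;
    }

    // Fast path: a cached transition applies only the shape change and the single store.
    bool tryFastPath(ErrorLikeObject& obj, const std::string& name, int value) {
        auto it = transitions.find({obj.structure->id, name});
        if (it == transitions.end()) return false;
        obj.structure = it->second;
        obj.storage[name] = value;
        return true;
    }
};

// Put the same property on two fresh objects; the second may hit the cache primed by the first.
// Returns whether the second object still satisfies the storage/shape invariant.
static bool secondObjectConsistent(bool fixApplied) {
    PutByIdCache cache;
    ErrorLikeObject a(fixApplied), b(fixApplied);
    for (ErrorLikeObject* obj : {&a, &b}) {
        if (cache.tryFastPath(*obj, "message", 1)) continue;
        PutPropertySlot slot;
        Structure* oldStructure = obj->structure;
        obj->put("message", 1, slot);
        cache.repatch(oldStructure, "message", slot, obj->structure);
    }
    return b.consistent();
}

int main() {
    std::printf("without disableCaching(): second object consistent = %d\n", secondObjectConsistent(false));
    std::printf("with    disableCaching(): second object consistent = %d\n", secondObjectConsistent(true));
    return 0;
}
```

Without the fix, the first object's slow path materializes "line" and then adds "message", and the cache records the transition from the empty shape straight to {line, message}; the second object takes that fast path, acquires a structure that claims a "line" property it never stored, and the invariant breaks. With disableCaching() the transition is never cached, so every object that still needs materialization goes through the slow path.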