Bug 19716

Summary: REGRESSION (SquirrelFish): Reproducible crash after entering a username at mint.com
Product: WebKit Reporter: Aaron Gyes <floam>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Critical CC: i.am, oliver, zwarich
Priority: P1 Keywords: InRadar, NeedsReduction, Regression
Version: 528+ (Nightly build)   
Hardware: Mac   
OS: OS X 10.5   
URL: http://mint.com
Attachments:
Description Flags
Code dump
none
Destructor backtrace
none
Proposed patch oliver: review+

Aaron Gyes
Reported 2008-06-22 16:11:05 PDT
At Mint.com, once I'm logged in, if I try to enter a user name for a bank account, as soon as I hit tab to advance to the password field or click on the password field after entering my user name, Safari crashes. Here are the details: Identifier: org.webkit.nightly.WebKit Version: r34728 (34728) Code Type: X86 (Native) Parent Process: launchd [149] Date/Time: 2008-06-22 16:06:52.500 -0700 OS Version: Mac OS X 10.5.3 (9D34) Report Version: 6 Exception Type: EXC_BAD_ACCESS (SIGBUS) Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000044 Crashed Thread: 0 Thread 0 Crashed: 0 com.apple.JavaScriptCore 0x003cbded KJS::Machine::privateExecute(KJS::Machine::ExecutionFlag, KJS::ExecState*, KJS::RegisterFile*, KJS::Register*, KJS::ScopeChainNode*, KJS::CodeBlock*, KJS::JSValue**) + 6909 1 com.apple.JavaScriptCore 0x003d2841 KJS::Machine::execute(KJS::FunctionBodyNode*, KJS::ExecState*, KJS::JSFunction*, KJS::JSObject*, KJS::ArgList const&, KJS::RegisterFileStack*, KJS::ScopeChainNode*, KJS::JSValue**) + 833 2 com.apple.JavaScriptCore 0x003101f9 KJS::JSFunction::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::ArgList const&) + 233 3 com.apple.JavaScriptCore 0x00390228 KJS::functionProtoFuncCall(KJS::ExecState*, KJS::JSObject*, KJS::ArgList const&) + 200 4 com.apple.JavaScriptCore 0x003d171d KJS::Machine::privateExecute(KJS::Machine::ExecutionFlag, KJS::ExecState*, KJS::RegisterFile*, KJS::Register*, KJS::ScopeChainNode*, KJS::CodeBlock*, KJS::JSValue**) + 29741 5 com.apple.JavaScriptCore 0x003d2841 KJS::Machine::execute(KJS::FunctionBodyNode*, KJS::ExecState*, KJS::JSFunction*, KJS::JSObject*, KJS::ArgList const&, KJS::RegisterFileStack*, KJS::ScopeChainNode*, KJS::JSValue**) + 833 6 com.apple.JavaScriptCore 0x003101f9 KJS::JSFunction::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::ArgList const&) + 233 7 com.apple.JavaScriptCore 0x00390228 KJS::functionProtoFuncCall(KJS::ExecState*, KJS::JSObject*, KJS::ArgList const&) + 200 8 com.apple.JavaScriptCore 0x003d171d KJS::Machine::privateExecute(KJS::Machine::ExecutionFlag, KJS::ExecState*, KJS::RegisterFile*, KJS::Register*, KJS::ScopeChainNode*, KJS::CodeBlock*, KJS::JSValue**) + 29741 9 com.apple.JavaScriptCore 0x003d2841 KJS::Machine::execute(KJS::FunctionBodyNode*, KJS::ExecState*, KJS::JSFunction*, KJS::JSObject*, KJS::ArgList const&, KJS::RegisterFileStack*, KJS::ScopeChainNode*, KJS::JSValue**) + 833 10 com.apple.JavaScriptCore 0x0031018a KJS::JSFunction::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::ArgList const&) + 122 11 com.apple.WebCore 0x011746a9 WebCore::JSAbstractEventListener::handleEvent(WebCore::Event*, bool) + 1865 12 com.apple.WebCore 0x00d50196 WebCore::EventTarget::handleLocalEvents(WebCore::EventTargetNode*, WebCore::Event*, bool) + 182 13 com.apple.WebCore 0x00d50c6f WebCore::EventTargetNode::handleLocalEvents(WebCore::Event*, bool) + 79 14 com.apple.WebCore 0x00d505ab WebCore::EventTarget::dispatchGenericEvent(WebCore::EventTargetNode*, WTF::PassRefPtr<WebCore::Event>, int&, bool) + 1035 15 com.apple.WebCore 0x00d5151f WebCore::EventTargetNode::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 255 16 com.apple.WebCore 0x00d48da0 WebCore::EventHandler::keyEvent(WebCore::PlatformKeyboardEvent const&) + 592 17 com.apple.WebCore 0x00d4eec8 WebCore::EventHandler::keyEvent(NSEvent*) + 296 18 com.apple.WebKit 0x001d8577 -[WebHTMLView keyDown:] + 455 19 com.apple.AppKit 0x95f164c5 -[NSWindow sendEvent:] + 8511 20 com.apple.Safari 0x000296d3 0x1000 + 165587 21 com.apple.AppKit 0x95ee2431 -[NSApplication sendEvent:] + 2941 22 com.apple.Safari 0x00029250 0x1000 + 164432 23 com.apple.AppKit 0x95e3fe27 -[NSApplication run] + 847 24 com.apple.AppKit 0x95e0d030 NSApplicationMain + 574 25 com.apple.Safari 0x000b4de6 0x1000 + 736742 Thread 1: 0 libSystem.B.dylib 0x96e1768e __semwait_signal + 10 1 libSystem.B.dylib 0x96e4236d pthread_cond_wait$UNIX2003 + 73 2 com.apple.WebCore 0x00e11fcf WebCore::IconDatabase::syncThreadMainLoop() + 239 3 com.apple.WebCore 0x00e120e5 WebCore::IconDatabase::iconDatabaseSyncThread() + 181 4 libSystem.B.dylib 0x96e416f5 _pthread_start + 321 5 libSystem.B.dylib 0x96e415b2 thread_start + 34 Thread 2: 0 libSystem.B.dylib 0x96e605e2 select$DARWIN_EXTSN + 10 1 libSystem.B.dylib 0x96e416f5 _pthread_start + 321 2 libSystem.B.dylib 0x96e415b2 thread_start + 34 Thread 3: 0 libSystem.B.dylib 0x96e1768e __semwait_signal + 10 1 libSystem.B.dylib 0x96e4236d pthread_cond_wait$UNIX2003 + 73 2 com.apple.WebCore 0x01218a8b WebCore::LocalStorageThread::localStorageThread() + 427 3 libSystem.B.dylib 0x96e416f5 _pthread_start + 321 4 libSystem.B.dylib 0x96e415b2 thread_start + 34 Thread 4: 0 libSystem.B.dylib 0x96e104a6 mach_msg_trap + 10 1 libSystem.B.dylib 0x96e17c9c mach_msg + 72 2 com.apple.CoreFoundation 0x973230be CFRunLoopRunSpecific + 1806 3 com.apple.CoreFoundation 0x97323cf8 CFRunLoopRunInMode + 88 4 com.apple.CFNetwork 0x906c4afe CFURLCacheWorkerThread(void*) + 396 5 libSystem.B.dylib 0x96e416f5 _pthread_start + 321 6 libSystem.B.dylib 0x96e415b2 thread_start + 34 Thread 5: 0 libSystem.B.dylib 0x96e1768e __semwait_signal + 10 1 libSystem.B.dylib 0x96e4236d pthread_cond_wait$UNIX2003 + 73 2 com.apple.QuartzCore 0x95280e51 fe_fragment_thread + 54 3 libSystem.B.dylib 0x96e416f5 _pthread_start + 321 4 libSystem.B.dylib 0x96e415b2 thread_start + 34 Thread 6: 0 libSystem.B.dylib 0x96e1768e __semwait_signal + 10 1 libSystem.B.dylib 0x96e4236d pthread_cond_wait$UNIX2003 + 73 2 com.apple.QuartzCore 0x95280e51 fe_fragment_thread + 54 3 libSystem.B.dylib 0x96e416f5 _pthread_start + 321 4 libSystem.B.dylib 0x96e415b2 thread_start + 34 Thread 7: 0 libSystem.B.dylib 0x96e1768e __semwait_signal + 10 1 libSystem.B.dylib 0x96e4236d pthread_cond_wait$UNIX2003 + 73 2 com.apple.QuartzCore 0x95280e51 fe_fragment_thread + 54 3 libSystem.B.dylib 0x96e416f5 _pthread_start + 321 4 libSystem.B.dylib 0x96e415b2 thread_start + 34 Thread 8: 0 com.apple.CoreFoundation 0x972c4e33 __CFFromUTF8 + 675 1 com.apple.CoreFoundation 0x97355adf __CFStringDecodeByteStream3 + 1967 2 com.apple.CoreFoundation 0x9733d109 __CFStringCreateImmutableFunnel3 + 409 3 com.apple.CoreFoundation 0x9733e36e CFStringCreateWithBytes + 94 4 com.apple.CoreFoundation 0x9731b79b _CFPropertyListCreateFromXMLData + 379 5 com.apple.CoreFoundation 0x9731c4b7 CFPropertyListCreateFromStream + 551 6 com.apple.CFNetwork 0x906d27df CFHTTPCookieStorageRead + 120 7 com.apple.CFNetwork 0x906e97f6 CFHTTPCookieStorageSync + 115 8 com.apple.CFNetwork 0x906e9734 CFHTTPCookieStorageSyncStorageObserver + 22 9 com.apple.CFNetwork 0x906e728b CFHTTPCookieStorageObserverCallback + 32 10 com.apple.CoreFoundation 0x9732360e CFRunLoopRunSpecific + 3166 11 com.apple.CoreFoundation 0x97323cf8 CFRunLoopRunInMode + 88 12 com.apple.Foundation 0x92eb0460 +[NSURLConnection(NSURLConnectionReallyInternal) _resourceLoadLoop:] + 320 13 com.apple.Foundation 0x92e4cf1d -[NSThread main] + 45 14 com.apple.Foundation 0x92e4cac4 __NSThread__main__ + 308 15 libSystem.B.dylib 0x96e416f5 _pthread_start + 321 16 libSystem.B.dylib 0x96e415b2 thread_start + 34 Thread 9: 0 libSystem.B.dylib 0x96e10506 semaphore_timedwait_signal_trap + 10 1 libSystem.B.dylib 0x96e4284f _pthread_cond_wait + 1244 2 libSystem.B.dylib 0x96e440d3 pthread_cond_timedwait_relative_np + 47 3 com.apple.Foundation 0x92e92e8c -[NSCondition waitUntilDate:] + 236 4 com.apple.Foundation 0x92e92ca0 -[NSConditionLock lockWhenCondition:beforeDate:] + 144 5 com.apple.Foundation 0x92e92c05 -[NSConditionLock lockWhenCondition:] + 69 6 com.apple.AppKit 0x95ead470 -[NSUIHeartBeat _heartBeatThread:] + 753 7 com.apple.Foundation 0x92e4cf1d -[NSThread main] + 45 8 com.apple.Foundation 0x92e4cac4 __NSThread__main__ + 308 9 libSystem.B.dylib 0x96e416f5 _pthread_start + 321 10 libSystem.B.dylib 0x96e415b2 thread_start + 34 Thread 0 crashed with X86 Thread State (32-bit): eax: 0x00000048 ebx: 0x003ca301 ecx: 0x00000001 edx: 0x00000000 edi: 0x18926914 esi: 0xffffffff ebp: 0xbfffd628 esp: 0xbfffcba0 ss: 0x0000001f efl: 0x00010206 eip: 0x003cbded cs: 0x00000017 ds: 0x0000001f es: 0x0000001f fs: 0x00000000 gs: 0x00000037 cr2: 0x00000044
Attachments
Code dump (1.06 KB, text/plain)
2008-06-22 19:21 PDT, Cameron Zwarich (cpst) 		no flags
Details
Destructor backtrace (1.86 KB, text/plain)
2008-06-23 02:59 PDT, Cameron Zwarich (cpst) 		no flags
Details
Proposed patch (4.40 KB, patch)
2008-06-23 17:09 PDT, Cameron Zwarich (cpst) 		oliver: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Cameron Zwarich (cpst)
Comment 1 2008-06-22 16:33:05 PDT
I can reproduce this by creating a new account and trying to add an E*trade account to it. Hopefully I can reduce it.
Cameron Zwarich (cpst)
Comment 2 2008-06-22 17:55:49 PDT
The crashes occurs in the body of get_scoped_var. It seems that there is a problem with the multiscope lookup optimization. I will disable it and try again.
Cameron Zwarich (cpst)
Comment 3 2008-06-22 17:59:28 PDT
Interestingly enough, it still crashes even when I disable multiscope lookup optimization.
Mark Rowe (bdash)
Comment 4 2008-06-22 18:28:49 PDT
<rdar://problem/6026833>
Cameron Zwarich (cpst)
Comment 5 2008-06-22 19:21:27 PDT
Created attachment 21877 [details] Code dump Here is the code with multiscope lookup optimization turned off. It dies in resolve_with_base. I wanted to get the call frame as well, but gdb didn't agree. I'll get it by just printing it every time it enters that opcode body.
Cameron Zwarich (cpst)
Comment 6 2008-06-22 23:27:00 PDT
The problem is that the registerBase of the JSVariableObject (the value pointed to by JSVariableObject::registerBase()) is 0. The register base is a valid pointer to m_base of some RegisterFile. However, setBase() is never called on that RegisterFile to make it null, and it's not the default value (I made it something other than null to test). Since m_base is private, this means that the cause is likely random corruption from something else going wrong.
Cameron Zwarich (cpst)
Comment 7 2008-06-23 02:27:34 PDT
The RegisterFile instance containing the offending m_base field has already been freed when the field is being used by JSVariableObject::valueAt(). I'll try to figure out why it is being incorrectly freed.
Cameron Zwarich (cpst)
Comment 8 2008-06-23 02:59:30 PDT
Created attachment 21879 [details] Destructor backtrace Here's a destructor backtrace of the RegisterFile. The problem isn't really that a RegisterFile is being freed, it is that the JSActivation instance still refers to it. The copyRegisters() method should have been called on the JSActivation instance, but it seems that it wasn't.
Cameron Zwarich (cpst)
Comment 9 2008-06-23 17:09:58 PDT
Created attachment 21892 [details] Proposed patch
Oliver Hunt
Comment 10 2008-06-23 17:11:24 PDT
Comment on attachment 21892 [details] Proposed patch good detectoring
Cameron Zwarich (cpst)
Comment 11 2008-06-23 17:20:35 PDT
Landed in r34751.
Cameron Zwarich (cpst)
Comment 12 2008-06-24 14:46:53 PDT
*** Bug 19467 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.