Bug 60580

Summary: Assertion failure in JSC::Structure::typeInfo when reloading weather.com video page
Product: WebKit Reporter: Adam Roben (:aroben) <aroben>
Component: JavaScriptCoreAssignee: Oliver Hunt <oliver>
Status: RESOLVED FIXED    
Severity: Normal CC: ggaren, oliver
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Windows 7   
URL: http://www.weather.com/outlook/videos/todays-top-forecast-4276
Attachments:
Description Flags
Patch ggaren: review+

Adam Roben (:aroben)
Reported 2011-05-10 14:07:30 PDT
Here's what I did. I haven't yet tried to reproduce: 1. Go to http://www.weather.com/outlook/videos/todays-top-forecast-4276 2. Pause the video 3. Reload I hit this assertion in JSC::Structure: const TypeInfo& typeInfo() const { ASSERT(structure()->classInfo() == &s_info); return m_typeInfo; } structure()->classInfo() is JSC::JSActivation::s_info. Here's the (partial) backtrace: > JavaScriptCore.dll!JSC::Structure::typeInfo() Line 101 + 0x43 bytes C++ JavaScriptCore.dll!JSC::JSCell::fastGetOwnPropertySlot(JSC::ExecState * exec=0x06b00238, const JSC::Identifier & propertyName={...}, JSC::PropertySlot & slot={...}) Line 510 + 0xf bytes C++ JavaScriptCore.dll!JSC::JSObject::getPropertySlot(JSC::ExecState * exec=0x06b00238, const JSC::Identifier & propertyName={...}, JSC::PropertySlot & slot={...}) Line 521 + 0x14 bytes C++ JavaScriptCore.dll!JSC::JSObject::hasProperty(JSC::ExecState * exec=0x06b00238, const JSC::Identifier & propertyName={...}) Line 208 C++ WebKit.dll!WebCore::runtimeObjectCustomGetOwnPropertySlot(JSC::ExecState * exec=0x06b00238, const JSC::Identifier & propertyName={...}, JSC::PropertySlot & slot={...}, WebCore::JSHTMLElement * element=0x0d563768) Line 119 + 0x10 bytes C++ WebKit.dll!WebCore::JSHTMLObjectElement::getOwnPropertySlotDelegate(JSC::ExecState * exec=0x06b00238, const JSC::Identifier & propertyName={...}, JSC::PropertySlot & slot={...}) Line 38 + 0x15 bytes C++ WebKit.dll!WebCore::JSHTMLObjectElement::getOwnPropertySlot(JSC::ExecState * exec=0x06b00238, const JSC::Identifier & propertyName={...}, JSC::PropertySlot & slot={...}) Line 181 + 0x14 bytes C++ JavaScriptCore.dll!JSC::JSCell::fastGetOwnPropertySlot(JSC::ExecState * exec=0x06b00238, const JSC::Identifier & propertyName={...}, JSC::PropertySlot & slot={...}) Line 512 + 0x1b bytes C++ JavaScriptCore.dll!cti_op_get_by_val(void * * args=0x0012c1d0) Line 2353 + 0x1b bytes C++ JavaScriptCore.dll!@cti_op_create_this@4() + 0x1cf bytes C++ JavaScriptCore.dll!JSC::JITCode::execute(JSC::RegisterFile * registerFile=0x03dcadd4, JSC::ExecState * callFrame=0x06b00090, JSC::JSGlobalData * globalData=0x03db6e20) Line 77 + 0x22 bytes C++ JavaScriptCore.dll!JSC::Interpreter::execute(JSC::EvalExecutable * eval=0x048c0cd8, JSC::ExecState * callFrame=0x06b00038, JSC::JSObject * thisObj=0x0a950128, int globalRegisterOffset=18, JSC::ScopeChainNode * scopeChain=0x1bd83068) Line 1138 + 0x2b bytes C++ JavaScriptCore.dll!JSC::Interpreter::callEval(JSC::ExecState * callFrame=0x06b00038, JSC::RegisterFile * registerFile=0x03dcadd4, JSC::Register * argv=0x06b00050, int argc=2, int registerOffset=11) Line 412 + 0x6c bytes C++ JavaScriptCore.dll!cti_op_call_eval(void * * args=0x0012c4c8) Line 3210 C++ JavaScriptCore.dll!@cti_op_create_this@4() + 0x1cf bytes C++ JavaScriptCore.dll!JSC::JITCode::execute(JSC::RegisterFile * registerFile=0x03dcadd4, JSC::ExecState * callFrame=0x06b00038, JSC::JSGlobalData * globalData=0x03db6e20) Line 77 + 0x22 bytes C++ JavaScriptCore.dll!JSC::Interpreter::execute(JSC::ProgramExecutable * program=0x048c0c80, JSC::ExecState * callFrame=0x0ba810a0, JSC::ScopeChainNode * scopeChain=0x1bd83068, JSC::JSObject * thisObj=0x0ba81028) Line 767 + 0x25 bytes C++ JavaScriptCore.dll!JSC::evaluate(JSC::ExecState * exec=0x0ba810a0, JSC::ScopeChainNode * scopeChain=0x1bd83068, const JSC::SourceCode & source={...}, JSC::JSValue thisValue={...}) Line 66 C++ WebKit.dll!WebKit::NPRuntimeObjectMap::evaluate(NPObject * npObject=0x0d121a90, const WTF::String & scriptString={try { __flash__toXML(eval("if (typeof(onTemplateLoaded) != \"undefined\") onTemplateLoaded('myExperience');")) ; } catch (e) { "<undefined/>"; }}, _NPVariant * result=0x0012c7d4) Line 196 + 0x4f bytes C++ WebKit.dll!WebKit::PluginView::evaluate(NPObject * npObject=0x0d121a90, const WTF::String & scriptString={try { __flash__toXML(eval("if (typeof(onTemplateLoaded) != \"undefined\") onTemplateLoaded('myExperience');")) ; } catch (e) { "<undefined/>"; }}, _NPVariant * result=0x0012c7d4, bool allowPopups=false) Line 983 + 0x1a bytes C++ WebKit.dll!WebKit::NetscapePlugin::evaluate(NPObject * npObject=0x0d121a90, const WTF::String & scriptString={try { __flash__toXML(eval("if (typeof(onTemplateLoaded) != \"undefined\") onTemplateLoaded('myExperience');")) ; } catch (e) { "<undefined/>"; }}, _NPVariant * result=0x0012c7d4) Line 215 + 0x2c bytes C++ WebKit.dll!WebKit::NPN_Evaluate(_NPP * npp=0x0cd59244, NPObject * npObject=0x0d121a90, _NPString * script=0x0012c7e4, _NPVariant * result=0x0012c7d4) Line 681 + 0x1b bytes C++ NPSWF32.dll!15e2e947() [Frames below may be incorrect and/or missing, no symbols loaded for NPSWF32.dll]
Attachments
Patch (4.14 KB, patch)
2011-05-10 18:36 PDT, Oliver Hunt 		ggaren: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Adam Roben (:aroben)
Comment 1 2011-05-10 14:17:54 PDT
I don't know what symptoms this causes in a release build.
Adam Roben (:aroben)
Comment 2 2011-05-10 14:18:12 PDT
<rdar://problem/9415930>
Adam Roben (:aroben)
Comment 3 2011-05-10 14:19:45 PDT
The script being evaluated is: try { __flash__toXML(eval("if (typeof(onTemplateLoaded) != \"undefined\") onTemplateLoaded('myExperience');")) ; } catch (e) { "<undefined/>"; }
Adam Roben (:aroben)
Comment 4 2011-05-10 14:20:34 PDT
JSObject::hasProperty is looking for a property named callback5295
Adam Roben (:aroben)
Comment 5 2011-05-10 14:24:26 PDT
(In reply to comment #3) > The script being evaluated is: > > try { __flash__toXML(eval("if (typeof(onTemplateLoaded) != \"undefined\") onTemplateLoaded('myExperience');")) ; } catch (e) { "<undefined/>"; } That is the script being passed to NPN_Evaluate. The script being dealt with in Interpreter::callEval is (unsurprisingly): if (typeof(onTemplateLoaded) != "undefined") onTemplateLoaded('myExperience');
Adam Roben (:aroben)
Comment 6 2011-05-10 14:25:45 PDT
Some more data from the debugger: > structure()->classInfo() 0x0317073c struct JSC::ClassInfo const JSC::JSActivation::s_info {className=0x02e2fd00 "JSActivation" parentClass=0x031707d4 staticPropHashTable=0x00000000 ...} className: 0x02e2fd00 "JSActivation" parentClass: 0x031707d4 struct JSC::ClassInfo const JSC::JSObject::s_info {className=0x02e83bc4 "Object" parentClass=0x00000000 staticPropHashTable=0x00000000 ...} staticPropHashTable: 0x00000000 {compactSize=??? compactHashSizeMask=??? values=??? ...} classPropHashTableGetterFunction: 0x00000000 > &s_info 0x03170914 struct JSC::ClassInfo const JSC::Structure::s_info {className=0x02f56614 "Structure" parentClass=0x00000000 staticPropHashTable=0x00000000 ...} className: 0x02f56614 "Structure" parentClass: 0x00000000 {className=??? parentClass=??? staticPropHashTable=??? ...} staticPropHashTable: 0x00000000 {compactSize=??? compactHashSizeMask=??? values=??? ...} classPropHashTableGetterFunction: 0x00000000
Geoffrey Garen
Comment 7 2011-05-10 14:29:31 PDT
This data seems to indicate that JSGlobalData::structureStructure was recycled to allocate JSGlobalData::activationStructure. That is very odd, since both objects are allocated before any webpages are loaded, and both are global roots. I'm flummoxed.
Geoffrey Garen
Comment 8 2011-05-10 14:39:19 PDT
I believe the release build symptom would be a crash.
Geoffrey Garen
Comment 9 2011-05-10 14:47:22 PDT
Oliver pointed out that what's more likely going on here is not that JSGlobalData::structureStructure was recycled, but instead that the current Structure was recycled, and an Activation allocated in its place.
Geoffrey Garen
Comment 10 2011-05-10 14:48:49 PDT
I couldn't reproduce this in a Mac release build.
Adam Roben (:aroben)
Comment 11 2011-05-10 14:56:54 PDT
I was able to reproduce this. It doesn't seem to happen every time, but happens maybe once out of every 3 times.
Adam Roben (:aroben)
Comment 12 2011-05-10 14:58:07 PDT
Here's the backtrace from another time I reproduced it: > JavaScriptCore.dll!JSC::Structure::typeInfo() Line 101 + 0x43 bytes C++ JavaScriptCore.dll!JSC::JSCell::fastGetOwnPropertySlot(JSC::ExecState * exec=0x06a00238, const JSC::Identifier & propertyName={...}, JSC::PropertySlot & slot={...}) Line 510 + 0xf bytes C++ JavaScriptCore.dll!JSC::JSObject::getPropertySlot(JSC::ExecState * exec=0x06a00238, const JSC::Identifier & propertyName={...}, JSC::PropertySlot & slot={...}) Line 521 + 0x14 bytes C++ JavaScriptCore.dll!JSC::JSObject::hasProperty(JSC::ExecState * exec=0x06a00238, const JSC::Identifier & propertyName={...}) Line 208 C++ WebKit.dll!WebCore::runtimeObjectCustomGetOwnPropertySlot(JSC::ExecState * exec=0x06a00238, const JSC::Identifier & propertyName={...}, JSC::PropertySlot & slot={...}, WebCore::JSHTMLElement * element=0x0d3c3768) Line 119 + 0x10 bytes C++ WebKit.dll!WebCore::JSHTMLObjectElement::getOwnPropertySlotDelegate(JSC::ExecState * exec=0x06a00238, const JSC::Identifier & propertyName={...}, JSC::PropertySlot & slot={...}) Line 38 + 0x15 bytes C++ WebKit.dll!WebCore::JSHTMLObjectElement::getOwnPropertySlot(JSC::ExecState * exec=0x06a00238, const JSC::Identifier & propertyName={...}, JSC::PropertySlot & slot={...}) Line 181 + 0x14 bytes C++ JavaScriptCore.dll!JSC::JSCell::fastGetOwnPropertySlot(JSC::ExecState * exec=0x06a00238, const JSC::Identifier & propertyName={...}, JSC::PropertySlot & slot={...}) Line 512 + 0x1b bytes C++ JavaScriptCore.dll!cti_op_get_by_val(void * * args=0x0012c1d0) Line 2353 + 0x1b bytes C++ JavaScriptCore.dll!@cti_op_create_this@4() + 0x1cf bytes C++ JavaScriptCore.dll!JSC::JITCode::execute(JSC::RegisterFile * registerFile=0x03dcaf94, JSC::ExecState * callFrame=0x06a00090, JSC::JSGlobalData * globalData=0x03d2fe50) Line 77 + 0x22 bytes C++ JavaScriptCore.dll!JSC::Interpreter::execute(JSC::EvalExecutable * eval=0x0c200700, JSC::ExecState * callFrame=0x06a00038, JSC::JSObject * thisObj=0x0a940128, int globalRegisterOffset=18, JSC::ScopeChainNode * scopeChain=0x0d9a08c8) Line 1138 + 0x2b bytes C++ JavaScriptCore.dll!JSC::Interpreter::callEval(JSC::ExecState * callFrame=0x06a00038, JSC::RegisterFile * registerFile=0x03dcaf94, JSC::Register * argv=0x06a00050, int argc=2, int registerOffset=11) Line 412 + 0x6c bytes C++ JavaScriptCore.dll!cti_op_call_eval(void * * args=0x0012c4c8) Line 3210 C++ JavaScriptCore.dll!@cti_op_create_this@4() + 0x1cf bytes C++ JavaScriptCore.dll!JSC::JITCode::execute(JSC::RegisterFile * registerFile=0x03dcaf94, JSC::ExecState * callFrame=0x06a00038, JSC::JSGlobalData * globalData=0x03d2fe50) Line 77 + 0x22 bytes C++ JavaScriptCore.dll!JSC::Interpreter::execute(JSC::ProgramExecutable * program=0x0c2006a8, JSC::ExecState * callFrame=0x0e880ba0, JSC::ScopeChainNode * scopeChain=0x0d9a08c8, JSC::JSObject * thisObj=0x0e880b28) Line 767 + 0x25 bytes C++ JavaScriptCore.dll!JSC::evaluate(JSC::ExecState * exec=0x0e880ba0, JSC::ScopeChainNode * scopeChain=0x0d9a08c8, const JSC::SourceCode & source={...}, JSC::JSValue thisValue={...}) Line 66 C++ WebKit.dll!WebKit::NPRuntimeObjectMap::evaluate(NPObject * npObject=0x0b9debf0, const WTF::String & scriptString={try { __flash__toXML(eval("if (typeof(onTemplateLoaded) != \"undefined\") onTemplateLoaded('myExperience');")) ; } catch (e) { "<undefined/>"; }}, _NPVariant * result=0x0012c7d4) Line 196 + 0x4f bytes C++ WebKit.dll!WebKit::PluginView::evaluate(NPObject * npObject=0x0b9debf0, const WTF::String & scriptString={try { __flash__toXML(eval("if (typeof(onTemplateLoaded) != \"undefined\") onTemplateLoaded('myExperience');")) ; } catch (e) { "<undefined/>"; }}, _NPVariant * result=0x0012c7d4, bool allowPopups=false) Line 983 + 0x1a bytes C++ WebKit.dll!WebKit::NetscapePlugin::evaluate(NPObject * npObject=0x0b9debf0, const WTF::String & scriptString={try { __flash__toXML(eval("if (typeof(onTemplateLoaded) != \"undefined\") onTemplateLoaded('myExperience');")) ; } catch (e) { "<undefined/>"; }}, _NPVariant * result=0x0012c7d4) Line 215 + 0x2c bytes C++ WebKit.dll!WebKit::NPN_Evaluate(_NPP * npp=0x0d3498b4, NPObject * npObject=0x0b9debf0, _NPString * script=0x0012c7e4, _NPVariant * result=0x0012c7d4) Line 681 + 0x1b bytes C++ NPSWF32.dll!1652e947() [Frames below may be incorrect and/or missing, no symbols loaded for NPSWF32.dll] <many NPSWF32.dll frames omitted> NPSWF32.dll!1653262b() WebKit.dll!WTF::removeIterator<unsigned __int64,std::pair<unsigned __int64,RunLoop::TimerBase *>,WTF::PairFirstExtractor<std::pair<unsigned __int64,RunLoop::TimerBase *> >,WTF::IntHash<unsigned __int64>,WTF::PairHashTraits<WTF::HashTraits<unsigned __int64>,WTF::HashTraits<RunLoop::TimerBase *> >,WTF::HashTraits<unsigned __int64> >(WTF::HashTableConstIterator<unsigned __int64,std::pair<unsigned __int64,RunLoop::TimerBase *>,WTF::PairFirstExtractor<std::pair<unsigned __int64,RunLoop::TimerBase *> >,WTF::IntHash<unsigned __int64>,WTF::PairHashTraits<WTF::HashTraits<unsigned __int64>,WTF::HashTraits<RunLoop::TimerBase *> >,WTF::HashTraits<unsigned __int64> > * it=0x00070cf4) Line 1116 + 0xf bytes C++ user32.dll!_InternalCallWinProc@20() + 0x28 bytes user32.dll!_UserCallWinProcCheckWow@32() + 0xb7 bytes user32.dll!_DispatchMessageWorker@8() + 0xdc bytes user32.dll!_DispatchMessageW@4() + 0xf bytes WebKit.dll!RunLoop::run() Line 78 + 0xc bytes C++ WebKit.dll!WebKit::WebProcessMain(const WebKit::CommandLine & commandLine={...}) Line 82 C++ WebKit.dll!WebKitMain(const WebKit::CommandLine & commandLine={...}) Line 48 + 0x9 bytes C++ WebKit.dll!WebKitMain(HINSTANCE__ * hInstance=0x00400000, HINSTANCE__ * hPrevInstance=0x00000000, wchar_t * lpstrCmdLine=0x0002114c, int nCmdShow=10) Line 172 + 0x9 bytes C++ WebKit2WebProcess.exe!wWinMain(HINSTANCE__ * hInstance=0x00400000, HINSTANCE__ * hPrevInstance=0x00000000, wchar_t * lpstrCmdLine=0x0002114c, int nCmdShow=10) Line 66 + 0x18 bytes C++ WebKit2WebProcess.exe!__tmainCRTStartup() Line 589 + 0x1c bytes C kernel32.dll!_BaseProcessStart@4() + 0x23 bytes This seems to indicate that there is no reentrancy involved.
Adam Roben (:aroben)
Comment 13 2011-05-10 15:41:22 PDT
In JSCell::fastGetOwnPropertySlot, "this" is a WebKit::JSNPObject.
Adam Roben (:aroben)
Comment 14 2011-05-10 15:42:07 PDT
I have Flash 10.2 r159 installed.
Oliver Hunt
Comment 15 2011-05-10 18:36:27 PDT
Created attachment 93058 [details] Patch
Geoffrey Garen
Comment 16 2011-05-10 18:39:20 PDT
Comment on attachment 93058 [details] Patch Nice! r=me
Oliver Hunt
Comment 17 2011-05-10 19:12:13 PDT
Committed r86206: <http://trac.webkit.org/changeset/86206>
Note You need to log in before you can comment on or make changes to this bug.