Bug 70689

Summary: Crash in void JSC::validateCell<JSC::RegExp*>(JSC::RegExp*)
Product: WebKit
Reporter: Dimitris Apostolou <dimitris.apostolou>
Component: JavaScriptCore
Assignee: Oliver Hunt <oliver>
Status: RESOLVED FIXED
Severity: Normal
CC: barraclough, fpizlo, ggaren, msaboff, oliver, rniwa
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Mac (Intel)
OS: OS X 10.7
URL: http://www.imdb.com/name/nm0000241/

Attachments:
Crash log. (flags: none)
Patch (flags: fpizlo: review+)

Description Dimitris Apostolou 2011-10-23 01:30:51 PDT
Created attachment 112105 [details]
Crash log.

r98197

Reproducibility: once

Steps:
1. I opened http://www.imdb.com/title/tt1764651/
2. I clicked on http://www.imdb.com/name/nm0000241/
3. I clicked on the "Back" button in Safari.

What happened:
3. Crash while the page was loading.

1   0x1022cd9e4 void JSC::validateCell<JSC::RegExp*>(JSC::RegExp*)
2   0x1022cd905 JSC::WriteBarrierBase<JSC::RegExp>::set(JSC::JSGlobalData&, JSC::JSCell const*, JSC::RegExp*)
3   0x1022cd888 JSC::WriteBarrier<JSC::RegExp>::WriteBarrier(JSC::JSGlobalData&, JSC::JSCell const*, JSC::RegExp*)
4   0x1022cd83d JSC::WriteBarrier<JSC::RegExp>::WriteBarrier(JSC::JSGlobalData&, JSC::JSCell const*, JSC::RegExp*)
5   0x1024c5e27 JSC::RegExpObject::RegExpObjectData::RegExpObjectData(JSC::JSGlobalData&, JSC::RegExpObject*, JSC::RegExp*)
6   0x1024c53ed JSC::RegExpObject::RegExpObjectData::RegExpObjectData(JSC::JSGlobalData&, JSC::RegExpObject*, JSC::RegExp*)
7   0x1024c4667 JSC::RegExpObject::RegExpObject(JSC::JSGlobalObject*, JSC::Structure*, JSC::RegExp*)
8   0x1024c45ad JSC::RegExpObject::RegExpObject(JSC::JSGlobalObject*, JSC::Structure*, JSC::RegExp*)
9   0x102340f9d JSC::RegExpObject::create(JSC::JSGlobalData&, JSC::JSGlobalObject*, JSC::Structure*, JSC::RegExp*)
10  0x1023be397 cti_op_new_regexp
11  0x1023c12f0 jscGeneratedNativeCode
12  0x10237e069 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*)
13  0x102379fcd JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*)
14  0x1022ed91a JSC::evaluate(JSC::ExecState*, JSC::ScopeChainNode*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*)
15  0x103a619f1 WebCore::JSMainThreadExecState::evaluate(JSC::ExecState*, JSC::ScopeChainNode*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*)
16  0x10410de8f WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*)
17  0x1034d552b WebCore::Frame::injectUserScriptsForWorld(WebCore::DOMWrapperWorld*, WTF::Vector<WTF::OwnPtr<WebCore::UserScript>, 0ul> const&, WebCore::UserScriptInjectionTime)
18  0x1034d5327 WebCore::Frame::injectUserScripts(WebCore::UserScriptInjectionTime)
19  0x1034f0ab4 WebCore::FrameLoader::dispatchDocumentElementAvailable()
20  0x1035c3955 WebCore::HTMLConstructionSite::dispatchDocumentElementAvailableIfNeeded()
21  0x1035c3a8c WebCore::HTMLConstructionSite::insertHTMLHtmlStartTagBeforeHTML(WebCore::AtomicHTMLToken&)
22  0x10368725e WebCore::HTMLTreeBuilder::processStartTag(WebCore::AtomicHTMLToken&)
23  0x103686f19 WebCore::HTMLTreeBuilder::processToken(WebCore::AtomicHTMLToken&)
24  0x103686da4 WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken(WebCore::AtomicHTMLToken&)
25  0x103686cdc WebCore::HTMLTreeBuilder::constructTreeFromToken(WebCore::HTMLToken&)
26  0x1035e17b9 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode)
27  0x1035e1268 WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode)
28  0x1035e22cf WebCore::HTMLDocumentParser::append(WebCore::SegmentedString const&)
29  0x10322637d WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter*, char const*, unsigned long)
30  0x1032b2b9d WebCore::DocumentWriter::addData(char const*, unsigned long)
31  0x10329259e WebCore::DocumentLoader::commitData(char const*, unsigned long)

Expected result:
3. WebKit does not crash.
Comment 1 Geoffrey Garen 2011-10-24 13:22:01 PDT
Can you reproduce this at will, or did it happen just that once?
Comment 2 Oliver Hunt 2011-10-24 13:24:45 PDT
I believe I've found a lifetime issue: essentially there's a window between the codeblock being created and it being bound to its owner executable. Unfortunately, during that window we perform codegen, which can trigger GC.

With this knowledge it should be trivial to create a repro case, however thus far my attempts have failed :-/
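A toy model of the lifetime window described in the comment above, added here as an illustration; it is not WebKit code and not the change from the patch on this bug. Heap, Cell, codegen and validateCell are placeholder names, and the "bind before codegen" ordering is one illustrative way to close such a window, not a claim about what r98302 did.

```cpp
#include <cassert>
#include <memory>
#include <vector>

// Toy mark-sweep heap with placeholder names (not JSC code). A cell survives a
// collection only if it is reachable from a root at that moment.
struct Cell { bool marked = false; bool live = true; std::vector<Cell*> children; };

struct Heap {
    std::vector<std::unique_ptr<Cell>> cells;
    std::vector<Cell*> roots;  // stands in for owners such as the executable

    Cell* allocate() { cells.push_back(std::make_unique<Cell>()); return cells.back().get(); }
    void mark(Cell* c) {
        if (!c || c->marked) return;
        c->marked = true;
        for (Cell* k : c->children) mark(k);
    }
    // Unreachable cells are swept. A real heap reuses the memory; here the cell
    // is only flagged dead so the outcome can be observed safely.
    void collect() {
        for (auto& c : cells) c->marked = false;
        for (Cell* r : roots) mark(r);
        for (auto& c : cells) if (!c->marked) c->live = false;
    }
};

// Plays the role of the validateCell check seen in the crash frame.
bool validateCell(const Cell* c) { return c && c->live; }

// Stand-in for codegen, which in this bug can trigger a collection.
void codegen(Heap& h) { h.collect(); }

// Simulates creating a code block, with the bind-to-owner step placed either
// before or after the codegen that can trigger GC. Returns whether the block
// is still a valid cell afterwards.
bool codeBlockSurvives(bool bindBeforeCodegen) {
    Heap h;
    Cell* owner = h.allocate();            // stands in for the owner executable
    h.roots.push_back(owner);
    Cell* codeBlock = h.allocate();
    if (bindBeforeCodegen) owner->children.push_back(codeBlock);
    codegen(h);                            // GC point: unrooted cells are swept
    if (!bindBeforeCodegen) owner->children.push_back(codeBlock);  // too late
    return validateCell(codeBlock);
}
```

With the binding after codegen the block is unreachable across the GC point and validateCell fails, which is the shape of the crash in the attached log; binding first keeps it rooted.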
Comment 3 Oliver Hunt 2011-10-24 14:50:34 PDT
<rdar://problem/10336511>
Comment 4 Oliver Hunt 2011-10-24 17:15:48 PDT
Created attachment 112281 [details]
Patch
Comment 5 Filip Pizlo 2011-10-24 17:18:02 PDT
Comment on attachment 112281 [details]
Patch

r=me
Comment 6 Oliver Hunt 2011-10-24 17:20:49 PDT
Committed r98302: <http://trac.webkit.org/changeset/98302>
Comment 7 Ryosuke Niwa 2011-10-24 23:19:18 PDT
It appears that 2 js tests started failing after this patch was landed: http://build.webkit.org/builders/SnowLeopard%20Intel%20Release%20%28Tests%29/builds/34169
Comment 8 Oliver Hunt 2011-10-25 08:41:45 PDT
(In reply to comment #7)
> It appears that 2 js tests started failing after this patch was landed: http://build.webkit.org/builders/SnowLeopard%20Intel%20Release%20%28Tests%29/builds/34169

wth? I'll look at this once I get to work, sorry about that.
Comment 9 Ryosuke Niwa 2011-10-25 13:43:10 PDT
In addition, it appears two tests started hitting assertions after this patch:
http://build.webkit.org/results/SnowLeopard%20Intel%20Debug%20(Tests)/r98304%20(2698)/results.html