Bug 70689

Summary: Crash in void JSC::validateCell<JSC::RegExp*>(JSC::RegExp*)
Product: WebKit Reporter: Dimitris Apostolou <dimitris.apostolou>
Component: JavaScriptCoreAssignee: Oliver Hunt <oliver>
Status: RESOLVED FIXED    
Severity: Normal CC: barraclough, fpizlo, ggaren, msaboff, oliver, rniwa
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Mac (Intel)   
OS: OS X 10.7   
URL: http://www.imdb.com/name/nm0000241/
Attachments:
Description Flags
Crash log.
none
Patch fpizlo: review+

Dimitris Apostolou
Reported 2011-10-23 01:30:51 PDT
Created attachment 112105 [details] Crash log. r98197 Reproducibility: once Steps: 1. I opened http://www.imdb.com/title/tt1764651/ 2. I clicked on http://www.imdb.com/name/nm0000241/ 3. I clicked on the "Back" button in Safari. What happened: 3. Crash while the page was loading. 1 0x1022cd9e4 void JSC::validateCell<JSC::RegExp*>(JSC::RegExp*) 2 0x1022cd905 JSC::WriteBarrierBase<JSC::RegExp>::set(JSC::JSGlobalData&, JSC::JSCell const*, JSC::RegExp*) 3 0x1022cd888 JSC::WriteBarrier<JSC::RegExp>::WriteBarrier(JSC::JSGlobalData&, JSC::JSCell const*, JSC::RegExp*) 4 0x1022cd83d JSC::WriteBarrier<JSC::RegExp>::WriteBarrier(JSC::JSGlobalData&, JSC::JSCell const*, JSC::RegExp*) 5 0x1024c5e27 JSC::RegExpObject::RegExpObjectData::RegExpObjectData(JSC::JSGlobalData&, JSC::RegExpObject*, JSC::RegExp*) 6 0x1024c53ed JSC::RegExpObject::RegExpObjectData::RegExpObjectData(JSC::JSGlobalData&, JSC::RegExpObject*, JSC::RegExp*) 7 0x1024c4667 JSC::RegExpObject::RegExpObject(JSC::JSGlobalObject*, JSC::Structure*, JSC::RegExp*) 8 0x1024c45ad JSC::RegExpObject::RegExpObject(JSC::JSGlobalObject*, JSC::Structure*, JSC::RegExp*) 9 0x102340f9d JSC::RegExpObject::create(JSC::JSGlobalData&, JSC::JSGlobalObject*, JSC::Structure*, JSC::RegExp*) 10 0x1023be397 cti_op_new_regexp 11 0x1023c12f0 jscGeneratedNativeCode 12 0x10237e069 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*) 13 0x102379fcd JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*) 14 0x1022ed91a JSC::evaluate(JSC::ExecState*, JSC::ScopeChainNode*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) 15 0x103a619f1 WebCore::JSMainThreadExecState::evaluate(JSC::ExecState*, JSC::ScopeChainNode*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) 16 0x10410de8f WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*) 17 0x1034d552b WebCore::Frame::injectUserScriptsForWorld(WebCore::DOMWrapperWorld*, WTF::Vector<WTF::OwnPtr<WebCore::UserScript>, 0ul> const&, WebCore::UserScriptInjectionTime) 18 0x1034d5327 WebCore::Frame::injectUserScripts(WebCore::UserScriptInjectionTime) 19 0x1034f0ab4 WebCore::FrameLoader::dispatchDocumentElementAvailable() 20 0x1035c3955 WebCore::HTMLConstructionSite::dispatchDocumentElementAvailableIfNeeded() 21 0x1035c3a8c WebCore::HTMLConstructionSite::insertHTMLHtmlStartTagBeforeHTML(WebCore::AtomicHTMLToken&) 22 0x10368725e WebCore::HTMLTreeBuilder::processStartTag(WebCore::AtomicHTMLToken&) 23 0x103686f19 WebCore::HTMLTreeBuilder::processToken(WebCore::AtomicHTMLToken&) 24 0x103686da4 WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken(WebCore::AtomicHTMLToken&) 25 0x103686cdc WebCore::HTMLTreeBuilder::constructTreeFromToken(WebCore::HTMLToken&) 26 0x1035e17b9 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) 27 0x1035e1268 WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode) 28 0x1035e22cf WebCore::HTMLDocumentParser::append(WebCore::SegmentedString const&) 29 0x10322637d WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter*, char const*, unsigned long) 30 0x1032b2b9d WebCore::DocumentWriter::addData(char const*, unsigned long) 31 0x10329259e WebCore::DocumentLoader::commitData(char const*, unsigned long) Expected result: 3. WebKit does not crash.
Attachments
Crash log. (46.81 KB, text/plain)
2011-10-23 01:30 PDT, Dimitris Apostolou 		no flags
Details
Patch (6.63 KB, patch)
2011-10-24 17:15 PDT, Oliver Hunt 		fpizlo: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Geoffrey Garen
Comment 1 2011-10-24 13:22:01 PDT
Can you reproduce this at will, or did it happen just that once?
Oliver Hunt
Comment 2 2011-10-24 13:24:45 PDT
I believe I've found a lifetime issue, essentially there's a window between codeblock being created and it being bound to its owner executable. Unfortunately during that window we perform codegen which can trigger GC. With this knowledge it should be trivial to create a repro case, however thus far my attempts have failed :-/
Oliver Hunt
Comment 3 2011-10-24 14:50:34 PDT
<rdar://problem/10336511>
Oliver Hunt
Comment 4 2011-10-24 17:15:48 PDT
Created attachment 112281 [details] Patch
Filip Pizlo
Comment 5 2011-10-24 17:18:02 PDT
Comment on attachment 112281 [details] Patch r=me
Oliver Hunt
Comment 6 2011-10-24 17:20:49 PDT
Committed r98302: <http://trac.webkit.org/changeset/98302>
Ryosuke Niwa
Comment 7 2011-10-24 23:19:18 PDT
It appears that 2 js tests started failing after this patch was landed: http://build.webkit.org/builders/SnowLeopard%20Intel%20Release%20%28Tests%29/builds/34169
Oliver Hunt
Comment 8 2011-10-25 08:41:45 PDT
(In reply to comment #7) > It appears that 2 js tests started failing after this patch was landed: http://build.webkit.org/builders/SnowLeopard%20Intel%20Release%20%28Tests%29/builds/34169 wth? I'll look at this once I get to work sorry about that.
Ryosuke Niwa
Comment 9 2011-10-25 13:43:10 PDT
In addition, it appears two tests started hitting assertions after this patch: http://build.webkit.org/results/SnowLeopard%20Intel%20Debug%20(Tests)/r98304%20(2698)/results.html
Note You need to log in before you can comment on or make changes to this bug.