Bug 122445 - Crash while browsing GitHub
Summary: Crash while browsing GitHub
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P1 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2013-10-07 04:11 PDT by Alberto Garcia
Modified: 2014-01-27 15:43 PST (History)
5 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alberto Garcia 2013-10-07 04:11:43 PDT
This happens with MiniBrowser and the latest trunk (r157033) when loading https://github.com/WebKit/webkit

Program received signal SIGTRAP, Trace/breakpoint trap.
0x00007fa601ed6f26 in ?? ()
#0  0x00007fa601ed6f26 in ?? ()
#1  0x00007fa5f1797f98 in ?? ()
#2  0x000000000000000a in ?? ()
#3  0x0000000002a2b688 in ?? ()
#4  0x0000000002a2f210 in ?? ()
#5  0x00007fa601ec3b66 in ?? ()
#6  0x00007fa5dae68820 in ?? ()
#7  0x00007fff449589c0 in ?? ()
#8  0x00007fa653647e34 in JSC::MacroAssemblerCodeRef::operator! (this=0x0) at ../../Source/JavaScriptCore/assembler/MacroAssemblerCodeRef.h:409
#9  0x00007fa6536476f6 in JSC::JITCode::execute (this=0x3af8050, stack=0x26fd8f8, callFrame=0x7fa5f1797f98, vm=0x281b9a0)
    at ../../Source/JavaScriptCore/jit/JITCode.cpp:46
#10 0x00007fa6536303a8 in JSC::Interpreter::executeCall (this=0x26fd8e0, callFrame=0x7fa60010f4b0, function=0x7fa5db3e4e30, 
    callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:957
#11 0x00007fa653728a42 in JSC::call (exec=0x7fa60010f4b0, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...)
    at ../../Source/JavaScriptCore/runtime/CallData.cpp:39
#12 0x00007fa64f26d334 in WebCore::JSMainThreadExecState::call (exec=0x7fa60010f4b0, functionObject=..., callType=JSC::CallTypeJS, callData=..., 
    thisValue=..., args=...) at ../../Source/WebCore/bindings/js/JSMainThreadExecState.h:53
#13 0x00007fa64f2973f5 in WebCore::JSEventListener::handleEvent (this=0x2e412d0, scriptExecutionContext=0x36a4900, event=0x27e21f0)
    at ../../Source/WebCore/bindings/js/JSEventListener.cpp:133
#14 0x00007fa64f54a45f in WebCore::EventTarget::fireEventListeners (this=0x36a4850, event=0x27e21f0, d=0x3169240, entry=...)
    at ../../Source/WebCore/dom/EventTarget.cpp:277
#15 0x00007fa64f54a177 in WebCore::EventTarget::fireEventListeners (this=0x36a4850, event=0x27e21f0) at ../../Source/WebCore/dom/EventTarget.cpp:233
#16 0x00007fa64f5744c9 in WebCore::Node::handleLocalEvents (this=0x36a4850, event=0x27e21f0) at ../../Source/WebCore/dom/Node.cpp:2067
#17 0x00007fa64f53deca in WebCore::EventContext::handleLocalEvents (this=0x3a55570, event=0x27e21f0) at ../../Source/WebCore/dom/EventContext.cpp:58
#18 0x00007fa64f53f9f9 in WebCore::EventDispatcher::dispatchEventAtTarget (this=0x7fff449590b0) at ../../Source/WebCore/dom/EventDispatcher.cpp:160
#19 0x00007fa64f53f248 in WebCore::EventDispatcher::dispatch (this=0x7fff449590b0) at ../../Source/WebCore/dom/EventDispatcher.cpp:121
#20 0x00007fa64f53e4ed in WebCore::EventDispatchMediator::dispatchEvent (this=0x36add90, dispatcher=0x7fff449590b0)
    at ../../Source/WebCore/dom/EventDispatchMediator.cpp:54
#21 0x00007fa64f53e77a in WebCore::EventDispatcher::dispatchEvent (node=0x36a4850, mediator=...) at ../../Source/WebCore/dom/EventDispatcher.cpp:52
#22 0x00007fa64f57466d in WebCore::Node::dispatchEvent (this=0x36a4850, event=...) at ../../Source/WebCore/dom/Node.cpp:2088
#23 0x00007fa64f4e1623 in WebCore::Document::finishedParsing (this=0x36a4850) at ../../Source/WebCore/dom/Document.cpp:4438
#24 0x00007fa64f797371 in WebCore::HTMLConstructionSite::finishedParsing (this=0x36ad538)
    at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:352
#25 0x00007fa64f7cf793 in WebCore::HTMLTreeBuilder::finished (this=0x36ad520) at ../../Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2908
#26 0x00007fa64f79e5ac in WebCore::HTMLDocumentParser::end (this=0x36ac790) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:758
#27 0x00007fa64f79e699 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x36ac790)
    at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:769
#28 0x00007fa64f79d27c in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x36ac790)
Comment 1 Carlos Garcia Campos 2013-10-07 05:08:54 PDT
This looks like a JSC crash.
Comment 2 Carlos Garcia Campos 2013-10-07 05:10:21 PDT
And it's not specific to WebKit2 either, it crashes for me with GtkLauncher too.
Comment 3 Alexey Proskuryakov 2013-10-07 09:43:46 PDT
I could reproduce this page crash with a reload on Mac, but the stack trace wasn't very helpful.

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   ???                           	0x0000599bcb97cd32 0 + 98525670526258
1   com.apple.JavaScriptCore      	0x000000010716c047 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::VM*) + 71 (JITCode.cpp:46)
2   com.apple.JavaScriptCore      	0x000000010714f12f JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1455 (Interpreter.cpp:957)
3   com.apple.JavaScriptCore      	0x0000000106ed2b6e JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 190 (CallData.cpp:39)
Comment 4 Alexey Proskuryakov 2013-10-07 09:44:01 PDT
<rdar://problem/15166040>
Comment 5 Mark Lam 2013-10-07 12:39:55 PDT
After a lot of tries on a debug build of r157033, I am able to get a crash in JITted code, but not at JSC::MacroAssemblerCodeRef::operator!().  The crash (at least the one I reproduced) seems to be intermittent.  It didn't reproduce for many tries initially, but seems to reproduce more consistently now.
Comment 6 Mark Lam 2013-10-07 12:56:50 PDT
On r157033, here's the crash I'm actually seeing:

Program received signal SIGTRAP, Trace/breakpoint trap.
0x00005a8339477d26 in ?? ()
(gdb) bt
#0  0x00005a8339477d26 in ?? ()
#1  0x00000001103515f7 in JSC::JITCode::execute (this=0x7fc8a29b4af0, stack=0x7fc89d804ba8, callFrame=0x11d4aff98, vm=0x7fc89e026c00) at /Volumes/Data/ws7/OpenSource/Source/JavaScriptCore/jit/JITCode.cpp:46
#2  0x000000011033474f in JSC::Interpreter::executeCall (this=0x7fc89d804b90, callFrame=0x11d4feab0, function=0x11e1f4930, callType=JSC::CallTypeJS, callData=@0x7fff5152e038, thisValue={static numberOfInt52Bits = <optimized out>, static int52ShiftAmount = <optimized out>, u = {asInt64 = 4787337872, ptr = 0x11d58fa90, asBits = {payload = 492370576, tag = 1}}}, args=@0x7fff5152df38) at /Volumes/Data/ws7/OpenSource/Source/JavaScriptCore/interpreter/Interpreter.cpp:957
#3  0x00000001100b0a5e in JSC::call (exec=0x11d4feab0, functionObject={static numberOfInt52Bits = <optimized out>, static int52ShiftAmount = <optimized out>, u = {asInt64 = 4800334128, ptr = 0x11e1f4930, asBits = {payload = 505366832, tag = 1}}}, callType=JSC::CallTypeJS, callData=@0x7fff5152e038, thisValue={static numberOfInt52Bits = <optimized out>, static int52ShiftAmount = <optimized out>, u = {asInt64 = 4787337872, ptr = 0x11d58fa90, asBits = {payload = 492370576, tag = 1}}}, args=@0x7fff5152df38) at /Volumes/Data/ws7/OpenSource/Source/JavaScriptCore/runtime/CallData.cpp:39
#4  0x000000011210576b in WebCore::JSMainThreadExecState::call (exec=0x11d4feab0, functionObject={static numberOfInt52Bits = <optimized out>, static int52ShiftAmount = <optimized out>, u = {asInt64 = 4800334128, ptr = 0x11e1f4930, asBits = {payload = 505366832, tag = 1}}}, callType=JSC::CallTypeJS, callData=@0x7fff5152e038, thisValue={static numberOfInt52Bits = <optimized out>, static int52ShiftAmount = <optimized out>, u = {asInt64 = 4787337872, ptr = 0x11d58fa90, asBits = {payload = 492370576, tag = 1}}}, args=@0x7fff5152df38) at JSMainThreadExecState.h:53
#5  0x000000011223b53f in WebCore::JSEventListener::handleEvent (this=0x7fc89aca4410, scriptExecutionContext=0x7fc89b0b92b0, event=0x7fc8a29bb7c0) at /Volumes/Data/ws7/OpenSource/Source/WebCore/bindings/js/JSEventListener.cpp:132
#6  0x0000000111baf3b2 in WebCore::EventTarget::fireEventListeners (this=0x7fc89b0b9200, event=0x7fc8a29bb7c0, d=0x7fc8a16dbdd0, entry=@0x7fc89ac1c850) at /Volumes/Data/ws7/OpenSource/Source/WebCore/dom/EventTarget.cpp:277
...

(gdb) x /20i $pc
0x5a8339477d27:	int3   
0x5a8339477d28:	int3   
0x5a8339477d29:	int3   
0x5a8339477d2a:	int3   
0x5a8339477d2b:	int3   
0x5a8339477d2c:	mov    %rsp,%rdi
0x5a8339477d2f:	mov    %r13,0x58(%rsp)
0x5a8339477d34:	movl   $0x80000001,0x34(%r13)
0x5a8339477d3c:	mov    $0x11036c320,%r11
0x5a8339477d46:	callq  *%r11
0x5a8339477d49:	jmpq   0x5a8339477b8d
0x5a8339477d4e:	pop    %rcx
0x5a8339477d4f:	mov    %rcx,0x10(%r13)
0x5a8339477d53:	mov    $0x7fc89bdd0140,%r11
0x5a8339477d5d:	mov    %r11,0x8(%r13)
0x5a8339477d61:	mov    0x30(%r13),%edx
0x5a8339477d65:	cmp    $0x2,%edx
0x5a8339477d68:	jae    0x5a8339477b73
0x5a8339477d6e:	mov    %rsp,%rdi
0x5a8339477d71:	mov    %r13,0x58(%rsp)


This issue may be related to https://bugs.webkit.org/show_bug.cgi?id=122462.
Comment 7 Mark Lam 2013-10-07 17:24:16 PDT
(In reply to comment #6)
> This issue may be related to https://bugs.webkit.org/show_bug.cgi?id=122462.

Filip said that the int3 is just the way the DFG fails an assertion. 
Hence, these issues may not be related at all.
Comment 8 Mark Lam 2013-10-08 08:56:03 PDT
It appears that the crash started manifesting after we allow JIT inlining in debug builds: http://trac.webkit.org/changeset/155889.  I verified that the crash does not manifest in r155888.
Comment 9 Mark Lam 2013-10-08 17:23:01 PDT
With the help of some JIT probes sprinkled at all the call sites of breakpoint() and bail() in the DFG, we find that the SIGTRAP is due to "!m_state.isValid()" in SpeculativeJIT::compileCurrentBlock() (in DFGSpeculativeJIT.cpp).

Again, this only happens if DFG inlining is enabled.
Comment 10 Alberto Garcia 2013-10-09 04:32:54 PDT
(In reply to comment #8)
> It appears that the crash started manifesting after we allow JIT
> inlining in debug builds: http://trac.webkit.org/changeset/155889.
> I verified that the crash does not manifest in r155888.

Yes, I can confirm it too. Thanks!
Comment 11 Carlos Garcia Campos 2013-10-09 06:30:20 PDT
(In reply to comment #10)
> (In reply to comment #8)
> > It appears that the crash started manifesting after we allow JIT
> > inlining in debug builds: http://trac.webkit.org/changeset/155889.
> > I verified that the crash does not manifest in r155888.
> 
> Yes, I can confirm it too. Thanks!

It still crashes for me even after reverting r155889, with a release build.
Comment 12 Alberto Garcia 2013-12-08 10:21:35 PST
This seems to be working fine now.

Carlos, can you double-check?
Comment 13 Carlos Garcia Campos 2013-12-10 03:16:42 PST
(In reply to comment #12)
> This seems to be working fine now.
> 
> Carlos, can you double-check?

Seems to work fine now :-)