Bug 145527 - Crash in com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::revertCall + 24
Summary: Crash in com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::revert...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 312.x
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Michael Saboff
URL:
Keywords: InRadar
Depends on:
Blocks: 145578
Reported: 2015-06-01 15:02 PDT by Michael Saboff
Modified: 2015-06-02 16:33 PDT (History)
Attachments
Patch (4.35 KB, patch)
2015-06-01 15:13 PDT, Michael Saboff
fpizlo: review+

Description Michael Saboff 2015-06-01 15:02:38 PDT
Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGBUS)
Exception Codes:       KERN_PROTECTION_FAILURE at 0x00007fff8681a709

VM Regions Near 0x7fff8681a709:
    __TEXT                 00007fff86817000-00007fff86818000 [    4K] r-x/rwx SM=COW  /System/Library/Frameworks/Accelerate.framework/Versions/A/Accelerate
--> __TEXT                 00007fff86818000-00007fff86835000 [  116K] r-x/rwx SM=COW  /usr/lib/system/libsystem_malloc.dylib
    __TEXT                 00007fff86835000-00007fff8687c000 [  284K] r-x/rwx SM=COW  /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/DictionaryServices.framework/Versions/A/DictionaryServices

Application Specific Information:
Bundle controller class:
BrowserBundleController
 
Process Model:
Multiple Web Processes
 

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x00007fff8fd20c28 JSC::revertCall(JSC::RepatchBuffer&, JSC::VM*, JSC::CallLinkInfo&, JSC::MacroAssemblerCodeRef (*)(JSC::VM*)) + 24
1   com.apple.JavaScriptCore      	0x00007fff8f9e62d8 JSC::CallLinkInfo::unlink(JSC::RepatchBuffer&) + 104
2   com.apple.JavaScriptCore      	0x00007fff8fb4d708 JSC::PolymorphicCallNode::unlink(JSC::RepatchBuffer&) + 184
3   com.apple.JavaScriptCore      	0x00007fff8f859ce8 JSC::CodeBlock::unlinkIncomingCalls() + 232
4   com.apple.JavaScriptCore      	0x00007fff8fb3adaa JSC::ScriptExecutable::installCode(JSC::CodeBlock*) + 538
5   com.apple.JavaScriptCore      	0x00007fff8fc265dd JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete(JSC::CodeBlock*, JSC::CompilationResult) + 125
6   com.apple.JavaScriptCore      	0x00007fff8fb3407d JSC::DFG::Worklist::completeAllReadyPlansForVM(JSC::VM&, JSC::DFG::CompilationKey) + 301
7   com.apple.JavaScriptCore      	0x00007fff8fc19880 operationOptimize + 704
8   ???                           	0x00002d1b2efa0044 0 + 49594775502916
9   ???                           	0x00002d1b2f15ea25 0 + 49594777332261
10  ???                           	0x00002d1b2f110a40 0 + 49594777012800
11  ???                           	0x00002d1b2eeb7fba 0 + 49594774552506
12  ???                           	0x00002d1b2f12b235 0 + 49594777121333
13  ???                           	0x00002d1b2efa0511 0 + 49594775504145
14  com.apple.JavaScriptCore      	0x00007fff8fcae268 llint_entry + 22722
15  com.apple.JavaScriptCore      	0x00007fff8fcae268 llint_entry + 22722
16  com.apple.JavaScriptCore      	0x00007fff8fcae268 llint_entry + 22722
17  com.apple.JavaScriptCore      	0x00007fff8fcae1fd llint_entry + 22615
18  ???                           	0x00002d1b2ef23746 0 + 49594774992710
19  com.apple.JavaScriptCore      	0x00007fff8fcae1fd llint_entry + 22615
20  com.apple.JavaScriptCore      	0x00007fff8fcae268 llint_entry + 22722
21  com.apple.JavaScriptCore      	0x00007fff8fcae1fd llint_entry + 22615
22  com.apple.JavaScriptCore      	0x00007fff8fcae1fd llint_entry + 22615
23  ???                           	0x00002d1b2eeb1e5b 0 + 49594774527579
24  ???                           	0x00002d1b2ee02afa 0 + 49594773809914
25  ???                           	0x00002d1b2ef6ad78 0 + 49594775285112
26  com.apple.JavaScriptCore      	0x00007fff8fca8796 vmEntryToJavaScript + 326
27  com.apple.JavaScriptCore      	0x00007fff8fc0e809 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 169
28  com.apple.JavaScriptCore      	0x00007fff8f832d7d JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 493
29  com.apple.JavaScriptCore      	0x00007fff8f9e5e3f JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, JSC::JSValue*) + 63
30  com.apple.WebCore             	0x00007fff934d8e89 WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue, WebCore::ScriptExecutionContext&) + 537
31  com.apple.WebCore             	0x00007fff934d8ae9 WebCore::ScheduledAction::execute(WebCore::Document&) + 137
32  com.apple.WebCore             	0x00007fff929a0a6d WebCore::DOMTimer::fired() + 301
33  com.apple.WebCore             	0x00007fff928520af WebCore::ThreadTimers::sharedTimerFiredInternal() + 175
34  com.apple.WebCore             	0x00007fff92851fc4 WebCore::timerFired(__CFRunLoopTimer*, void*) + 20
35  com.apple.CoreFoundation      	0x00007fff9069b964 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
36  com.apple.CoreFoundation      	0x00007fff9069b5fe __CFRunLoopDoTimer + 1022
37  com.apple.CoreFoundation      	0x00007fff90715c7a __CFRunLoopDoTimers + 298
38  com.apple.CoreFoundation      	0x00007fff9065726c __CFRunLoopRun + 1804
39  com.apple.CoreFoundation      	0x00007fff906568f8 CFRunLoopRunSpecific + 296
40  com.apple.HIToolbox           	0x00007fff8603769d RunCurrentEventLoopInMode + 235
41  com.apple.HIToolbox           	0x00007fff86037429 ReceiveNextEventCommon + 432
42  com.apple.HIToolbox           	0x00007fff86037261 _BlockUntilNextEventMatchingListInModeWithFilter + 71
43  com.apple.AppKit              	0x00007fff8b937b84 _DPSNextEvent + 915
44  com.apple.AppKit              	0x00007fff8b937152 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 324
45  com.apple.AppKit              	0x00007fff8b92cefb -[NSApplication run] + 561
46  com.apple.AppKit              	0x00007fff8b8ac5b4 NSApplicationMain + 1176
47  libxpc.dylib                  	0x00007fff88daef98 _xpc_objc_main + 793
48  libxpc.dylib                  	0x00007fff88db06e7 xpc_main + 494
49  com.apple.WebKit.WebContent   	0x1049e5b30 main + 16 (/Library/Caches/com.apple.xbs/Sources/WebKit2/WebKit2-7601.1.23.4/Shared/EntryPointUtilities/mac/XPCService/XPCServiceMain.mm:80)
50  libdyld.dylib                 	0x00007fff855cb5ad start + 1
Comment 1 Michael Saboff 2015-06-01 15:03:04 PDT
<rdar://problem/20701417>
Comment 2 Michael Saboff 2015-06-01 15:13:39 PDT
Created attachment 254016 [details]
Patch
Comment 3 Filip Pizlo 2015-06-01 16:11:52 PDT
Comment on attachment 254016 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=254016&action=review

> Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.cpp:116
> +    for (Bag<PolymorphicCallNode>::iterator iter = m_callNodes.begin(); !!iter; ++iter) {
> +        PolymorphicCallNode& node = **iter;
> +        if (node.hasCallLinkInfo(info))
> +            node.clearCallLinkInfo();
> +    }
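Review bot: after clearCallLinkInfo() a node carries a null CallLinkInfo, so the unlink path in the crash trace (PolymorphicCallNode::unlink -> CallLinkInfo::unlink -> revertCall) has to treat a null link as a no-op rather than dereference it; if that null check is not part of this same patch, add it alongside this loop, otherwise the crash moves from a stale pointer to a null one. A one-line comment above the loop saying that every node of a stub routine is expected to share one CallLinkInfo, and that the per-node hasCallLinkInfo(info) test is deliberately conservative, would also record the invariant for the next reader.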

All of the nodes for a stub routine should have the same CallLinkInfo.  I agree that being conservative is great, but maybe you could add a comment that you're just being paranoid.
Comment 4 Michael Saboff 2015-06-01 16:15:09 PDT
(In reply to comment #3)
> Comment on attachment 254016 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=254016&action=review
> 
> > Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.cpp:116
> > +    for (Bag<PolymorphicCallNode>::iterator iter = m_callNodes.begin(); !!iter; ++iter) {
> > +        PolymorphicCallNode& node = **iter;
> > +        if (node.hasCallLinkInfo(info))
> > +            node.clearCallLinkInfo();
> > +    }
> 
> All of the nodes for a stub routine should have the same CallLinkInfo.  I
> agree that being conservative is great, but maybe you could add a comment
> that you're just being paranoid.

I'll add such a comment.
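The following is an added illustration, not JavaScriptCore code and not part of the patch: a minimal C++ model of the ownership pattern the patch deals with. A stub routine owns a bag of call nodes, each holding a back-pointer to a CallLinkInfo; if the CallLinkInfo goes away first and the nodes keep the stale pointer, a later unlink reaches freed memory. The model shows the detach loop from the patch, the conservative per-node check Filip commented on, and the matching null check that unlink() then needs. Class and method names are borrowed from the patch for readability, but every body, the counters, and the staleUnlinks/unrelatedNodesStillLinked scenarios are hypothetical and exist only to make the behaviour observable (the "stale" case keeps the info alive so the model stays well-defined).

```cpp
#include <cassert>
#include <memory>
#include <vector>

// Stand-in for JSC::CallLinkInfo: the object a call node points back at.
struct CallLinkInfo {
    int reverts = 0;          // counts how often an unlink reached "revertCall"
    void revertCall() { ++reverts; }
};

// Stand-in for JSC::PolymorphicCallNode with the two accessors the patch uses.
class PolymorphicCallNode {
public:
    explicit PolymorphicCallNode(CallLinkInfo* info) : m_callLinkInfo(info) {}
    bool hasCallLinkInfo(const CallLinkInfo* info) const { return m_callLinkInfo == info; }
    void clearCallLinkInfo() { m_callLinkInfo = nullptr; }
    // unlink() on a cleared node is a no-op; returns whether it touched the info.
    bool unlink() {
        if (!m_callLinkInfo)
            return false;
        m_callLinkInfo->revertCall();
        return true;
    }
private:
    CallLinkInfo* m_callLinkInfo;
};

// Stand-in for JSC::PolymorphicCallStubRoutine owning its nodes.
class PolymorphicCallStubRoutine {
public:
    void addNode(CallLinkInfo* info) {
        m_callNodes.push_back(std::make_unique<PolymorphicCallNode>(info));
    }
    // Mirrors the loop in the patch: detach every node that points at `info`.
    // All nodes of one stub routine are expected to share a CallLinkInfo, so
    // the per-node check is deliberately conservative.
    void clearCallNodesFor(const CallLinkInfo* info) {
        for (auto& node : m_callNodes) {
            if (node->hasCallLinkInfo(info))
                node->clearCallLinkInfo();
        }
    }
    // Returns how many nodes still reached a CallLinkInfo.
    int unlinkAll() {
        int touched = 0;
        for (auto& node : m_callNodes)
            touched += node->unlink() ? 1 : 0;
        return touched;
    }
private:
    std::vector<std::unique_ptr<PolymorphicCallNode>> m_callNodes;
};

// Scenario (hypothetical): the CallLinkInfo goes away before the stub routine
// is unlinked. Each node that still reaches `info` during unlinkAll() stands
// for a dereference of freed memory in the real engine; here `info` is kept
// alive so the model stays well-defined. Returns that count: 0 means fixed.
int staleUnlinks(bool withFix) {
    PolymorphicCallStubRoutine stub;
    CallLinkInfo info;
    stub.addNode(&info);
    stub.addNode(&info);
    if (withFix)
        stub.clearCallNodesFor(&info);   // done when the CallLinkInfo is torn down
    return stub.unlinkAll();             // later unlink of incoming calls
}

// The conservative per-node check must not detach nodes of another info.
int unrelatedNodesStillLinked() {
    PolymorphicCallStubRoutine stub;
    CallLinkInfo a, b;
    stub.addNode(&a);
    stub.addNode(&b);
    stub.clearCallNodesFor(&a);
    return stub.unlinkAll();   // only b's node is still linked
}

int main() {
    assert(staleUnlinks(false) == 2);
    assert(staleUnlinks(true) == 0);
    assert(unrelatedNodesStillLinked() == 1);
    return 0;
}
```

The point of the model is the pairing: detaching nodes in the owner's teardown is only half the fix, the consumer (unlink) has to tolerate a detached node, otherwise a dangling pointer is traded for a null one.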
Comment 5 Michael Saboff 2015-06-01 16:35:22 PDT
Committed r185084: <http://trac.webkit.org/changeset/185084>