RESOLVED FIXED 146285
Crash on gog.com due to PolymorphicCallNode's having stale references to CallLinkInfo 
https://bugs.webkit.org/show_bug.cgi?id=146285
Summary Crash on gog.com due to PolymorphicCallNode's having stale references to Call...
Michael Saboff
Reported 2015-06-24 11:31:45 PDT
CallLinkInfo's contain a RefPtr to a PolymorphicCallStubRoutine, named stub, which contains a collection of PolymorphicCallNode. Those PolymorphicCallNodes have a reference back to the CallLinkInfo. When a CallLinkInfo replaces or clears "stub", the ref count of the PolymorphicCallStubRoutine is decremented as expected, but since it inherits from GCAwareJITStubRoutine, it isn't actually deleted until GC. In the mean time, the original CallLinkInfo can go away. If PolymorphicCallNode::unlink() is called at that point, it will try to unlink a now deleted CallLinkInfo and crash as a result. The fix is to clear the CallLinkInfo* in the contained PolymorphicCallNode of a PolymorphicCallStubRoutine when that CallLinkInfo no longer references the PolymorphicCallStubRoutine. rdar://problem/20701417
Attachments
Patch (42.31 KB, patch)
2015-06-24 12:35 PDT, Michael Saboff 		no flags
DetailsFormatted DiffDiff
Rebased patch, updated the ChangeLog with suggestions and removed Options.h change (42.37 KB, patch)
2015-06-24 13:05 PDT, Michael Saboff 		no flags
DetailsFormatted DiffDiff
Patch after CallLinkInfo refactoring was landed separately. Reviewed in person. (3.31 KB, patch)
2015-06-24 15:45 PDT, Michael Saboff 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Michael Saboff
Comment 1 2015-06-24 12:35:58 PDT
Created attachment 255504 [details] Patch
Michael Saboff
Comment 2 2015-06-24 12:53:35 PDT
I'll remove the inadvertent change to runtime/Options.h. That was from debugging.
Michael Saboff
Comment 3 2015-06-24 13:05:46 PDT
Created attachment 255507 [details] Rebased patch, updated the ChangeLog with suggestions and removed Options.h change
Darin Adler
Comment 4 2015-06-24 14:48:47 PDT
Comment on attachment 255507 [details] Rebased patch, updated the ChangeLog with suggestions and removed Options.h change View in context: https://bugs.webkit.org/attachment.cgi?id=255507&action=review > Source/JavaScriptCore/ChangeLog:25 > + In the process I refactored CallLinkInfo from a struct to a class with proper accessors and > + made all the data elements private. I know this is a pain, but ideally we would land a first patch with just the refactoring, and the review a second patch with the actual change in behavior.
Michael Saboff
Comment 5 2015-06-24 15:00:36 PDT
(In reply to comment #4) > Comment on attachment 255507 [details] > Rebased patch, updated the ChangeLog with suggestions and removed Options.h > change > > View in context: > https://bugs.webkit.org/attachment.cgi?id=255507&action=review > > > Source/JavaScriptCore/ChangeLog:25 > > + In the process I refactored CallLinkInfo from a struct to a class with proper accessors and > > + made all the data elements private. > > I know this is a pain, but ideally we would land a first patch with just the > refactoring, and the review a second patch with the actual change in > behavior. I'll refactor in https://bugs.webkit.org/show_bug.cgi?id=146292 and then land the simple clearing change here.
Michael Saboff
Comment 6 2015-06-24 15:45:55 PDT
Created attachment 255520 [details] Patch after CallLinkInfo refactoring was landed separately. Reviewed in person.
Michael Saboff
Comment 7 2015-06-24 15:51:30 PDT
Committed r185932: <http://trac.webkit.org/changeset/185932>
Note You need to log in before you can comment on or make changes to this bug.