Bug 146285 - Crash on gog.com due to PolymorphicCallNode's having stale references to CallLinkInfo
Summary: Crash on gog.com due to PolymorphicCallNode's having stale references to Call...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
: P2 Normal
Assignee: Michael Saboff
URL:
Keywords: InRadar
Depends on: 146292
Blocks:
  Show dependency treegraph
 
Reported: 2015-06-24 11:31 PDT by Michael Saboff
Modified: 2015-06-24 15:51 PDT (History)
0 users

See Also:

Attachments
Patch (42.31 KB, patch)
2015-06-24 12:35 PDT, Michael Saboff 		no flags Details | Formatted Diff | Diff
Rebased patch, updated the ChangeLog with suggestions and removed Options.h change (42.37 KB, patch)
2015-06-24 13:05 PDT, Michael Saboff 		no flags Details | Formatted Diff | Diff
Patch after CallLinkInfo refactoring was landed separately. Reviewed in person. (3.31 KB, patch)
2015-06-24 15:45 PDT, Michael Saboff 		no flags Details | Formatted Diff | Diff
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Saboff 2015-06-24 11:31:45 PDT 
CallLinkInfo's contain a RefPtr to a PolymorphicCallStubRoutine, named stub, which contains a collection of PolymorphicCallNode.  Those PolymorphicCallNodes have a reference back to the CallLinkInfo.  When a CallLinkInfo replaces or clears "stub", the ref count of the PolymorphicCallStubRoutine is decremented as expected, but since it inherits from GCAwareJITStubRoutine, it isn't actually deleted until GC.  In the mean time, the original CallLinkInfo can go away.  If PolymorphicCallNode::unlink() is called at that point, it will try to unlink a now deleted CallLinkInfo and crash as a result.

The fix is to clear the CallLinkInfo* in the contained PolymorphicCallNode of a PolymorphicCallStubRoutine when that CallLinkInfo no longer references the PolymorphicCallStubRoutine.

rdar://problem/20701417
Comment 1 Michael Saboff 2015-06-24 12:35:58 PDT 
Created attachment 255504 [details]
Patch
Comment 2 Michael Saboff 2015-06-24 12:53:35 PDT 
I'll remove the inadvertent change to runtime/Options.h.  That was from debugging.
Comment 3 Michael Saboff 2015-06-24 13:05:46 PDT 
Created attachment 255507 [details]
Rebased patch, updated the ChangeLog with suggestions and removed Options.h change
Comment 4 Darin Adler 2015-06-24 14:48:47 PDT 
Comment on attachment 255507 [details]
Rebased patch, updated the ChangeLog with suggestions and removed Options.h change

View in context: https://bugs.webkit.org/attachment.cgi?id=255507&action=review

> Source/JavaScriptCore/ChangeLog:25
> +        In the process I refactored CallLinkInfo from a struct to a class with proper accessors and
> +        made all the data elements private.

I know this is a pain, but ideally we would land a first patch with just the refactoring, and the review a second patch with the actual change in behavior.
Comment 5 Michael Saboff 2015-06-24 15:00:36 PDT 
(In reply to comment #4)
> Comment on attachment 255507 [details]
> Rebased patch, updated the ChangeLog with suggestions and removed Options.h
> change
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=255507&action=review
> 
> > Source/JavaScriptCore/ChangeLog:25
> > +        In the process I refactored CallLinkInfo from a struct to a class with proper accessors and
> > +        made all the data elements private.
> 
> I know this is a pain, but ideally we would land a first patch with just the
> refactoring, and the review a second patch with the actual change in
> behavior.

I'll refactor in https://bugs.webkit.org/show_bug.cgi?id=146292 and then land the simple clearing change here.
Comment 6 Michael Saboff 2015-06-24 15:45:55 PDT 
Created attachment 255520 [details]
Patch after CallLinkInfo refactoring was landed separately.  Reviewed in person.
Comment 7 Michael Saboff 2015-06-24 15:51:30 PDT 
Committed r185932: <http://trac.webkit.org/changeset/185932>