WebKit Bugzilla
NEW
147741
Overflow crash in CodeBlock::getArrayProfile under DFG::FixupPhase::attemptToMakeGetArrayLength running inspector tests under heavy system load
https://bugs.webkit.org/show_bug.cgi?id=147741
Joseph Pecoraro
Reported
2015-08-06 12:53:43 PDT
Created attachment 258386 [details]
[CRASH] Crash Report

* SUMMARY
Overflow crash in CodeBlock::getArrayProfile under ::FixupPhase::attemptToMakeGetArrayLength running inspector tests under heavy system load. I was at WebKit r188015.

* STEPS TO REPRODUCE
1. shell> run-webkit-tests --release inspector/dom --iterations=1000 --v
=> saw this crash happen 3 out of 10000 times, presumably on the Web Inspector process, causing 3 timeout failures (each on different inspector/dom tests)

* NOTES
The only times I saw the crashes happen were when the system was under heavy load (I was compiling a debug build of WebKit while the tests were running).

* CRASH SNIPPET (full log attached)
Crashed Thread: 14 DFG Worklist Worker Thread
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000bbadbeef

Thread 14 Crashed:: DFG Worklist Worker Thread
0 com.apple.JavaScriptCore 0x000000010f3e2a1e WTFCrash + 62
1 com.apple.JavaScriptCore 0x000000010edab849 WTF::CrashOnOverflow::crash() + 9
2 com.apple.JavaScriptCore 0x000000010edab839 WTF::CrashOnOverflow::overflowed() + 9
3 com.apple.JavaScriptCore 0x000000010ee0691f JSC::CodeBlock::getArrayProfile(unsigned int) + 111
4 com.apple.JavaScriptCore 0x000000010eef8c25 JSC::DFG::FixupPhase::attemptToMakeGetArrayLength(JSC::DFG::Node*) + 165
5 com.apple.JavaScriptCore 0x000000010eef22aa JSC::DFG::FixupPhase::fixupNode(JSC::DFG::Node*) + 12618
6 com.apple.JavaScriptCore 0x000000010eeeddc9 JSC::DFG::FixupPhase::run() + 121
7 com.apple.JavaScriptCore 0x000000010eeedc71 bool JSC::DFG::runPhase<JSC::DFG::FixupPhase>(JSC::DFG::Graph&) + 113
8 com.apple.JavaScriptCore 0x000000010eeedba9 JSC::DFG::performFixup(JSC::DFG::Graph&) + 9
9 com.apple.JavaScriptCore 0x000000010ef60871 JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) + 625
10 com.apple.JavaScriptCore 0x000000010ef602e5 JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*) + 565
11 com.apple.JavaScriptCore 0x000000010eff97c1 JSC::DFG::Worklist::runThread(JSC::DFG::ThreadData*) + 545
12 com.apple.JavaScriptCore 0x000000010f4106c3 WTF::threadEntryPoint(void*) + 179
13 com.apple.JavaScriptCore 0x000000010f410b2f WTF::wtfThreadEntryPoint(void*) + 15
14 libsystem_pthread.dylib 0x00007fff8a56405a _pthread_body + 131
15 libsystem_pthread.dylib 0x00007fff8a563fd7 _pthread_start + 176
16 libsystem_pthread.dylib 0x00007fff8a5613ed thread_start + 13
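For triaging a report like the one above, the useful first question is whether the fault is a deliberate WebKit assertion abort or a genuine wild memory access: WTFCrash intentionally faults on the sentinel address 0xbbadbeef, so a KERN_INVALID_ADDRESS there plus CrashOnOverflow frames means checked arithmetic bailed out, not that memory was corrupted. The helper below is an added example, not code from this bug or from WebKit; it parses a constructed copy of the crash snippet and reports the first frame below the crash-handler frames (the `triage` function and `Triage` class are hypothetical names).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a trimmed copy of the crash snippet from this report.
CRASH_SNIPPET = """\
Crashed Thread:  14  DFG Worklist Worker Thread
Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000bbadbeef
Thread 14 Crashed:: DFG Worklist Worker Thread
0   com.apple.JavaScriptCore   0x000000010f3e2a1e WTFCrash + 62
1   com.apple.JavaScriptCore   0x000000010edab849 WTF::CrashOnOverflow::crash() + 9
2   com.apple.JavaScriptCore   0x000000010edab839 WTF::CrashOnOverflow::overflowed() + 9
3   com.apple.JavaScriptCore   0x000000010ee0691f JSC::CodeBlock::getArrayProfile(unsigned int) + 111
4   com.apple.JavaScriptCore   0x000000010eef8c25 JSC::DFG::FixupPhase::attemptToMakeGetArrayLength(JSC::DFG::Node*) + 165
"""

# WTFCrash deliberately dereferences this sentinel; seeing it as the fault
# address means an assertion / checked-overflow abort, not a wild access.
WTF_SENTINEL = 0xBBADBEEF
HANDLER_FRAMES = ("WTFCrash", "WTF::CrashOnOverflow::")

# frame index, image name, address, symbol, "+ offset"
FRAME_RE = re.compile(r"^(\d+)\s+(\S+)\s+(0x[0-9a-f]+)\s+(.+?)\s\+\s\d+$")

@dataclass
class Triage:
    exception: str
    fault_address: int
    deliberate_crash: bool
    crashed_thread: Optional[int]
    blame_frame: Optional[str]   # first frame below the crash handler

def triage(report: str) -> Triage:
    exception = fault = ""
    thread = None
    frames: List[str] = []
    in_crashed = False
    for line in report.splitlines():
        if line.startswith("Exception Type:"):
            exception = line.split(":", 1)[1].split("(")[0].strip()
        elif line.startswith("Exception Codes:"):
            fault = line.rsplit("at", 1)[1].strip()
        elif m := re.match(r"^Thread (\d+) Crashed::", line):
            thread = int(m.group(1))
            in_crashed = True          # only collect the crashed thread's frames
        elif in_crashed and (m := FRAME_RE.match(line)):
            frames.append(m.group(4))
    addr = int(fault, 16) if fault else 0
    blame = next((f for f in frames if not f.startswith(HANDLER_FRAMES)), None)
    return Triage(exception, addr, addr == WTF_SENTINEL, thread, blame)
```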
Attachments
[CRASH] Crash Report (57.00 KB, application/octet-stream), 2015-08-06 12:53 PDT, Joseph Pecoraro
David Kilzer (:ddkilzer)
Comment 1
2016-09-09 10:10:18 PDT
<rdar://problem/28227251>
David Kilzer (:ddkilzer)
Comment 2
2016-09-09 10:23:57 PDT
<rdar://problem/22591554>