NEW 149957
[Win] Null pointer crash.
https://bugs.webkit.org/show_bug.cgi?id=149957
Summary [Win] Null pointer crash.
peavo
Reported 2015-10-09 09:08:17 PDT
I just got a null pointer crash in JSC::speculationFromCell(). The JSCell object looks more or less ok, but the m_structureID member is 0, causing the null pointer crash.

JavaScriptCore.dll!JSC::speculationFromCell(JSC::JSCell * cell) Line 363 + 0x20 bytes C++
JavaScriptCore.dll!JSC::speculationFromValue(JSC::JSValue value) Line 391 + 0x8 bytes C++
JavaScriptCore.dll!JSC::ValueProfileBase<1>::computeUpdatedPrediction(const JSC::ConcurrentJITLocker & __formal) Line 145 + 0x7 bytes C++
JavaScriptCore.dll!JSC::CodeBlock::updateAllPredictionsAndCountLiveness(unsigned int & numberOfLiveNonArgumentValueProfiles, unsigned int & numberOfSamplesInProfiles) Line 3770 C++
JavaScriptCore.dll!JSC::CodeBlock::updateAllPredictions() Line 3815 C++
JavaScriptCore.dll!operationOptimize(JSC::ExecState * exec, int bytecodeIndex) Line 1142 C++
Attachments
Patch (1.29 KB, patch)
2015-10-09 09:11 PDT, peavo
ggaren: review-
peavo
Comment 1 2015-10-09 09:11:21 PDT
peavo
Comment 2 2015-10-09 09:13:22 PDT
(In reply to comment #1)
> Created attachment 262776 [details]
> Patch

I'm not sure this is the correct way to deal with this crash :)
Geoffrey Garen
Comment 3 2015-10-09 09:16:06 PDT
Comment on attachment 262776 [details] Patch While this might fix the crash, I think it's the wrong fix. A cell with a null structureID has been garbage collected. You're lucky if you find the null structureID -- that happens soon after sweeping. If you're unlucky, you'll just get garbage memory, or a crash. We need to investigate how cell got garbage collected in the first place.
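The point made in comment 3 is that a zeroed structure pointer is a symptom of a cell that has already been swept, and that a null check in the consumer only hides a use of freed memory. The following is an added example, not WebKit or JavaScriptCore code, with a constructed toy mark-sweep heap: it poisons the structure pointer of every cell it sweeps so that a dangling reference is detected by a consumer-side check instead of being dereferenced, and it shows that the right place to look is the missing root, not the null check. All names (ToyHeap, Cell, Structure, inspectCell) are assumptions made for this example.

```cpp
// Added example, not WebKit/JSC code: a toy mark-sweep heap that zeroes the
// structure pointer of every cell it sweeps. A stale pointer to a swept cell
// then shows a null structure (the "lucky" case from comment 3) instead of
// whatever memory the slot was reused for.
#include <cstddef>
#include <memory>
#include <vector>

struct Structure { const char* name; };

struct Cell {
    Structure* structure = nullptr;   // null means "swept" in this toy heap
    bool marked = false;
    std::vector<Cell*> children;      // outgoing references to other cells
};

class ToyHeap {
public:
    Cell* allocate(Structure* s) {
        cells_.push_back(std::make_unique<Cell>());
        cells_.back()->structure = s;
        return cells_.back().get();
    }
    void addRoot(Cell* c) { roots_.push_back(c); }
    void clearRoots() { roots_.clear(); }

    // Mark everything reachable from the roots, then sweep the rest.
    // Swept cells stay in memory so the scenario below can inspect them;
    // their structure pointer is zeroed, like a poisoned header.
    size_t collect() {
        for (auto& c : cells_) c->marked = false;
        std::vector<Cell*> stack(roots_.begin(), roots_.end());
        while (!stack.empty()) {
            Cell* c = stack.back();
            stack.pop_back();
            if (c->marked) continue;
            c->marked = true;
            for (Cell* child : c->children) stack.push_back(child);
        }
        size_t swept = 0;
        for (auto& c : cells_) {
            if (!c->marked && c->structure) {
                c->structure = nullptr;   // poison on sweep
                c->children.clear();
                ++swept;
            }
        }
        return swept;
    }

private:
    std::vector<std::unique_ptr<Cell>> cells_;
    std::vector<Cell*> roots_;
};

enum class CellCheck { Live, SweptCell };

// Stand-in for a profiler that wants the cell's structure. Rather than
// dereferencing a null structure, it reports that the cell was swept so the
// caller can treat the situation as a missing root (a bug) rather than data.
CellCheck inspectCell(const Cell* c) {
    return c->structure ? CellCheck::Live : CellCheck::SweptCell;
}

// Scenario: hold a raw pointer to a cell, drop the only root, collect.
// Returns true when the stale pointer is reported as a swept cell.
bool danglingReferenceIsDetected() {
    ToyHeap heap;
    Structure stringStructure{"String"};
    Cell* root = heap.allocate(&stringStructure);
    Cell* child = heap.allocate(&stringStructure);
    root->children.push_back(child);
    heap.addRoot(root);
    size_t sweptWhileRooted = heap.collect();     // both reachable: nothing swept
    bool liveBefore = inspectCell(child) == CellCheck::Live;
    heap.clearRoots();                            // nothing keeps the cells alive
    size_t sweptAfterUnroot = heap.collect();
    return sweptWhileRooted == 0 && liveBefore && sweptAfterUnroot == 2
        && inspectCell(child) == CellCheck::SweptCell;
}
```

The check in inspectCell is the diagnostic half only; in the scenario the defect is that nothing rooted the cell across the collection, which is the question comment 3 asks about the real crash.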
peavo
Comment 4 2015-10-09 09:20:44 PDT
(In reply to comment #3)
> Comment on attachment 262776 [details]
> Patch
>
> While this might fix the crash, I think it's the wrong fix.
>
> A cell with a null structureID has been garbage collected. You're lucky if
> you find the null structureID -- that happens soon after sweeping. If you're
> unlucky, you'll just get garbage memory, or a crash.
>
> We need to investigate how cell got garbage collected in the first place.

Ok, sounds good :)

This is the state of the JSCell object when the crash occurred:

m_structureID 0x00000000 JSC::Structure*
m_indexingType 0 unsigned char
m_type StringType JSC::JSType
m_flags 224 unsigned char
m_cellState NewWhite JSC::CellState
Dan Zimmerman
Comment 5 2017-01-16 13:01:10 PST
I've found a similar crash on iOS 10.2's version of JavascriptCore. I have the following backtrace:

#0 0x0000000104d6d2ef in JSC::speculationFromCell(JSC::JSCell*) ()
#1 0x00000001047d2ec3 in JSC::CodeBlock::updateAllPredictionsAndCountLiveness(unsigned int&, unsigned int&) ()
#2 0x00000001047cebc7 in JSC::CodeBlock::stronglyVisitStrongReferences(JSC::SlotVisitor&) ()
#3 0x00000001047ce969 in JSC::CodeBlock::visitChildren(JSC::SlotVisitor&) ()
#4 0x0000000104d699ac in JSC::SlotVisitor::drain() ()
#5 0x0000000104a0869c in JSC::Heap::markRoots(double, void*, void*, int (&) [37]) ()
#6 0x0000000104a0b065 in JSC::Heap::collectImpl(JSC::HeapOperation, void*, void*, int (&) [37]) ()
#7 0x0000000104a0ada1 in JSC::Heap::collect(JSC::HeapOperation) ()
#8 0x0000000104c3c957 in JSC::MarkedAllocator::allocateSlowCase(unsigned long) ()
#9 0x0000000104b72ee0 in JSObjectMake ()

and the state of the JSCell is:

m_structureID: 0
m_indexingType: 0
m_type: UnspecifiedType (0)
m_flags: 0
m_cellState: AnthraciteOrBlack (0)

Is there any way I can help to find the source of the issue? I have a setup where the bug is pretty reproducible.