WebKit Bugzilla
Bug 149973 - Crash when dumping bytecode while profiling
Status: NEW
https://bugs.webkit.org/show_bug.cgi?id=149973

Reported by Mark Hahnenberg, 2015-10-09 16:04:31 PDT
Backtrace:

Thread 21 Crashed:: DFG Worklist Worker Thread
0   com.apple.JavaScriptCore   0x0000000114f7cc01 JSC::AccessCase::dump(WTF::PrintStream&) const + 17
1   com.apple.JavaScriptCore   0x0000000114f82e3d JSC::PolymorphicAccess::dump(WTF::PrintStream&) const + 109
2   com.apple.JavaScriptCore   0x0000000114a0e5b9 JSC::CodeBlock::printGetByIdCacheStatus(WTF::PrintStream&, JSC::ExecState*, int, WTF::HashMap<JSC::CodeOrigin, JSC::StructureStubInfo*, JSC::CodeOriginApproximateHash, WTF::HashTraits<JSC::CodeOrigin>, WTF::HashTraits<JSC::StructureStubInfo*> > const&) + 809
3   com.apple.JavaScriptCore   0x0000000114a106a2 JSC::CodeBlock::dumpBytecode(WTF::PrintStream&, JSC::ExecState*, JSC::Instruction const*, JSC::Instruction const*&, WTF::HashMap<JSC::CodeOrigin, JSC::StructureStubInfo*, JSC::CodeOriginApproximateHash, WTF::HashTraits<JSC::CodeOrigin>, WTF::HashTraits<JSC::StructureStubInfo*> > const&, WTF::HashMap<JSC::CodeOrigin, JSC::CallLinkInfo*, JSC::CodeOriginApproximateHash, WTF::HashTraits<JSC::CodeOrigin>, WTF::HashTraits<JSC::CallLinkInfo*> > const&) + 1362
4   com.apple.JavaScriptCore   0x0000000114a18eb1 JSC::CodeBlock::dumpBytecode(WTF::PrintStream&, unsigned int, WTF::HashMap<JSC::CodeOrigin, JSC::StructureStubInfo*, JSC::CodeOriginApproximateHash, WTF::HashTraits<JSC::CodeOrigin>, WTF::HashTraits<JSC::StructureStubInfo*> > const&, WTF::HashMap<JSC::CodeOrigin, JSC::CallLinkInfo*, JSC::CodeOriginApproximateHash, WTF::HashTraits<JSC::CodeOrigin>, WTF::HashTraits<JSC::CallLinkInfo*> > const&) + 81
5   com.apple.JavaScriptCore   0x0000000114f9cd5c JSC::Profiler::BytecodeSequence::BytecodeSequence(JSC::CodeBlock*) + 700
6   com.apple.JavaScriptCore   0x0000000114fa31d5 JSC::Profiler::ProfiledBytecodes::ProfiledBytecodes(JSC::Profiler::Bytecodes*, JSC::CodeBlock*) + 21
7   com.apple.JavaScriptCore   0x0000000114f9da8f JSC::Profiler::Compilation::addProfiledBytecodes(JSC::Profiler::Database&, JSC::CodeBlock*) + 95
8   com.apple.JavaScriptCore   0x0000000114a95af2 JSC::DFG::ByteCodeParser::parseCodeBlock() + 98
9   com.apple.JavaScriptCore   0x0000000114a81aad bool JSC::DFG::ByteCodeParser::attemptToInlineCall<JSC::DFG::ByteCodeParser::handleInlining(JSC::DFG::Node*, int, JSC::CallLinkStatus const&, int, JSC::VirtualRegister, JSC::VirtualRegister, unsigned int, int, unsigned int, JSC::DFG::NodeType, JSC::InlineCallFrame::Kind, unsigned int)::$_0>(JSC::DFG::Node*, int, JSC::CallVariant, int, int, unsigned int, JSC::InlineCallFrame::Kind, JSC::DFG::ByteCodeParser::CallerLinkability, unsigned int, unsigned int&, JSC::DFG::ByteCodeParser::handleInlining(JSC::DFG::Node*, int, JSC::CallLinkStatus const&, int, JSC::VirtualRegister, JSC::VirtualRegister, unsigned int, int, unsigned int, JSC::DFG::NodeType, JSC::InlineCallFrame::Kind, unsigned int)::$_0 const&) + 2701
10  com.apple.JavaScriptCore   0x0000000114a7d0f1 JSC::DFG::ByteCodeParser::handleInlining(JSC::DFG::Node*, int, JSC::CallLinkStatus const&, int, JSC::VirtualRegister, JSC::VirtualRegister, unsigned int, int, unsigned int, JSC::DFG::NodeType, JSC::InlineCallFrame::Kind, unsigned int) + 945
11  com.apple.JavaScriptCore   0x0000000114a7cbd8 JSC::DFG::ByteCodeParser::handleCall(int, JSC::DFG::NodeType, JSC::InlineCallFrame::Kind, unsigned int, JSC::DFG::Node*, int, int, JSC::CallLinkStatus, unsigned int) + 312
12  com.apple.JavaScriptCore   0x0000000114a7ca50 JSC::DFG::ByteCodeParser::handleCall(int, JSC::DFG::NodeType, JSC::CallMode, unsigned int, JSC::DFG::Node*, int, int, JSC::CallLinkStatus) + 432
13  com.apple.JavaScriptCore   0x0000000114a7c825 JSC::DFG::ByteCodeParser::handleCall(int, JSC::DFG::NodeType, JSC::CallMode, unsigned int, int, int, int) + 277
14  com.apple.JavaScriptCore   0x0000000114a89c62 JSC::DFG::ByteCodeParser::parseBlock(unsigned int) + 8450
15  com.apple.JavaScriptCore   0x0000000114a95f8b JSC::DFG::ByteCodeParser::parseCodeBlock() + 1275
16  com.apple.JavaScriptCore   0x0000000114a96306 JSC::DFG::ByteCodeParser::parse() + 262
17  com.apple.JavaScriptCore   0x0000000114a96589 JSC::DFG::parse(JSC::DFG::Graph&) + 425
18  com.apple.JavaScriptCore   0x0000000114b912d0 JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) + 256
19  com.apple.JavaScriptCore   0x0000000114b90e91 JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*) + 577
20  com.apple.JavaScriptCore   0x0000000114c3e876 JSC::DFG::Worklist::runThread(JSC::DFG::ThreadData*) + 758
21  com.apple.JavaScriptCore   0x000000011507d8d2 WTF::threadEntryPoint(void*) + 178
22  com.apple.JavaScriptCore   0x000000011507dcff WTF::wtfThreadEntryPoint(void*) + 15
23  libsystem_pthread.dylib    0x00007fff9780905a _pthread_body + 131
24  libsystem_pthread.dylib    0x00007fff97808fd7 _pthread_start + 176
25  libsystem_pthread.dylib    0x00007fff978063ed thread_start + 13

My guess is that the dumping code isn't taking the CodeBlock's concurrent JIT lock despite the fact that it's looking at inline-cache related things while dumping. The BytecodeSequence constructor takes the lock in its first loop but fails to do so in the second loop.
Comment 1 - Mark Hahnenberg, 2015-10-09 16:06:17 PDT

To repro:

Build svn revision 190816
JSC_enableProfiler=true JSC_PROFILER_PATH="/Users/mhahnenberg/Desktop" Tools/Scripts/run-safari --release
Load facebook.com
Comment 2 - Mark Hahnenberg, 2015-10-09 16:20:18 PDT

Hmm, I tried adding a lock in the place I suggested but it caused a deadlock with another dumping related thing deeper in the stack. So it seems like we need something more fine-grained.
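The lock discipline the two comments describe, as an added C++ example that is not WebKit code: a hypothetical ConcurrentLock/CodeBlock stand-in (all names are assumptions, loosely modelled on the "concurrent JIT lock" the reporter mentions) shows how a debug-time "lock held?" check catches the second, unlocked loop of the initial report, why the relock attempted in comment 2 deadlocks on a non-recursive lock, and one finer-grained alternative: take the lock once at the top and pass the holder down, so nested dumpers verify ownership instead of locking again.

```cpp
#include <atomic>
#include <mutex>
#include <string>
#include <thread>
// Hypothetical stand-in for a non-recursive concurrent JIT lock (not WebKit code); it
// records its owner so callees can check whether the current thread already holds it.
struct ConcurrentLock {
    void lock() { m_mutex.lock(); m_owner = std::this_thread::get_id(); }
    void unlock() { m_owner = std::thread::id(); m_mutex.unlock(); }
    bool isHeldByCurrentThread() const { return m_owner.load() == std::this_thread::get_id(); }
    // A std::mutex relocked by its owner is undefined (in practice a hang): report it instead.
    bool tryLock() {
        if (isHeldByCurrentThread() || !m_mutex.try_lock()) return false;
        m_owner = std::this_thread::get_id();
        return true;
    }
    std::mutex m_mutex;
    std::atomic<std::thread::id> m_owner{};
};
using Locker = std::lock_guard<ConcurrentLock>;  // RAII holder, passed down as proof of ownership
struct CodeBlock {  // constructed sample with two inline caches
    ConcurrentLock jitLock;
    std::string inlineCaches[2]{"get_by_id A", "get_by_id B"};
    int unguardedReads = 0;  // debug instrumentation: cache reads made without holding the lock
    const std::string& inlineCache(int i) {
        if (!jitLock.isHeldByCurrentThread()) ++unguardedReads;  // would be an ASSERT in debug
        return inlineCaches[i];
    }
};
// Shape of the initial report: first loop under the lock, second loop reads the same data unlocked.
int reporterPattern() {
    CodeBlock block;
    { Locker locker(block.jitLock); for (int i = 0; i < 2; ++i) block.inlineCache(i); }
    for (int i = 0; i < 2; ++i) block.inlineCache(i);  // races with the mutator thread
    return block.unguardedReads;  // 2
}
// Comment 2's deadlock: a nested dump taking the lock its caller already holds.
bool nestedRelockDeadlocks() {
    CodeBlock block; Locker outer(block.jitLock);
    return !block.jitLock.tryLock();  // true: a blocking lock() here would never return
}
// Finer-grained fix: lock once at the top, pass the Locker down, check ownership, never relock.
std::string dumpCacheStatus(CodeBlock& block, const Locker&) {
    std::string out = block.jitLock.isHeldByCurrentThread() ? "" : "ERROR: lock not held;";
    for (int i = 0; i < 2; ++i) out += block.inlineCache(i) + ";";
    return out;
}
std::string dumpWithLockerPassedDown() {
    CodeBlock block; Locker locker(block.jitLock);
    return dumpCacheStatus(block, locker);  // "get_by_id A;get_by_id B;", unguardedReads stays 0
}
```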