Bug 150434 - REGRESSION(r191360): Repro Crash: com.apple.WebKit.WebContent at ….apple.JavaScriptCore: JSC::ExecState::bytecodeOffset + 174
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: All All
Importance: P2 Normal
Assignee: Michael Saboff
Keywords: InRadar
Reported: 2015-10-21 21:19 PDT by Michael Saboff
Modified: 2015-10-22 09:13 PDT (History)

Attachments
Patch (5.91 KB, patch)
2015-10-21 21:35 PDT, Michael Saboff
mark.lam: review+

Description Michael Saboff 2015-10-21 21:19:00 PDT
Although this was found after r191360, this is really a tail call issue uncovered by enabling tail calls (again) in r191360.

The issue here is that we are in a bound function that is tail calling a bound function where an exception is thrown or unhandled.  The bound functions are called via a native wrapper which is called via the native call thunk.  The exception processing in the native call thunk assumes that there is a direct JS caller.  With tail calls enabled that is no longer true.
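The scenario from the description, as an added example that is not the bug's own regress-150434.js test: a bound function that tail-calls another bound function which throws, with the caller checking that the exception propagates back normally. The function names and the chain builder are constructed for illustration.

```javascript
"use strict";

// Constructed example, not the bug's regress-150434.js. Bound functions run
// through a native wrapper in JSC; in strict-mode code a call in return
// position is a candidate for a proper tail call, so the JS frame between two
// such wrappers can be dropped. The crash on this page came from the native
// call thunk's exception path assuming that a JS caller frame always existed.

function thrower(tag) {
  throw new Error("boom from " + tag);
}

// Innermost bound function: receiver and first argument fixed by bind().
const boundThrower = thrower.bind(null, "inner");

// Calls its argument in tail position. Once bound, calling it means
// native wrapper -> outer -> tail call -> native wrapper -> thrower.
function outer(fn) {
  return fn();
}

// Build `depth` levels of bound outer() wrappers, each tail-calling the next.
function makeChain(depth) {
  let fn = boundThrower;
  for (let i = 0; i < depth; i++) {
    fn = outer.bind(null, fn);
  }
  return fn;
}

// Exercise the chain `iterations` times; every call must throw, and the
// exception must reach this JS frame intact rather than crash the engine.
function runScenario(depth, iterations) {
  const chain = makeChain(depth);
  let caught = 0;
  let lastMessage = null;
  for (let i = 0; i < iterations; i++) {
    try {
      chain();
    } catch (e) {
      caught++;
      lastMessage = e.message;
    }
  }
  return { caught, lastMessage };
}
```

On an engine with the fix applied, every call throws and is caught; the bug on this page caused the exception path itself to crash instead.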
Comment 1 Michael Saboff 2015-10-21 21:24:10 PDT
rdar://problem/23207182
Comment 2 Michael Saboff 2015-10-21 21:35:56 PDT
Created attachment 263790 [details]
Patch
Comment 3 Mark Lam 2015-10-21 22:47:22 PDT
Comment on attachment 263790 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=263790&action=review

You are now setting up these thunks to call operationVMHandleException() with a CallFrame that has a null codeBlock.  operationVMHandleException() calls genericUnwind(), and genericUnwind() starts with:

    if (Options::breakOnThrow()) {
        dataLog("In call frame ", RawPointer(callFrame), " for code block ", *callFrame->codeBlock(), "\n");
        CRASH();
    }

Can you also please fix the above code in genericUnwind() to not deref that codeBlock pointer if it's null?  I looked thru the rest of genericUnwind() and I think it is resilient against a null codeBlock pointer except the above logging line, but I think you should double check if you haven't already.

r=me with the issues fixed.

> Source/JavaScriptCore/ChangeLog:3
> +        REGRESSION(r191360): Repro Crash: com.apple.WebKit.WebContent at â¦.apple.JavaScriptCore: JSC::ExecState::bytecodeOffset + 174

Please fix the special character before ".apple.JavaScriptCore:".

> LayoutTests/ChangeLog:3
> +        REGRESSION(r191360): Repro Crash: com.apple.WebKit.WebContent at â¦.apple.JavaScriptCore: JSC::ExecState::bytecodeOffset + 174

Please fix the non-ascii character before ".apple.JavaScriptCore:".

> LayoutTests/js/script-tests/regress-150434.js:47
> +testPassed("Properly handled an exception from a tail called native function that called by a native function");

Did you mean "that *was* called by *another* native function"?
Comment 4 Michael Saboff 2015-10-22 09:13:22 PDT
Committed r191455: <http://trac.webkit.org/changeset/191455>