150513 – REGRESSION (r179357-r179359): WebContent Crash using AOL Mail @ com.apple.JavascriptCore JSC::linkPolymorphicCall(JSC::ExecState*, JSC::CallLinkInfo&, JSC::CallVariant, JSC::RegisterPreservationMode) + 1584

RESOLVED FIXED 150513

REGRESSION (r179357-r179359): WebContent Crash using AOL Mail @ com.apple.JavascriptCore JSC::linkPolymorphicCall(JSC::ExecState*, JSC::CallLinkInfo&, JSC::CallVariant, JSC::RegisterPreservationMode) + 1584

https://bugs.webkit.org/show_bug.cgi?id=150513

Summary REGRESSION (r179357-r179359): WebContent Crash using AOL Mail @ com.apple.Jav...

Michael Saboff

Reported 2015-10-23 14:26:53 PDT

It appears that the website is running out of stack space while making a virtual call to a Javascript function for the first time. The call to the function properly fails due to out of stack space, but we try to add the function to a polymorphic cache and it doesn't have a CodeBlock. linkPolymorphicCall crashes without a CodeBlock. We need to make linkPolymorphicCall() properly handle a function without a CodeBlock.

Attachments
Patch (17.93 KB, patch) 2015-10-23 16:20 PDT, Michael Saboff	saam: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Michael Saboff

Comment 1 2015-10-23 14:27:22 PDT

rdar://problem/23097422

Michael Saboff

Comment 2 2015-10-23 16:20:47 PDT

Created attachment 263954 [details] Patch

Saam Barati

Comment 3 2015-10-23 17:37:16 PDT

Comment on attachment 263954 [details] Patch r=me

Benjamin Poulain

Comment 4 2015-10-23 17:37:41 PDT

View in context: https://bugs.webkit.org/attachment.cgi?id=263954&action=review > Source/JavaScriptCore/jit/Repatch.cpp:686 > // If we cannot handle a callee, assume that it's better for this whole thing to be a > // virtual call. It would be good to update the comment too. > Source/JavaScriptCore/runtime/VM.h:635 > + bool m_failNextNewCodeBlock; Let's use m_failNextNewCodeBlock { false } then you don't need the initializer in the constructor. > Tools/DumpRenderTree/TestRunner.cpp:1940 > + if (argumentCount < 1) > + return JSValueMakeUndefined(context); > + ??? Do we care about argument here?

Michael Saboff

Comment 5 2015-10-23 18:46:10 PDT

Committed r191530: <http://trac.webkit.org/changeset/191530>

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware All

OS All

Product WebKit

Component JavaScriptCore

Assignee

Michael Saboff

Reported

2015-10-23 14:26 PDT

Modified

2015-10-23 18:46 PDT History

CC List

1 user Show

URL

Keywords InRadar

Depends on

Blocks