Bug 155404 - http://kangax.github.io/compat-table/esnext/ crashes reliably
Summary: http://kangax.github.io/compat-table/esnext/ crashes reliably
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified
OS: OS X 10.11
Importance: P2 Critical
Assignee: Mark Lam
URL:
Keywords: InRadar, NeedsReduction
Depends on:
Blocks:
 
Reported: 2016-03-12 19:33 PST by Oliver Hunt
Modified: 2020-04-15 09:23 PDT (History)

See Also:


Attachments
proposed patch. (4.82 KB, patch)
2016-03-12 23:23 PST, Mark Lam
ysuzuki: review+

Description Oliver Hunt 2016-03-12 19:33:09 PST
Null deref, this is not a dev machine so I can't investigate further.

Happens in the nightly from r198070.

Process:               com.apple.WebKit.WebContent.Development [6631]
Path:                  /Volumes/VOLUME/WebKit.app/Contents/Frameworks/10-11/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development
Identifier:            com.apple.WebKit.WebContent.Development
Version:               602+ (602.1.23+)
Code Type:             X86-64 (Native)
Parent Process:        ??? [1]
Responsible:           SafariForWebKitDevelopment [6578]
User ID:               501

Date/Time:             2016-03-12 19:31:28.355 -0800
OS Version:            Mac OS X 10.11.3 (15D21)
Report Version:        11
Anonymous UUID:        1C46B275-63E4-0BB5-438C-B3E37CB8069F


Time Awake Since Boot: 720000 seconds

System Integrity Protection: enabled

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000005
Exception Note:        EXC_CORPSE_NOTIFY

VM Regions Near 0x5:
--> 
    __TEXT                 0000000100163000-0000000100165000 [    8K] r-x/rwx SM=COW  /Volumes/VOLUME/WebKit.app/Contents/Frameworks/10-11/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development

Application Specific Information:
Bundle controller class:
BrowserBundleController
 
Process Model:
Multiple Web Processes
 

Global Trace Buffer (reverse chronological seconds):
0.679758     CFNetwork                 	0x00007fff99d2bd29 Explicitly setting CF cookie storage singleton
0.679995     CFNetwork                 	0x00007fff99d62621 Explicitly setting cookie storage singleton

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x000000010119053e JSC::JSObject::hasPropertyGeneric(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot::InternalMethodType) const + 2238
1   com.apple.JavaScriptCore      	0x00000001012a896f JSC::toPropertyDescriptor(JSC::ExecState*, JSC::JSValue, JSC::PropertyDescriptor&) + 1471
2   com.apple.JavaScriptCore      	0x00000001012a5aa0 JSC::objectConstructorDefineProperty(JSC::ExecState*) + 560
3   ???                           	0x000050826fa01028 0 + 88521148731432
4   com.apple.JavaScriptCore      	0x0000000101268a33 llint_entry + 23457
5   com.apple.JavaScriptCore      	0x0000000101262caf vmEntryToJavaScript + 299
6   com.apple.JavaScriptCore      	0x00000001010da9ae JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 158
7   com.apple.JavaScriptCore      	0x000000010103a99f JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 447
8   com.apple.JavaScriptCore      	0x0000000100c5846e JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 62
9   com.apple.JavaScriptCore      	0x0000000100dd3d8d JSC::ProxyObject::performDefineOwnProperty(JSC::ExecState*, JSC::PropertyName, JSC::PropertyDescriptor const&, bool) + 1485
10  com.apple.JavaScriptCore      	0x00000001012ae70e JSC::objectProtoFuncDefineGetter(JSC::ExecState*) + 958
11  ???                           	0x000050826fa01028 0 + 88521148731432
12  com.apple.JavaScriptCore      	0x0000000101268a33 llint_entry + 23457
13  com.apple.JavaScriptCore      	0x0000000101268a33 llint_entry + 23457
14  com.apple.JavaScriptCore      	0x0000000101268a33 llint_entry + 23457
15  com.apple.JavaScriptCore      	0x0000000101262caf vmEntryToJavaScript + 299
16  com.apple.JavaScriptCore      	0x00000001010da9ae JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 158
17  com.apple.JavaScriptCore      	0x000000010103a6bb JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) + 16619
18  com.apple.JavaScriptCore      	0x0000000100cb3651 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 593
19  com.apple.WebCore             	0x0000000102615d65 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&, WebCore::ExceptionDetails*) + 309
20  com.apple.WebCore             	0x0000000102615fb0 WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&, WebCore::ExceptionDetails*) + 48
21  com.apple.WebCore             	0x000000010261c072 WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 562
22  com.apple.WebCore             	0x000000010261aae5 WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) + 1061
23  com.apple.WebCore             	0x0000000101db48f8 WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition const&) + 344
24  com.apple.WebCore             	0x0000000101db4750 WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition const&) + 48
25  com.apple.WebCore             	0x0000000101d4d44c WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() + 316
26  com.apple.WebCore             	0x0000000101d4d7fb WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) + 667
27  com.apple.WebCore             	0x0000000101d4d093 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 115
28  com.apple.WebCore             	0x0000000101d4e48e WebCore::HTMLDocumentParser::resumeParsingAfterScriptExecution() + 350
29  com.apple.WebCore             	0x0000000101d4e682 WebCore::HTMLDocumentParser::notifyFinished(WebCore::CachedResource*) + 82
30  com.apple.WebCore             	0x00000001018ee3a9 WebCore::CachedResource::checkNotify() + 153
31  com.apple.WebCore             	0x000000010276bdd1 WebCore::SubresourceLoader::didFinishLoading(double) + 1153
32  com.apple.WebKit              	0x000000010038b660 WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::MessageDecoder&) + 460
33  com.apple.WebKit              	0x0000000100197ba1 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) + 127
34  com.apple.WebKit              	0x000000010019a50a IPC::Connection::dispatchOneMessage() + 126
35  com.apple.JavaScriptCore      	0x0000000101538a82 WTF::RunLoop::performWork() + 898
36  com.apple.JavaScriptCore      	0x0000000101538c62 WTF::RunLoop::performWork(void*) + 34
37  com.apple.CoreFoundation      	0x00007fff8eb6f5c1 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
38  com.apple.CoreFoundation      	0x00007fff8eb6141c __CFRunLoopDoSources0 + 556
39  com.apple.CoreFoundation      	0x00007fff8eb6093f __CFRunLoopRun + 927
40  com.apple.CoreFoundation      	0x00007fff8eb60338 CFRunLoopRunSpecific + 296
41  com.apple.HIToolbox           	0x00007fff95f72935 RunCurrentEventLoopInMode + 235
42  com.apple.HIToolbox           	0x00007fff95f7276f ReceiveNextEventCommon + 432
43  com.apple.HIToolbox           	0x00007fff95f725af _BlockUntilNextEventMatchingListInModeWithFilter + 71
44  com.apple.AppKit              	0x00007fff8bcfd0ee _DPSNextEvent + 1067
45  com.apple.AppKit              	0x00007fff8c0c9943 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 454
46  com.apple.AppKit              	0x00007fff8bcf2fc8 -[NSApplication run] + 682
47  com.apple.AppKit              	0x00007fff8bc75520 NSApplicationMain + 1176
48  libxpc.dylib                  	0x00007fff9b84ff6c _xpc_objc_main + 793
49  libxpc.dylib                  	0x00007fff9b8516bb xpc_main + 494
50  com.apple.WebKit.WebContent.Development	0x00000001001647df main + 422
51  libdyld.dylib                 	0x00007fff96a3f5ad start + 1

Thread 1:
0   libsystem_kernel.dylib        	0x00007fffa01136de __workq_kernreturn + 10
1   libsystem_pthread.dylib       	0x00007fff8cb6a729 _pthread_wqthread + 1283
2   libsystem_pthread.dylib       	0x00007fff8cb68365 start_wqthread + 13

Thread 2:: Dispatch queue: com.apple.libdispatch-manager
0   libsystem_kernel.dylib        	0x00007fffa0113ff6 kevent_qos + 10
1   libdispatch.dylib             	0x00007fff8fcb5099 _dispatch_mgr_invoke + 216
2   libdispatch.dylib             	0x00007fff8fcb4d01 _dispatch_mgr_thread + 52

Thread 3:
0   libsystem_kernel.dylib        	0x00007fffa01136de __workq_kernreturn + 10
1   libsystem_pthread.dylib       	0x00007fff8cb6a729 _pthread_wqthread + 1283
2   libsystem_pthread.dylib       	0x00007fff8cb68365 start_wqthread + 13

Thread 4:
0   libsystem_kernel.dylib        	0x00007fffa01136de __workq_kernreturn + 10
1   libsystem_pthread.dylib       	0x00007fff8cb6a729 _pthread_wqthread + 1283
2   libsystem_pthread.dylib       	0x00007fff8cb68365 start_wqthread + 13

Thread 5:
0   libsystem_kernel.dylib        	0x00007fffa01136de __workq_kernreturn + 10
1   libsystem_pthread.dylib       	0x00007fff8cb6a729 _pthread_wqthread + 1283
2   libsystem_pthread.dylib       	0x00007fff8cb68365 start_wqthread + 13

Thread 6:

Thread 7:: com.apple.NSEventThread
0   libsystem_kernel.dylib        	0x00007fffa010d386 mach_msg_trap + 10
1   libsystem_kernel.dylib        	0x00007fffa010c7c7 mach_msg + 55
2   com.apple.CoreFoundation      	0x00007fff8eb61624 __CFRunLoopServiceMachPort + 212
3   com.apple.CoreFoundation      	0x00007fff8eb60aec __CFRunLoopRun + 1356
4   com.apple.CoreFoundation      	0x00007fff8eb60338 CFRunLoopRunSpecific + 296
5   com.apple.AppKit              	0x00007fff8bdbc065 _NSEventThread + 149
6   libsystem_pthread.dylib       	0x00007fff8cb6ac13 _pthread_body + 131
7   libsystem_pthread.dylib       	0x00007fff8cb6ab90 _pthread_start + 168
8   libsystem_pthread.dylib       	0x00007fff8cb68375 thread_start + 13

Thread 8:: com.apple.NSURLConnectionLoader
0   libsystem_kernel.dylib        	0x00007fffa010d386 mach_msg_trap + 10
1   libsystem_kernel.dylib        	0x00007fffa010c7c7 mach_msg + 55
2   com.apple.CoreFoundation      	0x00007fff8eb61624 __CFRunLoopServiceMachPort + 212
3   com.apple.CoreFoundation      	0x00007fff8eb60aec __CFRunLoopRun + 1356
4   com.apple.CoreFoundation      	0x00007fff8eb60338 CFRunLoopRunSpecific + 296
5   com.apple.CFNetwork           	0x00007fff99b656e9 +[NSURLConnection(Loader) _resourceLoadLoop:] + 412
6   com.apple.Foundation          	0x00007fff958d4c6f __NSThread__start__ + 1351
7   libsystem_pthread.dylib       	0x00007fff8cb6ac13 _pthread_body + 131
8   libsystem_pthread.dylib       	0x00007fff8cb6ab90 _pthread_start + 168
9   libsystem_pthread.dylib       	0x00007fff8cb68375 thread_start + 13

Thread 9:
0   libsystem_kernel.dylib        	0x00007fffa0113206 __semwait_signal + 10
1   libsystem_c.dylib             	0x00007fff8ce16d17 nanosleep + 199
2   libc++.1.dylib                	0x00007fff9a817020 std::__1::this_thread::sleep_for(std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > const&) + 75
3   com.apple.JavaScriptCore      	0x00000001015578cb bmalloc::Heap::scavenge(std::__1::unique_lock<bmalloc::StaticMutex>&, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000l> >) + 155
4   com.apple.JavaScriptCore      	0x0000000101557804 bmalloc::Heap::concurrentScavenge() + 68
5   com.apple.JavaScriptCore      	0x000000010155940a bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>::threadRunLoop() + 90
6   com.apple.JavaScriptCore      	0x000000010155962d void* std::__1::__thread_proxy<std::__1::tuple<void (*)(bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>*), bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>*> >(void*) + 93
7   libsystem_pthread.dylib       	0x00007fff8cb6ac13 _pthread_body + 131
8   libsystem_pthread.dylib       	0x00007fff8cb6ab90 _pthread_start + 168
9   libsystem_pthread.dylib       	0x00007fff8cb68375 thread_start + 13

Thread 10:: WebCore: Scrolling
0   libsystem_kernel.dylib        	0x00007fffa010d386 mach_msg_trap + 10
1   libsystem_kernel.dylib        	0x00007fffa010c7c7 mach_msg + 55
2   com.apple.CoreFoundation      	0x00007fff8eb61624 __CFRunLoopServiceMachPort + 212
3   com.apple.CoreFoundation      	0x00007fff8eb60aec __CFRunLoopRun + 1356
4   com.apple.CoreFoundation      	0x00007fff8eb60338 CFRunLoopRunSpecific + 296
5   com.apple.CoreFoundation      	0x00007fff8ec231f1 CFRunLoopRun + 97
6   com.apple.WebCore             	0x0000000102638d5d WebCore::ScrollingThread::initializeRunLoop() + 253
7   com.apple.JavaScriptCore      	0x0000000101548cd2 WTF::threadEntryPoint(void*) + 178
8   com.apple.JavaScriptCore      	0x00000001015490ef WTF::wtfThreadEntryPoint(void*) + 15
9   libsystem_pthread.dylib       	0x00007fff8cb6ac13 _pthread_body + 131
10  libsystem_pthread.dylib       	0x00007fff8cb6ab90 _pthread_start + 168
11  libsystem_pthread.dylib       	0x00007fff8cb68375 thread_start + 13

Thread 11:: WTF Parallel Helper Thread
0   libsystem_kernel.dylib        	0x00007fffa0112eb2 __psynch_cvwait + 10
1   libsystem_pthread.dylib       	0x00007fff8cb6b150 _pthread_cond_wait + 767
2   libc++.1.dylib                	0x00007fff9a7d868f std::__1::condition_variable::wait(std::__1::unique_lock<std::__1::mutex>&) + 47
3   com.apple.JavaScriptCore      	0x0000000101536e3e WTF::ParkingLot::parkConditionally(void const*, std::__1::function<bool ()>, std::__1::function<void ()>, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >) + 2494
4   com.apple.JavaScriptCore      	0x0000000100eed0fa bool WTF::ConditionBase::waitUntil<WTF::Lock>(WTF::Lock&, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >) + 154
5   com.apple.JavaScriptCore      	0x0000000101536253 WTF::ParallelHelperPool::waitForClientWithTask(WTF::Locker<WTF::LockBase> const&) + 291
6   com.apple.JavaScriptCore      	0x0000000101536013 WTF::ParallelHelperPool::helperThreadBody() + 83
7   com.apple.JavaScriptCore      	0x0000000101548cd2 WTF::threadEntryPoint(void*) + 178
8   com.apple.JavaScriptCore      	0x00000001015490ef WTF::wtfThreadEntryPoint(void*) + 15
9   libsystem_pthread.dylib       	0x00007fff8cb6ac13 _pthread_body + 131
10  libsystem_pthread.dylib       	0x00007fff8cb6ab90 _pthread_start + 168
11  libsystem_pthread.dylib       	0x00007fff8cb68375 thread_start + 13

Thread 12:: WTF Parallel Helper Thread
0   libsystem_kernel.dylib        	0x00007fffa0112eb2 __psynch_cvwait + 10
1   libsystem_pthread.dylib       	0x00007fff8cb6b150 _pthread_cond_wait + 767
2   libc++.1.dylib                	0x00007fff9a7d868f std::__1::condition_variable::wait(std::__1::unique_lock<std::__1::mutex>&) + 47
3   com.apple.JavaScriptCore      	0x0000000101536e3e WTF::ParkingLot::parkConditionally(void const*, std::__1::function<bool ()>, std::__1::function<void ()>, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >) + 2494
4   com.apple.JavaScriptCore      	0x0000000100eed0fa bool WTF::ConditionBase::waitUntil<WTF::Lock>(WTF::Lock&, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >) + 154
5   com.apple.JavaScriptCore      	0x0000000101536253 WTF::ParallelHelperPool::waitForClientWithTask(WTF::Locker<WTF::LockBase> const&) + 291
6   com.apple.JavaScriptCore      	0x0000000101536013 WTF::ParallelHelperPool::helperThreadBody() + 83
7   com.apple.JavaScriptCore      	0x0000000101548cd2 WTF::threadEntryPoint(void*) + 178
8   com.apple.JavaScriptCore      	0x00000001015490ef WTF::wtfThreadEntryPoint(void*) + 15
9   libsystem_pthread.dylib       	0x00007fff8cb6ac13 _pthread_body + 131
10  libsystem_pthread.dylib       	0x00007fff8cb6ab90 _pthread_start + 168
11  libsystem_pthread.dylib       	0x00007fff8cb68375 thread_start + 13

Thread 13:: WTF Parallel Helper Thread
0   libsystem_kernel.dylib        	0x00007fffa0112eb2 __psynch_cvwait + 10
1   libsystem_pthread.dylib       	0x00007fff8cb6b150 _pthread_cond_wait + 767
2   libc++.1.dylib                	0x00007fff9a7d868f std::__1::condition_variable::wait(std::__1::unique_lock<std::__1::mutex>&) + 47
3   com.apple.JavaScriptCore      	0x0000000101536e3e WTF::ParkingLot::parkConditionally(void const*, std::__1::function<bool ()>, std::__1::function<void ()>, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >) + 2494
4   com.apple.JavaScriptCore      	0x0000000100eed0fa bool WTF::ConditionBase::waitUntil<WTF::Lock>(WTF::Lock&, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >) + 154
5   com.apple.JavaScriptCore      	0x0000000101536253 WTF::ParallelHelperPool::waitForClientWithTask(WTF::Locker<WTF::LockBase> const&) + 291
6   com.apple.JavaScriptCore      	0x0000000101536013 WTF::ParallelHelperPool::helperThreadBody() + 83
7   com.apple.JavaScriptCore      	0x0000000101548cd2 WTF::threadEntryPoint(void*) + 178
8   com.apple.JavaScriptCore      	0x00000001015490ef WTF::wtfThreadEntryPoint(void*) + 15
9   libsystem_pthread.dylib       	0x00007fff8cb6ac13 _pthread_body + 131
10  libsystem_pthread.dylib       	0x00007fff8cb6ab90 _pthread_start + 168
11  libsystem_pthread.dylib       	0x00007fff8cb68375 thread_start + 13

Thread 14:: WTF Parallel Helper Thread
0   libsystem_kernel.dylib        	0x00007fffa0112eb2 __psynch_cvwait + 10
1   libsystem_pthread.dylib       	0x00007fff8cb6b150 _pthread_cond_wait + 767
2   libc++.1.dylib                	0x00007fff9a7d868f std::__1::condition_variable::wait(std::__1::unique_lock<std::__1::mutex>&) + 47
3   com.apple.JavaScriptCore      	0x0000000101536e3e WTF::ParkingLot::parkConditionally(void const*, std::__1::function<bool ()>, std::__1::function<void ()>, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >) + 2494
4   com.apple.JavaScriptCore      	0x0000000100eed0fa bool WTF::ConditionBase::waitUntil<WTF::Lock>(WTF::Lock&, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >) + 154
5   com.apple.JavaScriptCore      	0x0000000101536253 WTF::ParallelHelperPool::waitForClientWithTask(WTF::Locker<WTF::LockBase> const&) + 291
6   com.apple.JavaScriptCore      	0x0000000101536013 WTF::ParallelHelperPool::helperThreadBody() + 83
7   com.apple.JavaScriptCore      	0x0000000101548cd2 WTF::threadEntryPoint(void*) + 178
8   com.apple.JavaScriptCore      	0x00000001015490ef WTF::wtfThreadEntryPoint(void*) + 15
9   libsystem_pthread.dylib       	0x00007fff8cb6ac13 _pthread_body + 131
10  libsystem_pthread.dylib       	0x00007fff8cb6ab90 _pthread_start + 168
11  libsystem_pthread.dylib       	0x00007fff8cb68375 thread_start + 13

Thread 15:: WTF Parallel Helper Thread
0   libsystem_kernel.dylib        	0x00007fffa0112eb2 __psynch_cvwait + 10
1   libsystem_pthread.dylib       	0x00007fff8cb6b150 _pthread_cond_wait + 767
2   libc++.1.dylib                	0x00007fff9a7d868f std::__1::condition_variable::wait(std::__1::unique_lock<std::__1::mutex>&) + 47
3   com.apple.JavaScriptCore      	0x0000000101536e3e WTF::ParkingLot::parkConditionally(void const*, std::__1::function<bool ()>, std::__1::function<void ()>, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >) + 2494
4   com.apple.JavaScriptCore      	0x0000000100eed0fa bool WTF::ConditionBase::waitUntil<WTF::Lock>(WTF::Lock&, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >) + 154
5   com.apple.JavaScriptCore      	0x0000000101536253 WTF::ParallelHelperPool::waitForClientWithTask(WTF::Locker<WTF::LockBase> const&) + 291
6   com.apple.JavaScriptCore      	0x0000000101536013 WTF::ParallelHelperPool::helperThreadBody() + 83
7   com.apple.JavaScriptCore      	0x0000000101548cd2 WTF::threadEntryPoint(void*) + 178
8   com.apple.JavaScriptCore      	0x00000001015490ef WTF::wtfThreadEntryPoint(void*) + 15
9   libsystem_pthread.dylib       	0x00007fff8cb6ac13 _pthread_body + 131
10  libsystem_pthread.dylib       	0x00007fff8cb6ab90 _pthread_start + 168
11  libsystem_pthread.dylib       	0x00007fff8cb68375 thread_start + 13

Thread 16:: WTF Parallel Helper Thread
0   libsystem_kernel.dylib        	0x00007fffa0112eb2 __psynch_cvwait + 10
1   libsystem_pthread.dylib       	0x00007fff8cb6b150 _pthread_cond_wait + 767
2   libc++.1.dylib                	0x00007fff9a7d868f std::__1::condition_variable::wait(std::__1::unique_lock<std::__1::mutex>&) + 47
3   com.apple.JavaScriptCore      	0x0000000101536e3e WTF::ParkingLot::parkConditionally(void const*, std::__1::function<bool ()>, std::__1::function<void ()>, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >) + 2494
4   com.apple.JavaScriptCore      	0x0000000100eed0fa bool WTF::ConditionBase::waitUntil<WTF::Lock>(WTF::Lock&, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >) + 154
5   com.apple.JavaScriptCore      	0x0000000101536253 WTF::ParallelHelperPool::waitForClientWithTask(WTF::Locker<WTF::LockBase> const&) + 291
6   com.apple.JavaScriptCore      	0x0000000101536013 WTF::ParallelHelperPool::helperThreadBody() + 83
7   com.apple.JavaScriptCore      	0x0000000101548cd2 WTF::threadEntryPoint(void*) + 178
8   com.apple.JavaScriptCore      	0x00000001015490ef WTF::wtfThreadEntryPoint(void*) + 15
9   libsystem_pthread.dylib       	0x00007fff8cb6ac13 _pthread_body + 131
10  libsystem_pthread.dylib       	0x00007fff8cb6ab90 _pthread_start + 168
11  libsystem_pthread.dylib       	0x00007fff8cb68375 thread_start + 13

Thread 0 crashed with X86 Thread State (64-bit):
  rax: 0x0000000107a5ad58  rbx: 0x0000000000000001  rcx: 0x0000000023a41e65  rdx: 0x0000000000000000
  rdi: 0x0000000000000010  rsi: 0x00000001083b6ea0  rbp: 0x00007fff5fa99800  rsp: 0x00007fff5fa99770
   r8: 0x00000001083b6ee0   r9: 0x0000000000000000  r10: 0x000000000000000f  r11: 0xffff000000000002
  r12: 0x0000000107a5ad40  r13: 0x0000000108231080  r14: 0x0000000000000000  r15: 0x0000000107bb2120
  rip: 0x000000010119053e  rfl: 0x0000000000010246  cr2: 0x0000000000000005
  
Logical CPU:     6
Error Code:      0x00000004
Trap Number:     14
Comment 1 Radar WebKit Bug Importer 2016-03-12 22:05:11 PST
<rdar://problem/25131391>
Comment 2 Mark Lam 2016-03-12 22:10:50 PST
Here's a more descriptive crash trace using a debug build:

ASSERTION FAILED: descriptor.setter()
/Volumes/Data/ws4/OpenSource/Source/JavaScriptCore/runtime/ObjectConstructor.h(108) : JSC::JSObject *JSC::constructObjectFromPropertyDescriptor(JSC::ExecState *, const JSC::PropertyDescriptor &)
1   0x1056cae00 WTFCrash
2   0x104cd9bc3 JSC::constructObjectFromPropertyDescriptor(JSC::ExecState*, JSC::PropertyDescriptor const&)
3   0x104cd6f57 JSC::ProxyObject::performDefineOwnProperty(JSC::ExecState*, JSC::PropertyName, JSC::PropertyDescriptor const&, bool)
4   0x104cd2216 JSC::ProxyObject::defineOwnProperty(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertyDescriptor const&, bool)
5   0x105372381 JSC::objectProtoFuncDefineGetter(JSC::ExecState*)
6   0x4723a0201028
7   0x1052f7fc5 llint_entry

The issue is that constructObjectFromPropertyDescriptor() is expecting that when the descriptor is an accessor, both the getter and setter are defined.  In this case, the getter is, but the setter is not.  The crash comes from using the null setter in the descriptor.
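The descriptor shape described in the comment above, shown from the JavaScript side as an added example (this is not WebKit code and not the patch attached to this bug; the function names fromPropertyDescriptor, captureDefineProperty, getterOnlyDescriptor and roundTripGetterOnly are my own). The Proxy records the descriptor object an engine passes to a defineProperty trap, which is the same conversion point the crash trace goes through (objectProtoFuncDefineGetter → ProxyObject::performDefineOwnProperty), and the converter is modelled on the ECMAScript FromPropertyDescriptor abstract operation, which emits only the fields that are present rather than assuming an accessor always carries both halves:

```javascript
// Added example; not from the WebKit bug or its patch.
// Models ECMAScript FromPropertyDescriptor: an accessor descriptor may have
// only a getter or only a setter, and the conversion must tolerate the
// missing half instead of dereferencing it.

// Convert an internal-style descriptor (fields may be absent) to the plain
// object form a Proxy trap receives. Only present fields are emitted.
function fromPropertyDescriptor(desc) {
  if (desc === undefined) return undefined;
  const obj = {};
  if ('value' in desc) obj.value = desc.value;
  if ('writable' in desc) obj.writable = desc.writable;
  if ('get' in desc) obj.get = desc.get;            // getter may be absent
  if ('set' in desc) obj.set = desc.set;            // setter may be absent
  if ('enumerable' in desc) obj.enumerable = desc.enumerable;
  if ('configurable' in desc) obj.configurable = desc.configurable;
  return obj;
}

// Run defineFn against a Proxy whose defineProperty trap records every
// descriptor object the engine hands it, then forwards to the target.
function captureDefineProperty(defineFn) {
  const seen = [];
  const target = {};
  const proxy = new Proxy(target, {
    defineProperty(t, key, desc) {
      seen.push({ key, desc: { ...desc } });
      return Reflect.defineProperty(t, key, desc);
    },
  });
  defineFn(proxy);
  return seen;
}

// __defineGetter__ builds an accessor descriptor with only [[Get]],
// [[Enumerable]] and [[Configurable]]; the 'set' key is absent, which is
// the situation the assertion in the comment above rejected.
function getterOnlyDescriptor() {
  const seen = captureDefineProperty((p) => {
    Object.prototype.__defineGetter__.call(p, 'x', () => 42);
  });
  return seen[0].desc;
}

// Round trip: a getter-only descriptor, converted by fromPropertyDescriptor,
// is defined through a Proxy trap and read back. Reads work; the resulting
// own property reports no setter.
function roundTripGetterOnly() {
  const target = {};
  const proxy = new Proxy(target, {
    defineProperty(t, key, desc) {
      return Reflect.defineProperty(t, key, desc);
    },
  });
  const desc = fromPropertyDescriptor({ get: () => 'ro', enumerable: true, configurable: true });
  Object.defineProperty(proxy, 'y', desc);
  const own = Object.getOwnPropertyDescriptor(target, 'y');
  return { value: proxy.y, hasSetter: own.set !== undefined };
}
```

The practical check for engine or polyfill code that converts descriptors is the one fromPropertyDescriptor makes explicit: test for each accessor half independently, and never treat "is an accessor" as implying "has a setter".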
Comment 3 Mark Lam 2016-03-12 23:23:08 PST
Created attachment 273874 [details]
proposed patch.

Currently running tests.
Comment 4 Yusuke Suzuki 2016-03-13 04:22:06 PDT
Comment on attachment 273874 [details]
proposed patch.

r=me
Comment 5 Mark Lam 2016-03-13 08:47:58 PDT
Thanks for the review.  Landed in r198080: <http://trac.webkit.org/r198080>.