RESOLVED FIXED Bug 156487
[GTK][Stable] REGRESSION(r197520) Crash in JSC::Register::codeBlock on http://detexify.kirelabs.org/symbols.html and http://gexpertise.fr/activites/metiers/stockage with GCC
https://bugs.webkit.org/show_bug.cgi?id=156487
Michael Catanzaro
Reported 2016-04-11 19:32:30 PDT
WebKitGTK+ 2.12.0 crashes 100% when visiting http://detexify.kirelabs.org/symbols.html

Program terminated with signal SIGSEGV, Segmentation fault.
#0 JSC::Register::codeBlock (this=0xffff000000000012) at /usr/src/debug/webkitgtk-2.12.0/Source/JavaScriptCore/interpreter/Register.h:157
157 return u.codeBlock;
#0 0x00007f0819825904 in JSC::StackVisitor::readFrame(JSC::ExecState*) (this=0xffff000000000012) at /usr/src/debug/webkitgtk-2.12.0/Source/JavaScriptCore/interpreter/Register.h:157
index = <optimized out>
codeOrigin = {static invalidBytecodeIndex = 4294967295, bytecodeIndex = 2869128288, inlineCallFrame = 0x7ffeab0376f0}
#1 0x00007f0819825904 in JSC::StackVisitor::readFrame(JSC::ExecState*) (this=0xffff000000000002) at /usr/src/debug/webkitgtk-2.12.0/Source/JavaScriptCore/interpreter/CallFrame.h:70
index = <optimized out>
codeOrigin = {static invalidBytecodeIndex = 4294967295, bytecodeIndex = 2869128288, inlineCallFrame = 0x7ffeab0376f0}
#2 0x00007f0819825904 in JSC::StackVisitor::readFrame(JSC::ExecState*) (this=0x7ffeab036c60, callFrame=0xffff000000000002) at /usr/src/debug/webkitgtk-2.12.0/Source/JavaScriptCore/interpreter/StackVisitor.cpp:100
index = <optimized out>
codeOrigin = {static invalidBytecodeIndex = 4294967295, bytecodeIndex = 2869128288, inlineCallFrame = 0x7ffeab0376f0}
#3 0x00007f08195028f6 in JSC::CodeBlock::noticeIncomingCall(JSC::ExecState*) (this=this@entry=0x7f07694c7840, callerFrame=callerFrame@entry=0x7ffeab0376f0) at /usr/src/debug/webkitgtk-2.12.0/Source/JavaScriptCore/interpreter/StackVisitor.h:128
functor = {m_startCallFrame = <optimized out>, m_codeBlock = <optimized out>, m_depthToCheck = 1, m_foundStartCallFrame = true, m_didRecurse = false}
#4 0x00007f0819502a61 in JSC::CodeBlock::linkIncomingPolymorphicCall(JSC::ExecState*, JSC::PolymorphicCallNode*) (this=this@entry=0x7f07694c7840, callerFrame=callerFrame@entry=0x7ffeab0376f0, incoming=0x7f0760db5500) at /usr/src/debug/webkitgtk-2.12.0/Source/JavaScriptCore/bytecode/CodeBlock.cpp:3169
#5 0x00007f081988e904 in JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine(JSC::MacroAssemblerCodeRef const&, JSC::VM&, JSC::JSCell const*, JSC::ExecState*, JSC::CallLinkInfo&, WTF::Vector<JSC::PolymorphicCallCase, 0ul, WTF::CrashOnOverflow, 16ul> const&, std::unique_ptr<unsigned int [], std::default_delete<unsigned int []> >) (this=0x7f076116d3c0, codeRef=..., vm=..., owner=0x7f0769495a80, callerFrame=0x7ffeab0376f0, info=..., cases=..., fastCounts=std::unique_ptr<unsigned int> containing 0x7ffeab036f00) at /usr/src/debug/webkitgtk-2.12.0/Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.cpp:82
callCase = {m_variant = {m_callee = <optimized out>}, m_codeBlock = 0x7f07694c7840}
__for_range = @0x7ffeab036f10: {<WTF::VectorBuffer<JSC::PolymorphicCallCase, 0ul>> = {<WTF::VectorBufferBase<JSC::PolymorphicCallCase>> = {m_buffer = 0x7f079c9fa200, m_capacity = 16, m_size = 2}, <No data fields>}, <No data fields>}
__for_begin = 0x7f079c9fa210
#6 0x00007f081989674c in JSC::linkPolymorphicCall(JSC::ExecState*, JSC::CallLinkInfo&, JSC::CallVariant) (exec=exec@entry=0x7ffeab037610, callLinkInfo=..., newVariant=...)
at /usr/src/debug/webkitgtk-2.12.0/Source/JavaScriptCore/jit/Repatch.cpp:883 list = {<WTF::VectorBuffer<JSC::CallVariant, 1ul>> = {<WTF::VectorBufferBase<JSC::CallVariant>> = {m_buffer = 0x7f076b3c3200, m_capacity = 16, m_size = 2}, m_inlineBuffer = {{__data = "\240\341jk\a\177\000", __align = {<No data fields>}}}}, <No data fields>} isClosureCall = <optimized out> callCases = {<WTF::VectorBuffer<JSC::PolymorphicCallCase, 0ul>> = {<WTF::VectorBufferBase<JSC::PolymorphicCallCase>> = {m_buffer = 0x7f079c9fa200, m_capacity = 16, m_size = 2}, <No data fields>}, <No data fields>} maxPolymorphicCallVariantListSize = <optimized out> stubJit = {<JSC::AssemblyHelpers> = {<JSC::MacroAssembler> = {<JSC::MacroAssemblerX86_64> = {<JSC::MacroAssemblerX86Common> = {<JSC::AbstractMacroAssembler<JSC::X86Assembler, JSC::MacroAssemblerX86Common>> = {m_assembler = {m_formatter = {static maxInstructionSize = 16, static noBase = JSC::X86Registers::ebp, static hasSib = JSC::X86Registers::esp, static noIndex = JSC::X86Registers::esp, static noBase2 = JSC::X86Registers::r13, static hasSib2 = JSC::X86Registers::r12, m_buffer = {static initialCapacity = 128, m_storage = {m_buffer = 0x7f076b3c3280 "H\276`.=\v\030V", m_capacity = 128}, m_index = 106}}, m_indexOfLastWatchpoint = -2147483648, m_indexOfTailOfLastWatchpoint = -2147483648}, m_randomSource = {m_seed = 2351248783, m_low = 2644614111, m_high = 6674715607368803631}, m_tempRegistersValidBits = 0, m_allowScratchRegister = true, m_linkTasks = {<WTF::VectorBuffer<WTF::RefPtr<WTF::SharedTask<void(JSC::LinkBuffer&)> >, 0ul>> = {<WTF::VectorBufferBase<WTF::RefPtr<WTF::SharedTask<void(JSC::LinkBuffer&)> > >> = {m_buffer = 0x0, m_capacity = 0, m_size = 0}, <No data fields>}, <No data fields>}}, static s_scratchRegister = JSC::X86Registers::r11, static DoubleConditionBitInvert = 16, static DoubleConditionBitSpecial = 32, static DoubleConditionBits = 48, static stackPointerRegister = JSC::X86Registers::esp, static framePointerRegister = 
JSC::X86Registers::ebp, static s_sse4_1CheckState = JSC::MacroAssemblerX86Common::CPUIDCheckState::Set, static s_lzcntCheckState = JSC::MacroAssemblerX86Common::CPUIDCheckState::Set}, static ScalePtr = JSC::AbstractMacroAssembler<JSC::X86Assembler, JSC::MacroAssemblerX86Common>::TimesEight}, static twoToThe32 = 4294967296, static BlindingModulus = 64}, m_vm = 0x7f0807604b80, m_codeBlock = 0x7f0769495a80, m_baselineCodeBlock = 0x7f0769495a80, m_decodedCodeMaps = {m_impl = {static m_maxLoad = <optimized out>, static m_minLoad = <optimized out>, m_table = 0x0, m_tableSize = 0, m_tableSizeMask = 0, m_keyCount = 0, m_deletedCount = 0}}}, <No data fields>} slowPath = {m_jumps = {<WTF::VectorBuffer<JSC::AbstractMacroAssembler<JSC::X86Assembler, JSC::MacroAssemblerX86Common>::Jump, 2ul>> = {<WTF::VectorBufferBase<JSC::AbstractMacroAssembler<JSC::X86Assembler, JSC::MacroAssemblerX86Common>::Jump>> = {m_buffer = 0x7ffeab037030, m_capacity = 2, m_size = 0}, m_inlineBuffer = {{__data = "\350\215\024i", __align = {<No data fields>}}, {__data = "\a\177\000", __align = {<No data fields>}}}}, <No data fields>}} frameShuffler = std::unique_ptr<JSC::CallFrameShuffler> containing 0x0 comparisonValueGPR = <optimized out> caseValues = {<WTF::VectorBuffer<long, 0ul>> = {<WTF::VectorBufferBase<long>> = {m_buffer = 0x7f076bdf98b0, m_capacity = 2, m_size = 2}, <No data fields>}, <No data fields>} calls = <optimized out> fastCounts = std::unique_ptr<unsigned int> containing 0x0 fastCountsBaseGPR = <optimized out> binarySwitch = {m_value = JSC::X86Registers::eax, m_cases = {<WTF::VectorBuffer<JSC::BinarySwitch::Case, 0ul>> = {<WTF::VectorBufferBase<JSC::BinarySwitch::Case>> = {m_buffer = 0x7f079c9fae00, m_capacity = 16, m_size = 2}, <No data fields>}, <No data fields>}, m_weakRandom = {m_seed = 1646, m_low = 1646, m_high = 13807754112}, m_branches = {<WTF::VectorBuffer<JSC::BinarySwitch::BranchCode, 0ul>> = {<WTF::VectorBufferBase<JSC::BinarySwitch::BranchCode>> = {m_buffer = 0x7f076b3c3c00, 
m_capacity = 16, m_size = 5}, <No data fields>}, <No data fields>}, m_index = 5, m_caseIndex = 0, m_jumpStack = {<WTF::VectorBuffer<JSC::AbstractMacroAssembler<JSC::X86Assembler, JSC::MacroAssemblerX86Common>::Jump, 0ul>> = {<WTF::VectorBufferBase<JSC::AbstractMacroAssembler<JSC::X86Assembler, JSC::MacroAssemblerX86Common>::Jump>> = {m_buffer = 0x7f076a163dc0, m_capacity = 16, m_size = 0}, <No data fields>}, <No data fields>}, m_fallThrough = {m_jumps = {<WTF::VectorBuffer<JSC::AbstractMacroAssembler<JSC::X86Assembler, JSC::MacroAssemblerX86Common>::Jump, 2ul>> = {<WTF::VectorBufferBase<JSC::AbstractMacroAssembler<JSC::X86Assembler, JSC::MacroAssemblerX86Common>::Jump>> = {m_buffer = 0x7ffeab0370c8, m_capacity = 2, m_size = 0}, m_inlineBuffer = {{__data = "B\000\000", __align = {<No data fields>}}, {__data = "\000\000\000", __align = {<No data fields>}}}}, <No data fields>}}, m_type = JSC::BinarySwitch::IntPtr} done = {m_jumps = {<WTF::VectorBuffer<JSC::AbstractMacroAssembler<JSC::X86Assembler, JSC::MacroAssemblerX86Common>::Jump, 2ul>> = {<WTF::VectorBufferBase<JSC::AbstractMacroAssembler<JSC::X86Assembler, JSC::MacroAssemblerX86Common>::Jump>> = {m_buffer = 0x7ffeab037050, m_capacity = 2, m_size = 2}, m_inlineBuffer = {{__data = "/\000\000", __align = {<No data fields>}}, {__data = "O\000\000", __align = {<No data fields>}}}}, <No data fields>}} slow = <optimized out> patchBuffer = {m_executableMemory = {m_ptr = 0x7f076a935900}, m_size = 106, m_didAllocate = true, m_code = 0x7f07afeac000, m_vm = 0x7f0807604b80, m_alreadyDisassembled = false, m_linkTasks = {<WTF::VectorBuffer<WTF::RefPtr<WTF::SharedTask<void(JSC::LinkBuffer&)> >, 0ul>> = {<WTF::VectorBufferBase<WTF::RefPtr<WTF::SharedTask<void(JSC::LinkBuffer&)> > >> = {m_buffer = 0x0, m_capacity = 0, m_size = 0}, <No data fields>}, <No data fields>}} stubRoutine = <optimized out> #7 0x00007f08198786ed in JSC::operationLinkPolymorphicCall(JSC::ExecState*, JSC::CallLinkInfo*) (execCallee=0x7ffeab037610, 
callLinkInfo=0x7f078f3b7600) at /usr/src/debug/webkitgtk-2.12.0/Source/JavaScriptCore/jit/JITOperations.cpp:887
calleeAsFunctionCell = 0x7f076bc99c00
result = <optimized out>
#8 0x00007f07afd8a544 in ()
#9 0x00007ffeab0376f0 in ()
#10 0x00007f07afe1b59f in ()
#11 0x00007ffeab0376f0 in ()
#12 0x00007f076bc99c00 in ()
#13 0x00007f0700000004 in ()
#14 0x000000000000000a in ()
#15 0x00007f076b21d440 in ()
#16 0xffffffffffffffff in ()
Python Exception <class 'OverflowError'> int too big to convert:
#17 0x00007f0769a9d2b0 in ()
#18 0x00007f0769e5ae90 in ()
#19 0x0000000000000007 in ()
#20 0x00007f076bc99c00 in ()
#21 0x000000000000000a in ()
#22 0x00007f076022ab80 in ()
#23 0xffffffffffffffff in ()
Python Exception <class 'OverflowError'> int too big to convert:
#24 0x000000000000000a in ()
#25 0xffffffffffffffff in ()
Python Exception <class 'OverflowError'> int too big to convert:
#26 0xffffffffffffffff in ()
Python Exception <class 'OverflowError'> int too big to convert:
#27 0x000000000000000a in ()
#28 0x00007f0769a9d290 in ()
#29 0x00007f0769a9d2b0 in ()
#30 0x00007f076022ab80 in ()
#31 0x00007f0769e5ae90 in ()
#32 0x00007f080766b100 in ()
#33 0x00007f080766b100 in ()
#34 0x00007f076b40f408 in ()
#35 0xffffffffffffffff in ()
Python Exception <class 'OverflowError'> int too big to convert:
#36 0xffffffffffffffff in ()
Python Exception <class 'OverflowError'> int too big to convert:
#37 0x00007ffeab037780 in ()
#38 0x00007f08198ba177 in llint_entry () at /lib64/libjavascriptcoregtk-4.0.so.18
Jérémy Lal
Comment 1 2016-04-17 02:34:00 PDT
Hello, I noticed it doesn't crash the first time it is loaded with the inspector opened. It crashes here too, on http://gexpertise.fr/activites/metiers/stockage, and the stack trace is similar:

Program received signal SIGSEGV, Segmentation fault.
JSC::StackVisitor::readFrame (this=0x7ffdf68ef990, callFrame=0xffff000000000002) at /build/webkit2gtk-ea7lQt/webkit2gtk-2.12.1/Source/JavaScriptCore/interpreter/StackVisitor.cpp:100
100 /build/webkit2gtk-ea7lQt/webkit2gtk-2.12.1/Source/JavaScriptCore/interpreter/StackVisitor.cpp: No such file or directory.
(gdb) bt
#0 JSC::StackVisitor::readFrame (this=0x7ffdf68ef990, callFrame=0xffff000000000002) at /build/webkit2gtk-ea7lQt/webkit2gtk-2.12.1/Source/JavaScriptCore/interpreter/StackVisitor.cpp:100
#1 0x00007f0d72f5a0c6 in JSC::StackVisitor::visit<JSC::RecursionCheckFunctor> (functor=<synthetic pointer>, startFrame=<optimized out>) at /build/webkit2gtk-ea7lQt/webkit2gtk-2.12.1/Source/JavaScriptCore/interpreter/StackVisitor.h:128
#2 JSC::ExecState::iterate<JSC::RecursionCheckFunctor> (functor=<synthetic pointer>, this=<optimized out>) at /build/webkit2gtk-ea7lQt/webkit2gtk-2.12.1/Source/JavaScriptCore/interpreter/CallFrame.h:252
#3 JSC::CodeBlock::noticeIncomingCall (this=this@entry=0x7f0d02505200, callerFrame=0x7ffdf68efc00) at /build/webkit2gtk-ea7lQt/webkit2gtk-2.12.1/Source/JavaScriptCore/bytecode/CodeBlock.cpp:3472
#4 0x00007f0d72f5a1f1 in JSC::CodeBlock::linkIncomingCall (this=this@entry=0x7f0d02505200, callerFrame=<optimized out>, incoming=incoming@entry=0x7f0d0217a100) at /build/webkit2gtk-ea7lQt/webkit2gtk-2.12.1/Source/JavaScriptCore/bytecode/CodeBlock.cpp:3173
#5 0x00007f0d732e680e in JSC::linkFor (exec=exec@entry=0x7ffdf68efb40, callLinkInfo=..., calleeCodeBlock=calleeCodeBlock@entry=0x7f0d02505200, callee=callee@entry=0x7f0d02443d00, codePtr=..., codePtr@entry=...) at /build/webkit2gtk-ea7lQt/webkit2gtk-2.12.1/Source/JavaScriptCore/jit/Repatch.cpp:571
#6 0x00007f0d732cd998 in JSC::operationLinkCall (execCallee=0x7ffdf68efb40, callLinkInfo=0x7f0d0217a100) at /build/webkit2gtk-ea7lQt/webkit2gtk-2.12.1/Source/JavaScriptCore/jit/JITOperations.cpp:819
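Triage note on the two backtraces above (comment 0 and comment 1), added here as an example and not part of the bug report: the faulting values are callFrame=0xffff000000000002 in StackVisitor::readFrame and this=0xffff000000000012 in Register::codeBlock, which is 0x10 bytes further on, consistent with the CodeBlock slot sitting after the two-word caller-frame/return-PC header of a JSC call frame. Both values have their top 16 bits set. In JavaScriptCore's 64-bit JSValue encoding (documented in Source/JavaScriptCore/runtime/JSCJSValue.h) that tag marks a boxed int32, never a pointer, so the walker read the JS integer 2 where it expected a CallFrame*. That is a frame-layout confusion rather than a wild pointer, which fits the thread's later finding that a tail-call/shadow-stack change (r199076) made the crash disappear, though the thread itself never states this reading. The script below is my own helper, not WebKit code: it decodes the encoding and scans a gdb backtrace for pointer-typed arguments that are really tagged values. The argument-name list is an assumption; the sample lines are copied from the two traces in this bug.

```python
import re
import struct

# JavaScriptCore 64-bit JSValue encoding (NaN-boxing), per JSCJSValue.h.
# The top 16 bits select the kind of value:
#   0000:PPPP:PPPP:PPPP  cell pointer (or one of the small "other" constants)
#   0001..FFFE:*         double, stored as (IEEE-754 bits + 2^48)
#   FFFF:0000:IIII:IIII  int32 in the low 32 bits
NUMBER_TAG = 0xFFFF000000000000       # TagTypeNumber
DOUBLE_ENCODE_OFFSET = 1 << 48        # DoubleEncodeOffset
OTHER_CONSTANTS = {                   # values with a zero top half that are not cells
    0x00: "empty",                    # ValueEmpty: hole marker, never a live JS value
    0x02: "null",                     # ValueNull
    0x04: "deleted",                  # ValueDeleted
    0x06: "false",                    # ValueFalse
    0x07: "true",                     # ValueTrue
    0x0A: "undefined",                # ValueUndefined
}


def decode_jsvalue(bits):
    """Classify a 64-bit word as a JSValue. Returns (kind, payload)."""
    bits &= 0xFFFFFFFFFFFFFFFF
    top16 = bits >> 48
    if top16 == 0xFFFF:
        payload = bits & 0xFFFFFFFF
        if payload & 0x80000000:      # sign-extend the int32 payload
            payload -= 1 << 32
        return ("int32", payload)
    if 0x0001 <= top16 <= 0xFFFE:
        raw = bits - DOUBLE_ENCODE_OFFSET
        return ("double", struct.unpack("<d", struct.pack("<Q", raw))[0])
    if bits in OTHER_CONSTANTS:
        return ("other", OTHER_CONSTANTS[bits])
    return ("cell", bits)             # plain 48-bit pointer: heap cell or stack address


# Argument names that should always hold a real pointer in JSC frames (assumed list).
POINTER_ARG = re.compile(r"\b(this|callFrame|callerFrame|exec|execCallee)=0x([0-9a-fA-F]+)")


def suspicious_frame_pointers(backtrace):
    """Return [(name, value, kind, payload)] for every pointer-typed argument in a
    gdb backtrace whose value decodes as something other than a cell pointer.
    A CallFrame* lives on the machine stack or the LLInt stack, so a tagged value
    here means a JSValue slot was read where a frame pointer was expected."""
    findings = []
    for name, hexval in POINTER_ARG.findall(backtrace):
        value = int(hexval, 16)
        kind, payload = decode_jsvalue(value)
        if kind != "cell":
            findings.append((name, value, kind, payload))
    return findings


# Frame lines copied from the two backtraces in this bug (comment 0 and comment 1),
# trimmed to the argument lists that matter for the check.
SAMPLE_BACKTRACE = """
#0 JSC::Register::codeBlock (this=0xffff000000000012) at Register.h:157
#2 JSC::StackVisitor::readFrame(JSC::ExecState*) (this=0x7ffeab036c60, callFrame=0xffff000000000002) at StackVisitor.cpp:100
#3 JSC::CodeBlock::noticeIncomingCall(JSC::ExecState*) (this=0x7f07694c7840, callerFrame=0x7ffeab0376f0) at StackVisitor.h:128
#0 JSC::StackVisitor::readFrame (this=0x7ffdf68ef990, callFrame=0xffff000000000002) at StackVisitor.cpp:100
"""

if __name__ == "__main__":
    for name, value, kind, payload in suspicious_frame_pointers(SAMPLE_BACKTRACE):
        print(f"{name}=0x{value:016x} is not a pointer: {kind} {payload!r}")
```

Run against the sample, the helper flags this=0xffff000000000012 as int32 18 and both callFrame=0xffff000000000002 arguments as int32 2, while the genuine stack and heap addresses (0x7ffe..., 0x7f07...) pass as cells. The same decoder also explains the bare 0x000000000000000a words that appear in the unnamed JIT frames of the first trace: they are ValueUndefined, i.e. the unwinder walking through JSValue-bearing stack slots rather than frames.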
Jérémy Lal
Comment 2 2016-04-17 12:01:37 PDT
Somewhat expectedly, the crash does not happen when building with
EXTRA_CMAKE_ARGUMENTS += -DENABLE_JIT=OFF
CPPFLAGS += -DENABLE_ASSEMBLER=0
Michael Catanzaro
Comment 3 2016-04-28 05:53:19 PDT
*** Bug 157126 has been marked as a duplicate of this bug. ***
Carlos Alberto Lopez Perez
Comment 4 2016-04-28 07:43:41 PDT
I have bisected this. This regression was introduced in the 2.12 branch by r197760:

r197760 <http://trac.webkit.org/r197760>: Merge r197520 - DFG should be able to compile StringReplace
https://bugs.webkit.org/show_bug.cgi?id=154979
Carlos Alberto Lopez Perez
Comment 5 2016-04-28 07:54:03 PDT
And this only crashes when building with GCC. With Clang it doesn't crash. On the very same revision (r197760):
- A clean build with GCC-4.9: crash when loading either of these two pages.
- A clean build with clang-3.6: OK, there is no crash, both pages load fine.
Carlos Alberto Lopez Perez
Comment 6 2016-04-28 08:22:49 PDT
I have just built r197520 and it also crashes, so it is not something specific to the 2.12.x branch. It can be reproduced on trunk@r197520.

Current master doesn't crash. I will try to bisect which revision "fixed" it on trunk.
Carlos Alberto Lopez Perez
Comment 7 2016-04-28 10:27:45 PDT
(In reply to comment #6)
> I have just built r197520 and it also crashes, so it is not something specific to the 2.12.x branch. It can be reproduced on trunk@r197520.
>
> Current master doesn't crash. I will try to bisect which revision "fixed" it on trunk.

Bisect done. This is the revision that fixed it on trunk:

r199076 <http://trac.webkit.org/r199076> -- JSC should use a shadow stack version of CHICKEN so that debuggers have the option of retrieving tail-deleted frames
https://bugs.webkit.org/show_bug.cgi?id=155598

It is quite a large changeset; not sure if we could backport this to the 2.12.x branch.
Carlos Alberto Lopez Perez
Comment 8 2016-04-29 04:15:51 PDT
Building in Debug mode with GCC doesn't make the crash go away. So it doesn't look like this is caused by an optimization level that we could manually disable for the affected files when building with GCC.

My suggestion is to revert r197520 in the 2.12.x branch.
Carlos Garcia Campos
Comment 9 2016-05-13 02:53:33 PDT
(In reply to comment #8)
> Building in Debug mode with GCC doesn't make the crash go away. So it doesn't look like this is caused by an optimization level that we could manually disable for the affected files when building with GCC.
>
> My suggestion is to revert r197520 in the 2.12.x branch.

Thanks for all the bisects. r197520 was reverted in r200825.