WebKit Bugzilla
Bug 170377: Got a crash on AreWeFastYet.com on Safari Technology Preview 26
Status: RESOLVED CONFIGURATION CHANGED
https://bugs.webkit.org/show_bug.cgi?id=170377
Saam Barati
Reported
2017-03-31 18:37:34 PDT
The crash happened while I was mucking with the ranges on various graphs.

Stacktrace:
--------------------------------------------------
Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000008
Exception Note:        EXC_CORPSE_NOTIFY
Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   exc handler [0]

VM Regions Near 0x8:
--> __TEXT 0000000109126000-0000000109128000 [ 8K] r-x/rwx SM=COW /Applications/Safari Technology Preview.app/Contents/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

Application Specific Information:
Bundle controller class: BrowserBundleController

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      0x000000010bc92334 JSC::JSCell::toPrimitive(JSC::ExecState*, JSC::PreferredPrimitiveType) const + 4
1   com.apple.JavaScriptCore      0x000000010c4806c9 JSC::JSValue::toStringSlowCase(JSC::ExecState*, bool) const + 729
2   com.apple.JavaScriptCore      0x000000010bd052c6 operationGetByVal + 2934
3   ???                           0x00002f993b1b6de4 0 + 52335168155108
4   com.apple.JavaScriptCore      0x000000010c57f87b llint_entry + 26701
5   com.apple.JavaScriptCore      0x000000010c57f809 llint_entry + 26587
6   ???                           0x00002f993b06b370 0 + 52335166796656
7   com.apple.JavaScriptCore      0x000000010c57f87b llint_entry + 26701
8   ???                           0x00002f993b014310 0 + 52335166440208
9   ???                           0x00002f993b0fd1a7 0 + 52335167394215
10  ???                           0x00002f993b18cbdc 0 + 52335167982556
11  com.apple.JavaScriptCore      0x000000010c57f87b llint_entry + 26701
12  ???                           0x00002f993b1aba5c 0 + 52335168109148
13  com.apple.JavaScriptCore      0x000000010c578e4b vmEntryToJavaScript + 299
14  com.apple.JavaScriptCore      0x000000010c432abf JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 127
15  com.apple.JavaScriptCore      0x000000010bc4f936 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 470
16  com.apple.JavaScriptCore      0x000000010c065cd5 JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 197
17  com.apple.WebCore             0x0000000109d00b48 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 1192
18  com.apple.WebCore             0x000000010a177a34 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>, 1ul, WTF::CrashOnOverflow, 16ul>) + 436
19  com.apple.WebCore             0x000000010a17769c WebCore::EventTarget::fireEventListeners(WebCore::Event&) + 412
20  com.apple.WebCore             0x000000010a1774e5 WebCore::EventTarget::dispatchEvent(WebCore::Event&) + 101
21  com.apple.WebCore             0x0000000109cffa05 WebCore::XMLHttpRequest::callReadyStateChangeListener() + 149
22  com.apple.WebCore             0x000000010aec8442 WebCore::XMLHttpRequest::didFinishLoading(unsigned long) + 562
23  com.apple.WebCore             0x0000000109cc53ad WebCore::CachedResource::checkNotify() + 157
24  com.apple.WebCore             0x0000000109f2553c WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) + 204
25  com.apple.WebCore             0x000000010ac90e9a WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) + 1162
26  com.apple.WebKit              0x00000001093dd103 WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) + 205
27  com.apple.WebKit              0x00000001093ddd55 void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) + 146
28  com.apple.WebKit              0x00000001091d1b75 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) + 119
29  com.apple.WebKit              0x00000001091d47ff IPC::Connection::dispatchOneMessage() + 175
30  com.apple.JavaScriptCore      0x000000010c882769 WTF::RunLoop::performWork() + 169
31  com.apple.JavaScriptCore      0x000000010c883882 WTF::RunLoop::performWork(void*) + 34
32  com.apple.CoreFoundation      0x00007fffc4e6a3b1 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
33  com.apple.CoreFoundation      0x00007fffc4e4b63c __CFRunLoopDoSources0 + 556
34  com.apple.CoreFoundation      0x00007fffc4e4ab26 __CFRunLoopRun + 934
35  com.apple.CoreFoundation      0x00007fffc4e4a524 CFRunLoopRunSpecific + 420
36  com.apple.HIToolbox           0x00007fffc43aaebc RunCurrentEventLoopInMode + 240
37  com.apple.HIToolbox           0x00007fffc43aacf1 ReceiveNextEventCommon + 432
38  com.apple.HIToolbox           0x00007fffc43aab26 _BlockUntilNextEventMatchingListInModeWithFilter + 71
39  com.apple.AppKit              0x00007fffc2945e24 _DPSNextEvent + 1120
40  com.apple.AppKit              0x00007fffc30c185e -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 2796
41  com.apple.AppKit              0x00007fffc293a7ab -[NSApplication run] + 926
42  com.apple.AppKit              0x00007fffc29051de NSApplicationMain + 1237
43  libxpc.dylib                  0x00007fffdac628c7 _xpc_objc_main + 775
44  libxpc.dylib                  0x00007fffdac612e4 xpc_main + 494
45  com.apple.WebKit.WebContent   0x00000001091276bb 0x109126000 + 5819
46  libdyld.dylib                 0x00007fffdaa09235 start + 1

Thread 0 crashed with X86 Thread State (64-bit):
  rax: 0x000000010c48066f  rbx: 0xffff000000000002  rcx: 0x000000010c480874  rdx: 0x0000000000000002
  rdi: 0x0000000000000003  rsi: 0x00007fff56ad7560  rbp: 0x00007fff56ad72e0  rsp: 0x00007fff56ad72e0
   r8: 0x0000000000000001   r9: 0xffff000000000002  r10: 0x0000000110fef0e0  r11: 0x000000010bd04750
  r12: 0x0000000000000001  r13: 0x00007fff56ad7560  r14: 0x0000000115400000  r15: 0x0000000115400000
  rip: 0x000000010bc92334  rfl: 0x0000000000010202  cr2: 0x0000000000000008
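A small triage helper for crash reports of the shape shown in the description, added here as an example (it is not part of the bug, of WebKit, or of the reporter's tooling). The report excerpt it runs on is constructed from the exception header and top frames quoted above; the null-page threshold is an assumption.

```python
"""Pull the crashed thread out of an Apple-style crash report and classify the fault."""
import re

# Constructed excerpt: exception header and the first frames of Thread 0 from the report above,
# plus one idle thread so the parser has to stop at the right place.
SAMPLE_REPORT = """\
Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000008
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore  0x000000010bc92334 JSC::JSCell::toPrimitive(JSC::ExecState*, JSC::PreferredPrimitiveType) const + 4
1   com.apple.JavaScriptCore  0x000000010c4806c9 JSC::JSValue::toStringSlowCase(JSC::ExecState*, bool) const + 729
2   com.apple.JavaScriptCore  0x000000010bd052c6 operationGetByVal + 2934
3   ???                       0x00002f993b1b6de4 0 + 52335168155108
4   com.apple.JavaScriptCore  0x000000010c57f87b llint_entry + 26701
Thread 1:
0   libsystem_kernel.dylib    0x00007fffdab3844e __workq_kernreturn + 10
"""

# frame index, image name, address, symbol, optional "+ offset"
FRAME_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(0x[0-9a-f]+)\s+(.*?)(?:\s\+\s\d+)?$")

def parse_crash(report):
    """Return exception type, faulting address, and (image, symbol) frames of the crashed thread."""
    exc_type = fault_addr = None
    frames, in_crashed = [], False
    for line in report.splitlines():
        if line.startswith("Exception Type:"):
            exc_type = line.split(":", 1)[1].strip()
        elif line.startswith("Exception Codes:"):
            m = re.search(r"at (0x[0-9a-fA-F]+)", line)
            fault_addr = int(m.group(1), 16) if m else None
        elif line.startswith("Thread ") and "Crashed" in line:
            in_crashed = True
        elif line.startswith("Thread "):
            in_crashed = False  # the next thread header ends the crashed thread's trace
        elif in_crashed:
            m = FRAME_RE.match(line)
            if m:
                # "???" frames are JIT-generated code with no symbol; keep them so the
                # boundary between runtime and JIT code stays visible in the output.
                frames.append((m.group(2), m.group(4)))
    return {"exception": exc_type, "fault_addr": fault_addr, "frames": frames}

def classify(parsed, null_page=0x1000):
    """A fault inside the null page (assumed to be the first 4 KiB) is a field load through a
    null or otherwise invalid pointer, here at offset 8; JIT frames below the faulting runtime
    call are the first thing to bisect, as the reporter does with the JSC tier options."""
    addr = parsed["fault_addr"]
    kind = "near-null access" if addr is not None and addr < null_page else "other"
    jit_involved = any(image == "???" for image, _ in parsed["frames"])
    top = parsed["frames"][0][1] if parsed["frames"] else None
    return {"kind": kind, "jit_involved": jit_involved, "top_symbol": top}
```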
Attachments
DFG IR dump (289.67 KB, text/plain), 2017-03-31 18:58 PDT, Saam Barati, no flags
DFG IR Dump with graph after parsing (570.91 KB, text/plain), 2017-03-31 19:03 PDT, Saam Barati, no flags
Saam Barati
Comment 1
2017-03-31 18:38:31 PDT
I'm able to reproduce this pretty frequently just by dragging to select a range, then double clicking to deselect it, and repeat.
Radar WebKit Bug Importer
Comment 2
2017-03-31 18:39:03 PDT
<rdar://problem/31384837>
Saam Barati
Comment 3
2017-03-31 18:39:39 PDT
I can repro this on demand. It always crashes on SIGSEGV 0x8
Saam Barati
Comment 4
2017-03-31 18:53:31 PDT
It doesn't crash with useDFGJIT=0. It does crash with: useConcurrentJIT=0 useFTLJIT=0
Saam Barati
Comment 5
2017-03-31 18:58:50 PDT
Created attachment 306039 [details]
DFG IR dump

We crash in this function, at 0x3cff797445be
Saam Barati
Comment 6
2017-03-31 19:03:31 PDT
Created attachment 306040 [details]
DFG IR Dump with graph after parsing
Saam Barati
Comment 7
2017-03-31 19:13:42 PDT
Weird, it looks like the base of the getbyval is a NewObject in the root block. I wonder if that's what we're crashing on
Saam Barati
Comment 8
2017-03-31 19:14:29 PDT
(In reply to Saam Barati from comment #7)
> Weird, it looks like the base of the getbyval is a NewObject in the root
> block. I wonder if that's what we're crashing on
I'm now looking through to what we do to this object.
Saam Barati
Comment 9
2017-03-31 19:17:13 PDT
The JS function:

function mergeJSON(blobs) {
    var lines = { };
    var timelist = [];

    // We're guaranteed the blobs are in sorted order, which makes this simpler.
    for (var i = 0; i < blobs.length; i++) {
        var blob = blobs[i];

        // Should we handle version changes better?
        if (blob.version != AWFYMaster.version) {
            window.location.reload();
            return;
        }

        for (var j = 0; j < blob.graph.lines.length; j++) {
            var blobline = blob.graph.lines[j];
            var line = lines[blobline.modeid];
            if (!line) {
                var points = [];
                var info = [];
                // We have to pre-fill the array with slots for each blob
                // we may have missed.
                for (var k = 0; k < timelist.length; k++) {
                    points.push(null);
                    info.push(null);
                }
                line = { points: points, info: info };
                lines[blobline.modeid] = line;
            }

            var points = line.points;
            var info = line.info;
            for (var k = 0; k < blobline.data.length; k++) {
                var point = blobline.data[k];
                var score = point && point[0] ? point[0] : null;
                points.push([timelist.length + k, score]);
                info.push(point);
            }
        }

        for (var j = 0; j < blob.graph.timelist.length; j++)
            timelist.push(blob.graph.timelist[j]);

        // If we missed updating any line, pre-fill it with null points.
        for (var modeid in lines) {
            var line = lines[modeid];
            if (line.points.length == timelist.length)
                continue;
            for (var j = line.points.length; j < timelist.length; j++) {
                line.points.push(null);
                line.info.push(null);
            }
        }
    }

    var actual = [];
    var info = [];
    for (var modename in lines) {
        if (!(modename in AWFYMaster.modes))
            continue;
        var line = {
            data: lines[modename].points,
            color: AWFYMaster.modes[modename].color
        };
        actual.push(line);
        info.push({ 'modeid': parseInt(modename), 'data': lines[modename].info });
    }

    var graph = {
        lines: actual,
        aggregate: false,
        timelist: timelist,
        info: info
    };
    return graph;
}
Saam Barati
Comment 10
2017-05-18 16:55:38 PDT
I can't reproduce this anymore.