Bug 177368 - Usage of ErrorInstance::m_stackTrace on the mutator is racy with the collector
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=177368
Saam Barati
Reported
2017-09-22 10:46:06 PDT
nullptr dereference. Looks like the StackFrame itself is nullptr? There is a chance this is related to my local development, but I don't think so. I saw this on a test that I can't publish to the open source repo.

```
Crashed Thread:        10  WTF::AutomaticThread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   exc handler [0]

VM Regions Near 0:
--> __TEXT  0000000100924000-0000000100958000 [ 208K] r-x/rwx SM=COW K [/Volumes/Data/WK/b/OpenSource/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/Resources/jsc]

Thread 0:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore  0x0000000100df26b0 JSC::CodeBlock::updateAllPredictionsAndCountLiveness(unsigned int&, unsigned int&) + 224 (CodeBlock.cpp:2533)
1   com.apple.JavaScriptCore  0x0000000100df2a60 JSC::CodeBlock::shouldOptimizeNow() + 176 (CodeBlock.cpp:2594)
2   com.apple.JavaScriptCore  0x00000001012aa4d6 operationOptimize + 838 (JITOperations.cpp:1451)
3   ???                       0x0000462f1c4061e7 0 + 77168151388647
4   ???                       0x0000462f1c40a91d 0 + 77168151406877
5   ???                       0x0000462f1c40b605 0 + 77168151410181
6   ???                       0x0000462f1c40f1f7 0 + 77168151425527
7   ???                       0x0000462f1c4ced11 0 + 77168152210705
8   com.apple.JavaScriptCore  0x00000001009bc3e4 vmEntryToJavaScript + 304 (LowLevelInterpreter64.asm:258)
9   com.apple.JavaScriptCore  0x0000000101295a4f JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 127 (JITCode.cpp:82)
10  com.apple.JavaScriptCore  0x00000001012569ce JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*) + 16894 (Interpreter.cpp:924)
11  com.apple.JavaScriptCore  0x000000010145ea5f JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 287 (Completion.cpp:103)
12  jsc                       0x000000010092796b jscmain(int, char**) + 3883 (jsc.cpp:3482)
13  jsc                       0x0000000100926a2b main + 27 (jsc.cpp:3314)
14  libdyld.dylib             0x00007fff5fcc7145 start + 1

Thread 1:
0   libsystem_kernel.dylib    0x00007fff5fe16e7e __psynch_cvwait + 10
1   libsystem_pthread.dylib   0x00007fff5ff52662 _pthread_cond_wait + 732
2   libc++.1.dylib            0x00007fff5dd06d43 std::__1::condition_variable::__do_timed_wait(std::__1::unique_lock<std::__1::mutex>&, std::__1::chrono::time_point<std::__1::chrono::system_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >) + 93
3   com.apple.JavaScriptCore  0x00000001014ff425 std::__1::cv_status std::__1::condition_variable::wait_until<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >(std::__1::unique_lock<std::__1::mutex>&, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > > const&) + 117 (__mutex_base:419)
4   com.apple.JavaScriptCore  0x00000001014ff310 std::__1::cv_status std::__1::condition_variable_any::wait_until<std::__1::unique_lock<bmalloc::Mutex>, std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >(std::__1::unique_lock<bmalloc::Mutex>&, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > > const&) + 96 (condition_variable:224)
5   com.apple.JavaScriptCore  0x00000001014ff1a9 bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>::threadRunLoop() + 233 (condition_variable:235)
6   com.apple.JavaScriptCore  0x00000001014ff478 void* std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, void (*)(bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>*), bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>*> >(void*) + 40 (memory:2602)
7   libsystem_pthread.dylib   0x00007fff5ff516c1 _pthread_body + 340
8   libsystem_pthread.dylib   0x00007fff5ff5156d _pthread_start + 377
9   libsystem_pthread.dylib   0x00007fff5ff50c5d thread_start + 13

Thread 2:
0   libsystem_kernel.dylib    0x00007fff5fe176da __workq_kernreturn + 10
1   libsystem_pthread.dylib   0x00007fff5ff5106a _pthread_wqthread + 1035
2   libsystem_pthread.dylib   0x00007fff5ff50c4d start_wqthread + 13

Thread 3:
0   libsystem_kernel.dylib    0x00007fff5fe16e7e __psynch_cvwait + 10
1   libsystem_pthread.dylib   0x00007fff5ff52662 _pthread_cond_wait + 732
2   libc++.1.dylib            0x00007fff5dd06d43 std::__1::condition_variable::__do_timed_wait(std::__1::unique_lock<std::__1::mutex>&, std::__1::chrono::time_point<std::__1::chrono::system_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >) + 93
3   com.apple.JavaScriptCore  0x00000001014ff425 std::__1::cv_status std::__1::condition_variable::wait_until<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >(std::__1::unique_lock<std::__1::mutex>&, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > > const&) + 117 (__mutex_base:419)
4   com.apple.JavaScriptCore  0x00000001014ff310 std::__1::cv_status std::__1::condition_variable_any::wait_until<std::__1::unique_lock<bmalloc::Mutex>, std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >(std::__1::unique_lock<bmalloc::Mutex>&, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > > const&) + 96 (condition_variable:224)
5   com.apple.JavaScriptCore  0x00000001014ff1a9 bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>::threadRunLoop() + 233 (condition_variable:235)
6   com.apple.JavaScriptCore  0x00000001014ff478 void* std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, void (*)(bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>*), bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>*> >(void*) + 40 (memory:2602)
7   libsystem_pthread.dylib   0x00007fff5ff516c1 _pthread_body + 340
8   libsystem_pthread.dylib   0x00007fff5ff5156d _pthread_start + 377
9   libsystem_pthread.dylib   0x00007fff5ff50c5d thread_start + 13

Thread 4:
0   libsystem_kernel.dylib    0x00007fff5fe16e7e __psynch_cvwait + 10
1   libsystem_pthread.dylib   0x00007fff5ff52662 _pthread_cond_wait + 732
2   libc++.1.dylib            0x00007fff5dd06d43 std::__1::condition_variable::__do_timed_wait(std::__1::unique_lock<std::__1::mutex>&, std::__1::chrono::time_point<std::__1::chrono::system_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >) + 93
3   com.apple.JavaScriptCore  0x00000001014ff425 std::__1::cv_status std::__1::condition_variable::wait_until<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >(std::__1::unique_lock<std::__1::mutex>&, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > > const&) + 117 (__mutex_base:419)
4   com.apple.JavaScriptCore  0x00000001014ff310 std::__1::cv_status std::__1::condition_variable_any::wait_until<std::__1::unique_lock<bmalloc::Mutex>, std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >(std::__1::unique_lock<bmalloc::Mutex>&, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > > const&) + 96 (condition_variable:224)
5   com.apple.JavaScriptCore  0x00000001014ff1a9 bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>::threadRunLoop() + 233 (condition_variable:235)
6   com.apple.JavaScriptCore  0x00000001014ff478 void* std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, void (*)(bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>*), bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>*> >(void*) + 40 (memory:2602)
7   libsystem_pthread.dylib   0x00007fff5ff516c1 _pthread_body + 340
8   libsystem_pthread.dylib   0x00007fff5ff5156d _pthread_start + 377
9   libsystem_pthread.dylib   0x00007fff5ff50c5d thread_start + 13

Thread 5:
0   libsystem_kernel.dylib    0x00007fff5fe176da __workq_kernreturn + 10
1   libsystem_pthread.dylib   0x00007fff5ff5126f _pthread_wqthread + 1552
2   libsystem_pthread.dylib   0x00007fff5ff50c4d start_wqthread + 13

Thread 6:
0   libsystem_kernel.dylib    0x00007fff5fe16e7e __psynch_cvwait + 10
1   libsystem_pthread.dylib   0x00007fff5ff52662 _pthread_cond_wait + 732
2   libc++.1.dylib            0x00007fff5dd06d43 std::__1::condition_variable::__do_timed_wait(std::__1::unique_lock<std::__1::mutex>&, std::__1::chrono::time_point<std::__1::chrono::system_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >) + 93
3   com.apple.JavaScriptCore  0x00000001014ff425 std::__1::cv_status std::__1::condition_variable::wait_until<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >(std::__1::unique_lock<std::__1::mutex>&, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > > const&) + 117 (__mutex_base:419)
4   com.apple.JavaScriptCore  0x00000001014ff310 std::__1::cv_status std::__1::condition_variable_any::wait_until<std::__1::unique_lock<bmalloc::Mutex>, std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >(std::__1::unique_lock<bmalloc::Mutex>&, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > > const&) + 96 (condition_variable:224)
5   com.apple.JavaScriptCore  0x00000001014ff1a9 bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>::threadRunLoop() + 233 (condition_variable:235)
6   com.apple.JavaScriptCore  0x00000001014ff478 void* std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, void (*)(bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>*), bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>*> >(void*) + 40 (memory:2602)
7   libsystem_pthread.dylib   0x00007fff5ff516c1 _pthread_body + 340
8   libsystem_pthread.dylib   0x00007fff5ff5156d _pthread_start + 377
9   libsystem_pthread.dylib   0x00007fff5ff50c5d thread_start + 13

Thread 7:: JSC DEBUG Continuous GC
0   libsystem_kernel.dylib    0x00007fff5fe16e7e __psynch_cvwait + 10
1   libsystem_pthread.dylib   0x00007fff5ff52662 _pthread_cond_wait + 732
2   com.apple.JavaScriptCore  0x00000001014ef75a WTF::ThreadCondition::timedWait(WTF::Mutex&, double) + 122 (ThreadingPthreads.cpp:582)
3   com.apple.JavaScriptCore  0x00000001014d5588 WTF::ParkingLot::parkConditionallyImpl(void const*, WTF::ScopedLambda<bool ()> const&, WTF::ScopedLambda<void ()> const&, WTF::TimeWithDynamicClockType const&) + 2616 (ParkingLot.cpp:604)
4   com.apple.JavaScriptCore  0x0000000100c6b4ea bool WTF::ConditionBase::waitUntil<WTF::Lock>(WTF::Lock&, WTF::TimeWithDynamicClockType const&) + 154 (ParkingLot.h:81)
5   com.apple.JavaScriptCore  0x00000001011f988f WTF::Function<void ()>::CallableWrapper<JSC::Heap::notifyIsSafeToCollect()::$_34>::call() + 463 (TimeWithDynamicClockType.h:48)
6   com.apple.JavaScriptCore  0x00000001014ed5e4 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) + 228 (memory:2602)
7   com.apple.JavaScriptCore  0x00000001014eefc9 WTF::wtfThreadEntryPoint(void*) + 9 (ThreadingPthreads.cpp:224)
8   libsystem_pthread.dylib   0x00007fff5ff516c1 _pthread_body + 340
9   libsystem_pthread.dylib   0x00007fff5ff5156d _pthread_start + 377
10  libsystem_pthread.dylib   0x00007fff5ff50c5d thread_start + 13

Thread 8:: WTF::AutomaticThread
0   libsystem_kernel.dylib    0x00007fff5fe16e7e __psynch_cvwait + 10
1   libsystem_pthread.dylib   0x00007fff5ff52662 _pthread_cond_wait + 732
2   com.apple.JavaScriptCore  0x00000001014ef75a WTF::ThreadCondition::timedWait(WTF::Mutex&, double) + 122 (ThreadingPthreads.cpp:582)
3   com.apple.JavaScriptCore  0x00000001014d5588 WTF::ParkingLot::parkConditionallyImpl(void const*, WTF::ScopedLambda<bool ()> const&, WTF::ScopedLambda<void ()> const&, WTF::TimeWithDynamicClockType const&) + 2616 (ParkingLot.cpp:604)
4   com.apple.JavaScriptCore  0x0000000100c6b4ea bool WTF::ConditionBase::waitUntil<WTF::Lock>(WTF::Lock&, WTF::TimeWithDynamicClockType const&) + 154 (ParkingLot.h:81)
5   com.apple.JavaScriptCore  0x00000001014b5645 WTF::Function<void ()>::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0>::call() + 165 (AutomaticThread.cpp:210)
6   com.apple.JavaScriptCore  0x00000001014ed5e4 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) + 228 (memory:2602)
7   com.apple.JavaScriptCore  0x00000001014eefc9 WTF::wtfThreadEntryPoint(void*) + 9 (ThreadingPthreads.cpp:224)
8   libsystem_pthread.dylib   0x00007fff5ff516c1 _pthread_body + 340
9   libsystem_pthread.dylib   0x00007fff5ff5156d _pthread_start + 377
10  libsystem_pthread.dylib   0x00007fff5ff50c5d thread_start + 13

Thread 9:: WTF::AutomaticThread
0   libsystem_kernel.dylib    0x00007fff5fe0df72 swtch_pri + 10
1   libsystem_pthread.dylib   0x00007fff5ff52307 sched_yield + 11
2   com.apple.JavaScriptCore  0x00000001014cc52f WTF::LockAlgorithm<unsigned char, (unsigned char)1, (unsigned char)2>::lockSlow(WTF::Atomic<unsigned char>&) + 207
3   com.apple.JavaScriptCore  0x0000000100debc99 JSC::CodeBlock::visitWeakly(JSC::SlotVisitor&) + 121 (CodeBlock.cpp:967)
4   com.apple.JavaScriptCore  0x000000010120fd90 JSC::SlotVisitor::drain(WTF::MonotonicTime)::$_40::operator()(JSC::MarkStackArray&) const + 368 (SlotVisitor.cpp:389)
5   com.apple.JavaScriptCore  0x0000000101209705 JSC::SlotVisitor::drain(WTF::MonotonicTime) + 165 (SlotVisitorInlines.h:173)
6   com.apple.JavaScriptCore  0x0000000101209e1d JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode, WTF::MonotonicTime) + 637
7   com.apple.JavaScriptCore  0x00000001011f6581 WTF::SharedTaskFunctor<void (), JSC::Heap::runBeginPhase(JSC::GCConductor)::$_11>::run() + 577 (SlotVisitor.h:258)
8   com.apple.JavaScriptCore  0x00000001014d3e4c WTF::ParallelHelperClient::runTask(WTF::RefPtr<WTF::SharedTask<void ()> >) + 44 (RefPtr.h:79)
9   com.apple.JavaScriptCore  0x00000001014d4964 WTF::ParallelHelperPool::Thread::work() + 52 (utility:890)
10  com.apple.JavaScriptCore  0x00000001014b56c8 WTF::Function<void ()>::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0>::call() + 296 (AutomaticThread.cpp:223)
11  com.apple.JavaScriptCore  0x00000001014ed5e4 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) + 228 (memory:2602)
12  com.apple.JavaScriptCore  0x00000001014eefc9 WTF::wtfThreadEntryPoint(void*) + 9 (ThreadingPthreads.cpp:224)
13  libsystem_pthread.dylib   0x00007fff5ff516c1 _pthread_body + 340
14  libsystem_pthread.dylib   0x00007fff5ff5156d _pthread_start + 377
15  libsystem_pthread.dylib   0x00007fff5ff50c5d thread_start + 13

Thread 10 Crashed:: WTF::AutomaticThread
0   com.apple.JavaScriptCore  0x0000000100b9be11 JSC::StackFrame::visitChildren(JSC::SlotVisitor&) + 17 (WriteBarrier.h:113)
1   com.apple.JavaScriptCore  0x000000010149959b JSC::ErrorInstance::visitChildren(JSC::JSCell*, JSC::SlotVisitor&) + 59 (ErrorInstance.cpp:226)
2   com.apple.JavaScriptCore  0x000000010120fd90 JSC::SlotVisitor::drain(WTF::MonotonicTime)::$_40::operator()(JSC::MarkStackArray&) const + 368 (SlotVisitor.cpp:389)
3   com.apple.JavaScriptCore  0x0000000101209705 JSC::SlotVisitor::drain(WTF::MonotonicTime) + 165 (SlotVisitorInlines.h:173)
4   com.apple.JavaScriptCore  0x0000000101209e1d JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode, WTF::MonotonicTime) + 637
5   com.apple.JavaScriptCore  0x00000001011f6581 WTF::SharedTaskFunctor<void (), JSC::Heap::runBeginPhase(JSC::GCConductor)::$_11>::run() + 577 (SlotVisitor.h:258)
6   com.apple.JavaScriptCore  0x00000001014d3e4c WTF::ParallelHelperClient::runTask(WTF::RefPtr<WTF::SharedTask<void ()> >) + 44 (RefPtr.h:79)
7   com.apple.JavaScriptCore  0x00000001014d4964 WTF::ParallelHelperPool::Thread::work() + 52 (utility:890)
8   com.apple.JavaScriptCore  0x00000001014b56c8 WTF::Function<void ()>::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0>::call() + 296 (AutomaticThread.cpp:223)
9   com.apple.JavaScriptCore  0x00000001014ed5e4 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) + 228 (memory:2602)
10  com.apple.JavaScriptCore  0x00000001014eefc9 WTF::wtfThreadEntryPoint(void*) + 9 (ThreadingPthreads.cpp:224)
11  libsystem_pthread.dylib   0x00007fff5ff516c1 _pthread_body + 340
12  libsystem_pthread.dylib   0x00007fff5ff5156d _pthread_start + 377
13  libsystem_pthread.dylib   0x00007fff5ff50c5d thread_start + 13

Thread 11:: WTF::AutomaticThread
0   libsystem_kernel.dylib    0x00007fff5fe0df72 swtch_pri + 10
1   libsystem_pthread.dylib   0x00007fff5ff52307 sched_yield + 11
2   com.apple.JavaScriptCore  0x00000001014cc52f WTF::LockAlgorithm<unsigned char, (unsigned char)1, (unsigned char)2>::lockSlow(WTF::Atomic<unsigned char>&) + 207
3   com.apple.JavaScriptCore  0x0000000100c6b511 bool WTF::ConditionBase::waitUntil<WTF::Lock>(WTF::Lock&, WTF::TimeWithDynamicClockType const&) + 193 (Lock.h:63)
4   com.apple.JavaScriptCore  0x0000000101209d38 JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode, WTF::MonotonicTime) + 408 (Condition.h:103)
5   com.apple.JavaScriptCore  0x00000001011f6581 WTF::SharedTaskFunctor<void (), JSC::Heap::runBeginPhase(JSC::GCConductor)::$_11>::run() + 577 (SlotVisitor.h:258)
6   com.apple.JavaScriptCore  0x00000001014d3e4c WTF::ParallelHelperClient::runTask(WTF::RefPtr<WTF::SharedTask<void ()> >) + 44 (RefPtr.h:79)
7   com.apple.JavaScriptCore  0x00000001014d4964 WTF::ParallelHelperPool::Thread::work() + 52 (utility:890)
8   com.apple.JavaScriptCore  0x00000001014b56c8 WTF::Function<void ()>::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0>::call() + 296 (AutomaticThread.cpp:223)
9   com.apple.JavaScriptCore  0x00000001014ed5e4 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) + 228 (memory:2602)
10  com.apple.JavaScriptCore  0x00000001014eefc9 WTF::wtfThreadEntryPoint(void*) + 9 (ThreadingPthreads.cpp:224)
11  libsystem_pthread.dylib   0x00007fff5ff516c1 _pthread_body + 340
12  libsystem_pthread.dylib   0x00007fff5ff5156d _pthread_start + 377
13  libsystem_pthread.dylib   0x00007fff5ff50c5d thread_start + 13

Thread 12:: WTF::AutomaticThread
0   com.apple.JavaScriptCore  0x00000001012091f0 void JSC::SlotVisitor::appendToMarkStack<JSC::MarkedBlock>(JSC::MarkedBlock&, JSC::JSCell*) + 176 (SlotVisitor.cpp:289)
1   com.apple.JavaScriptCore  0x0000000100a94ca6 JSC::JSObject::visitChildren(JSC::JSCell*, JSC::SlotVisitor&) + 1734 (SlotVisitorInlines.h:99)
2   com.apple.JavaScriptCore  0x0000000100a5c615 JSC::JSCallee::visitChildren(JSC::JSCell*, JSC::SlotVisitor&) + 21 (WriteBarrier.h:89)
3   com.apple.JavaScriptCore  0x0000000100a64756 JSC::JSFunction::visitChildren(JSC::JSCell*, JSC::SlotVisitor&) + 22 (WriteBarrier.h:89)
4   com.apple.JavaScriptCore  0x000000010120fd90 JSC::SlotVisitor::drain(WTF::MonotonicTime)::$_40::operator()(JSC::MarkStackArray&) const + 368 (SlotVisitor.cpp:389)
5   com.apple.JavaScriptCore  0x0000000101209705 JSC::SlotVisitor::drain(WTF::MonotonicTime) + 165 (SlotVisitorInlines.h:173)
6   com.apple.JavaScriptCore  0x0000000101209e1d JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode, WTF::MonotonicTime) + 637
7   com.apple.JavaScriptCore  0x00000001011f6581 WTF::SharedTaskFunctor<void (), JSC::Heap::runBeginPhase(JSC::GCConductor)::$_11>::run() + 577 (SlotVisitor.h:258)
8   com.apple.JavaScriptCore  0x00000001014d3e4c WTF::ParallelHelperClient::runTask(WTF::RefPtr<WTF::SharedTask<void ()> >) + 44 (RefPtr.h:79)
9   com.apple.JavaScriptCore  0x00000001014d4964 WTF::ParallelHelperPool::Thread::work() + 52 (utility:890)
10  com.apple.JavaScriptCore  0x00000001014b56c8 WTF::Function<void ()>::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0>::call() + 296 (AutomaticThread.cpp:223)
11  com.apple.JavaScriptCore  0x00000001014ed5e4 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) + 228 (memory:2602)
12  com.apple.JavaScriptCore  0x00000001014eefc9 WTF::wtfThreadEntryPoint(void*) + 9 (ThreadingPthreads.cpp:224)
13  libsystem_pthread.dylib   0x00007fff5ff516c1 _pthread_body + 340
14  libsystem_pthread.dylib   0x00007fff5ff5156d _pthread_start + 377
15  libsystem_pthread.dylib   0x00007fff5ff50c5d thread_start + 13

Thread 13:: WTF::AutomaticThread
0   libsystem_kernel.dylib    0x00007fff5fe0df72 swtch_pri + 10
1   libsystem_pthread.dylib   0x00007fff5ff52307 sched_yield + 11
2   com.apple.JavaScriptCore  0x00000001014cc52f WTF::LockAlgorithm<unsigned char, (unsigned char)1, (unsigned char)2>::lockSlow(WTF::Atomic<unsigned char>&) + 207
3   com.apple.JavaScriptCore  0x0000000100c6b511 bool WTF::ConditionBase::waitUntil<WTF::Lock>(WTF::Lock&, WTF::TimeWithDynamicClockType const&) + 193 (Lock.h:63)
4   com.apple.JavaScriptCore  0x0000000101209d38 JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode, WTF::MonotonicTime) + 408 (Condition.h:103)
5   com.apple.JavaScriptCore  0x00000001011f6581 WTF::SharedTaskFunctor<void (), JSC::Heap::runBeginPhase(JSC::GCConductor)::$_11>::run() + 577 (SlotVisitor.h:258)
6   com.apple.JavaScriptCore  0x00000001014d3e4c WTF::ParallelHelperClient::runTask(WTF::RefPtr<WTF::SharedTask<void ()> >) + 44 (RefPtr.h:79)
7   com.apple.JavaScriptCore  0x00000001014d4964 WTF::ParallelHelperPool::Thread::work() + 52 (utility:890)
8   com.apple.JavaScriptCore  0x00000001014b56c8 WTF::Function<void ()>::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0>::call() + 296 (AutomaticThread.cpp:223)
9   com.apple.JavaScriptCore  0x00000001014ed5e4 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) + 228 (memory:2602)
10  com.apple.JavaScriptCore  0x00000001014eefc9 WTF::wtfThreadEntryPoint(void*) + 9 (ThreadingPthreads.cpp:224)
11  libsystem_pthread.dylib   0x00007fff5ff516c1 _pthread_body + 340
12  libsystem_pthread.dylib   0x00007fff5ff5156d _pthread_start + 377
13  libsystem_pthread.dylib   0x00007fff5ff50c5d thread_start + 13

Thread 14:: WTF::AutomaticThread
0   com.apple.JavaScriptCore  0x000000010120971a JSC::SlotVisitor::drain(WTF::MonotonicTime) + 186 (Atomics.h:248)
1   com.apple.JavaScriptCore  0x0000000101209e1d JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode, WTF::MonotonicTime) + 637
2   com.apple.JavaScriptCore  0x00000001011f6581 WTF::SharedTaskFunctor<void (), JSC::Heap::runBeginPhase(JSC::GCConductor)::$_11>::run() + 577 (SlotVisitor.h:258)
3   com.apple.JavaScriptCore  0x00000001014d3e4c WTF::ParallelHelperClient::runTask(WTF::RefPtr<WTF::SharedTask<void ()> >) + 44 (RefPtr.h:79)
4   com.apple.JavaScriptCore  0x00000001014d4964 WTF::ParallelHelperPool::Thread::work() + 52 (utility:890)
5   com.apple.JavaScriptCore  0x00000001014b56c8 WTF::Function<void ()>::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0>::call() + 296 (AutomaticThread.cpp:223)
6   com.apple.JavaScriptCore  0x00000001014ed5e4 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) + 228 (memory:2602)
7   com.apple.JavaScriptCore  0x00000001014eefc9 WTF::wtfThreadEntryPoint(void*) + 9 (ThreadingPthreads.cpp:224)
8   libsystem_pthread.dylib   0x00007fff5ff516c1 _pthread_body + 340
9   libsystem_pthread.dylib   0x00007fff5ff5156d _pthread_start + 377
10  libsystem_pthread.dylib   0x00007fff5ff50c5d thread_start + 13

Thread 15:: WTF::AutomaticThread
0   com.apple.JavaScriptCore  0x00000001014fe524 bmalloc::Heap::allocateSmallBumpRangesByObject(std::__1::lock_guard<bmalloc::StaticMutex>&, unsigned long, bmalloc::BumpAllocator&, bmalloc::FixedVector<bmalloc::BumpRange, 3ul>&, std::__1::array<bmalloc::List<bmalloc::SmallPage>, 112ul>&) + 436 (Heap.cpp:427)
1   com.apple.JavaScriptCore  0x00000001014fab5a bmalloc::Allocator::refillAllocatorSlowCase(bmalloc::BumpAllocator&, unsigned long) + 138 (__mutex_base:113)
2   com.apple.JavaScriptCore  0x00000001014fac84 bmalloc::Allocator::allocateLogSizeClass(unsigned long) + 180 (Allocator.cpp:165)
3   com.apple.JavaScriptCore  0x00000001014c923e WTF::fastMalloc(unsigned long) + 94 (FastMalloc.cpp:258)
4   com.apple.JavaScriptCore  0x0000000101209192 void JSC::SlotVisitor::appendToMarkStack<JSC::MarkedBlock>(JSC::MarkedBlock&, JSC::JSCell*) + 82 (DoublyLinkedList.h:56)
5   com.apple.JavaScriptCore  0x0000000100decbe0 JSC::CodeBlock::stronglyVisitStrongReferences(JSC::ConcurrentJSLocker const&, JSC::SlotVisitor&) + 800 (SlotVisitorInlines.h:64)
6   com.apple.JavaScriptCore  0x0000000100dec6a3 JSC::CodeBlock::visitChildren(JSC::SlotVisitor&) + 355 (CodeBlock.cpp:1059)
7   com.apple.JavaScriptCore  0x000000010120fd90 JSC::SlotVisitor::drain(WTF::MonotonicTime)::$_40::operator()(JSC::MarkStackArray&) const + 368 (SlotVisitor.cpp:389)
8   com.apple.JavaScriptCore  0x0000000101209705 JSC::SlotVisitor::drain(WTF::MonotonicTime) + 165 (SlotVisitorInlines.h:173)
9   com.apple.JavaScriptCore  0x0000000101209e1d JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode, WTF::MonotonicTime) + 637
10  com.apple.JavaScriptCore  0x00000001011f6581 WTF::SharedTaskFunctor<void (), JSC::Heap::runBeginPhase(JSC::GCConductor)::$_11>::run() + 577 (SlotVisitor.h:258)
11  com.apple.JavaScriptCore  0x00000001014d3e4c WTF::ParallelHelperClient::runTask(WTF::RefPtr<WTF::SharedTask<void ()> >) + 44 (RefPtr.h:79)
12  com.apple.JavaScriptCore  0x00000001014d4964 WTF::ParallelHelperPool::Thread::work() + 52 (utility:890)
13  com.apple.JavaScriptCore  0x00000001014b56c8 WTF::Function<void ()>::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0>::call() + 296 (AutomaticThread.cpp:223)
14  com.apple.JavaScriptCore  0x00000001014ed5e4 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) + 228 (memory:2602)
15  com.apple.JavaScriptCore  0x00000001014eefc9 WTF::wtfThreadEntryPoint(void*) + 9 (ThreadingPthreads.cpp:224)
16  libsystem_pthread.dylib   0x00007fff5ff516c1 _pthread_body + 340
17  libsystem_pthread.dylib   0x00007fff5ff5156d _pthread_start + 377
18  libsystem_pthread.dylib   0x00007fff5ff50c5d thread_start + 13

Thread 10 crashed with X86 Thread State (64-bit):
  rax: 0x0000000103a535b0  rbx: 0x0000000000000000  rcx: 0x0000000000000000  rdx: 0x0000000000000001
  rdi: 0x0000000000000000  rsi: 0x0000000102eb00b8  rbp: 0x0000700005b34bd0  rsp: 0x0000700005b34bb0
   r8: 0x0000000102eb00b8   r9: 0xffffffff00000000  r10: 0x0000000102ea2028  r11: 0x0000000102ea2030
  r12: 0x00000001033b7dc0  r13: 0x0000000000000000  r14: 0x0000000102eb00b8  r15: 0x0000000000000000
  rip: 0x0000000100b9be11  rfl: 0x0000000000010206  cr2: 0x0000000000000000

Logical CPU:     7
Error Code:      0x00000004
Trap Number:     14
```
Attachments
patch (2.43 KB, patch), 2017-09-22 11:24 PDT, Saam Barati, no flags
Saam Barati
Comment 1
2017-09-22 10:53:08 PDT
It seems like we probably want a storeStoreFence() before storing to m_stackTrace in ErrorInstance. That said, it's really unlikely this is the cause of the crash on x86 since storeStoreFence is a compiler fence, and we're storing the result of a call. I think we may want the storeStoreFence for arm though, so:

```
m_stackTrace = getStackTrace(exec, vm, this, useCurrentFrame);
```

should become

```
auto tmp = getStackTrace(exec, vm, this, useCurrentFrame);
storeStoreFence();
m_stackTrace = WTFMove(tmp);
```
Saam Barati
Comment 2
2017-09-22 10:54:00 PDT
I believe we also need a WriteBarrier after storing to m_stackTrace.
Saam Barati
Comment 3
2017-09-22 10:57:59 PDT
I bet the bug is we're calling materializeErrorInfoIfNeeded on the main thread while visiting the stack trace on the collector thread.
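The ordering discipline that comments 1 to 3 argue for (build the trace fully, fence, publish the pointer, then write-barrier the cell so the concurrent collector rescans it) can be modelled without a real concurrent collector. The block below is an added example, not WebKit's code and not the patch that landed as r222398: it is a single-threaded model in which one collector visit is interposed at a chosen step of the mutator's lazy materialisation, and every name in it (ErrorInstanceModel, StackFrameModel, CollectorModel, runScenario, the numbered visit points) is hypothetical; the real JSC types are only namesakes. std::atomic_thread_fence(release) stands in for WTF's storeStoreFence(), and the `remembered` flag stands in for the write barrier. Because one thread cannot exhibit the store reordering a weakly ordered CPU would, the unfenced variant makes that reordering explicit by publishing the vector before its frames are filled in.

```cpp
// Added example, not WebKit's code: a deterministic single-threaded model of the
// publish ordering discussed in comments 1-3. ErrorInstanceModel, StackFrameModel,
// CollectorModel, runScenario and the numbered "visit points" are hypothetical
// names; the real JSC types are namesakes only.
#include <atomic>
#include <cstdio>
#include <memory>
#include <set>
#include <string>
#include <vector>

struct StackFrameModel {
    std::string callee; // empty means "not filled in yet" (the nullptr the crash dereferenced)
};

struct ErrorInstanceModel {
    // Atomic so the collector's load and the mutator's store have explicit ordering.
    std::atomic<std::vector<StackFrameModel>*> m_stackTrace { nullptr };
    std::unique_ptr<std::vector<StackFrameModel>> owner; // keeps the published trace alive
    bool remembered { false }; // set by the modelled write barrier
};

struct CollectorModel {
    std::set<const void*> marked;
    bool sawHalfBuiltFrame { false };

    // Models ErrorInstance::visitChildren -> StackFrame::visitChildren on the collector thread.
    void visit(const ErrorInstanceModel& error)
    {
        auto* trace = error.m_stackTrace.load(std::memory_order_acquire);
        if (!trace)
            return; // nothing published yet, so nothing to mark
        marked.insert(trace);
        for (const auto& frame : *trace) {
            if (frame.callee.empty())
                sawHalfBuiltFrame = true; // the real engine crashes here
        }
    }
    // End of the marking cycle: cells the write barrier remembered get rescanned.
    void finish(const ErrorInstanceModel& error)
    {
        if (error.remembered)
            visit(error);
    }
};

struct ScenarioResult {
    bool sawHalfBuiltFrame;
    bool traceMarked;
};

// Runs the mutator's lazy materialisation with one collector visit interposed at
// step `visitAt` (0..5). `fixed` selects the fenced and barriered variant.
static ScenarioResult runScenario(bool fixed, int visitAt)
{
    ErrorInstanceModel error;
    CollectorModel collector;
    auto collectorMayRunHere = [&](int step) {
        if (step == visitAt)
            collector.visit(error);
    };

    collectorMayRunHere(0);
    if (!fixed) {
        // Racy variant: without storeStoreFence, weakly ordered hardware may make the
        // pointer store visible before the frames' contents. The model makes that
        // reordering explicit by publishing a still-empty vector first.
        error.owner = std::make_unique<std::vector<StackFrameModel>>(3);
        error.m_stackTrace.store(error.owner.get(), std::memory_order_relaxed);
        collectorMayRunHere(1);
        for (int i = 0; i < 3; ++i) {
            (*error.owner)[i].callee = "frame" + std::to_string(i);
            collectorMayRunHere(2 + i); // steps 2, 3, 4
        }
        collectorMayRunHere(5); // no write barrier: the cell is never remembered
    } else {
        // Fixed variant from comment 1: build into a temporary, fence, then publish.
        auto tmp = std::make_unique<std::vector<StackFrameModel>>();
        for (int i = 0; i < 3; ++i) {
            tmp->push_back({ "frame" + std::to_string(i) });
            collectorMayRunHere(1 + i); // steps 1, 2, 3: still unpublished
        }
        std::atomic_thread_fence(std::memory_order_release); // stands in for storeStoreFence()
        error.owner = std::move(tmp);
        error.m_stackTrace.store(error.owner.get(), std::memory_order_relaxed);
        collectorMayRunHere(4);
        error.remembered = true; // write barrier from comment 2: force a rescan of this cell
        collectorMayRunHere(5);
    }
    collector.finish(error);
    return { collector.sawHalfBuiltFrame, collector.marked.count(error.owner.get()) != 0 };
}

int main()
{
    for (int step = 0; step <= 5; ++step) {
        ScenarioResult racy = runScenario(false, step);
        ScenarioResult fixed = runScenario(true, step);
        std::printf("visit at %d: racy half-built=%d marked=%d | fixed half-built=%d marked=%d\n",
            step, racy.sawHalfBuiltFrame, racy.traceMarked, fixed.sawHalfBuiltFrame, fixed.traceMarked);
    }
    return 0;
}
```

Running it shows the two failure modes the comments describe: the racy variant lets a visit at steps 1 to 3 observe unfilled frames (comment 1), and a visit at step 0, before the trace exists, leaves the trace unmarked for good because nothing remembers the cell (comment 2). The fixed variant never exposes a half-built frame at any step and always ends with the trace marked.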
Saam Barati
Comment 4
2017-09-22 11:24:42 PDT
Created attachment 321569 [details]: patch
Keith Miller
Comment 5
2017-09-22 11:28:49 PDT
Comment on attachment 321569 [details] (patch): r=me.
WebKit Commit Bot
Comment 6
2017-09-22 12:18:36 PDT
Comment on attachment 321569 [details] (patch): Clearing flags on attachment: 321569. Committed r222398: <http://trac.webkit.org/changeset/222398>
WebKit Commit Bot
Comment 7
2017-09-22 12:18:38 PDT
All reviewed patches have been landed. Closing bug.