Bug 178013 (status: NEW)
Regression(r220210?) Crash at com.apple.WebCore: WebCore::JSMutationCallback::handleEvent + 419
https://bugs.webkit.org/show_bug.cgi?id=178013
Chris Dumez
Reported 2017-10-06 09:42:38 PDT
Crash at com.apple.WebCore: WebCore::JSMutationCallback::handleEvent + 419:

Thread[0] EXC_BAD_ACCESS (SIGSEGV) (KERN_INVALID_ADDRESS at 0x0000000000000000)

[ 0] 0x000000010f3242d5 WebCore`WebCore::JSCallbackData::invokeCallback(WebCore::JSDOMGlobalObject&, JSC::JSObject*, JSC::JSValue, JSC::MarkedArgumentBuffer&, WebCore::JSCallbackData::CallbackType, JSC::PropertyName, WTF::NakedPtr<JSC::Exception>&) [inlined] JSC::JSCell::structure(JSC::VM&) const at JSCellInlines.h:115:28
    0x000000010f3242c4: orq $0x98, %rcx
    0x000000010f3242cb: testb $0x8, %bl
    0x000000010f3242ce: cmovneq %rax, %rcx
    0x000000010f3242d2: movq (%rcx), %rax
 -> 0x000000010f3242d5: movl (%rbx), %ecx
    0x000000010f3242d7: andl $0x7fffffff, %ecx ; imm = 0x7FFFFFFF
    0x000000010f3242dd: movq 0xe8(%rax), %rax
    0x000000010f3242e4: movq (%rax,%rcx,8), %rax
    0x000000010f3242e8: movq 0x40(%rax), %rax
[ 0] 0x000000010f3242d5 WebCore`WebCore::JSCallbackData::invokeCallback(WebCore::JSDOMGlobalObject&, JSC::JSObject*, JSC::JSValue, JSC::MarkedArgumentBuffer&, WebCore::JSCallbackData::CallbackType, JSC::PropertyName, WTF::NakedPtr<JSC::Exception>&) [inlined] JSC::JSCell::methodTable(JSC::VM&) const at JSCellInlines.h:259
[ 0] 0x000000010f3242d5 WebCore`WebCore::JSCallbackData::invokeCallback(WebCore::JSDOMGlobalObject&, JSC::JSObject*, JSC::JSValue, JSC::MarkedArgumentBuffer&, WebCore::JSCallbackData::CallbackType, JSC::PropertyName, WTF::NakedPtr<JSC::Exception>&) [inlined] JSC::JSCell::methodTable() const + 36 at JSCellInlines.h:254
[ 0] 0x000000010f3242b1 WebCore`WebCore::JSCallbackData::invokeCallback(WebCore::JSDOMGlobalObject&, JSC::JSObject*, JSC::JSValue, JSC::MarkedArgumentBuffer&, WebCore::JSCallbackData::CallbackType, JSC::PropertyName, WTF::NakedPtr<JSC::Exception>&) + 65 at JSCallbackData.cpp:53
    49     CallType callType = CallType::None;
    50
    51     if (method != CallbackType::Object) {
    52         function = callback;
 -> 53         callType = callback->methodTable()->getCallData(callback, callData);
    54     }
    55     if (callType == CallType::None) {
    56         if (method == CallbackType::Function) {
    57             returnedException = JSC::Exception::create(exec->vm(), createTypeError(exec));
[ 1] 0x000000010f59e0d2 WebCore`WebCore::JSMutationCallback::handleEvent(WebCore::MutationObserver&, WTF::Vector<WTF::Ref<WebCore::MutationRecord>, 0ul, WTF::CrashOnOverflow, 16ul> const&, WebCore::MutationObserver&) [inlined] WebCore::JSCallbackDataWeak::invokeCallback(JSC::JSValue, JSC::MarkedArgumentBuffer&, WebCore::JSCallbackData::CallbackType, JSC::PropertyName, WTF::NakedPtr<JSC::Exception>&) + 88 at JSCallbackData.h:115:16
[ 1] 0x000000010f59e07a WebCore`WebCore::JSMutationCallback::handleEvent(WebCore::MutationObserver&, WTF::Vector<WTF::Ref<WebCore::MutationRecord>, 0ul, WTF::CrashOnOverflow, 16ul> const&, WebCore::MutationObserver&) + 330 at JSMutationCallback.cpp:75
[ 2] 0x000000010f876be2 WebCore`WebCore::MutationObserver::deliver() + 818 at MutationObserver.cpp:235:5
[ 3] 0x000000010f877347 WebCore`WebCore::MutationObserver::notifyMutationObservers() + 1719 at MutationObserver.cpp:283:17
[ 4] 0x000000010f8776c8 WebCore`WebCore::MutationObserverMicrotask::run() + 8 at MutationObserver.cpp:163:9
[ 5] 0x000000010f860b79 WebCore`WebCore::MicrotaskQueue::performMicrotaskCheckpoint() + 121 at Microtasks.cpp:85:27
[ 6] 0x000000010f574cc5 WebCore`WebCore::JSMainThreadExecState::didLeaveScriptContext(JSC::ExecState*) + 21 at JSMainThreadExecState.cpp:40:5
Chris Dumez
Comment 1 2017-10-06 09:42:54 PDT
Chris Dumez
Comment 2 2017-10-06 09:43:37 PDT
Looks like the MutationObserver and its MutationCallback are alive. However, the underlying callback JSObject is dead. JSCallbackDataWeak stores the callback as: JSC::Weak<JSC::JSObject> m_callback; Since it is weak, it can in theory go away. I see we have visitors code (which I do not fully understand) marking the callback. Sam, any idea?
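The failure mode described in Comment 2, modelled as an added example that is not WebKit code and not part of this bug: an owner (the observer) stays alive and holds only a weak reference to its callback object, so the garbage collector may free the callback first and the holder is left with a null pointer at delivery time. `WeakCallbackData`, `Observer` and `CallbackObject` below are hypothetical stand-ins built on `std::weak_ptr`, not the JSC::Weak machinery; the unchecked invoke mirrors the crashing pattern (dereferencing a cleared weak slot), the checked one shows the defensive null test that turns the crash into a no-op. Whatever the root cause in the marking code, a holder that dereferences a weak slot without checking it is the thing to look for in review.

```cpp
// Added example, not WebKit's code. Models JSCallbackDataWeak's
// "JSC::Weak<JSC::JSObject> m_callback" with std::weak_ptr so the
// "callback collected while owner alive" scenario can be run stand-alone.
#include <cstdio>
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-in for the JS function object handed to the observer.
struct CallbackObject {
    std::function<void(const std::vector<std::string>&)> fn;
};

enum class InvokeResult { Invoked, CallbackCollected };

// Hypothetical stand-in for JSCallbackDataWeak: holds only a weak reference,
// so "the GC" (here: the last shared_ptr owner going away) can free the
// callback while this holder, and the observer owning it, are still alive.
class WeakCallbackData {
public:
    explicit WeakCallbackData(const std::shared_ptr<CallbackObject>& cb) : m_callback(cb) {}

    // Unchecked delivery, mirroring the crashing pattern: a cleared weak slot
    // yields a null pointer and the call below dereferences it (SIGSEGV at 0x0).
    void invokeUnchecked(const std::vector<std::string>& records) {
        std::shared_ptr<CallbackObject> cb = m_callback.lock();
        cb->fn(records); // null dereference when the callback was collected
    }

    // Checked delivery: a cleared weak slot means "nothing to call".
    InvokeResult invoke(const std::vector<std::string>& records) {
        std::shared_ptr<CallbackObject> cb = m_callback.lock();
        if (!cb)
            return InvokeResult::CallbackCollected;
        cb->fn(records);
        return InvokeResult::Invoked;
    }

private:
    std::weak_ptr<CallbackObject> m_callback;
};

// Hypothetical stand-in for MutationObserver: owns its callback data (which is
// why observer and callback data are "alive" in the report) but never holds a
// strong reference to the callback object itself.
class Observer {
public:
    explicit Observer(const std::shared_ptr<CallbackObject>& cb) : m_data(cb) {}
    InvokeResult deliver(const std::vector<std::string>& records) { return m_data.invoke(records); }
private:
    WeakCallbackData m_data;
};

struct ScenarioResult {
    InvokeResult outcome;
    int delivered; // number of records the callback actually received
};

// Script creates an observer, then (optionally) drops the only strong reference
// to the callback before the microtask checkpoint delivers records.
ScenarioResult runScenario(bool dropCallbackBeforeDelivery) {
    int delivered = 0;
    auto callback = std::make_shared<CallbackObject>();
    callback->fn = [&delivered](const std::vector<std::string>& records) {
        delivered += static_cast<int>(records.size());
    };
    Observer observer(callback);
    if (dropCallbackBeforeDelivery)
        callback.reset(); // models the GC collecting the weakly held callback object
    // Constructed sample records, standing in for a MutationRecord vector.
    InvokeResult outcome = observer.deliver({"childList", "attributes"});
    return ScenarioResult{outcome, delivered};
}

int main() {
    ScenarioResult alive = runScenario(false);
    ScenarioResult gone = runScenario(true);
    std::printf("callback alive: delivered=%d\n", alive.delivered);     // 2
    std::printf("callback collected: delivered=%d, invoked=%s\n",
                gone.delivered, gone.outcome == InvokeResult::Invoked ? "yes" : "no"); // 0, no
    return 0;
}
```

The checked path is the defensive guard; it does not explain why the weak slot was cleared, which in the report is a question for the marking (visitor) code that is supposed to keep the callback alive as long as the observer is.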