WebKit Bugzilla
Bug 180343 - We need to disableCaching() in ErrorInstance when we materialize properties
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=180343
Ryosuke Niwa
Reported
2017-12-03 22:32:54 PST
Hit this while looking up words on https://www.merriam-webster.com and keeping it open in a background window (not a background tab).

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000004
Exception Note: EXC_CORPSE_NOTIFY
Termination Signal: Segmentation fault: 11
Termination Reason: Namespace SIGNAL, Code 0xb
Terminating Process: exc handler [0]

VM Regions Near 0x4:
--> __TEXT 000000010016a000-000000010016c000 [ 8K] r-x/rwx SM=COW /Applications/Safari Technology Preview.app/Contents/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

Application Specific Information:
Bundle controller class: BrowserBundleController

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.JavaScriptCore 0x0000000104290a8e JSC::Structure::didCachePropertyReplacement(JSC::VM&, int) + 14
1 com.apple.JavaScriptCore 0x00000001048d6830 JSC::repatchPutByID(JSC::ExecState*, JSC::JSValue, JSC::Structure*, JSC::Identifier const&, JSC::PutPropertySlot const&, JSC::StructureStubInfo&, JSC::PutKind) + 448
2 com.apple.JavaScriptCore 0x00000001040a5f4b operationPutByIdStrictOptimize + 1547
3 ??? 0x0000358a79be4a64 0 + 58868864272996
4 ??? 0x0000358a79c8737d 0 + 58868864938877
5 ??? 0x0000358a79c6266a 0 + 58868864788074
6 com.apple.JavaScriptCore 0x00000001040cdcd0 vmEntryToJavaScript + 304
7 com.apple.JavaScriptCore 0x00000001048970af JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 127
8 com.apple.JavaScriptCore 0x0000000103f5fd6a JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 522
9 com.apple.JavaScriptCore 0x00000001049ecf15 JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 197
10 com.apple.WebCore 0x0000000101f91120 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 1200
11 com.apple.WebCore 0x0000000101b44af8 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>) + 568
12 com.apple.WebCore 0x0000000101b446dc WebCore::EventTarget::fireEventListeners(WebCore::Event&) + 412
13 com.apple.WebCore 0x0000000101b44525 WebCore::EventTarget::dispatchEvent(WebCore::Event&) + 101
14 com.apple.WebCore 0x000000010169d7e5 WebCore::XMLHttpRequest::callReadyStateChangeListener() + 149
15 com.apple.WebCore 0x000000010297951e WebCore::XMLHttpRequest::networkErrorTimerFired() + 14
16 com.apple.WebCore 0x00000001015f6690 WebCore::ThreadTimers::sharedTimerFiredInternal() + 176
17 com.apple.WebCore 0x00000001015f65cf WebCore::timerFired(__CFRunLoopTimer*, void*) + 31
18 com.apple.CoreFoundation 0x00007fff7a047e04 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
19 com.apple.CoreFoundation 0x00007fff7a047a93 __CFRunLoopDoTimer + 1075
20 com.apple.CoreFoundation 0x00007fff7a0475ea __CFRunLoopDoTimers + 298
21 com.apple.CoreFoundation 0x00007fff7a03efc1 __CFRunLoopRun + 2081
22 com.apple.CoreFoundation 0x00007fff7a03e544 CFRunLoopRunSpecific + 420
23 com.apple.HIToolbox 0x00007fff7959debc RunCurrentEventLoopInMode + 240
24 com.apple.HIToolbox 0x00007fff7959dcf1 ReceiveNextEventCommon + 432
25 com.apple.HIToolbox 0x00007fff7959db26 _BlockUntilNextEventMatchingListInModeWithFilter + 71
26 com.apple.AppKit 0x00007fff77b36a54 _DPSNextEvent + 1120
27 com.apple.AppKit 0x00007fff782b27ee -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 2796
28 com.apple.AppKit 0x00007fff77b2b3db -[NSApplication run] + 926
29 com.apple.AppKit 0x00007fff77af5e0e NSApplicationMain + 1237
30 libxpc.dylib 0x00007fff8fe628c7 _xpc_objc_main + 775
31 libxpc.dylib 0x00007fff8fe612e4 xpc_main + 494
32 com.apple.WebKit.WebContent 0x000000010016b695 0x10016a000 + 5781
33 libdyld.dylib 0x0000000101217235 start + 1
Attachments
patch (7.88 KB, patch), 2017-12-11 17:47 PST, Saam Barati, no flags
patch (7.90 KB, patch), 2017-12-11 17:48 PST, Saam Barati, no flags
patch (7.14 KB, patch), 2017-12-11 17:49 PST, Saam Barati, no flags
Ryosuke Niwa
Comment 1
2017-12-03 22:38:24 PST
Hm... perhaps this happens after I've moved the tab to background.
Ryosuke Niwa
Comment 2
2017-12-03 22:42:50 PST
Yeah, it looks like I need to bring the tab to the background and after 10-20s, the tab would crash. It's not 100% reliable though. It's like ~50% probability for me.
Saam Barati
Comment 3
2017-12-04 00:32:02 PST
I’ll check this out
Radar WebKit Bug Importer
Comment 4
2017-12-04 10:52:01 PST
<rdar://problem/35833002>
Ryosuke Niwa
Comment 5
2017-12-05 15:53:20 PST
Hm... I can't reproduce this on STP44 so it might be already fixed now.
Saam Barati
Comment 6
2017-12-11 11:45:44 PST
I can't reproduce this either but I know other people have seen this recently. I'm going to look for ways to repro.
Saam Barati
Comment 7
2017-12-11 17:00:33 PST
patch forthcoming
Saam Barati
Comment 8
2017-12-11 17:47:25 PST
Created attachment 329065 [details]: patch
Saam Barati
Comment 9
2017-12-11 17:48:10 PST
Created attachment 329066 [details]: patch
Saam Barati
Comment 10
2017-12-11 17:49:49 PST
Created attachment 329069 [details]: patch
Mark Lam
Comment 11
2017-12-11 17:54:37 PST
Comment on attachment 329069 [details]: patch
r=me
WebKit Commit Bot
Comment 12
2017-12-11 19:24:48 PST
Comment on attachment 329069 [details]: patch
Clearing flags on attachment: 329069
Committed r225768: <https://trac.webkit.org/changeset/225768>
WebKit Commit Bot
Comment 13
2017-12-11 19:24:49 PST
All reviewed patches have been landed. Closing bug.