Bug 234211 - REGRESSION: STP 136: forums.swift.org crashes in JavaScript
Summary: REGRESSION: STP 136: forums.swift.org crashes in JavaScript
Status: RESOLVED WORKSFORME
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: Safari Technology Preview
Hardware: Mac (Intel) macOS 12
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-12-12 11:53 PST by Jon
Modified: 2022-02-11 13:19 PST
CC: 2 users

See Also:


Attachments
STP136Crashes (85.17 KB, application/zip)
2021-12-12 11:53 PST, Jon

Description Jon 2021-12-12 11:53:24 PST
Created attachment 446938
STP136Crashes

Since STP 136, I've been seeing one-off crashes on forums.swift.org. The tab will crash, reload, and then work fine. It either occurs on one of the heap helper threads or directly in JSC execution itself. I've attached all of the crashes since 136 released. Here are the typical stacks:

0   JavaScriptCore                	       0x3d0b6fbf8 JSC::JSFinalObject::visitChildren(JSC::JSCell*, JSC::SlotVisitor&) + 1128
1   JavaScriptCore                	       0x3d145b76b JSC::SlotVisitor::drain(WTF::MonotonicTime)::$_3::operator()(JSC::MarkStackArray&) const + 251
2   JavaScriptCore                	       0x3d1458c72 JSC::SlotVisitor::drain(WTF::MonotonicTime) + 178
3   JavaScriptCore                	       0x3d145978d JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode, WTF::MonotonicTime) + 1597
4   JavaScriptCore                	       0x3d1430f44 WTF::SharedTaskFunctor<void (), JSC::Heap::runBeginPhase(JSC::GCConductor)::$_18>::run() + 148
5   JavaScriptCore                	       0x3d1c8d06c WTF::ParallelHelperClient::runTask(WTF::RefPtr<WTF::SharedTask<void ()>, WTF::RawPtrTraits<WTF::SharedTask<void ()> >, WTF::DefaultRefDerefTraits<WTF::SharedTask<void ()> > > const&) + 44
6   JavaScriptCore                	       0x3d1c8dc66 WTF::ParallelHelperPool::Thread::work() + 22
7   JavaScriptCore                	       0x3d1c6246a WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() + 490
8   JavaScriptCore                	       0x3d1caa88d WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) + 157
9   JavaScriptCore                	       0x3d0aa0e89 WTF::wtfThreadEntryPoint(void*) + 9
10  libsystem_pthread.dylib       	    0x7ff80082d514 _pthread_start + 125
11  libsystem_pthread.dylib       	    0x7ff80082902f thread_start + 15

Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   JavaScriptCore                	       0x500b69034 operationGetByVal + 1028
1   ???                           	    0x53193abbb330 ???
2   ???                           	    0x53193a94afc0 ???
3   ???                           	    0x53193a94ec66 ???
4   ???                           	    0x53193a8b02db ???
5   ???                           	    0x53193ac86f94 ???
6   ???                           	    0x53193aef4118 ???
7   JavaScriptCore                	       0x500e64beb llint_entry + 117268
8   JavaScriptCore                	       0x500e64beb llint_entry + 117268
9   JavaScriptCore                	       0x500e64beb llint_entry + 117268
10  ???                           	    0x53193ad30cc9 ???
11  ???                           	    0x53193a8c21e6 ???
12  JavaScriptCore                	       0x500e64beb llint_entry + 117268
13  JavaScriptCore                	       0x500e64beb llint_entry + 117268
14  JavaScriptCore                	       0x500e64beb llint_entry + 117268
15  JavaScriptCore                	       0x500e64beb llint_entry + 117268
16  ???                           	    0x53193af93131 ???
17  ???                           	    0x53193afdb285 ???
18  ???                           	    0x53193a9b895e ???
19  ???                           	    0x53193a9e8bf8 ???
20  ???                           	    0x53193aa97ebc ???
21  ???                           	    0x53193af98b10 ???
22  ???                           	    0x53193afbf3dc ???
23  ???                           	    0x53193a824757 ???
24  JavaScriptCore                	       0x500e64c70 llint_entry + 117401
25  ???                           	    0x53193af8c9eb ???
26  ???                           	    0x53193afbe50a ???
27  JavaScriptCore                	       0x500e64c70 llint_entry + 117401
28  JavaScriptCore                	       0x500e64c70 llint_entry + 117401
29  JavaScriptCore                	       0x500e47fd6 vmEntryToJavaScript + 216
30  JavaScriptCore                	       0x501520945 JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 485
31  JavaScriptCore                	       0x50177fefe JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 174
32  WebCore                       	       0x50b1f36e0 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 2432
33  WebCore                       	       0x50b54050c WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase) + 428
34  WebCore                       	       0x50b53fd56 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) + 630
35  WebCore                       	       0x50b53fab4 WebCore::EventTarget::dispatchEvent(WebCore::Event&) + 228
36  WebCore                       	       0x50c2e879c WebCore::XMLHttpRequest::dispatchEvent(WebCore::Event&) + 300
37  WebCore                       	       0x50c2e3d77 WebCore::XMLHttpRequestProgressEventThrottle::dispatchProgressEvent(WTF::AtomString const&) + 423
38  WebCore                       	       0x50a174e2b WebCore::XMLHttpRequest::callReadyStateChangeListener() + 411
39  WebCore                       	       0x50c2e3b51 WebCore::XMLHttpRequest::changeState(WebCore::XMLHttpRequest::State) + 225
40  WebCore                       	       0x50c2e78e7 WebCore::XMLHttpRequest::didFinishLoading(WTF::ObjectIdentifier<WebCore::ResourceLoader>) + 519
41  WebCore                       	       0x50b9f27ed WebCore::DocumentThreadableLoader::didFinishLoading(WTF::ObjectIdentifier<WebCore::ResourceLoader>) + 541
42  WebCore                       	       0x50ba7f55f WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&) + 95
43  WebCore                       	       0x50ba7dd89 WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*, WebCore::NetworkLoadMetrics const&) + 409
44  WebCore                       	       0x50ba4f3cd WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) + 989
45  WebKit                        	       0x502ad6d3c WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) + 204
46  WebKit                        	       0x502c5e39d WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) + 333
47  WebKit                        	       0x5024ea418 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) + 634
48  WebKit                        	       0x5024ecad1 WTF::Detail::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_11, void>::call() + 187
49  JavaScriptCore                	       0x501c93c3f WTF::RunLoop::performWork() + 447
50  JavaScriptCore                	       0x501c9472a WTF::RunLoop::performWork(void*) + 26
51  CoreFoundation                	    0x7ff8008f484d __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
52  CoreFoundation                	    0x7ff8008f47b5 __CFRunLoopDoSource0 + 180
53  CoreFoundation                	    0x7ff8008f4534 __CFRunLoopDoSources0 + 242
54  CoreFoundation                	    0x7ff8008f2f6b __CFRunLoopRun + 893
55  CoreFoundation                	    0x7ff8008f252d CFRunLoopRunSpecific + 563
56  Foundation                    	    0x7ff80175a75e -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 216
57  Foundation                    	    0x7ff8017e52c3 -[NSRunLoop(NSRunLoop) run] + 76
58  libxpc.dylib                  	    0x7ff80057b233 _xpc_objc_main + 825
59  libxpc.dylib                  	    0x7ff80057ac22 xpc_main + 99
60  WebKit                        	       0x50267d9de WebKit::XPCServiceMain(int, char const**) + 85
61  dyld                          	       0x11481c4fe start + 462
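With several attached crash logs and two different-looking stacks (a GC helper thread in JSC::SlotVisitor, and the main thread in operationGetByVal under unsymbolicated JIT frames), the first triage question is how many distinct signatures the pile actually contains. The script below is an added example, not code from this report or from WebKit: it parses the macOS crash-log frame format shown above, skips frames that carry no information about the fault (unsymbolicated JIT code shown as `???`, plus the `llint_entry` and `vmEntryToJavaScript` trampolines), and buckets each log by its first two meaningful frames. The sample logs are constructed, abbreviated from the stacks in the report; the file names are invented.

```python
import re
from collections import defaultdict

# One frame line of a macOS crash log: index, binary image, address, symbol [+ offset].
FRAME_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<image>\S+)\s+0x(?P<addr>[0-9a-fA-F]+)\s+"
    r"(?P<symbol>.+?)(?:\s\+\s(?P<offset>\d+))?\s*$"
)

# Frames that say nothing about where in JSC the fault lies: unsymbolicated
# JIT code ('???') and the generic interpreter / VM-entry trampolines.
UNINFORMATIVE_SYMBOLS = ("???", "llint_entry", "vmEntryToJavaScript")


def parse_frames(log_text):
    """Return the frame lines of a crash log as a list of dicts, in stack order."""
    frames = []
    for line in log_text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue  # headers such as 'Thread 0 Crashed::' are skipped
        frames.append({
            "index": int(m.group("idx")),
            "image": m.group("image"),
            "symbol": m.group("symbol").strip(),
            "offset": int(m.group("offset")) if m.group("offset") else None,
        })
    return frames


def is_informative(frame):
    """True for a frame whose image and symbol identify real native code."""
    return frame["image"] != "???" and not frame["symbol"].startswith(UNINFORMATIVE_SYMBOLS)


def signature(frames, depth=2):
    """Crash signature: the first `depth` informative frames, as image!symbol."""
    picked = [f"{f['image']}!{f['symbol']}" for f in frames if is_informative(f)]
    return " <- ".join(picked[:depth])


def triage(logs, depth=2):
    """Map each distinct signature to the names of the logs that produced it."""
    buckets = defaultdict(list)
    for name, text in logs.items():
        buckets[signature(parse_frames(text), depth)].append(name)
    return dict(buckets)


# Constructed sample logs, abbreviated from the two stacks in the bug report.
GC_LOG = """\
Thread 5 Crashed:
0   JavaScriptCore          0x3d0b6fbf8 JSC::JSFinalObject::visitChildren(JSC::JSCell*, JSC::SlotVisitor&) + 1128
1   JavaScriptCore          0x3d145b76b JSC::SlotVisitor::drain(WTF::MonotonicTime)::$_3::operator()(JSC::MarkStackArray&) const + 251
2   JavaScriptCore          0x3d1458c72 JSC::SlotVisitor::drain(WTF::MonotonicTime) + 178
"""

JIT_LOG = """\
Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   JavaScriptCore          0x500b69034 operationGetByVal + 1028
1   ???                     0x53193abbb330 ???
2   ???                     0x53193a94afc0 ???
3   JavaScriptCore          0x500e64beb llint_entry + 117268
4   JavaScriptCore          0x500e47fd6 vmEntryToJavaScript + 216
5   JavaScriptCore          0x501520945 JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 485
"""

# Invented file names; the same GC stack appears twice to show bucketing.
SAMPLE_LOGS = {
    "crash-gc-helper.crash": GC_LOG,
    "crash-jit-main.crash": JIT_LOG,
    "crash-gc-helper-2.crash": GC_LOG,
}

if __name__ == "__main__":
    for sig, names in triage(SAMPLE_LOGS).items():
        print(f"{len(names)} log(s): {sig}")
        for name in names:
            print(f"    {name}")
```

On the two constructed logs this yields two buckets: the GC helper signature (visitChildren <- SlotVisitor::drain) with two logs, and the main-thread signature (operationGetByVal <- Interpreter::executeCall) with one. Raising `depth` splits buckets further; lowering it to 1 groups on the faulting frame alone, which is usually what a tracker's "crash signature" means.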
Comment 1 Alexey Proskuryakov 2021-12-13 10:27:35 PST
Nice! Multiple crash signatures are likely expected for this kind of bug.
Comment 2 Radar WebKit Bug Importer 2021-12-13 10:27:55 PST
<rdar://problem/86420006>
Comment 3 Brent Fulgham 2022-02-11 13:19:42 PST
Internal JSC team couldn't reproduce. Please file a new crash report if you continue to see this on new STP builds.