RESOLVED FIXED 272862
[YARR JIT] Intermittent crash when calling through areCanonicallyEquivalentThunk
https://bugs.webkit.org/show_bug.cgi?id=272862
Michael Saboff
Reported 2024-04-17 16:19:43 PDT
Internal testing reports that there are intermittent crashes from Yarr JIT code. Here is one such crash:

    Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
    0                             0x1105ba9f0 [Yarr JIT generated code]
    1 com.apple.JavaScriptCore    0x1b04d63b8 JSC::RegExpGlobalData::performMatch(JSC::JSGlobalObject*, JSC::RegExp*, JSC::JSString*, WTF::String const&, int, int**) + 24 (/AppleInternal/Library/BuildRoots/1703afaf-f674-11ee-901e-fe8bc7981bff/Library/Caches/com.apple.xbs/Sources/JavaScriptCore/Source/JavaScriptCore/./runtime/RegExpGlobalDataInlines.h:56) [inlined]
    2 com.apple.JavaScriptCore    0x1b04d63b8 JSC::replaceUsingRegExpSearch(JSC::VM&, JSC::JSGlobalObject*, JSC::JSString*, JSC::JSValue, JSC::CallData const&, WTF::String&, JSC::JSValue) + 172 (/AppleInternal/Library/BuildRoots/1703afaf-f674-11ee-901e-fe8bc7981bff/Library/Caches/com.apple.xbs/Sources/JavaScriptCore/Source/JavaScriptCore/./runtime/StringPrototype.cpp:575) [inlined]
    3 com.apple.JavaScriptCore    0x1b04d63b8 JSC::replaceUsingRegExpSearch(JSC::VM&, JSC::JSGlobalObject*, JSC::JSString*, JSC::JSValue, JSC::JSValue) + 1824 (/AppleInternal/Library/BuildRoots/1703afaf-f674-11ee-901e-fe8bc7981bff/Library/Caches/com.apple.xbs/Sources/JavaScriptCore/Source/JavaScriptCore/./runtime/StringPrototype.cpp:819) [inlined]
    4 com.apple.JavaScriptCore    0x1b04d63b8 JSC::replace(JSC::VM&, JSC::JSGlobalObject*, JSC::JSValue, JSC::JSValue, JSC::JSValue) + 1892 (/AppleInternal/Library/BuildRoots/1703afaf-f674-11ee-901e-fe8bc7981bff/Library/Caches/com.apple.xbs/Sources/JavaScriptCore/Source/JavaScriptCore/./runtime/StringPrototype.cpp:883) [inlined]
    5 com.apple.JavaScriptCore    0x1b04d63b8 operationStringProtoFuncReplaceGeneric + 1964 (/AppleInternal/Library/BuildRoots/1703afaf-f674-11ee-901e-fe8bc7981bff/Library/Caches/com.apple.xbs/Sources/JavaScriptCore/Source/JavaScriptCore/./runtime/StringPrototype.cpp:947)

Disassembly of the crash is of the form:

    ...
    0x1105ba9e4: b 0x114074c34
    0x1105ba9e8: movz w10, #0x0
    0x1105ba9ec: bl 0x113f53aa0            ; call areCanonicallyEquivalentThunk
    0x116074aa0: cbz w6, 0x116074ad0       !! crash returning here
    0x1105ba9f4: add w1, w1, #1
    0x1105ba9f8: add w8, w8, #1
    0x1105ba9fc: ldur w17, [x3, #12]
    ...

The crash appears to be due to a PAC signing failure. It is suspected that there is a race condition with the areCanonicallyEquivalentThunk code. This bug tracks moving the generation of the thunk to JSC VM startup time to eliminate that race.
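The fix the report describes is a change of initialization strategy: a thunk that is produced on first use from whichever thread gets there first is replaced by one produced once at VM startup, before any thread can call through it. The following C++ sketch is an added illustration of that contrast; it is not WebKit or JavaScriptCore code and every name in it (ThunkFn, LazyThunkHolder, VM, generateThunk, the toy comparison body) is hypothetical. It models the thunk as an ordinary function pointer, shows the unsynchronized check-then-generate shape that the report suspects, and then exercises the startup-generated variant from several threads to show that each reader observes a fully published pointer.

```cpp
#include <atomic>
#include <chrono>
#include <cstdint>
#include <thread>
#include <vector>

// Stand-in for a JIT thunk: a plain function pointer that "generation" produces.
// Hypothetical names throughout; none of this is JavaScriptCore's real Yarr code.
using ThunkFn = bool (*)(uint32_t, uint32_t);

// Toy body for the thunk: ASCII letters compare equal ignoring case.
static bool toyCanonicallyEquivalent(uint32_t a, uint32_t b) {
    auto fold = [](uint32_t c) { return (c >= 'A' && c <= 'Z') ? c + 32 : c; };
    return fold(a) == fold(b);
}

// Simulates emitting the thunk. The delay stands in for real code generation
// and is what gives a second thread a window to observe the lazy holder below
// in a half-initialized state.
static ThunkFn generateThunk() {
    std::this_thread::sleep_for(std::chrono::milliseconds(5));
    return &toyCanonicallyEquivalent;
}

// Lazy, unsynchronized check-then-generate: the shape of race the report
// suspects. Two threads can both see nullptr and both generate, and a reader
// can call through a pointer whose store it has not fully observed. The field
// is deliberately non-atomic; calling get() from two threads is a data race
// (ThreadSanitizer, -fsanitize=thread, flags it). Only use it single-threaded.
struct LazyThunkHolder {
    ThunkFn thunk = nullptr;
    ThunkFn get() {
        if (!thunk)
            thunk = generateThunk();
        return thunk;
    }
};

// Startup generation: the thunk is emitted in the VM constructor, i.e. before
// any worker thread exists, so every later reader sees a completed pointer
// without needing a lock or an atomic on the hot path.
struct VM {
    const ThunkFn areCanonicallyEquivalentThunk;
    VM() : areCanonicallyEquivalentThunk(generateThunk()) {}
};

// Runs `threads` workers that all call through the startup-generated thunk.
// Returns true only if every worker found the pointer valid and the thunk
// answered correctly for both an equivalent and a non-equivalent pair.
bool exerciseStartupThunk(int threads) {
    VM vm;
    std::atomic<int> ok{0};
    std::vector<std::thread> workers;
    for (int i = 0; i < threads; ++i) {
        workers.emplace_back([&] {
            ThunkFn fn = vm.areCanonicallyEquivalentThunk;
            bool good = fn != nullptr && fn('a', 'A') && !fn('a', 'b');
            if (good)
                ok.fetch_add(1);
        });
    }
    for (auto& w : workers)
        w.join();
    return ok.load() == threads;
}

int main() {
    return exerciseStartupThunk(8) ? 0 : 1;
}
```

The point of the contrast is that the startup variant removes the race by construction rather than by adding synchronization: once the pointer is written before the threads that read it are created, thread creation itself provides the ordering, and the call site stays a plain indirect call.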
Michael Saboff
Comment 1 2024-04-17 16:19:57 PDT
Michael Saboff
Comment 2 2024-04-17 16:24:52 PDT
EWS
Comment 3 2024-04-18 20:49:51 PDT
Committed 277722@main (bd4bbbbc4c51): <https://commits.webkit.org/277722@main> Reviewed commits have been landed. Closing PR #27418 and removing active labels.