Bug 56470 - Crash in JSC::MarkStack::drain Under Stress
Summary: Crash in JSC::MarkStack::drain Under Stress
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: All OS X 10.5
Priority: P1 Normal
Assignee: Oliver Hunt
URL:
Keywords: InRadar, LayoutTestFailure, MakingBotsRed
Duplicates: 56641
Depends on:
Blocks:

Reported: 2011-03-16 10:01 PDT by Michael Saboff
Modified: 2011-03-18 10:47 PDT

See Also:

Attachments
Patch (5.27 KB, patch)
2011-03-17 16:34 PDT, Oliver Hunt
ggaren: review+

Description Michael Saboff 2011-03-16 10:01:38 PDT
When running Safari self test, I encounter a crash in JSC::MarkStack::drain.  The crash trace below MarkStack::drain() varies.  Here is one such crash on build 81173:

Thread 0 name:  Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0   com.apple.JavaScriptCore      	0x000000010fc93fde JSC::MarkStack::drain() + 184
1   com.apple.JavaScriptCore      	0x000000010fc76a27 JSC::evaluate(JSC::ExecState*, JSC::ScopeChainNode*, JSC::SourceCode const&, JSC::JSValue) + 199
2   com.apple.WebCore             	0x000000011047ba9b WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*) + 427
3   com.apple.WebCore             	0x000000011047b88c WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) + 44
4   com.apple.WebCore             	0x0000000110e3bb0a WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 108
5   com.apple.WebCore             	0x0000000110a1af0a WebCore::HTMLScriptRunner::executePendingScriptAndDispatchEvent(WebCore::PendingScript&) + 476
6   com.apple.WebCore             	0x0000000110a1b1fa WebCore::HTMLScriptRunner::executeParsingBlockingScript() + 46
7   com.apple.WebCore             	0x0000000110a1b36a WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition<WTF::OneBasedNumber> const&) + 98
8   com.apple.WebCore             	0x00000001109eeccf WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() + 87
9   com.apple.WebCore             	0x00000001109eedcc WebCore::HTMLDocumentParser::canTakeNextToken(WebCore::HTMLDocumentParser::SynchronousMode, WebCore::PumpSession&) + 88
10  com.apple.WebCore             	0x00000001109eeff2 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 398
11  com.apple.WebCore             	0x00000001109ef480 WebCore::HTMLDocumentParser::append(WebCore::SegmentedString const&) + 142
12  com.apple.WebCore             	0x000000011087a59d WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter*, char const*, int, bool) + 377
13  com.apple.WebCore             	0x000000011088e287 WebCore::DocumentLoader::commitData(char const*, int) + 87
14  com.apple.WebKit              	0x000000010fe682f2 -[WebHTMLRepresentation receivedData:withDataSource:] + 98
15  com.apple.WebKit              	0x000000010fe681f0 -[WebDataSource(WebInternal) _receivedData:] + 80
16  com.apple.WebKit              	0x000000010fe6817b WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) + 105
17  com.apple.WebCore             	0x0000000110434c86 WebCore::DocumentLoader::commitLoad(char const*, int) + 166
18  com.apple.WebCore             	0x00000001104346e5 WebCore::ResourceLoader::didReceiveData(char const*, int, long long, bool) + 57
19  com.apple.WebCore             	0x00000001104344f3 WebCore::MainResourceLoader::didReceiveData(char const*, int, long long, bool) + 617
20  com.apple.WebCore             	0x000000011043425f WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle*, char const*, int, int) + 175
21  com.apple.Foundation          	0x00007fff82d21c4e ___NSURLConnectionDidReceiveData_block_invoke_1 + 144
22  com.apple.Foundation          	0x00007fff82c42ef2 _NSURLConnectionDidReceiveData + 86
23  com.apple.CFNetwork           	0x00007fff85628362 URLConnectionClient::_clientDidReceiveData(__CFArray const*, URLConnectionClient::ClientConnectionEventQueue*) + 426
24  com.apple.CFNetwork           	0x00007fff8562763a URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 818
25  com.apple.CFNetwork           	0x00007fff85627849 URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 1345
26  com.apple.CFNetwork           	0x00007fff855627af URLConnectionClient::processEvents() + 185
27  com.apple.CFNetwork           	0x00007fff85562662 MultiplexerSource::perform() + 212
28  com.apple.CoreFoundation      	0x00007fff8829300c __CFRunLoopDoSources0 + 444
29  com.apple.CoreFoundation      	0x00007fff88292919 __CFRunLoopRun + 905
30  com.apple.CoreFoundation      	0x00007fff88292356 CFRunLoopRunSpecific + 230
31  com.apple.Foundation          	0x00007fff82ce0cdc -[NSRunLoop(NSRunLoop) limitDateForMode:] + 191
32  com.apple.Safari.framework    	0x000000010f4080f7 -[AppController application:runTest:duration:] + 685
33  com.apple.AppKit              	0x00007fff88e69c72 -[NSApplication(NSAppleEventHandling) _handleSelfTestEvent:] + 389
34  com.apple.AppKit              	0x00007fff88e69cb0 -[NSApplication(NSAppleEventHandling) _handleTestEvent:withReplyEvent:] + 60
35  com.apple.CoreFoundation      	0x00007fff8836c701 -[NSObject performSelector:withObject:withObject:] + 65
36  com.apple.Foundation          	0x00007fff82c53cec __-[NSAppleEventManager setEventHandler:andSelector:forEventClass:andEventID:]_block_invoke_1 + 101
37  com.apple.Foundation          	0x00007fff82bf6f0a -[NSAppleEventManager dispatchRawAppleEvent:withRawReply:handlerRefCon:] + 283
38  com.apple.Foundation          	0x00007fff82bf6d98 _NSAppleEventManagerGenericHandler + 105
39  com.apple.AE                  	0x00007fff86c2689a aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) + 200
40  com.apple.AE                  	0x00007fff86c26778 _ZL25dispatchEventAndSendReplyPK6AEDescPS_ + 38
41  com.apple.AE                  	0x00007fff86c2666c aeProcessAppleEvent + 250
42  com.apple.HIToolbox           	0x00007fff897b8a01 AEProcessAppleEvent + 102
43  com.apple.AppKit              	0x00007fff88c1321d _DPSNextEvent + 1247
44  com.apple.AppKit              	0x00007fff88c128d6 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 135
45  com.apple.Safari.framework    	0x000000010f44cca6 -[BrowserApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 171
46  com.apple.AppKit              	0x00007fff88bd753e -[NSApplication run] + 456
47  com.apple.AppKit              	0x00007fff88bd033d NSApplicationMain + 860
48  com.apple.Safari.framework    	0x000000010f60ee85 SafariMain + 197
49  RealSafari                    	0x000000010f3edf24 0x10f3ed000 + 3876
Comment 1 Adam Roben (:aroben) 2011-03-17 09:57:08 PDT
The SnowLeopard WebKit2 bot just hit a crash in MarkStack::drain; maybe it's the same issue?

http://build.webkit.org/results/SnowLeopard%20Intel%20Release%20(WebKit2%20Tests)/r81355%20(9789)/svg/zoom/page/zoom-getBoundingClientRect-crash-log.txt
Comment 3 Michael Saboff 2011-03-17 10:09:42 PDT
I would characterize the two bot crashes as the same defect.  I found various variations of the crash and these two look consistent with other crashes I saw.
Comment 4 Sam Weinig 2011-03-17 10:41:49 PDT
<rdar://problem/9149155>
Comment 5 Oliver Hunt 2011-03-17 16:34:03 PDT
Created attachment 86110 [details]
Patch
Comment 7 Geoffrey Garen 2011-03-17 16:53:36 PDT
Comment on attachment 86110 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=86110&action=review

r=me

> Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:301
> +        if (symbolTable->size() != expectedSize)
> +            CRASH();
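Review bot: The invariant checked at BytecodeGenerator.cpp:301 is undocumented in the quoted lines; a one-line comment stating why symbolTable->size() must equal expectedSize at this point, and what a mismatch would indicate, would make the check reviewable. expectedSize is computed outside the quoted lines, so the comment should also say where it is taken so a reader can confirm both sizes are measured under the same conditions; and since the choice between CRASH() and ASSERT() decides whether release builds keep the check at all, it should state whether a mismatch is considered reachable in release.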

Should be ASSERT.
Comment 8 Oliver Hunt 2011-03-17 16:58:22 PDT
Committed r81411: <http://trac.webkit.org/changeset/81411>
Comment 9 Oliver Hunt 2011-03-18 10:47:26 PDT
*** Bug 56641 has been marked as a duplicate of this bug. ***