Bug 56470: RESOLVED FIXED
Crash in JSC::MarkStack::drain Under Stress
https://bugs.webkit.org/show_bug.cgi?id=56470
Michael Saboff
Reported 2011-03-16 10:01:38 PDT
When running Safari self test, I encounter a crash in JSC::MarkStack::drain. The crash trace below MarkStack::drain() varies. Here is one such crash on build 81173:

Thread 0 name: Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0 com.apple.JavaScriptCore 0x000000010fc93fde JSC::MarkStack::drain() + 184
1 com.apple.JavaScriptCore 0x000000010fc76a27 JSC::evaluate(JSC::ExecState*, JSC::ScopeChainNode*, JSC::SourceCode const&, JSC::JSValue) + 199
2 com.apple.WebCore 0x000000011047ba9b WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*) + 427
3 com.apple.WebCore 0x000000011047b88c WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) + 44
4 com.apple.WebCore 0x0000000110e3bb0a WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 108
5 com.apple.WebCore 0x0000000110a1af0a WebCore::HTMLScriptRunner::executePendingScriptAndDispatchEvent(WebCore::PendingScript&) + 476
6 com.apple.WebCore 0x0000000110a1b1fa WebCore::HTMLScriptRunner::executeParsingBlockingScript() + 46
7 com.apple.WebCore 0x0000000110a1b36a WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition<WTF::OneBasedNumber> const&) + 98
8 com.apple.WebCore 0x00000001109eeccf WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() + 87
9 com.apple.WebCore 0x00000001109eedcc WebCore::HTMLDocumentParser::canTakeNextToken(WebCore::HTMLDocumentParser::SynchronousMode, WebCore::PumpSession&) + 88
10 com.apple.WebCore 0x00000001109eeff2 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 398
11 com.apple.WebCore 0x00000001109ef480 WebCore::HTMLDocumentParser::append(WebCore::SegmentedString const&) + 142
12 com.apple.WebCore 0x000000011087a59d WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter*, char const*, int, bool) + 377
13 com.apple.WebCore 0x000000011088e287 WebCore::DocumentLoader::commitData(char const*, int) + 87
14 com.apple.WebKit 0x000000010fe682f2 -[WebHTMLRepresentation receivedData:withDataSource:] + 98
15 com.apple.WebKit 0x000000010fe681f0 -[WebDataSource(WebInternal) _receivedData:] + 80
16 com.apple.WebKit 0x000000010fe6817b WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) + 105
17 com.apple.WebCore 0x0000000110434c86 WebCore::DocumentLoader::commitLoad(char const*, int) + 166
18 com.apple.WebCore 0x00000001104346e5 WebCore::ResourceLoader::didReceiveData(char const*, int, long long, bool) + 57
19 com.apple.WebCore 0x00000001104344f3 WebCore::MainResourceLoader::didReceiveData(char const*, int, long long, bool) + 617
20 com.apple.WebCore 0x000000011043425f WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle*, char const*, int, int) + 175
21 com.apple.Foundation 0x00007fff82d21c4e ___NSURLConnectionDidReceiveData_block_invoke_1 + 144
22 com.apple.Foundation 0x00007fff82c42ef2 _NSURLConnectionDidReceiveData + 86
23 com.apple.CFNetwork 0x00007fff85628362 URLConnectionClient::_clientDidReceiveData(__CFArray const*, URLConnectionClient::ClientConnectionEventQueue*) + 426
24 com.apple.CFNetwork 0x00007fff8562763a URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 818
25 com.apple.CFNetwork 0x00007fff85627849 URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 1345
26 com.apple.CFNetwork 0x00007fff855627af URLConnectionClient::processEvents() + 185
27 com.apple.CFNetwork 0x00007fff85562662 MultiplexerSource::perform() + 212
28 com.apple.CoreFoundation 0x00007fff8829300c __CFRunLoopDoSources0 + 444
29 com.apple.CoreFoundation 0x00007fff88292919 __CFRunLoopRun + 905
30 com.apple.CoreFoundation 0x00007fff88292356 CFRunLoopRunSpecific + 230
31 com.apple.Foundation 0x00007fff82ce0cdc -[NSRunLoop(NSRunLoop) limitDateForMode:] + 191
32 com.apple.Safari.framework 0x000000010f4080f7 -[AppController application:runTest:duration:] + 685
33 com.apple.AppKit 0x00007fff88e69c72 -[NSApplication(NSAppleEventHandling) _handleSelfTestEvent:] + 389
34 com.apple.AppKit 0x00007fff88e69cb0 -[NSApplication(NSAppleEventHandling) _handleTestEvent:withReplyEvent:] + 60
35 com.apple.CoreFoundation 0x00007fff8836c701 -[NSObject performSelector:withObject:withObject:] + 65
36 com.apple.Foundation 0x00007fff82c53cec __-[NSAppleEventManager setEventHandler:andSelector:forEventClass:andEventID:]_block_invoke_1 + 101
37 com.apple.Foundation 0x00007fff82bf6f0a -[NSAppleEventManager dispatchRawAppleEvent:withRawReply:handlerRefCon:] + 283
38 com.apple.Foundation 0x00007fff82bf6d98 _NSAppleEventManagerGenericHandler + 105
39 com.apple.AE 0x00007fff86c2689a aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) + 200
40 com.apple.AE 0x00007fff86c26778 _ZL25dispatchEventAndSendReplyPK6AEDescPS_ + 38
41 com.apple.AE 0x00007fff86c2666c aeProcessAppleEvent + 250
42 com.apple.HIToolbox 0x00007fff897b8a01 AEProcessAppleEvent + 102
43 com.apple.AppKit 0x00007fff88c1321d _DPSNextEvent + 1247
44 com.apple.AppKit 0x00007fff88c128d6 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 135
45 com.apple.Safari.framework 0x000000010f44cca6 -[BrowserApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 171
46 com.apple.AppKit 0x00007fff88bd753e -[NSApplication run] + 456
47 com.apple.AppKit 0x00007fff88bd033d NSApplicationMain + 860
48 com.apple.Safari.framework 0x000000010f60ee85 SafariMain + 197
49 RealSafari 0x000000010f3edf24 0x10f3ed000 + 3876
Attachments
Patch (5.27 KB, patch)
2011-03-17 16:34 PDT, Oliver Hunt
ggaren: review+
Adam Roben (:aroben)
Comment 1 2011-03-17 09:57:08 PDT
Michael Saboff
Comment 3 2011-03-17 10:09:42 PDT
I would characterize the two bot crashes as the same defect. I found various variations of the crash and these two look consistent with other crashes I saw.
Sam Weinig
Comment 4 2011-03-17 10:41:49 PDT
Oliver Hunt
Comment 5 2011-03-17 16:34:03 PDT
Geoffrey Garen
Comment 7 2011-03-17 16:53:36 PDT
Comment on attachment 86110 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=86110&action=review

r=me

> Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:301
> +    if (symbolTable->size() != expectedSize)
> +        CRASH();

Should be ASSERT.
Oliver Hunt
Comment 8 2011-03-17 16:58:22 PDT
Oliver Hunt
Comment 9 2011-03-18 10:47:26 PDT
*** Bug 56641 has been marked as a duplicate of this bug. ***