From <rdar://problem/9931094>

Received a crash running iAds tests. The traceback is:

0 JavaScriptCore 0x34d76dee JSC::Structure::visitChildren(JSC::MarkStack&) + 450
1 JavaScriptCore 0x34d7544c JSC::MarkStack::visitChildren(JSC::JSCell*) + 584
2 JavaScriptCore 0x34d75104 JSC::MarkStack::drain() + 296
3 JavaScriptCore 0x34d74aae JSC::Heap::markRoots() + 130
4 JavaScriptCore 0x34d749d2 JSC::Heap::reset(JSC::Heap::SweepToggle) + 14
5 JavaScriptCore 0x34d37602 JSC::Heap::reportExtraMemoryCostSlowCase(unsigned long) + 34
6 WebCore 0x3784df32 WebCore::HTMLCanvasElement::createImageBuffer() const + 402
7 WebCore 0x3784dd88 WebCore::HTMLCanvasElement::drawingContext() const + 12
8 WebCore 0x3784dc40 WebCore::CanvasRenderingContext2D::CanvasRenderingContext2D(WebCore::HTMLCanvasElement*, bool, bool) + 128
9 WebCore 0x3784db04 WebCore::HTMLCanvasElement::getContext(WTF::String const&, WebCore::CanvasContextAttributes*) + 76
10 WebCore 0x3784da24 WebCore::JSHTMLCanvasElement::getContext(JSC::ExecState*) + 1264
11 WebCore 0x3784d522 WebCore::jsHTMLCanvasElementPrototypeFunctionGetContext(JSC::ExecState*) + 90
12 ??? 0x20f24278 0 + 552747640
13 JavaScriptCore 0x34d73596 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 46
14 JavaScriptCore 0x34ddb0b6 JSC::PropertySlot::functionGetter(JSC::ExecState*) const + 130
15 JavaScriptCore 0x34d38c7c JSC::JSValue::get(JSC::ExecState*, JSC::Identifier const&, JSC::PropertySlot&) const + 700
16 JavaScriptCore 0x34d3cf5e JITStubThunked_op_get_by_id + 70
17 JavaScriptCore 0x34d3cf0a cti_op_get_by_id + 2
18 JavaScriptCore 0x34d73596 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 46
19 JavaScriptCore 0x34d0a702 JSC::JSObject::put(JSC::ExecState*, JSC::Identifier const&, JSC::JSValue, JSC::PutPropertySlot&) + 682
20 JavaScriptCore 0x34d3dfd4 JITStubThunked_op_put_by_id + 108
21 JavaScriptCore 0x34d3df5a cti_op_put_by_id + 2
22 JavaScriptCore 0x34d73596 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 46
23 WebCore 0x377ae2e8 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 580
24 WebCore 0x377ae070 WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector&) + 272
25 WebCore 0x376b5c14 WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 136
26 WebCore 0x376bc18a WebCore::Node::handleLocalEvents(WebCore::Event*) + 54
27 WebCore 0x376bb9da WebCore::EventDispatcher::dispatchEvent(WTF::PassRefPtr) + 542
28 WebCore 0x376bb78c WebCore::EventDispatchMediator::dispatchEvent(WebCore::EventDispatcher*) const + 24
29 WebCore 0x376bb760 WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WebCore::EventDispatchMediator const&) + 92
30 WebCore 0x376bb6b8 WebCore::Node::dispatchEvent(WTF::PassRefPtr) + 28
31 WebCore 0x377fdcb6 WebCore::AnimationControllerPrivate::fireEventsAndUpdateStyle() + 162
32 WebCore 0x376a4240 WebCore::ThreadTimers::sharedTimerFiredInternal() + 92
33 WebCore 0x376a41b2 __ZN7WebCoreL10timerFiredEP16__CFRunLoopTimerPv + 58
34 CoreFoundation 0x335fca60 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 8
35 CoreFoundation 0x335fc6c6 __CFRunLoopDoTimer + 358
36 CoreFoundation 0x335fb29c __CFRunLoopRun + 1200
37 CoreFoundation 0x3357e4ee CFRunLoopRunSpecific + 294
38 CoreFoundation 0x3357e3b6 CFRunLoopRunInMode + 98
39 WebCore 0x376f6f60 __ZL12RunWebThreadPv + 396
40 libsystem_c.dylib 0x35d4b95e _pthread_start + 314
41 libsystem_c.dylib 0x35d4e600 thread_start + 0

Getting the crash at the end of ContainerNode::insertBefore before it calls dispatchSubtreeModifiedEvent to notify all children of the change. The node doesn't appear to be corrupt at the beginning of insertBefore processing. This code does have a comment that nodes can be GC'd out from under it.

Trying to refine where the code is getting trashed…

I believe that the problem is in a JIT-generated put_by_id that is generated in JIT::privateCompilePutByIdTransition(). I am instrumenting and branching to backup code to further debug.

It looks like, on ARM only, our JITStubCall mechanism tramples r0 before invoking optimized put_by_id for new properties.
Created attachment 104128: Proposed patch
Attachment 104128 did not pass style-queue:

Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'Source/JavaScriptCore/ChangeLog', u'Source..." exit_code: 1
Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp:473: Should have only a single space after a punctuation in a comment. [whitespace/comments] [5]
Total errors found: 1 in 2 files

If any of these errors are false positives, please file a bug against check-webkit-style.
Comment on attachment 104128: Proposed patch

Hey Michael, looks great, should fix the style bot's issue.
Committed r93189: <http://trac.webkit.org/changeset/93189>
Can a regression test be made for this? Or are we running iAd.js as part of our regression tests already?