RESOLVED FIXED 66351
Crash in Structure::visitChildren running iAd.js regression test suite under memory pressure
https://bugs.webkit.org/show_bug.cgi?id=66351
Michael Saboff
Reported 2011-08-16 16:51:07 PDT
From <rdar://problem/9931094>

Received a crash running iAds tests. The traceback is:

0   JavaScriptCore      0x34d76dee JSC::Structure::visitChildren(JSC::MarkStack&) + 450
1   JavaScriptCore      0x34d7544c JSC::MarkStack::visitChildren(JSC::JSCell*) + 584
2   JavaScriptCore      0x34d75104 JSC::MarkStack::drain() + 296
3   JavaScriptCore      0x34d74aae JSC::Heap::markRoots() + 130
4   JavaScriptCore      0x34d749d2 JSC::Heap::reset(JSC::Heap::SweepToggle) + 14
5   JavaScriptCore      0x34d37602 JSC::Heap::reportExtraMemoryCostSlowCase(unsigned long) + 34
6   WebCore             0x3784df32 WebCore::HTMLCanvasElement::createImageBuffer() const + 402
7   WebCore             0x3784dd88 WebCore::HTMLCanvasElement::drawingContext() const + 12
8   WebCore             0x3784dc40 WebCore::CanvasRenderingContext2D::CanvasRenderingContext2D(WebCore::HTMLCanvasElement*, bool, bool) + 128
9   WebCore             0x3784db04 WebCore::HTMLCanvasElement::getContext(WTF::String const&, WebCore::CanvasContextAttributes*) + 76
10  WebCore             0x3784da24 WebCore::JSHTMLCanvasElement::getContext(JSC::ExecState*) + 1264
11  WebCore             0x3784d522 WebCore::jsHTMLCanvasElementPrototypeFunctionGetContext(JSC::ExecState*) + 90
12  ???                 0x20f24278 0 + 552747640
13  JavaScriptCore      0x34d73596 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 46
14  JavaScriptCore      0x34ddb0b6 JSC::PropertySlot::functionGetter(JSC::ExecState*) const + 130
15  JavaScriptCore      0x34d38c7c JSC::JSValue::get(JSC::ExecState*, JSC::Identifier const&, JSC::PropertySlot&) const + 700
16  JavaScriptCore      0x34d3cf5e JITStubThunked_op_get_by_id + 70
17  JavaScriptCore      0x34d3cf0a cti_op_get_by_id + 2
18  JavaScriptCore      0x34d73596 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 46
19  JavaScriptCore      0x34d0a702 JSC::JSObject::put(JSC::ExecState*, JSC::Identifier const&, JSC::JSValue, JSC::PutPropertySlot&) + 682
20  JavaScriptCore      0x34d3dfd4 JITStubThunked_op_put_by_id + 108
21  JavaScriptCore      0x34d3df5a cti_op_put_by_id + 2
22  JavaScriptCore      0x34d73596 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 46
23  WebCore             0x377ae2e8 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 580
24  WebCore             0x377ae070 WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector&) + 272
25  WebCore             0x376b5c14 WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 136
26  WebCore             0x376bc18a WebCore::Node::handleLocalEvents(WebCore::Event*) + 54
27  WebCore             0x376bb9da WebCore::EventDispatcher::dispatchEvent(WTF::PassRefPtr) + 542
28  WebCore             0x376bb78c WebCore::EventDispatchMediator::dispatchEvent(WebCore::EventDispatcher*) const + 24
29  WebCore             0x376bb760 WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WebCore::EventDispatchMediator const&) + 92
30  WebCore             0x376bb6b8 WebCore::Node::dispatchEvent(WTF::PassRefPtr) + 28
31  WebCore             0x377fdcb6 WebCore::AnimationControllerPrivate::fireEventsAndUpdateStyle() + 162
32  WebCore             0x376a4240 WebCore::ThreadTimers::sharedTimerFiredInternal() + 92
33  WebCore             0x376a41b2 __ZN7WebCoreL10timerFiredEP16__CFRunLoopTimerPv + 58
34  CoreFoundation      0x335fca60 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 8
35  CoreFoundation      0x335fc6c6 __CFRunLoopDoTimer + 358
36  CoreFoundation      0x335fb29c __CFRunLoopRun + 1200
37  CoreFoundation      0x3357e4ee CFRunLoopRunSpecific + 294
38  CoreFoundation      0x3357e3b6 CFRunLoopRunInMode + 98
39  WebCore             0x376f6f60 __ZL12RunWebThreadPv + 396
40  libsystem_c.dylib   0x35d4b95e _pthread_start + 314
41  libsystem_c.dylib   0x35d4e600 thread_start + 0

Getting the crash at the end of ContainerNode::insertBefore before it calls dispatchSubtreeModifiedEvent to notify all children of the change. The node doesn't appear to be corrupt at the beginning of insertBefore processing. This code does have a comment that nodes can be GC'd out from under it.

Trying to refine where the code is getting trashed….

I believe that the problem is in a JIT generated put by id that is generated in JIT::privateCompilePutByIdTransition(). I am instrumenting and branching to backup code to further debug.

It looks like, on ARM only, our JITStubCall mechanism tramples r0 before invoking optimized put_by_id for new properties.
Attachments
Proposed patch (4.73 KB, patch)
2011-08-16 17:22 PDT, Michael Saboff
barraclough: review+
Michael Saboff
Comment 1 2011-08-16 17:22:28 PDT
Created attachment 104128: Proposed patch
WebKit Review Bot
Comment 2 2011-08-16 17:28:31 PDT
Attachment 104128 did not pass style-queue:

Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'Source/JavaScriptCore/ChangeLog', u'Source..." exit_code: 1
Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp:473:  Should have only a single space after a punctuation in a comment.  [whitespace/comments] [5]
Total errors found: 1 in 2 files

If any of these errors are false positives, please file a bug against check-webkit-style.
Gavin Barraclough
Comment 3 2011-08-16 17:46:45 PDT
Comment on attachment 104128: Proposed patch

Hey Michael, looks great, should fix the style bot's issue.
Michael Saboff
Comment 4 2011-08-16 18:34:49 PDT
Alexey Proskuryakov
Comment 5 2011-08-17 10:42:26 PDT
Can a regression test be made for this? Or are we running iAd.js as part of our regression tests already?