Bug 90209 - Webkit crashes in DFG on Google Docs when creating a new document
Summary: Webkit crashes in DFG on Google Docs when creating a new document
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Mac OS X 10.6
: P1 Critical
Assignee: Filip Pizlo
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-06-28 14:33 PDT by Elliott Sprehn
Modified: 2021-09-03 18:50 PDT

See Also:


Attachments
the patch (9.67 KB, patch)
2012-06-29 20:39 PDT, Filip Pizlo
barraclough: review+

Description Elliott Sprehn 2012-06-28 14:33:23 PDT
Process:         WebProcess [18394]
Path:            /Applications/WebKit.app/Contents/Frameworks/10.6/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess
Identifier:      com.apple.WebProcess
Version:         537+ (537.1+)
Code Type:       X86-64 (Native)
Parent Process:  Safari [18389]

Date/Time:       2012-06-28 14:31:45.456 -0700
OS Version:      Mac OS X 10.6.8 (10K549)
Report Version:  6

Interval Since Last Report:          110230 sec
Crashes Since Last Report:           7
Per-App Interval Since Last Report:  191672 sec
Per-App Crashes Since Last Report:   7
Anonymous UUID:                      ACBC7F66-38E8-4DED-AF6F-3F742A121163

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000003922d26fe4
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x000000010123d5f5 JSC::DFG::CFGSimplificationPhase::mergeBlocks(unsigned int, unsigned int, unsigned int) + 1365
1   com.apple.JavaScriptCore      	0x000000010123c9e5 JSC::DFG::CFGSimplificationPhase::run() + 389
2   com.apple.JavaScriptCore      	0x000000010123c850 JSC::DFG::performCFGSimplification(JSC::DFG::Graph&) + 32
3   com.apple.JavaScriptCore      	0x000000010105fb75 JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*) + 853
4   com.apple.JavaScriptCore      	0x000000010105f81a JSC::DFG::tryCompileFunction(JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr&) + 26
5   com.apple.JavaScriptCore      	0x00000001010c5e94 JSC::jitCompileFunctionIfAppropriate(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::SharedSymbolTable*&, JSC::JITCode::JITType, JSC::JITCompilationEffort) + 308
6   com.apple.JavaScriptCore      	0x00000001010c4916 JSC::FunctionExecutable::compileForCallInternal(JSC::ExecState*, JSC::ScopeChainNode*, JSC::JITCode::JITType) + 294
7   com.apple.JavaScriptCore      	0x00000001011126b2 cti_optimize + 258
8   ???                           	0x000037947cfa2edf 0 + 61110891458271
9   com.apple.JavaScriptCore      	0x00000001010d0826 JSC::Interpreter::execute(JSC::EvalExecutable*, JSC::ExecState*, JSC::JSValue, JSC::ScopeChainNode*, int) + 1190
10  com.apple.JavaScriptCore      	0x000000010113842f JSC::globalFuncEval(JSC::ExecState*) + 1231
11  ???                           	0x000037947ca01265 0 + 61110885552741
12  com.apple.JavaScriptCore      	0x00000001010d3701 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 913
13  com.apple.JavaScriptCore      	0x0000000101028d44 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 52
14  com.apple.JavaScriptCore      	0x0000000101122600 JSC::boundFunctionCall(JSC::ExecState*) + 400
15  ???                           	0x000037947ca01265 0 + 61110885552741
16  com.apple.JavaScriptCore      	0x00000001010d3701 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 913
17  com.apple.JavaScriptCore      	0x0000000101028d44 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 52
18  com.apple.JavaScriptCore      	0x0000000101122600 JSC::boundFunctionCall(JSC::ExecState*) + 400
19  ???                           	0x000037947ca01265 0 + 61110885552741
20  com.apple.JavaScriptCore      	0x00000001010d3701 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 913
21  com.apple.JavaScriptCore      	0x0000000101028d44 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 52
22  com.apple.JavaScriptCore      	0x0000000101122600 JSC::boundFunctionCall(JSC::ExecState*) + 400
23  com.apple.JavaScriptCore      	0x00000001010d3821 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1201
24  com.apple.JavaScriptCore      	0x0000000101028d44 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 52
25  com.apple.WebCore             	0x0000000101988ad5 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 901
26  com.apple.WebCore             	0x0000000101690397 WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul>&) + 215
27  com.apple.WebCore             	0x000000010169022d WebCore::EventTarget::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) + 141
28  com.apple.WebCore             	0x0000000101fd1526 WebCore::XMLHttpRequestProgressEventThrottle::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) + 342
29  com.apple.WebCore             	0x0000000101fd1598 WebCore::XMLHttpRequestProgressEventThrottle::dispatchReadyStateChangeEvent(WTF::PassRefPtr<WebCore::Event>, WebCore::ProgressEventAction) + 56
30  com.apple.WebCore             	0x0000000101fcc7d2 WebCore::XMLHttpRequest::callReadyStateChangeListener() + 354
31  com.apple.WebCore             	0x0000000101fd0306 WebCore::XMLHttpRequest::didFinishLoading(unsigned long, double) + 358
32  com.apple.WebCore             	0x0000000101552547 WebCore::DocumentThreadableLoader::notifyFinished(WebCore::CachedResource*) + 423
33  com.apple.WebCore             	0x000000010142788d WebCore::CachedResource::checkNotify() + 93
34  com.apple.WebCore             	0x00000001014267e0 WebCore::CachedRawResource::data(WTF::PassRefPtr<WebCore::SharedBuffer>, bool) + 448
35  com.apple.WebCore             	0x0000000101e545df WebCore::SubresourceLoader::didFinishLoading(double) + 143
36  com.apple.Foundation          	0x00007fff83d3786c _NSURLConnectionDidFinishLoading + 113
37  com.apple.CFNetwork           	0x00007fff8117a0ea URLConnectionClient::_clientDidFinishLoading(URLConnectionClient::ClientConnectionEventQueue*) + 174
38  com.apple.CFNetwork           	0x00007fff811e022c URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 254
39  com.apple.CFNetwork           	0x00007fff811e0498 URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 874
40  com.apple.CFNetwork           	0x00007fff811666d7 URLConnectionClient::processEvents() + 121
41  com.apple.CFNetwork           	0x00007fff811664b2 MultiplexerSource::perform() + 160
42  com.apple.CoreFoundation      	0x00007fff86c6327d __CFRunLoopDoSources0 + 1021
43  com.apple.CoreFoundation      	0x00007fff86c615c9 __CFRunLoopRun + 873
44  com.apple.CoreFoundation      	0x00007fff86c60d8f CFRunLoopRunSpecific + 575
45  com.apple.HIToolbox           	0x00007fff81b7e7ee RunCurrentEventLoopInMode + 333
46  com.apple.HIToolbox           	0x00007fff81b7e5f3 ReceiveNextEventCommon + 310
47  com.apple.HIToolbox           	0x00007fff81b7e4ac BlockUntilNextEventMatchingListInMode + 59
48  com.apple.AppKit              	0x00007fff89c86eb2 _DPSNextEvent + 708
49  com.apple.AppKit              	0x00007fff89c86801 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 155
50  com.apple.AppKit              	0x00007fff89c4c68f -[NSApplication run] + 395
51  com.apple.WebCore             	0x0000000101d8fd23 WebCore::RunLoop::run() + 67
52  com.apple.WebKit2             	0x00000001002e1d4a WebKit::WebProcessMain(WebKit::CommandLine const&) + 700
53  com.apple.WebKit2             	0x000000010029779b WebKitMain + 285
54  com.apple.WebProcess          	0x0000000100000e5e main + 214
55  com.apple.WebProcess          	0x0000000100000d80 start + 52
Comment 1 Filip Pizlo 2012-06-29 20:07:33 PDT
Nice catch, and thanks for the bug report.

It appears that the control flow graph simplification phase (DFGCFGSimplificationPhase) was forgetting to check if a variable was captured when doing variable relinking.

It was seeing IR like:

a: GetLocal(stuff, r15*)
b: Phantom(@a)

Ordinarily, if merging two basic blocks with the second block having IR like the above, it should find the last access to local r15 and relink the Phantom to that access.

But this is not true for captured variables, where the same basic block may have had a store to r15, and the previous block(s) had no mention of r15.  This was true in this case, so its attempt to find an access to r15 in the previous block failed.

Simple fix on the way.  I will try to write a reduced test case as well.
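The relinking failure that comment 1 describes, as an illustrative C++ model added here; it is not JavaScriptCore source and the attached patch is the real fix. The block and node layout, the `variablesAtTail` map, the `checkCaptured` switch and the scenario-building helpers are all assumptions of this model. It builds the two block shapes from the comment (a captured r15 stored and reloaded in the second block while the predecessor never touches r15, and the ordinary case where the predecessor's last access to r15 is the relink target) and merges them with and without the captured-variable check. The real phase dereferenced the missing node and crashed with EXC_BAD_ACCESS; the model throws at the same point.

```cpp
// Illustrative model, added here, of the relinking step that comment 1 describes.
// This is not JavaScriptCore source: the node/block layout, the names and the
// checkCaptured switch are assumptions of this model. Register numbers follow
// the comment's example (r15 is the captured local).
#include <iostream>
#include <map>
#include <stdexcept>
#include <string>
#include <vector>

enum class Op { GetLocal, SetLocal, Phantom };

struct Node {
    Op op;
    int local;   // register for GetLocal/SetLocal, -1 otherwise
    int child;   // graph index for Phantom(@child), -1 otherwise
};

struct Block {
    std::vector<int> nodes;              // indices into Graph::nodes
    std::map<int, int> variablesAtTail;  // local -> last node that accessed it
};

struct Graph {
    std::vector<Node> nodes;
    std::vector<bool> captured;          // captured flag per local register
    int add(Node n) { nodes.push_back(n); return int(nodes.size()) - 1; }
    bool isCaptured(int local) const {
        return local >= 0 && local < int(captured.size()) && captured[local];
    }
};

// Append `second` to `first`. For each Phantom(@GetLocal(rN)) in the second
// block the phase relinks the Phantom to the first block's last access of rN.
// With checkCaptured == false that is attempted for captured locals too, whose
// GetLocal may follow a store in the same block while the predecessor never
// mentioned rN; the lookup then finds nothing to relink to. The real phase
// followed that missing node (EXC_BAD_ACCESS); this model throws instead.
Block mergeBlocks(Graph& g, const Block& first, const Block& second, bool checkCaptured) {
    Block merged = first;
    for (int idx : second.nodes) {
        Node& n = g.nodes[idx];
        if (n.op == Op::Phantom && n.child >= 0) {
            const Node& child = g.nodes[n.child];
            bool skip = checkCaptured && g.isCaptured(child.local);  // the fix: leave captured loads alone
            if (child.op == Op::GetLocal && !skip) {
                auto it = first.variablesAtTail.find(child.local);
                if (it == first.variablesAtTail.end())
                    throw std::runtime_error("no access to r" + std::to_string(child.local) + " in predecessor");
                n.child = it->second;  // Phantom now points at the predecessor's last access
            }
        }
        merged.nodes.push_back(idx);
        if (n.op != Op::Phantom)
            merged.variablesAtTail[n.local] = idx;
    }
    return merged;
}

struct Scenario { Graph g; Block first, second; int firstTail = -1, getLocal = -1, phantom = -1; };

// The comment's shape (constructed): predecessor only touches r7; successor
// stores r15 (visible to a closure), reloads it, and a Phantom keeps the reload alive.
Scenario capturedScenario() {
    Scenario s;
    s.g.captured.assign(16, false);
    s.g.captured[15] = true;
    int setR7 = s.g.add({Op::SetLocal, 7, -1});
    s.first.nodes = {setR7};
    s.first.variablesAtTail[7] = setR7;
    int setR15 = s.g.add({Op::SetLocal, 15, -1});
    s.getLocal = s.g.add({Op::GetLocal, 15, -1});
    s.phantom = s.g.add({Op::Phantom, -1, s.getLocal});
    s.second.nodes = {setR15, s.getLocal, s.phantom};
    s.second.variablesAtTail[15] = s.getLocal;
    return s;
}

// The ordinary shape (constructed): a non-captured r15 is accessed at the end of
// the predecessor, so the successor's GetLocal can be relinked to that access.
Scenario ordinaryScenario() {
    Scenario s;
    s.g.captured.assign(16, false);
    s.firstTail = s.g.add({Op::GetLocal, 15, -1});
    s.first.nodes = {s.firstTail};
    s.first.variablesAtTail[15] = s.firstTail;
    s.getLocal = s.g.add({Op::GetLocal, 15, -1});
    s.phantom = s.g.add({Op::Phantom, -1, s.getLocal});
    s.second.nodes = {s.getLocal, s.phantom};
    s.second.variablesAtTail[15] = s.getLocal;
    return s;
}

bool mergeFails(Scenario s, bool checkCaptured) {
    try { mergeBlocks(s.g, s.first, s.second, checkCaptured); return false; }
    catch (const std::runtime_error&) { return true; }
}

// Index the Phantom's child points at after merging, or -1 if the merge failed.
int phantomTargetAfterMerge(Scenario s, bool checkCaptured) {
    try { mergeBlocks(s.g, s.first, s.second, checkCaptured); }
    catch (const std::runtime_error&) { return -1; }
    return s.g.nodes[s.phantom].child;
}

bool buggyMergeFailsOnCapturedLocal()  { return mergeFails(capturedScenario(), false); }
bool fixedMergeKeepsCapturedGetLocal() { Scenario s = capturedScenario(); return phantomTargetAfterMerge(s, true) == s.getLocal; }
bool ordinaryLocalIsRelinked()         { Scenario s = ordinaryScenario(); return phantomTargetAfterMerge(s, true) == s.firstTail; }

int main() {
    std::cout << "buggy merge fails on captured local: " << buggyMergeFailsOnCapturedLocal() << "\n"
              << "fixed merge keeps captured GetLocal: " << fixedMergeKeepsCapturedGetLocal() << "\n"
              << "ordinary local relinked to predecessor: " << ordinaryLocalIsRelinked() << "\n";
}
```

The point the model makes is the one in the comment: for a non-captured local the predecessor's tail access is the right relink target, but a captured local can be stored and reloaded inside the same block (the closure may observe the store), so the reload must stay a real GetLocal and the merge must not try to replace it.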
Comment 2 Filip Pizlo 2012-06-29 20:39:47 PDT
Created attachment 150300 [details]
the patch
Comment 3 Filip Pizlo 2012-06-30 12:29:09 PDT
Landed in http://trac.webkit.org/changeset/121629