<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">After looking further I found the location in the script and the bytecode that's causing the issue. The issue lies on line 9 column 30 over here: <a href="https://ghostbin.com/paste/nok6m" class="">https://ghostbin.com/paste/nok6m</a> - so the invocation of object.superview (you can see the generated bytecode over here: <a href="https://ghostbin.com/paste/prdmy" class="">https://ghostbin.com/paste/prdmy</a> and specifically the call is at instruction 124). However what's concerning is if I invoke object.superview beforehand and then reference it in the if statement the crash no longer occurs - by this I mean if I change the code to the following: <a href="https://ghostbin.com/paste/zmngw" class="">https://ghostbin.com/paste/zmngw</a> (and the associated bytecode is over here: <a href="https://ghostbin.com/paste/w6a2r" class="">https://ghostbin.com/paste/w6a2r</a> - again the call is at instruction 124 and the majority of the bytecode appears the same except for the locations are different).</div><div class=""><br class=""></div><div class="">Is it the desired behavior that the lifetime of an object that's used for value profiling is different if it's bound to a local variable as opposed to used as a temporary value?</div><div class=""><br class=""></div><div><blockquote type="cite" class=""><div class="">On Jan 17, 2017, at 2:16 PM, Geoffrey Garen <<a href="mailto:ggaren@apple.com" class="">ggaren@apple.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">…You could also try JSC_useZombieMode=1 along with JSC_useImmortalObjects=1.<div class=""><br class=""></div><div class="">Geoff</div><div class=""><br class=""><div class=""><blockquote type="cite" class=""><div class="">On Jan 17, 2017, at 12:15 PM, Geoffrey Garen <<a href="mailto:ggaren@apple.com" class="">ggaren@apple.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">You can look at the Apple iOS builders (<a href="https://build.webkit.org/console?category=iOS" class="">https://build.webkit.org/console?category=iOS</a>) to see what they do.<div class=""><br class=""></div><div class="">Geoff</div><div class=""><br class=""><div class=""><blockquote type="cite" class=""><div class="">On Jan 17, 2017, at 12:14 PM, Dan Zimmerman <<a href="mailto:daniel.zimmerman@me.com" class="">daniel.zimmerman@me.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Thanks for the tips. Do you have any tips on compiling for iOS (this is an iOS app that I've been working with)? The main issues I've ran into are that the JSCLLIntOffsetExtractor won't get the proper offsets for arm/arm64 and then when trying to just compile for simulator I got linking issues.<div class=""><br class=""></div><div class="">(Sorry Geoff for duplicating the email to you - forgot to CC the email list at first).</div><div class=""><br class=""></div><div class="">Dan</div><div class=""><br class=""><div class=""><blockquote type="cite" class=""><div class="">On Jan 17, 2017, at 2:11 PM, Geoffrey Garen <<a href="mailto:ggaren@apple.com" class="">ggaren@apple.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">One debugging technique I like is to modify the GC to run all destructors eagerly and scribble all objects with zeros. That can make the bug easier to reproduce.<div class=""><br class=""></div><div class="">Your hypothesis is that you’ve called JSValueProtect on all objects that need it. Could also be valuable to add logging to JSValueProtect and JSValueUnprotect to verify that hypothesis.<br class=""><div class=""><br class=""></div><div class="">Geoff</div><div class=""><br class=""><div class=""><blockquote type="cite" class=""><div class="">On Jan 17, 2017, at 11:52 AM, Dan Zimmerman <<a href="mailto:daniel.zimmerman@me.com" class="">daniel.zimmerman@me.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html charset=us-ascii" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">Are there any tools to debug when objects are destructed? Since this happens within a CodeBlock it must be either a captured variable or a previous argument right? All functions that I store on the heap I'm sure to JSValueProtect, so I'm unsure how to go about looking into the lifetime of those captured objects.</div><div class=""><br class=""></div><div class="">Dan</div><br class=""><div class=""><blockquote type="cite" class=""><div class="">On Jan 17, 2017, at 1:45 PM, Geoffrey Garen <<a href="mailto:ggaren@apple.com" class="">ggaren@apple.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html charset=us-ascii" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">The GC often nulls out the first word of an object after running its destructor.<div class=""><br class=""></div><div class="">The most likely cause of your bug is an object lifetime issue.</div><div class=""><br class=""></div><div class="">Geoff</div><div class=""><br class=""><div class=""><blockquote type="cite" class=""><div class="">On Jan 16, 2017, at 7:04 PM, Dan Zimmerman <<a href="mailto:daniel.zimmerman@me.com" class="">daniel.zimmerman@me.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html charset=us-ascii" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Hey,<div class=""><br class=""></div><div class="">I apologize in advanced if this mailing list is inappropriate for this content.</div><div class=""><br class=""></div><div class="">I've ran into the bug that appears to be the root issue for both <a href="https://bugs.webkit.org/show_bug.cgi?id=160027" class="">https://bugs.webkit.org/show_bug.cgi?id=160027</a> and <a href="https://bugs.webkit.org/show_bug.cgi?id=149957" class="">https://bugs.webkit.org/show_bug.cgi?id=149957</a>. I'd like to try and figure out if I'm misusing the C API/if there's anything I can do to prevent the crash (as it seems like there are plenty of clients of JSC that don't run into this issue, it makes me believe either I'm doing something wrong or there's something that I can change). Unfortunately the codebase is under an NDA so I cannot share snippets here. It appears that the JSCell that are referenced in certain code blocks are being nulled out, as the JSCell at crash looks like this:</div><div class=""><div class=""><br class=""></div><div class="">m_structureID: 0</div><div class="">m_indexingType: 0</div><div class="">m_type: UnspecifiedType (0)</div><div class="">m_flags: 0</div><div class="">m_cellState: AnthraciteOrBlack (0)</div></div><div class=""><br class=""></div><div class="">If I set the environment variable JSC_useZombieMode=1 then the crash doesn't occur (and no unexpected behavior occurs - the application actually works as desired). It feels wrong to ship anything with useZombieMode enabled so I was wondering if there's any guidance to figuring out the source of the issue.</div><div class=""><br class=""></div><div class="">Thanks,</div><div class=""><br class=""></div><div class="">Dan</div></div>_______________________________________________<br class="">jsc-dev mailing list<br class=""><a href="mailto:jsc-dev@lists.webkit.org" class="">jsc-dev@lists.webkit.org</a><br class=""><a href="https://lists.webkit.org/mailman/listinfo/jsc-dev" class="">https://lists.webkit.org/mailman/listinfo/jsc-dev</a><br class=""></div></blockquote></div><br class=""></div></div></div></blockquote></div><br class=""></div></div></blockquote></div><br class=""></div></div></div></div></blockquote></div><br class=""></div></div></div></blockquote></div><br class=""></div></div></div></blockquote></div><br class=""></div></div></div></blockquote></div><br class=""></body></html>