[Webkit-unassigned] [Bug 171266] New: [Win] Crashes in JSC::JITCode::execute while using WebInspector

bugzilla-daemon at webkit.org
Tue Apr 25 02:52:47 PDT 2017


https://bugs.webkit.org/show_bug.cgi?id=171266

            Bug ID: 171266
           Summary: [Win] Crashes in JSC::JITCode::execute while using
                    WebInspector
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: Hironori.Fujii at sony.com

[Win] Crashes in JSC::JITCode::execute while using WebInspector

WinCairo port, Release build, trunk at 215722

While I'm using the WebInspector of MiniBrowser, I often see this JSC crash.
I don't see the same crash in a Debug build.

Callstack:

> JavaScriptCore.dll!JSC::JITCode::execute(JSC::VM * vm, JSC::ProtoCallFrame * protoCallFrame) Line 82	C++
> JavaScriptCore.dll!JSC::Interpreter::executeCall(JSC::ExecState * callFrame, JSC::JSObject * function, JSC::CallType callType, const JSC::CallData & callData, JSC::JSValue thisValue, const JSC::ArgList & args) Line 954	C++
> JavaScriptCore.dll!JSC::call(JSC::ExecState * exec, JSC::JSValue functionObject, JSC::CallType callType, const JSC::CallData & callData, JSC::JSValue thisValue, const JSC::ArgList & args) Line 39	C++
> JavaScriptCore.dll!JSC::callGetter(JSC::ExecState * exec, JSC::JSValue base, JSC::JSValue getterSetter) Line 87	C++
> JavaScriptCore.dll!JSC::PropertySlot::functionGetter(JSC::ExecState * exec) Line 33	C++
> JavaScriptCore.dll!JSC::operationGetByIdOptimize::__l2::<lambda>(bool found, JSC::PropertySlot & slot) Line 264	C++
> JavaScriptCore.dll!operationGetByIdOptimize(JSC::ExecState * exec, JSC::StructureStubInfo * stubInfo, __int64 base, WTF::UniquedStringImpl * uid) Line 261	C++
> [External Code]	

Disassembly:

> --- c:\webkit\ga\source\javascriptcore\jit\jitcode.cpp -------------------------
> 
> JSValue JITCode::execute(VM* vm, ProtoCallFrame* protoCallFrame)
> {
> 00007FFF08523E50  push        rbx  
> 00007FFF08523E52  push        rsi  
> 00007FFF08523E53  push        rdi  
> 00007FFF08523E54  sub         rsp,30h  
> 00007FFF08523E58  mov         rbx,r9  
> 00007FFF08523E5B  mov         rdi,r8  
> 00007FFF08523E5E  mov         r9,rcx  
> 00007FFF08523E61  mov         rsi,rdx  
>     auto scope = DECLARE_THROW_SCOPE(*vm);
>     void* entryAddress;
>     JSFunction* function = jsDynamicCast<JSFunction*>(*vm, protoCallFrame->callee());
> 00007FFF08523E64  mov         rax,qword ptr [rbx+8]  
> 00007FFF08523E68  mov         ecx,dword ptr [rax]  
> 00007FFF08523E6A  mov         rax,qword ptr [r8+0C8h]  
> 00007FFF08523E71  btr         ecx,1Fh  
> 00007FFF08523E75  mov         rax,qword ptr [rax+rcx*8]  
> 00007FFF08523E79  mov         rax,qword ptr [rax+40h]  
> 00007FFF08523E7D  test        rax,rax  
> 00007FFF08523E80  je          JSC::JITCode::execute+4Eh (07FFF08523E9Eh)  
> 00007FFF08523E82  lea         rcx,[JSC::JSFunction::s_info (07FFF08910340h)]  
> 00007FFF08523E89  nop         dword ptr [rax]  
> 00007FFF08523E90  cmp         rax,rcx  
> 00007FFF08523E93  je          JSC::JITCode::execute+86h (07FFF08523ED6h)  
> 00007FFF08523E95  mov         rax,qword ptr [rax+8]  
> 00007FFF08523E99  test        rax,rax  
> 00007FFF08523E9C  jne         JSC::JITCode::execute+40h (07FFF08523E90h)  
>         ASSERT(!protoCallFrame->needArityCheck());
>         entryAddress = executableAddress();
> 00007FFF08523E9E  mov         rax,qword ptr [r9]  
> 00007FFF08523EA1  xor         edx,edx  
> 00007FFF08523EA3  mov         rcx,r9  
> 00007FFF08523EA6  call        qword ptr [rax+10h]  
>     JSValue result = JSValue::decode(vmEntryToJavaScript(entryAddress, vm, protoCallFrame));
> 00007FFF08523EA9  mov         r8,rbx  
> 00007FFF08523EAC  mov         rdx,rdi  
> 00007FFF08523EAF  mov         rcx,rax  
> 00007FFF08523EB2  call        vmEntryToJavaScript (07FFF08853CC0h)  
>     return scope.exception() ? jsNull() : result;
> 00007FFF08523EB7  cmp         qword ptr [rdi+81A8h],0  
> 00007FFF08523EBF  mov         ecx,2  
> 00007FFF08523EC4  cmovne      rax,rcx  
> 00007FFF08523EC8  mov         qword ptr [rsi],rax  
> 00007FFF08523ECB  mov         rax,rsi  
> }
> 00007FFF08523ECE  add         rsp,30h  
> 00007FFF08523ED2  pop         rdi  
> 00007FFF08523ED3  pop         rsi  
> 00007FFF08523ED4  pop         rbx  
> 00007FFF08523ED5  ret  
> 
>     if (!function || !protoCallFrame->needArityCheck()) {
> 00007FFF08523ED6  cmp         byte ptr [rbx+24h],0  
> 00007FFF08523EDA  je          JSC::JITCode::execute+4Eh (07FFF08523E9Eh)  
>     } else
>         entryAddress = addressForCall(MustCheckArity).executableAddress();
> 00007FFF08523EDC  mov         rax,qword ptr [r9]  
> 00007FFF08523EDF  lea         rdx,[rsp+20h]  
> 00007FFF08523EE4  mov         r8d,1  
> 00007FFF08523EEA  mov         rcx,r9  
> 00007FFF08523EED  call        qword ptr [rax+8]  
> 00007FFF08523EF0  mov         rax,qword ptr [rax]  
> 00007FFF08523EF3  jmp         JSC::JITCode::execute+59h (07FFF08523EA9h)  
> --- No source file -------------------------------------------------------------


Registers:

> RAX = 0000000000000002 RBX = 0000003A6D6FAF68 RCX = 0000000000000002 RDX = 0000021C04823720
> RSI = 0000000700000001 RDI = 0000021C83EF42E0 R8  = 0000003A6D6FBA80 R9  = 40252A53C8000000
> R10 = 0000003A6D6FAE40 R11 = 0000000000000000 R12 = 0000003A6D6FB080 R13 = 0000000000000001
> R14 = 0000021C04823720 R15 = 0000000000000002 RIP = 00007FFF08523EC8 RSP = 0000003A6D6FAEA0
> RBP = 0000003A6D6FAF99 EFL = 00010200

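The register dump and disassembly above are enough to pin down what the faulting instruction was touching, but the report leaves that step to the reader. The helper below is an added example, not part of the original report or of WebKit: it takes the instruction listing and the register dump as pasted above (copied inline as constructed input, with the source lines and the middle of the function omitted), finds the instruction at RIP, evaluates its MASM-style memory operand against the dump, and records which register supplied the address, where the prologue loaded that register from, and whether it is non-volatile under the Windows x64 calling convention. The non-volatile set is the documented convention; the "same 4 GiB window as RSP" stack heuristic is a rough assumption used only for illustration.

```python
import re

# Constructed input: instruction lines from the report above, quote prefix removed,
# source lines and the middle of the function omitted for brevity.
LISTING = """
00007FFF08523E50  push        rbx
00007FFF08523E52  push        rsi
00007FFF08523E53  push        rdi
00007FFF08523E54  sub         rsp,30h
00007FFF08523E58  mov         rbx,r9
00007FFF08523E5B  mov         rdi,r8
00007FFF08523E5E  mov         r9,rcx
00007FFF08523E61  mov         rsi,rdx
00007FFF08523EB2  call        vmEntryToJavaScript (07FFF08853CC0h)
00007FFF08523EB7  cmp         qword ptr [rdi+81A8h],0
00007FFF08523EBF  mov         ecx,2
00007FFF08523EC4  cmovne      rax,rcx
00007FFF08523EC8  mov         qword ptr [rsi],rax
00007FFF08523ECB  mov         rax,rsi
"""

# Constructed input: the register dump from the report above.
REGISTERS = """
RAX = 0000000000000002 RBX = 0000003A6D6FAF68 RCX = 0000000000000002 RDX = 0000021C04823720
RSI = 0000000700000001 RDI = 0000021C83EF42E0 R8  = 0000003A6D6FBA80 R9  = 40252A53C8000000
R10 = 0000003A6D6FAE40 R11 = 0000000000000000 R12 = 0000003A6D6FB080 R13 = 0000000000000001
R14 = 0000021C04823720 R15 = 0000000000000002 RIP = 00007FFF08523EC8 RSP = 0000003A6D6FAEA0
RBP = 0000003A6D6FAF99 EFL = 00010200
"""

# Callee-saved (non-volatile) registers under the Windows x64 calling convention.
NONVOLATILE = {"rbx", "rbp", "rdi", "rsi", "rsp", "r12", "r13", "r14", "r15"}

MEM_RE = re.compile(r"(?:byte|word|dword|qword) ptr \[([^\]]+)\]")


def parse_registers(text):
    """Map lowercase register names to integer values from a 'NAME = 16hex' dump."""
    return {m.group(1).lower(): int(m.group(2), 16)
            for m in re.finditer(r"\b(R[A-Z0-9]+|EFL)\s*=\s*([0-9A-Fa-f]{16})", text)}


def parse_listing(text):
    """Map instruction address -> (mnemonic, operand string)."""
    insns = {}
    for line in text.strip().splitlines():
        m = re.match(r"\s*([0-9A-Fa-f]{16})\s+(\w+)\s*(.*)$", line)
        if m:
            insns[int(m.group(1), 16)] = (m.group(2), m.group(3).strip())
    return insns


def effective_address(expr, regs):
    """Evaluate a MASM address expression such as 'rdi+81A8h' or 'rax+rcx*8'."""
    addr = 0
    for term in re.findall(r"[+-]?[^+-]+", expr.replace(" ", "")):
        sign = -1 if term.startswith("-") else 1
        term = term.lstrip("+-")
        if "*" in term:                       # scaled index register
            reg, scale = term.split("*")
            value = regs[reg.lower()] * int(scale)
        elif term.lower() in regs:            # plain register
            value = regs[term.lower()]
        elif term.lower().endswith("h"):      # MASM hex immediate
            value = int(term[:-1], 16)
        else:                                 # decimal immediate
            value = int(term)
        addr += sign * value
    return addr & 0xFFFFFFFFFFFFFFFF


def triage(listing_text, registers_text):
    """Describe the memory access performed by the instruction at RIP."""
    regs = parse_registers(registers_text)
    insns = parse_listing(listing_text)
    rip = regs["rip"]
    mnemonic, operands = insns[rip]
    report = {"rip": rip, "instruction": f"{mnemonic} {operands}",
              "effective_address": None, "address_register": None,
              "near_stack": None, "loaded_from": None, "nonvolatile": None}
    m = MEM_RE.search(operands)
    if m:
        expr = m.group(1)
        base = re.match(r"[a-z0-9]+", expr.lower()).group(0)
        report["effective_address"] = effective_address(expr, regs)
        report["address_register"] = base
        # Assumption: "stack-like" means the same upper 32 bits as RSP.
        report["near_stack"] = (report["effective_address"] >> 32) == (regs["rsp"] >> 32)
        report["nonvolatile"] = base in NONVOLATILE
        # First write to the base register in the listing tells us what it was meant to hold.
        for addr in sorted(insns):
            mn, ops = insns[addr]
            if mn == "mov" and ops.split(",")[0].strip() == base:
                report["loaded_from"] = ops.split(",")[1].strip()
                break
    return report


if __name__ == "__main__":
    r = triage(LISTING, REGISTERS)
    print(f"faulting instruction at {r['rip']:#018x}: {r['instruction']}")
    print(f"target {r['effective_address']:#018x} via {r['address_register']} "
          f"(loaded from {r['loaded_from']} in the prologue; non-volatile: {r['nonvolatile']}; "
          f"in RSP's 4 GiB window: {r['near_stack']})")
```

On this dump the helper reports the store `mov qword ptr [rsi],rax` writing to 0x0000000700000001 through RSI, a non-volatile register that the prologue loaded from RDX. That placement matches MSVC's x64 convention for a member function returning a struct type that is not eligible for RAX return (RCX carries `this`, RDX the hidden return slot), which is also why the epilogue ends with `mov rax,rsi`. Since RSI holds a value far from the stack region while the only call between the prologue and the store is `vmEntryToJavaScript`, the natural first thing to check is whether that entry trampoline preserves RSI on the path that returns with an exception pending (RAX = 2 is the `jsNull()` branch); that is an inference from the dump, not something the report establishes.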