[Webkit-unassigned] [Bug 169061] New: [GTK] Crash in JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit(unsigned int)

bugzilla-daemon at webkit.org
Wed Mar 1 15:00:17 PST 2017


https://bugs.webkit.org/show_bug.cgi?id=169061

            Bug ID: 169061
           Summary: [GTK] Crash in
                    JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit(
                    unsigned int)
    Classification: Unclassified
           Product: WebKit
           Version: Other
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Gtk
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: aperez at igalia.com
                CC: bugs-noreply at webkitgtk.org

The crash happens on x86_64, running WebKitGTK+ 2.14.5, and happens
quite often when accessing a Travis-CI build log page like the one
at https://travis-ci.org/aperezdc/revolt/builds/195007198

With the current Git “master” (commit a9501ea6cc9) the issue does not
seem to be reproducible in MiniBrowser. The Travis-CI build log pages
do take quite a bit of time to load, but that may as well be because
I made a debug build hoping to get a better backtrace :-\

Still haven't checked with 2.15.91

The full backtrace follows.

---

mar 01 12:43:42 momiji systemd-coredump[23537]: Process 23470 (WebKitWebProces) of user 1000 dumped core.

Stack trace of thread 23510:
#0  0x00007f9de23ce25a JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit(unsigned int) (libjavascriptcoregtk-4.0.so.18)
#1  0x00007f9de23cbff3 JSC::DFG::ByteCodeParser::handleCall(int, JSC::DFG::NodeType, JSC::CallMode, unsigned int, JSC::DFG::Node*, int, int, JSC::CallLinkStatus) (libjavascriptcoregtk-4.0.so.18)
#2  0x00007f9de23cc2c7 JSC::DFG::ByteCodeParser::handleCall(int, JSC::DFG::NodeType, JSC::CallMode, unsigned int, int, int, int) (libjavascriptcoregtk-4.0.so.18)
#3  0x00007f9de23cc3a8 JSC::DFG::ByteCodeParser::handleCall(JSC::Instruction*, JSC::DFG::NodeType, JSC::CallMode) (libjavascriptcoregtk-4.0.so.18)
#4  0x00007f9de23c50b6 JSC::DFG::ByteCodeParser::parseBlock(unsigned int) (libjavascriptcoregtk-4.0.so.18)
#5  0x00007f9de23c7f71 JSC::DFG::ByteCodeParser::parseCodeBlock() (libjavascriptcoregtk-4.0.so.18)
#6  0x00007f9de23ca032 JSC::DFG::ByteCodeParser::handleInlining(JSC::DFG::Node*, int, JSC::CallLinkStatus const&, int, JSC::VirtualRegister, JSC::VirtualRegister, unsigned int, int, unsigned int, JSC::DFG::NodeType, JSC::InlineCallFrame::Kind, unsigned long) (libjavascriptcoregtk-4.0.so.18)
#7  0x00007f9de23cbe85 JSC::DFG::ByteCodeParser::handleCall(int, JSC::DFG::NodeType, JSC::InlineCallFrame::Kind, unsigned int, JSC::DFG::Node*, int, int, JSC::CallLinkStatus, unsigned long) (libjavascriptcoregtk-4.0.so.18)
#8  0x00007f9de23cd4c7 JSC::DFG::ByteCodeParser::handlePutById(JSC::DFG::Node*, unsigned int, JSC::DFG::Node*, JSC::PutByIdStatus const&, bool) (libjavascriptcoregtk-4.0.so.18)
#9  0x00007f9de23c5bb6 JSC::DFG::ByteCodeParser::parseBlock(unsigned int) (libjavascriptcoregtk-4.0.so.18)
#10 0x00007f9de23c7f71 JSC::DFG::ByteCodeParser::parseCodeBlock() (libjavascriptcoregtk-4.0.so.18)
#11 0x00007f9de23c8509 JSC::DFG::ByteCodeParser::parse() (libjavascriptcoregtk-4.0.so.18)
#12 0x00007f9de23c87ba JSC::DFG::parse(JSC::DFG::Graph&) (libjavascriptcoregtk-4.0.so.18)
#13 0x00007f9de24f2959 JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) (libjavascriptcoregtk-4.0.so.18)
#14 0x00007f9de24f32a7 JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*) (libjavascriptcoregtk-4.0.so.18)
#15 0x00007f9de25a0187 JSC::DFG::Worklist::runThread(JSC::DFG::ThreadData*) (libjavascriptcoregtk-4.0.so.18)
#16 0x00007f9de2b17145 n/a (libjavascriptcoregtk-4.0.so.18)
#17 0x00007f9de2b49eba n/a (libjavascriptcoregtk-4.0.so.18)
#18 0x00007f9de1599454 start_thread (libpthread.so.0)
#19 0x00007f9de50f67df __clone (libc.so.6)

Stack trace of thread 23516:
#0  0x00007f9de159f10f pthread_cond_wait@@GLIBC_2.3.2 (libpthread.so.0)
#1  0x00007f9ddbfc74cc __gthread_cond_wait (libstdc++.so.6)
#2  0x00007f9de2b13ebd WTF::ParkingLot::parkConditionallyImpl(void const*, WTF::ScopedLambda<bool ()> const&, WTF::ScopedLambda<void ()> const&, std::chrono::time_point<std::chrono::_V2::steady_clock, std::chrono::duration<long, std::ratio<1l, 1000000000l> > >) (libjavascriptcoregtk-4.0.so.18)
#3  0x00007f9de2b129a5 WTF::ParallelHelperPool::waitForClientWithTask(WTF::Locker<WTF::LockBase> const&) (libjavascriptcoregtk-4.0.so.18)
#4  0x00007f9de2b12a69 WTF::ParallelHelperPool::helperThreadBody() (libjavascriptcoregtk-4.0.so.18)
#5  0x00007f9de2b17145 n/a (libjavascriptcoregtk-4.0.so.18)
#6  0x00007f9de2b49eba n/a (libjavascriptcoregtk-4.0.so.18)
#7  0x00007f9de1599454 start_thread (libpthread.so.0)
#8  0x00007f9de50f67df __clone (libc.so.6)

Stack trace of thread 23517:
#0  0x00007f9de159f10f pthread_cond_wait@@GLIBC_2.3.2 (libpthread.so.0)
#1  0x00007f9ddbfc74cc __gthread_cond_wait (libstdc++.so.6)
#2  0x00007f9de2b13ebd WTF::ParkingLot::parkConditionallyImpl(void const*, WTF::ScopedLambda<bool ()> const&, WTF::ScopedLambda<void ()> const&, std::chrono::time_point<std::chrono::_V2::steady_clock, std::chrono::duration<long, std::ratio<1l, 1000000000l> > >) (libjavascriptcoregtk-4.0.so.18)
#3  0x00007f9de2b129a5 WTF::ParallelHelperPool::waitForClientWithTask(WTF::Locker<WTF::LockBase> const&) (libjavascriptcoregtk-4.0.so.18)
#4  0x00007f9de2b12a69 WTF::ParallelHelperPool::helperThreadBody() (libjavascriptcoregtk-4.0.so.18)
#5  0x00007f9de2b17145 n/a (libjavascriptcoregtk-4.0.so.18)
#6  0x00007f9de2b49eba n/a (libjavascriptcoregtk-4.0.so.18)
#7  0x00007f9de1599454 start_thread (libpthread.so.0)
#8  0x00007f9de50f67df __clone (libc.so.6)

Stack trace of thread 23519:
#0  0x00007f9de50ed48d poll (libc.so.6)
#1  0x00007f9de2f8a7a6 n/a (libglib-2.0.so.0)
#2  0x00007f9de2f8ab32 g_main_loop_run (libglib-2.0.so.0)
#3  0x00007f9de2b4cd60 WTF::RunLoop::run() (libjavascriptcoregtk-4.0.so.18)
#4  0x00007f9de2b4b99e n/a (libjavascriptcoregtk-4.0.so.18)
#5  0x00007f9de2b17145 n/a (libjavascriptcoregtk-4.0.so.18)
#6  0x00007f9de2b49eba n/a (libjavascriptcoregtk-4.0.so.18)
#7  0x00007f9de1599454 start_thread (libpthread.so.0)
#8  0x00007f9de50f67df __clone (libc.so.6)

Stack trace of thread 23489:
#0  0x00007f9de50ed48d poll (libc.so.6)
#1  0x00007f9de2f8a7a6 n/a (libglib-2.0.so.0)
#2  0x00007f9de2f8a8bc g_main_context_iteration (libglib-2.0.so.0)
#3  0x00007f9dc81084bd n/a (libdconfsettings.so)
#4  0x00007f9de2fb2175 n/a (libglib-2.0.so.0)
#5  0x00007f9de1599454 start_thread (libpthread.so.0)
#6  0x00007f9de50f67df __clone (libc.so.6)

Stack trace of thread 23474:
#0  0x00007f9de50ed48d poll (libc.so.6)
#1  0x00007f9de2f8a7a6 n/a (libglib-2.0.so.0)
#2  0x00007f9de2f8a8bc g_main_context_iteration (libglib-2.0.so.0)
#3  0x00007f9de2f8a901 n/a (libglib-2.0.so.0)
#4  0x00007f9de2fb2175 n/a (libglib-2.0.so.0)
#5  0x00007f9de1599454 start_thread (libpthread.so.0)
#6  0x00007f9de50f67df __clone (libc.so.6)

Stack trace of thread 23473:
#0  0x00007f9de50c5ffd __nanosleep (libc.so.6)
#1  0x00007f9de2b521f4 bmalloc::Heap::scavenge(std::unique_lock<bmalloc::StaticMutex>&, std::chrono::duration<long, std::ratio<1l, 1000l> >) (libjavascriptcoregtk-4.0.so.18)
#2  0x00007f9de2b5234f bmalloc::Heap::concurrentScavenge() (libjavascriptcoregtk-4.0.so.18)
#3  0x00007f9de2b5362e bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>::threadRunLoop() (libjavascriptcoregtk-4.0.so.18)
#4  0x00007f9de2b53809 bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>::threadEntryPoint(bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>*) (libjavascriptcoregtk-4.0.so.18)
#5  0x00007f9ddbfcd58f execute_native_thread_routine (libstdc++.so.6)
#6  0x00007f9de1599454 start_thread (libpthread.so.0)
#7  0x00007f9de50f67df __clone (libc.so.6)

Stack trace of thread 23476:
#0  0x00007f9de50ed48d poll (libc.so.6)
#1  0x00007f9de2f8a7a6 n/a (libglib-2.0.so.0)
#2  0x00007f9de2f8ab32 g_main_loop_run (libglib-2.0.so.0)
#3  0x00007f9de2b4cd60 WTF::RunLoop::run() (libjavascriptcoregtk-4.0.so.18)
#4  0x00007f9de2b4b99e n/a (libjavascriptcoregtk-4.0.so.18)
#5  0x00007f9de2b17145 n/a (libjavascriptcoregtk-4.0.so.18)
#6  0x00007f9de2b49eba n/a (libjavascriptcoregtk-4.0.so.18)
#7  0x00007f9de1599454 start_thread (libpthread.so.0)
#8  0x00007f9de50f67df __clone (libc.so.6)

Stack trace of thread 23521:
#0  0x00007f9de159f10f pthread_cond_wait@@GLIBC_2.3.2 (libpthread.so.0)
#1  0x00007f9ddbfc74cc __gthread_cond_wait (libstdc++.so.6)
#2  0x00007f9de2b13ebd WTF::ParkingLot::parkConditionallyImpl(void const*, WTF::ScopedLambda<bool ()> const&, WTF::ScopedLambda<void ()> const&, std::chrono::time_point<std::chrono::_V2::steady_clock, std::chrono::duration<long, std::ratio<1l, 1000000000l> > >) (libjavascriptcoregtk-4.0.so.18)
#3  0x00007f9de259ff63 JSC::DFG::Worklist::runThread(JSC::DFG::ThreadData*) (libjavascriptcoregtk-4.0.so.18)
#4  0x00007f9de2b17145 n/a (libjavascriptcoregtk-4.0.so.18)
#5  0x00007f9de2b49eba n/a (libjavascriptcoregtk-4.0.so.18)
#6  0x00007f9de1599454 start_thread (libpthread.so.0)
#7  0x00007f9de50f67df __clone (libc.so.6)

Stack trace of thread 23475:
#0  0x00007f9de50ed48d poll (libc.so.6)
#1  0x00007f9de2f8a7a6 n/a (libglib-2.0.so.0)
#2  0x00007f9de2f8ab32 g_main_loop_run (libglib-2.0.so.0)
#3  0x00007f9de3570446 n/a (libgio-2.0.so.0)
#4  0x00007f9de2fb2175 n/a (libglib-2.0.so.0)
#5  0x00007f9de1599454 start_thread (libpthread.so.0)
#6  0x00007f9de50f67df __clone (libc.so.6)

Stack trace of thread 23470:
#0  0x00007f9d844945d6 n/a (n/a)
