[Webkit-unassigned] [Bug 178013] New: Regression(r220210?) Crash at com.apple.WebCore: WebCore::JSMutationCallback::handleEvent + 419

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Oct 6 09:42:38 PDT 2017 

https://bugs.webkit.org/show_bug.cgi?id=178013

            Bug ID: 178013
           Summary: Regression(r220210?) Crash at com.apple.WebCore:
                    WebCore::JSMutationCallback::handleEvent + 419
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Bindings
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: cdumez at apple.com
                CC: cdumez at apple.com, sam at webkit.org

Crash at com.apple.WebCore: WebCore::JSMutationCallback::handleEvent + 419:
Thread[0] EXC_BAD_ACCESS (SIGSEGV) (KERN_INVALID_ADDRESS at 0x0000000000000000)
[  0] 0x000000010f3242d5 WebCore`WebCore::JSCallbackData::invokeCallback(WebCore::JSDOMGlobalObject&, JSC::JSObject*, JSC::JSValue, JSC::MarkedArgumentBuffer&, WebCore::JSCallbackData::CallbackType, JSC::PropertyName, WTF::NakedPtr<JSC::Exception>&) [inlined] JSC::JSCell::structure(JSC::VM&) const at JSCellInlines.h:115:28

     0x000000010f3242c4:      orq $0x98, %rcx
     0x000000010f3242cb:    testb $0x8, %bl
     0x000000010f3242ce:  cmovneq %rax, %rcx
     0x000000010f3242d2:     movq (%rcx), %rax
 ->  0x000000010f3242d5:     movl (%rbx), %ecx
     0x000000010f3242d7:     andl $0x7fffffff, %ecx    ; imm = 0x7FFFFFFF 
     0x000000010f3242dd:     movq 0xe8(%rax), %rax
     0x000000010f3242e4:     movq (%rax,%rcx,8), %rax
     0x000000010f3242e8:     movq 0x40(%rax), %rax

[  0] 0x000000010f3242d5 WebCore`WebCore::JSCallbackData::invokeCallback(WebCore::JSDOMGlobalObject&, JSC::JSObject*, JSC::JSValue, JSC::MarkedArgumentBuffer&, WebCore::JSCallbackData::CallbackType, JSC::PropertyName, WTF::NakedPtr<JSC::Exception>&) [inlined] JSC::JSCell::methodTable(JSC::VM&) const at JSCellInlines.h:259
[  0] 0x000000010f3242d5 WebCore`WebCore::JSCallbackData::invokeCallback(WebCore::JSDOMGlobalObject&, JSC::JSObject*, JSC::JSValue, JSC::MarkedArgumentBuffer&, WebCore::JSCallbackData::CallbackType, JSC::PropertyName, WTF::NakedPtr<JSC::Exception>&) [inlined] JSC::JSCell::methodTable() const + 36 at JSCellInlines.h:254
[  0] 0x000000010f3242b1 WebCore`WebCore::JSCallbackData::invokeCallback(WebCore::JSDOMGlobalObject&, JSC::JSObject*, JSC::JSValue, JSC::MarkedArgumentBuffer&, WebCore::JSCallbackData::CallbackType, JSC::PropertyName, WTF::NakedPtr<JSC::Exception>&) + 65 at JSCallbackData.cpp:53
       49           CallType callType = CallType::None;
       50       
       51           if (method != CallbackType::Object) {
       52               function = callback;
    -> 53               callType = callback->methodTable()->getCallData(callback, callData);
       54           }
       55           if (callType == CallType::None) {
       56               if (method == CallbackType::Function) {
       57                   returnedException = JSC::Exception::create(exec->vm(), createTypeError(exec));

[  1] 0x000000010f59e0d2 WebCore`WebCore::JSMutationCallback::handleEvent(WebCore::MutationObserver&, WTF::Vector<WTF::Ref<WebCore::MutationRecord>, 0ul, WTF::CrashOnOverflow, 16ul> const&, WebCore::MutationObserver&) [inlined] WebCore::JSCallbackDataWeak::invokeCallback(JSC::JSValue, JSC::MarkedArgumentBuffer&, WebCore::JSCallbackData::CallbackType, JSC::PropertyName, WTF::NakedPtr<JSC::Exception>&) + 88 at JSCallbackData.h:115:16
[  1] 0x000000010f59e07a WebCore`WebCore::JSMutationCallback::handleEvent(WebCore::MutationObserver&, WTF::Vector<WTF::Ref<WebCore::MutationRecord>, 0ul, WTF::CrashOnOverflow, 16ul> const&, WebCore::MutationObserver&) + 330 at JSMutationCallback.cpp:75
[  2] 0x000000010f876be2 WebCore`WebCore::MutationObserver::deliver() + 818 at MutationObserver.cpp:235:5
[  3] 0x000000010f877347 WebCore`WebCore::MutationObserver::notifyMutationObservers() + 1719 at MutationObserver.cpp:283:17
[  4] 0x000000010f8776c8 WebCore`WebCore::MutationObserverMicrotask::run() + 8 at MutationObserver.cpp:163:9
[  5] 0x000000010f860b79 WebCore`WebCore::MicrotaskQueue::performMicrotaskCheckpoint() + 121 at Microtasks.cpp:85:27
[  6] 0x000000010f574cc5 WebCore`WebCore::JSMainThreadExecState::didLeaveScriptContext(JSC::ExecState*) + 21 at JSMainThreadExecState.cpp:40:5

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20171006/af67e606/attachment.html>

More information about the webkit-unassigned mailing list