[Webkit-unassigned] [Bug 192882] New: Crash in JSC::speculationFromCell
bugzilla-daemon at webkit.org
Wed Dec 19 14:24:48 PST 2018
https://bugs.webkit.org/show_bug.cgi?id=192882
Bug ID: 192882
Summary: Crash in JSC::speculationFromCell
Product: WebKit
Version: WebKit Nightly Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mcatanzaro at igalia.com
I hit this crash viewing:
https://stackoverflow.com/questions/736513/how-do-i-parse-a-url-into-hostname-and-path-in-javascript
It was seemingly random. I don't know how to reproduce it. This is using 2.23.1 (r239394).
(gdb) bt full
#0 JSC::speculationFromCell (cell=0xe960) at ../Source/JavaScriptCore/runtime/JSCellInlines.h:203
string = <optimized out>
impl = <optimized out>
#1 0x00007f71130e2f96 in JSC::ValueProfileBase<1u>::computeUpdatedPrediction (this=<optimized out>)
at ../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:392
value = <optimized out>
i = 0
#2 JSC::CodeBlock::<lambda(JSC::ValueProfile&)>::operator() (__closure=<optimized out>,
__closure=<optimized out>, profile=...) at ../Source/JavaScriptCore/bytecode/CodeBlock.cpp:2587
numSamples = <optimized out>
numberOfSamplesInProfiles = <optimized out>
locker = <optimized out>
numberOfLiveNonArgumentValueProfiles = <optimized out>
__closure = <optimized out>
__closure = <optimized out>
profile = <optimized out>
locker = <optimized out>
numberOfSamplesInProfiles = <optimized out>
numberOfLiveNonArgumentValueProfiles = <optimized out>
numSamples = <optimized out>
numberOfSamplesInProfiles = <optimized out>
locker = <optimized out>
numberOfLiveNonArgumentValueProfiles = <optimized out>
numberOfSamplesInProfiles = <optimized out>
locker = <optimized out>
numberOfLiveNonArgumentValueProfiles = <optimized out>
numSamples = <optimized out>
#3 JSC::CodeBlock::<lambda(auto:25&)>::operator()<JSC::OpGetFromScope::Metadata> (
this=<optimized out>, metadata=...) at ../Source/JavaScriptCore/bytecode/CodeBlockInlines.h:44
func = <optimized out>
func = <optimized out>
#4 JSC::MetadataTable::forEach<JSC::OpGetFromScope, JSC::CodeBlock::forEachValueProfile(const Functor&) [with Functor = JSC::CodeBlock::updateAllPredictionsAndCountLiveness(unsigned int&, unsigned int&)::<lambda(JSC::ValueProfile&)>]::<lambda(auto:25&)> > (func=..., this=<optimized out>)
at ../Source/JavaScriptCore/bytecode/MetadataTable.h:61
metadata = <optimized out>
end = 0x7f57c3022726
metadata = <optimized out>
end = <optimized out>
#5 JSC::CodeBlock::forEachValueProfile<JSC::CodeBlock::updateAllPredictionsAndCountLiveness(unsigned int&, unsigned int&)::<lambda(JSC::ValueProfile&)> > (func=..., this=0x7f709c62f300)
at ../Source/JavaScriptCore/bytecode/CodeBlockInlines.h:44
No locals.
#6 JSC::CodeBlock::updateAllPredictionsAndCountLiveness (this=this at entry=0x7f709c62f300,
numberOfLiveNonArgumentValueProfiles=@0x7ffe91191860: 17,
numberOfSamplesInProfiles=@0x7ffe91191864: 23)
at ../Source/JavaScriptCore/bytecode/CodeBlock.cpp:2576
locker = {<JSC::ConcurrentJSLockerBase> = {<WTF::AbstractLocker> = {<No data fields>},
m_locker = {<WTF::AbstractLocker> = {<No data fields>},
m_lockable = 0x7f709c62f310}}, <No data fields>}
#7 0x00007f71130e3675 in JSC::CodeBlock::updateAllValueProfilePredictions (this=this at entry=0x7f709c62f300) at ../Source/JavaScriptCore/bytecode/CodeBlock.cpp:2604
ignoredValue1 = 17
ignoredValue2 = 23
#8 0x00007f71130e3c2d in JSC::CodeBlock::updateAllPredictions (this=this at entry=0x7f709c62f300)
at ../Source/JavaScriptCore/bytecode/CodeBlock.cpp:2622
No locals.
#9 0x00007f7113648814 in JSC::operationOptimize (exec=0x7ffe91191b90, bytecodeIndex=<optimized out>)
at ../Source/JavaScriptCore/jit/JITOperations.cpp:1421
vm = <error reading variable>
tracer = <optimized out>
deferGC = {m_heap = @0x7f70fc100010}
codeBlock = 0x7f709c62f300
debugger = <optimized out>
worklist = <optimized out>
worklistState = <optimized out>
optimizedCodeBlock = <optimized out>
#10 0x00007f70b82aa24f in ?? ()
No symbol table info available.
(Plus 55 more frames of "No symbol table info available.")
(gdb) info registers
rax 0xffff000000000002 -281474976710654
rbx 0x7f57c30224be 140014910579902
rcx 0x179 377
rdx 0x0 0
rsi 0x7ffe91191860 140731332761696
rdi 0xe960 59744
rbp 0x7f57c3022726 0x7f57c3022726
rsp 0x7ffe911917d8 0x7ffe911917d8
r8 0x3f6 1014
r9 0xffffffff 4294967295
r10 0x6 6
r11 0xf895892f 4170549551
r12 0x1 1
r13 0x7f709c62f300 140121636795136
r14 0x34d 845
r15 0xffff000000000002 -281474976710654
rip 0x7f711311f144 0x7f711311f144 <JSC::speculationFromCell(JSC::JSCell*)+4>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) disassemble
Dump of assembler code for function JSC::speculationFromCell(JSC::JSCell*):
0x00007f711311f140 <+0>: endbr64
=> 0x00007f711311f144 <+4>: cmpb $0x1,0x5(%rdi)
0x00007f711311f148 <+8>: je 0x7f711311f190 <JSC::speculationFromCell(JSC::JSCell*)+80>
0x00007f711311f14a <+10>: test $0x8,%dil
0x00007f711311f14e <+14>: jne 0x7f711311f180 <JSC::speculationFromCell(JSC::JSCell*)+64>
0x00007f711311f150 <+16>: mov %rdi,%rax
0x00007f711311f153 <+19>: and $0xffffffffffffc000,%rax
0x00007f711311f159 <+25>: mov 0x3ed8(%rax),%rdx
0x00007f711311f160 <+32>: mov (%rdi),%eax
0x00007f711311f162 <+34>: mov 0xe0(%rdx),%rdx
0x00007f711311f169 <+41>: and $0x7fffffff,%eax
0x00007f711311f16e <+46>: mov (%rdx,%rax,8),%rdi
0x00007f711311f172 <+50>: jmpq 0x7f7112ee1790 <_ZN3JSC24speculationFromStructureEPNS_9StructureE at plt>
0x00007f711311f177 <+55>: nopw 0x0(%rax,%rax,1)
0x00007f711311f180 <+64>: mov -0x10(%rdi),%rdx
0x00007f711311f184 <+68>: jmp 0x7f711311f160 <JSC::speculationFromCell(JSC::JSCell*)+32>
0x00007f711311f186 <+70>: nopw %cs:0x0(%rax,%rax,1)
0x00007f711311f190 <+80>: mov 0x10(%rdi),%rax
0x00007f711311f194 <+84>: test %rax,%rax
0x00007f711311f197 <+87>: je 0x7f711311f1b8 <JSC::speculationFromCell(JSC::JSCell*)+120>
0x00007f711311f199 <+89>: mov 0x10(%rax),%eax
0x00007f711311f19c <+92>: and $0x10,%eax
0x00007f711311f19f <+95>: cmp $0x1,%eax
0x00007f711311f1a2 <+98>: sbb %rax,%rax
0x00007f711311f1a5 <+101>: and $0x1000000,%eax
0x00007f711311f1aa <+106>: add $0x1000000,%rax
0x00007f711311f1b0 <+112>: retq
0x00007f711311f1b1 <+113>: nopl 0x0(%rax)
0x00007f711311f1b8 <+120>: mov $0x2000000,%eax
0x00007f711311f1bd <+125>: retq
End of assembler dump.
Similar crashes: bug #131506, bug #160027.
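A small triage script, added here as an example and not part of WebKit, JSC or this bug report: it takes the `info registers` dump and the `=>` instruction from the gdb output above, resolves the memory operand of `cmpb $0x1,0x5(%rdi)` against the register values, and buckets the faulting address. The register lines and the instruction are copied from the report; the 0x10000 low-address threshold is an assumption (the usual Linux `vm.mmap_min_addr` setting), not something the report states, and the classification says nothing about the root cause.

```python
"""Triage helper for a gdb crash dump: compute the faulting memory address
from the `=>` instruction and the register dump, then classify it.

Added example for this bug report; not WebKit or JSC code. The register
values and the instruction below are copied from the report above. The
0x10000 threshold is an assumption (common Linux vm.mmap_min_addr value).
"""
from __future__ import annotations

import re

# Copied from the `info registers` output in the report above.
REGISTERS = """\
rax 0xffff000000000002 -281474976710654
rbx 0x7f57c30224be 140014910579902
rcx 0x179 377
rdx 0x0 0
rsi 0x7ffe91191860 140731332761696
rdi 0xe960 59744
rbp 0x7f57c3022726 0x7f57c3022726
rsp 0x7ffe911917d8 0x7ffe911917d8
r13 0x7f709c62f300 140121636795136
rip 0x7f711311f144 0x7f711311f144 <JSC::speculationFromCell(JSC::JSCell*)+4>
"""

# The instruction gdb marked with `=>` in the disassembly above.
FAULTING_INSN = "=> 0x00007f711311f144 <+4>: cmpb $0x1,0x5(%rdi)"

MMAP_MIN_ADDR = 0x10000          # assumed; confirm with /proc/sys/vm/mmap_min_addr
USER_CANONICAL_LIMIT = 1 << 47   # x86-64 user-space addresses lie below this

_REG_LINE = re.compile(r"^\s*([a-z0-9]+)\s+(0x[0-9a-fA-F]+)")
# AT&T memory operand: [disp](%base[,%index[,scale]])
_MEM_OPERAND = re.compile(
    r"(-?0x[0-9a-fA-F]+)?\((%[a-z0-9]+)(?:,(%[a-z0-9]+)(?:,([1248]))?)?\)"
)


def parse_registers(dump: str) -> dict[str, int]:
    """Map register name -> value from `info registers` text."""
    regs: dict[str, int] = {}
    for line in dump.splitlines():
        m = _REG_LINE.match(line)
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs


def effective_address(insn: str, regs: dict[str, int]) -> int | None:
    """Resolve the memory operand of an AT&T-syntax instruction; None if it has none."""
    m = _MEM_OPERAND.search(insn)
    if not m:
        return None
    disp = int(m.group(1), 16) if m.group(1) else 0   # int() handles "-0x10"
    base = regs[m.group(2)[1:]]
    index = regs[m.group(3)[1:]] if m.group(3) else 0
    scale = int(m.group(4)) if m.group(4) else 1
    return (base + disp + index * scale) & 0xFFFFFFFFFFFFFFFF


def classify(addr: int) -> str:
    """Coarse bucket for a faulting address, the first question in crash triage."""
    if addr < MMAP_MIN_ADDR:
        return "near-null"        # small integer used as a pointer; never mappable
    if addr >= USER_CANONICAL_LIMIT:
        return "non-canonical"    # tag bits or a bad offset left in the pointer
    return "user-range"           # plausible pointer; needs the process maps to go further


def triage(insn: str = FAULTING_INSN, dump: str = REGISTERS) -> tuple[int, str]:
    """Return (faulting address, bucket) for the given instruction and register dump."""
    addr = effective_address(insn, parse_registers(dump))
    if addr is None:
        raise ValueError("instruction has no memory operand")
    return addr, classify(addr)


if __name__ == "__main__":
    addr, kind = triage()
    print(f"faulting access at {addr:#x} ({kind})")
```

For this report the script resolves `0x5(%rdi)` with rdi=0xe960 to 0xe965, which lands in the near-null bucket: the value that reached `speculationFromCell` as `cell` is a small integer, not a heap pointer, which matches the `cell=0xe960` argument gdb printed for frame #0. The same helper works on the other memory operands in the disassembly (for example `-0x10(%rdi)` or `(%rdx,%rax,8)`) once the registers at that instruction are known.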