[Webkit-unassigned] [Bug 200860] New: Crash in JSC::SymbolTable::~SymbolTable

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Aug 17 13:29:58 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=200860

            Bug ID: 200860
           Summary: Crash in JSC::SymbolTable::~SymbolTable
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mcatanzaro at gnome.org
                CC: bugs-noreply at webkitgtk.org

Another random crash (frames #0–#3 show `this=0x80000`, which looks like a garbage pointer rather than a real heap address, so the SymbolTable's owned Vector pointer appears to have been corrupted before the sweep destroyed it):

#0  0x00007f0c296ebf6e in WTF::VectorBuffer<JSC::SymbolTableEntry*, 0ul>::~VectorBuffer()
    (this=0x80000, __in_chrg=<optimized out>) at DerivedSources/ForwardingHeaders/wtf/Vector.h:1147
#1  0x00007f0c296ebf6e in WTF::Vector<JSC::SymbolTableEntry*, 0ul, WTF::CrashOnOverflow, 16ul>::~Vector()
    (this=0x80000, __in_chrg=<optimized out>) at DerivedSources/ForwardingHeaders/wtf/Vector.h:678
#2  0x00007f0c296ebf6e in std::default_delete<WTF::Vector<JSC::SymbolTableEntry*, 0ul, WTF::CrashOnOverflow, 16ul> >::operator()(WTF::Vector<JSC::SymbolTableEntry*, 0ul, WTF::CrashOnOverflow, 16ul>*) const
    (this=0x7ef7125b3b00, __ptr=0x80000) at /usr/include/c++/9.1.0/bits/unique_ptr.h:81
#3  0x00007f0c296ebf6e in std::unique_ptr<WTF::Vector<JSC::SymbolTableEntry*, 0ul, WTF::CrashOnOverflow, 16ul>, std::default_delete<WTF::Vector<JSC::SymbolTableEntry*, 0ul, WTF::CrashOnOverflow, 16ul> > >::~unique_ptr()
    (this=0x7ef7125b3b00, __in_chrg=<optimized out>) at /usr/include/c++/9.1.0/bits/unique_ptr.h:289
#4  0x00007f0c296ebf6e in JSC::SymbolTable::~SymbolTable() (this=0x7ef7125b3ac0, __in_chrg=<optimized out>)
    at ../Source/JavaScriptCore/runtime/SymbolTable.cpp:88
#5  0x00007f0c291a5a43 in JSC::DefaultDestroyFunc::operator()(JSC::VM&, JSC::JSCell*) const
    (cell=0x7ef7125b3ac0, vm=..., this=<optimized out>) at ../Source/JavaScriptCore/heap/HeapCellType.cpp:46
#6  0x00007f0c291a5a43 in JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::DefaultDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::DefaultDestroyFunc const&)::{lambda(void*)#1}::operator()(void*) const
    (this=<optimized out>, cell=0x7ef7125b3ac0) at ../Source/JavaScriptCore/heap/MarkedBlockInlines.h:260
#7  0x00007f0c291a5a43 in JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::DefaultDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::DefaultDestroyFunc const&)::{lambda(unsigned long)#3}::operator()(unsigned long) const (i=940, this=<synthetic pointer>) at ../Source/JavaScriptCore/heap/MarkedBlockInlines.h:319
#8  0x00007f0c291a5a43 in JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::DefaultDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::DefaultDestroyFunc const&)
    (this=0x7ef7402bcb28, freeList=<optimized out>, emptyMode=emptyMode at entry=JSC::MarkedBlock::Handle::NotEmpty, sweepMode=sweepMode at entry=JSC::MarkedBlock::Handle::SweepOnly, destructionMode=destructionMode at entry=JSC::MarkedBlock::Handle::BlockHasDestructors, scribbleMode=scribbleMode at entry=JSC::MarkedBlock::Handle::DontScribble, newlyAllocatedMode=JSC::MarkedBlock::Handle::DoesNotHaveNewlyAllocated, marksMode=JSC::MarkedBlock::Handle::MarksNotStale, destroyFunc=...) at ../Source/JavaScriptCore/heap/MarkedBlockInlines.h:341
#9  0x00007f0c291a6867 in JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::DefaultDestroyFunc>(JSC::FreeList*, JSC::DefaultDestroyFunc const&)::{lambda()#1}::operator()() const (this=<synthetic pointer>)
    at ../Source/JavaScriptCore/heap/MarkedBlockInlines.h:483
#10 0x00007f0c291a6867 in JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::DefaultDestroyFunc>(JSC::FreeList*, JSC::DefaultDestroyFunc const&) (this=<optimized out>, freeList=<optimized out>, destroyFunc=...)
    at ../Source/JavaScriptCore/heap/MarkedBlockInlines.h:435
#11 0x00007f0c2919f1d8 in JSC::HeapCellType::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*)
    (this=<optimized out>, block=..., freeList=<optimized out>) at ../Source/JavaScriptCore/heap/HeapCellType.cpp:61
#12 0x00007f0c291afbd6 in JSC::MarkedBlock::Handle::sweep(JSC::FreeList*)
    (this=this at entry=0x7ef7402bcb28, freeList=freeList at entry=0x0)
    at ../Source/JavaScriptCore/heap/MarkedBlock.cpp:426
#13 0x00007f0c2919e3be in JSC::IncrementalSweeper::sweepNextBlock(JSC::VM&) (this=this at entry=0x7f0c1eef7288, vm=...)
    at ../Source/JavaScriptCore/heap/IncrementalSweeper.cpp:89
--Type <RET> for more, q to quit, c to continue without paging--c
#14 0x00007f0c2919e431 in JSC::IncrementalSweeper::doSweep(JSC::VM&, WTF::MonotonicTime) (this=0x7f0c1eef7288, vm=..., sweepBeginTime=...) at ../Source/JavaScriptCore/heap/IncrementalSweeper.cpp:59
#15 0x00007f0c295ed088 in JSC::JSRunLoopTimer::timerDidFire() (this=0x7f0c1eef7288) at ../Source/JavaScriptCore/runtime/JSRunLoopTimer.cpp:307
#16 0x00007f0c295ef10c in JSC::JSRunLoopTimer::Manager::timerDidFire() (this=0x7f0c1eef91a0) at DerivedSources/ForwardingHeaders/wtf/DumbPtrTraits.h:43
#17 0x00007f0c298e9018 in WTF::RunLoop::TimerBase::<lambda(gpointer)>::operator() (__closure=0x0, userData=0x7f0c1eef62c0) at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:171
#18 0x00007f0c298e9018 in WTF::RunLoop::TimerBase::<lambda(gpointer)>::_FUN(gpointer) () at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:177
#19 0x00007f0c29f3848e in g_main_dispatch (context=0x5647de97dad0) at ../glib/gmain.c:3179
#20 0x00007f0c29f3848e in g_main_context_dispatch (context=context at entry=0x5647de97dad0) at ../glib/gmain.c:3844
#21 0x00007f0c29f38840 in g_main_context_iterate (context=0x5647de97dad0, block=block at entry=1, dispatch=dispatch at entry=1, self=<optimized out>) at ../glib/gmain.c:3917
#22 0x00007f0c29f38b33 in g_main_loop_run (loop=0x5647dea7a7b0) at ../glib/gmain.c:4111
#23 0x00007f0c298e9480 in WTF::RunLoop::run() () at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:96
#24 0x00007f0c2bc9903a in WebKit::AuxiliaryProcessMain<WebKit::WebProcess, WebKit::WebProcessMain>(int, char**) (argc=3, argv=<optimized out>) at ../Source/WebKit/Shared/unix/AuxiliaryProcessMain.h:47
#25 0x00007f0c2ae04173 in __libc_start_main (main=0x5647de5267e0 <main(int, char**)>, argc=3, argv=0x7ffc0ca84c68, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc0ca84c58) at ../csu/libc-start.c:308
#26 0x00005647de52686e in _start () at ../sysdeps/x86_64/start.S:120

Here is what I can get of the locals and member variables (via `bt full`) before gdb itself crashes:

(gdb) bt full
#0  0x00007f0c296ebf6e in WTF::VectorBuffer<JSC::SymbolTableEntry*, 0ul>::~VectorBuffer()
    (this=0x80000, __in_chrg=<optimized out>) at DerivedSources/ForwardingHeaders/wtf/Vector.h:1147
        __ptr = @0x7ef7125b3b00: 0x0
#1  0x00007f0c296ebf6e in WTF::Vector<JSC::SymbolTableEntry*, 0ul, WTF::CrashOnOverflow, 16ul>::~Vector()
    (this=0x80000, __in_chrg=<optimized out>) at DerivedSources/ForwardingHeaders/wtf/Vector.h:678
        __ptr = @0x7ef7125b3b00: 0x0
#2  0x00007f0c296ebf6e in std::default_delete<WTF::Vector<JSC::SymbolTableEntry*, 0ul, WTF::CrashOnOverflow, 16ul> >::operator()(WTF::Vector<JSC::SymbolTableEntry*, 0ul, WTF::CrashOnOverflow, 16ul>*) const
    (this=0x7ef7125b3b00, __ptr=0x80000) at /usr/include/c++/9.1.0/bits/unique_ptr.h:81
        __ptr = @0x7ef7125b3b00: 0x0
#3  0x00007f0c296ebf6e in std::unique_ptr<WTF::Vector<JSC::SymbolTableEntry*, 0ul, WTF::CrashOnOverflow, 16ul>, std::default_delete<WTF::Vector<JSC::SymbolTableEntry*, 0ul, WTF::CrashOnOverflow, 16ul> > >::~unique_ptr()
    (this=0x7ef7125b3b00, __in_chrg=<optimized out>) at /usr/include/c++/9.1.0/bits/unique_ptr.h:289
        __ptr = @0x7ef7125b3b00: 0x0
#4  0x00007f0c296ebf6e in JSC::SymbolTable::~SymbolTable() (this=0x7ef7125b3ac0, __in_chrg=<optimized out>)
    at ../Source/JavaScriptCore/runtime/SymbolTable.cpp:88
#5  0x00007f0c291a5a43 in JSC::DefaultDestroyFunc::operator()(JSC::VM&, JSC::JSCell*) const
    (cell=0x7ef7125b3ac0, vm=..., this=<optimized out>) at ../Source/JavaScriptCore/heap/HeapCellType.cpp:46
        structure = <optimized out>
        classInfo = <optimized out>
        destroy = <optimized out>
        jsCell = 0x7ef7125b3ac0
        cell = 0x7ef7125b3ac0
        i = 940
        superSamplerScope = {m_doSample = false}
        block = 
          @0x7ef7125b0000: {static atomSize = 16, static blockSize = 16384, static blockMask = 18446744073709535232, static atomsPerBlock = 1024, static atomAlignmentMask = 15, static endAtom = 1005, static payloadSize = 16080, static footerSize = 304, static offsetOfFooter = 16080}
        footer = 
                @0x7ef7125b3ed0: {m_handle = @0x7ef7402bcb28, m_vm = 0x7ef7bc600000, m_subspace = 0x7ef7bc60a548, m_lock = {static isHeldBit = 1, static hasParkedBit = 2, static mask = 3, static shift = 2, static countUnit = 4, m_word = {value = {<std::__atomic_base<unsigned int>> = {static _S_alignment = 4, _M_i = 12}, static is_always_lock_free = true}}}, m_biasedMarkCount = -41, m_markCountBias = -180, m_markingVersion = 3, m_newlyAllocatedVersion = 3, m_marks = {static wordSize = 32, static words = 32, static one = 1, bits = {_M_elems = {1107297313, 276824064, 2216757314, 17301520, 138547204, 1108378625, 8659208, 69208128, 554189312, 138547332, 33793, 0, 2216757248, 554188816, 138543236, 1073775617, 277094408, 2162754, 553648128, 134221952, 1108378657, 277094664, 2216757314, 554189328, 135172, 33825, 277094664, 2216755200, 554189328, 4194436, 33554433, 8}}}, m_newlyAllocated = {static wordSize = 32, static words = 32, static one = 1, bits = {_M_elems = {1107297313, 276824064, 2216757314, 17301520, 138547204, 1108378625, 8659208, 69208128, 554189312, 138547332, 33793, 0, 2216757248, 554188816, 138543236, 1073775617, 277094408, 2162754, 553648128, 134221952, 1108378657, 277094664, 2216757314, 554189328, 135172, 33825, 277094664, 2216755200, 554189328, 4194436, 33554433, 8}}}}
        cellSize = <optimized out>


