[Webkit-unassigned] [Bug 227767] New: ffitcored crashes at JavaScriptCore: JSC::Heap::releaseAccessSlow

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jul 7 13:22:58 PDT 2021 

https://bugs.webkit.org/show_bug.cgi?id=227767

            Bug ID: 227767
           Summary: ffitcored crashes at JavaScriptCore:
                    JSC::Heap::releaseAccessSlow
           Product: WebKit
           Version: Other
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: msaboff at apple.com

We are getting crash reports from fitcored like:

 JavaScriptCore: WTFCrashWithInfo(int, char const*, char const*, int)
 JavaScriptCore: JSC::Heap::releaseAccessSlow() <==
 JavaScriptCore: JSC::JITWorklist::waitUntilAllPlansForVMAreReady(JSC::VM&)
 JavaScriptCore: JSC::JITWorklist::cancelAllPlansForVM(JSC::VM&)
 JavaScriptCore: JSC::VM::~VM()
 JavaScriptCore: JSC::JSLock::willReleaseLock()
 JavaScriptCore: JSC::JSLock::unlock()
 JavaScriptCore: JSC::JSRunLoopTimer::timerDidFire()
 JavaScriptCore: JSC::JSRunLoopTimer::Manager::timerDidFire()
 JavaScriptCore: WTF::RunLoop::TimerBase::start(WTF::Seconds, bool)::$_1::__invoke(__CFRunLoopTimer*, void*)
 CoreFoundation: __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__
 CoreFoundation: __CFRunLoopDoTimer
 CoreFoundation: __CFRunLoopDoTimers
 CoreFoundation: __CFRunLoopRun
 CoreFoundation: CFRunLoopRunSpecific
 Foundation: -[NSRunLoop(NSRunLoop) runMode:beforeDate:]
 Foundation: -[NSRunLoop(NSRunLoop) run]
 SeymourServices: static DaemonProtocol.main()
 fitcored: main
 dyld: 

Although I am unable to reproduce the crash, the theory is that the heap access lock is being dropped in JSLock::willReleaseLock() so when we try unlocking it again in JITWorklist::waitUntilAllPlansForVMAreReady() via ReleaseHeapAccessScope, we fault.  This path can happen when the main thread becomes the sole reference to the VM during processing a request like the timer in this stack trace.  I suspect it is a race with other threads that are done using the VM.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210707/529b7453/attachment.htm>

More information about the webkit-unassigned mailing list