[Webkit-unassigned] [Bug 272862] New: [YARR JIT] Intermittent crash when calling through areCanonicallyEquivalentThunk

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Apr 17 16:19:43 PDT 2024 

https://bugs.webkit.org/show_bug.cgi?id=272862

            Bug ID: 272862
           Summary: [YARR JIT] Intermittent crash when calling through
                    areCanonicallyEquivalentThunk
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Keywords: InRadar
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: msaboff at apple.com

Internal testing reports that there are intermittent crashes from Yarr JIT code.  Here is one such crash:

Thread 0 Crashed::   Dispatch queue: com.apple.main-thread
0                                              0x1105ba9f0.       [Yarr JIT generated code]
1   com.apple.JavaScriptCore                   0x1b04d63b8        JSC::RegExpGlobalData::performMatch(JSC::JSGlobalObject*, JSC::RegExp*, JSC::JSString*, WTF::String const&, int, int**) + 24 (/AppleInternal/Library/BuildRoots/1703afaf-f674-11ee-901e-fe8bc7981bff/Library/Caches/com.apple.xbs/Sources/JavaScriptCore/Source/JavaScriptCore/./runtime/RegExpGlobalDataInlines.h:56) [inlined]
2   com.apple.JavaScriptCore                   0x1b04d63b8        JSC::replaceUsingRegExpSearch(JSC::VM&, JSC::JSGlobalObject*, JSC::JSString*, JSC::JSValue, JSC::CallData const&, WTF::String&, JSC::JSValue) + 172 (/AppleInternal/Library/BuildRoots/1703afaf-f674-11ee-901e-fe8bc7981bff/Library/Caches/com.apple.xbs/Sources/JavaScriptCore/Source/JavaScriptCore/./runtime/StringPrototype.cpp:575) [inlined]
3   com.apple.JavaScriptCore                   0x1b04d63b8        JSC::replaceUsingRegExpSearch(JSC::VM&, JSC::JSGlobalObject*, JSC::JSString*, JSC::JSValue, JSC::JSValue) + 1824 (/AppleInternal/Library/BuildRoots/1703afaf-f674-11ee-901e-fe8bc7981bff/Library/Caches/com.apple.xbs/Sources/JavaScriptCore/Source/JavaScriptCore/./runtime/StringPrototype.cpp:819) [inlined]
4   com.apple.JavaScriptCore                   0x1b04d63b8        JSC::replace(JSC::VM&, JSC::JSGlobalObject*, JSC::JSValue, JSC::JSValue, JSC::JSValue) + 1892 (/AppleInternal/Library/BuildRoots/1703afaf-f674-11ee-901e-fe8bc7981bff/Library/Caches/com.apple.xbs/Sources/JavaScriptCore/Source/JavaScriptCore/./runtime/StringPrototype.cpp:883) [inlined]
5   com.apple.JavaScriptCore                   0x1b04d63b8        operationStringProtoFuncReplaceGeneric + 1964 (/AppleInternal/Library/BuildRoots/1703afaf-f674-11ee-901e-fe8bc7981bff/Library/Caches/com.apple.xbs/Sources/JavaScriptCore/Source/JavaScriptCore/./runtime/StringPrototype.cpp:947)

Disassembly of the crash is of the form:
    ...
    0x1105ba9e4:    b        0x114074c34
    0x1105ba9e8:    movz     w10, #0x0
    0x1105ba9ec:    bl       0x113f53aa0        ; call areCanonicallyEquivalentThunk
    0x116074aa0:    cbz      w6, 0x116074ad0    !! crash returning here
    0x1105ba9f4:    add      w1, w1, #1
    0x1105ba9f8:    add      w8, w8, #1
    0x1105ba9fc:    ldur     w17, [x3, #12]
    ...
The crash appears to be due to a PAC signing failure.  It is suspected that there is a race condition with the areCanonicallyEquivalentThunk code.

This bug tracks moving the generation of the thunk to JSC VM startup time to eliminate that race.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20240417/19134346/attachment.htm>

More information about the webkit-unassigned mailing list