<html>
    <head>
      <base href="https://bugs.webkit.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Crash under ShadowChicken::update / ExecState::scope when debugging nytimes"
   href="https://bugs.webkit.org/show_bug.cgi?id=169226">169226</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Crash under ShadowChicken::update / ExecState::scope when debugging nytimes
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>WebKit
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>WebKit Nightly Build
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Unspecified
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Unspecified
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P2
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>JavaScriptCore
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>webkit-unassigned&#64;lists.webkit.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>joepeck&#64;webkit.org
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>joepeck&#64;webkit.org, msaboff&#64;apple.com, sbarati&#64;apple.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Summary:
Crash under ShadowChicken::update / ExecState::scope when debugging nytimes. I'm at r213392.

Steps to reproduce:
1. Inspect <a href="http://nytimes.com">http://nytimes.com</a>
2. Reload, wait a while
  =&gt; Crash

(lldb) c
Process 29581 resuming
Process 29581 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=2, address=0x3503a3c00098)
    frame #0: 0x0000000107c7de8c JavaScriptCore`JSC::MarkedBlock::vm(this=0x00003503a3c00000) const at MarkedBlock.h:411
   408  
   409  inline VM* MarkedBlock::vm() const
   410  {
-&gt; 411      return m_vm;
   412  }
   413  
   414  inline WeakSet&amp; MarkedBlock::Handle::weakSet()

# Seems related to running out of stack: the backtrace shows well over 1000 frames of the same recursive loop (frames #12–#28 repeat the same three or four functions). One more observation from the addresses: the pointer being cast to JSScope* (from=0x00003503a3c01660 in frame #2) lies in the same 0x3503a... range as the JIT'd code addresses in frames #15–#28, not in the 0x12.../0x13... range of the heap cells shown elsewhere in the trace, so the value read from the scope register may not be a JSScope cell at all. This is only inferred from the addresses and needs confirming.

(lldb) btjs
* thread #1: tid = 0xa219a4, 0x0000000107c7de8c, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=2, address=0x3503a3c00098)
    frame #0: 0x0000000107c7de8c JavaScriptCore`JSC::MarkedBlock::vm(this=0x00003503a3c00000) const at MarkedBlock.h:411
    frame #1: 0x0000000107c7ddf1 JavaScriptCore`JSC::HeapCell::vm(this=0x00003503a3c01660) const at HeapCellInlines.h:67
    frame #2: 0x00000001081eb60b JavaScriptCore`JSC::JSScope* JSC::jsCast&lt;JSC::JSScope*, JSC::JSCell&gt;(from=0x00003503a3c01660) at JSCell.h:273
    frame #3: 0x00000001081e47ed JavaScriptCore`JSC::Register::scope(this=0x00007fff5d026790) const at JSScope.h:144
    frame #4: 0x000000010822d0fe JavaScriptCore`JSC::ExecState::scope(this=0x00007fff5d0267b0, scopeRegisterOffset=-4) const at CallFrame.h:98
    frame #5: 0x0000000108dec0b3 JavaScriptCore`JSC::ShadowChicken::update(this=0x00007fff5d0263d8, visitor=0x00007fff5d026290)::$_1::operator()(JSC::StackVisitor&amp;) const at ShadowChicken.cpp:302
    frame #6: 0x0000000108deaaf8 JavaScriptCore`void JSC::StackVisitor::visit&lt;JSC::ShadowChicken::update(JSC::VM&amp;, JSC::ExecState*)::$_1&gt;(startFrame=0x00007fff5d0267b0, functor=0x00007fff5d0263d8)::$_1 const&amp;) at StackVisitor.h:137
    frame #7: 0x0000000108dea44f JavaScriptCore`JSC::ShadowChicken::update(this=0x000000011b3c9180, vm=0x0000000120800000, exec=0x00007fff5d0267b0) at ShadowChicken.cpp:275
    frame #8: 0x0000000108de9d20 JavaScriptCore`JSC::ShadowChicken::log(this=0x000000011b3c9180, vm=0x0000000120800000, exec=0x00007fff5d0267b0, packet=0x00007fff5d0265e0) at ShadowChicken.cpp:83
    frame #9: 0x0000000108979eed JavaScriptCore`JSC::genericUnwind(vm=0x0000000120800000, callFrame=0x00007fff5d0267b0, unwindStart=UnwindFromCurrentFrame) at JITExceptions.cpp:60
    frame #10: 0x000000010897a22f JavaScriptCore`JSC::genericUnwind(vm=0x0000000120800000, callFrame=0x00007fff5d0267b0) at JITExceptions.cpp:96
    frame #11: 0x0000000108b91a02 JavaScriptCore`::llint_slow_path_handle_exception(exec=0x00007fff5d0267b0, pc=0x00007f8b03804950) at LLIntSlowPaths.cpp:1518
    frame #12: 0x0000000108b9b5db h#B1gxSr [LLInt](Cell[JSLexicalEnvironment ID: 28826]: 0x1234ddb20, &quot;<a href="https://www.nytimes.com/?WT.z_jog=1&amp;hF=t&amp;vS=undefined">https://www.nytimes.com/?WT.z_jog=1&amp;hF=t&amp;vS=undefined</a>&quot;)
    frame #13: 0x0000000108b9df8f w#D8YyHm [LLInt](Cell[Object ID: 4683]: 0x13b5764a0, &quot;<a href="https://www.nytimes.com/?WT.z_jog=1&amp;hF=t&amp;vS=undefined">https://www.nytimes.com/?WT.z_jog=1&amp;hF=t&amp;vS=undefined</a>&quot;)
    frame #14: 0x0000000108b9df8f de#BHPGKi [LLInt](Cell[JSLexicalEnvironment ID: 28826]: 0x13a6bf640, &quot;<a href="https://www.nytimes.com/?WT.z_jog=1&amp;hF=t&amp;vS=undefined">https://www.nytimes.com/?WT.z_jog=1&amp;hF=t&amp;vS=undefined</a>&quot;)
    frame #15: 0x00003503a4535bdb $#Bwzogy [Baseline](Cell[JSLexicalEnvironment ID: 28826]: 0x13a6bf640)
    frame #16: 0x00003503a498a6fc #C0Iknr [Baseline](Undefined, Cell[Object ID: 4683]: 0x13b5764a0, Cell[Object ID: 5944]: 0x13b9e9020, Cell[Object ID: 36843]: 0x13f9637c0, Cell[Object ID: 4698]: 0x1392d7aa0, Cell[Object ID: 5949]: 0x
    frame #17: 0x00003503a3e97bff i#Awig6o [DFG](Undefined, Cell[Array ID: 24604]: 0x137020610, Cell[Function ID: 24686]: 0x139528460)
    frame #18: 0x00003503a3e97bff i#Awig6o [DFG](Cell[JSDOMWindowShell ID: 8373]: 0x120bd40a0, Cell[Array ID: 24604]: 0x12cd7b740)
    frame #19: 0x00003503a3c3b158 ge#CicR9j [Baseline](Cell[JSLexicalEnvironment ID: 28826]: 0x13a6bf160, &quot;customutil&quot;)
    frame #20: 0x00003503a3e99ffc $#Bwzogy [Baseline](Cell[JSLexicalEnvironment ID: 28826]: 0x13a6bf160)
    frame #21: 0x00003503a498a6fc #C0Iknr [Baseline](Undefined, Cell[Object ID: 4683]: 0x13b5764a0, Cell[Object ID: 5944]: 0x13b9e9020, Cell[Object ID: 36843]: 0x13f9637c0, Cell[Object ID: 4698]: 0x1392d7aa0, Cell[Object ID: 5949]: 0x
    frame #22: 0x00003503a3e97bff i#Awig6o [DFG](Undefined, Cell[Array ID: 24604]: 0x137020610, Cell[Function ID: 24686]: 0x139528460)
    frame #23: 0x00003503a3e97bff i#Awig6o [DFG](Cell[JSDOMWindowShell ID: 8373]: 0x120bd40a0, Cell[Array ID: 24604]: 0x12cd7b790)
    frame #24: 0x00003503a3c3b158 ge#CicR9j [Baseline](Cell[JSLexicalEnvironment ID: 28826]: 0x13a6bec80, &quot;customutil&quot;)
    frame #25: 0x00003503a3e99ffc $#Bwzogy [Baseline](Cell[JSLexicalEnvironment ID: 28826]: 0x13a6bec80)
    frame #26: 0x00003503a498a6fc #C0Iknr [Baseline](Undefined, Cell[Object ID: 4683]: 0x13b5764a0, Cell[Object ID: 5944]: 0x13b9e9020, Cell[Object ID: 36843]: 0x13f9637c0, Cell[Object ID: 4698]: 0x1392d7aa0, Cell[Object ID: 5949]: 0x
    frame #27: 0x00003503a3e97bff i#Awig6o [DFG](Undefined, Cell[Array ID: 24604]: 0x137020610, Cell[Function ID: 24686]: 0x139528460)
    frame #28: 0x00003503a3e97bff i#Awig6o [DFG](Cell[JSDOMWindowShell ID: 8373]: 0x120bd40a0, Cell[Array ID: 24604]: 0x12cd7b800)
    frame #29: 0x00003503a3c3b158 ge#CicR9j [Baseline](Cell[JSLexicalEnvironment ID: 28826]: 0x13a6be7a0, &quot;customutil&quot;)
    ...

# Having Web Inspector open looks important: with the debugger attached the code block is compiled with debugging opcodes, so ShadowChicken::update (lines 301–302 below) reads the scope straight out of the frame's scope register instead of taking the m_log path, and only afterwards asserts that it is a JSScope (line 303). The crash happens inside that read (jsCast → HeapCell::vm → MarkedBlock::vm, frames #0–#2), before the RELEASE_ASSERT can fire, so the assert does not protect against a scope register that holds something other than a cell.

(lldb) f 5
frame #5: 0x0000000108dec0b3 JavaScriptCore`JSC::ShadowChicken::update(this=0x00007fff5d0263d8, visitor=0x00007fff5d026290)::$_1::operator()(JSC::StackVisitor&amp;) const at ShadowChicken.cpp:302
   299                 JSScope* scope = nullptr;
   300                 CodeBlock* codeBlock = callFrame-&gt;codeBlock();
   301                 if (codeBlock &amp;&amp; codeBlock-&gt;wasCompiledWithDebuggingOpcodes() &amp;&amp; codeBlock-&gt;scopeRegister().isValid()) {
-&gt; 302                     scope = callFrame-&gt;scope(codeBlock-&gt;scopeRegister().offset());
   303                     RELEASE_ASSERT(scope-&gt;inherits(vm, JSScope::info()));
   304                 } else if (foundFrame) {
   305                     scope = m_log[indexInLog].scope;</pre>
        </div>
      </p>
    </body>
</html>