110017 2013-02-16 08:11:24 -0800 Crash @ thesuperficial.com beneath llint_slow_path_resolve 2013-02-16 14:26:52 -0800 1 1 1 Unclassified WebKit WebCore JavaScript 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 ggaren webkit-unassigned mjs sanford-webkit-bugzilla webkit-bug-importer oldest_to_newest 834717 0 ggaren 2013-02-16 08:11:24 -0800 Steps to reproduce: 1. Go to the best website on the internets (http://www.thesuperficial.com/photos/the-crap-we-missed-friday-2-15-13/the-crap-we-missed-0215-07-2) 2. Use the arrow keys on your keyboard to browse through the pictures 834718 1 ggaren 2013-02-16 08:11:34 -0800 <rdar://problem/13230420> 834719 2 ggaren 2013-02-16 08:11:54 -0800 I've been seeing this crash just running the plt, too. 834721 3 ggaren 2013-02-16 08:13:08 -0800 Bisecting shows this crash started with between r142731 and 142734. The only non-layout-test change in that range is <http://trac.webkit.org/changeset/142734>. 834725 4 ggaren 2013-02-16 08:24:52 -0800 I confirmed that manually rolling out <http://trac.webkit.org/changeset/142734> fixes both crashes. 834729 5 ggaren 2013-02-16 08:29:35 -0800 Let's roll out <http://trac.webkit.org/changeset/142734> until we can resolve why throwing an exception in that place causes crashes. Most likely, it just made a very rare crash into a very common crash. 834730 6 ggaren 2013-02-16 08:33:59 -0800 Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000000 Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x0000000100b324f0 llint_slow_path_resolve + 128 1 com.apple.JavaScriptCore 0x0000000100b3c1b0 llint_op_resolve + 137 2 com.apple.JavaScriptCore 0x0000000100ab12ee JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) + 4222 3 com.apple.JavaScriptCore 0x00000001009e2bbb JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) + 619 4 com.apple.WebCore 0x0000000100dea33a WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*) + 442 5 com.apple.WebCore 0x0000000100de9f69 WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) + 41 6 com.apple.WebCore 0x0000000100e0a01e WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 478 7 com.apple.WebCore 0x0000000100e35e64 WebCore::HTMLScriptRunner::executePendingScriptAndDispatchEvent(WebCore::PendingScript&) + 228 8 com.apple.WebCore 0x0000000100e35d61 WebCore::HTMLScriptRunner::executeParsingBlockingScript() + 273 9 com.apple.WebCore 0x0000000101505678 WebCore::HTMLScriptRunner::executeParsingBlockingScripts() + 24 10 com.apple.WebCore 0x0000000100e3748f WebCore::HTMLDocumentParser::notifyFinished(WebCore::CachedResource*) + 63 11 com.apple.WebCore 0x0000000100e373ad WebCore::CachedResource::checkNotify() + 93 12 com.apple.WebCore 0x0000000100e34b7f WebCore::SubresourceLoader::didFinishLoading(double) + 143 13 com.apple.WebKit2 0x000000010064aafe void CoreIPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(CoreIPC::MessageDecoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) + 60 14 com.apple.WebKit2 0x000000010054cb69 CoreIPC::Connection::dispatchMessage(WTF::PassOwnPtr<CoreIPC::MessageDecoder>) + 105 15 com.apple.WebKit2 0x000000010054df74 CoreIPC::Connection::dispatchOneMessage() + 96 16 com.apple.WebCore 0x000000010199b9d9 WebCore::RunLoop::performWork() + 153 17 com.apple.WebCore 0x000000010199c075 WebCore::RunLoop::performWork(void*) + 53 18 com.apple.CoreFoundation 0x00007fff8a868b31 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17 19 com.apple.CoreFoundation 0x00007fff8a868455 __CFRunLoopDoSources0 + 245 20 com.apple.CoreFoundation 0x00007fff8a88b7f5 __CFRunLoopRun + 789 21 com.apple.CoreFoundation 0x00007fff8a88b0e2 CFRunLoopRunSpecific + 290 22 com.apple.HIToolbox 0x00007fff8c3ddeb4 RunCurrentEventLoopInMode + 209 23 com.apple.HIToolbox 0x00007fff8c3ddc52 ReceiveNextEventCommon + 356 24 com.apple.HIToolbox 0x00007fff8c3ddae3 BlockUntilNextEventMatchingListInMode + 62 25 com.apple.AppKit 0x00007fff85dc8563 _DPSNextEvent + 685 26 com.apple.AppKit 0x00007fff85dc7e22 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128 27 com.apple.AppKit 0x00007fff85dbf1d3 -[NSApplication run] + 517 28 com.apple.WebCore 0x000000010199c65d WebCore::RunLoop::run() + 77 29 com.apple.WebKit2 0x00000001005cf0b1 int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebContentProcessMainDelegate>(int, char**) + 631 30 com.apple.WebProcess 0x00000001004cde43 0x1004cd000 + 3651 31 libdyld.dylib 0x00007fff8f6b77e1 start + 1 834740 7 ggaren 2013-02-16 09:44:41 -0800 Rolled out in https://bugs.webkit.org/show_bug.cgi?id=110018. 834773 8 mjs 2013-02-16 12:44:48 -0800 Some of the sites that crashed due to this, when loaded a few times (generally manifesting in lint_slow_path_resolve): http://news.yahoo.com/three-stories-love-white-house-144030722.html http://sports.yahoo.com/blogs/olympics-fourth-place-medal/reeva-steenkamp-cover-model-law-degree-164016410--oly.html http://smg.beta.photobucket.com/user/scottle/library/fight/?fromLegacy=true 834827 9 ggaren 2013-02-16 14:26:52 -0800 *** Bug 109838 has been marked as a duplicate of this bug. ***