120015 2013-08-19 10:33:52 -0700 DFG 32Bit: Crash loading "Classic" site @ translate.google.com 2013-08-21 16:36:15 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) All All RESOLVED FIXED translate.google.com InRadar P2 Normal --- 1 msaboff msaboff ggaren webkit-bug-importer oldest_to_newest 918683 0 msaboff 2013-08-19 10:33:52 -0700 For 32 bit builds, loading the "Classic" page at translate.google.com crashes in 32 bit builds. On iOS, the stack trace looks something like: 0 JavaScriptCore 0x3085bf60 operationGetByValCell + 148 (WriteBarrier.h:103) 1 ??? 0x25982d8c 0 + 630730124 2 JavaScriptCore 0x307e5ef4 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 52 (CallData.cpp:40) 3 JavaScriptCore 0x308b35f2 JSC::functionProtoFuncCall(JSC::ExecState*) + 186 (FunctionPrototype.cpp:168) 4 ??? 0x258971be 0 + 629764542 5 JavaScriptCore 0x307e5ef4 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 52 (CallData.cpp:40) 6 JavaScriptCore 0x308b35f2 JSC::functionProtoFuncCall(JSC::ExecState*) + 186 (FunctionPrototype.cpp:168) 7 ??? 0x258971be 0 + 629764542 8 JavaScriptCore 0x307e5ef4 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 52 (CallData.cpp:40) 9 JavaScriptCore 0x308b35f2 JSC::functionProtoFuncCall(JSC::ExecState*) + 186 (FunctionPrototype.cpp:168) 10 ??? 0x258971be 0 + 629764542 11 JavaScriptCore 0x307e5ef4 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 52 (CallData.cpp:40) 12 JavaScriptCore 0x308b35f2 JSC::functionProtoFuncCall(JSC::ExecState*) + 186 (FunctionPrototype.cpp:168) 13 ??? 0x258971be 0 + 629764542 14 JavaScriptCore 0x307e5ef4 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 52 (CallData.cpp:40) 15 JavaScriptCore 0x308b34c8 JSC::functionProtoFuncApply(JSC::ExecState*) + 704 (FunctionPrototype.cpp:154) 16 ??? 0x2589713e 0 + 629764414 17 JavaScriptCore 0x308ba4a6 JSC::eval(JSC::ExecState*) + 926 (Interpreter.cpp:198) 18 JavaScriptCore 0x309286ac llint_slow_path_call_eval + 224 (LLIntSlowPaths.cpp:1493) 19 JavaScriptCore 0x3092d990 llint_op_call_eval + 12 20 JavaScriptCore 0x307e5ef4 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 52 (CallData.cpp:40) 21 WebCore 0x37b8f57e WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 142 (JSMainThreadExecState.h:64) 22 WebCore 0x3775b656 WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue, WebCore::ScriptExecutionContext*) + 310 (ScheduledAction.cpp:111) 23 WebCore 0x3775b49c WebCore::ScheduledAction::execute(WebCore::Document*) + 108 (ScheduledAction.cpp:132) 24 WebCore 0x3775b298 WebCore::DOMTimer::fired() + 372 (DOMTimer.cpp:182) 25 WebCore 0x37717f4c WebCore::ThreadTimers::sharedTimerFiredInternal() + 132 (ThreadTimers.cpp:143) 26 WebCore 0x37717e9e WebCore::timerFired(__CFRunLoopTimer*, void*) + 22 (SharedTimerIOS.mm:62) 27 CoreFoundation 0x2f7fa734 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 12 (CFRunLoop.c:1604) 28 CoreFoundation 0x2f7fa34a __CFRunLoopDoTimer + 778 (CFRunLoop.c:2090) <rdar://problem/14644548> 918689 1 msaboff 2013-08-19 10:48:09 -0700 The javascript that triggers the problem is: function (){return this.Ad||(this.Ad=so+(this.mb.a++)[Xb](36))} and it's byte code is: [ 0] enter [ 1] convert_this r-7 [ 4] get_by_id r0, r-7, Ad(@id0) [ 13] jtrue r0, 86(->99) [ 16] mov r1, r-7 [ 19] resolve r2, so(@id1), 284206064 [ 24] get_by_id r3, r-7, mb(@id2) [ 33] get_by_id r4, r3, a(@id3) [ 42] to_number r5, r4 [ 45] pre_inc r4 [ 47] put_by_id r3, a(@id3), r4 [ 56] resolve r6, Xb(@id4), 284206076 [ 61] get_by_val r6, r5, r6 Original [ 67] mov r8, r5 [ 70] mov r7, Int32: 36(@k0) [ 73] call r6, 2, 15 status(Not Set) [ 79] call_put_result r6 [ 82] add r2, r2, r6 [ 87] put_by_id r1, Ad(@id0), r2 [ 96] mov r0, r2 [ 99] ret r0 The IR for (this.mb.a++)[Xb], specifically the get_by_val for …[Xb] assumes that the object being index is a Cell, but the processing of (this.mb.a++) is predicting int. Here are the two nodes in question: 34: < 4:8> GetByOffset(KnownCell:@31<Final>, JS|UseAsOther, id3{a}, 1, bc#33) predicting Int 45: <!1:9> GetByVal(Check:Cell:@34<Int32>, @43<String>, JS|MustGen|MightClobber|UseAsOther|CanExit, GenericNonArrayInBoundsAsIs, bc#61) predicting Function SpeculativeJIT::fillSpeculateCell() in DFGSpeculativeJIT32_64.cpp doesn't check for values spilled as DataFormatInteger like the 64 bit version. 918821 2 209129 msaboff 2013-08-19 15:09:23 -0700 Created attachment 209129 Patch Also cleaned up prior change log that inadvertently included the info from this change. 918822 3 209129 oliver 2013-08-19 15:11:45 -0700 Comment on attachment 209129 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=209129&action=review > Source/JavaScriptCore/ChangeLog:-13 > - * dfg/DFGSpeculativeJIT32_64.cpp: > - (JSC::DFG::SpeculativeJIT::fillSpeculateCell): ? 918825 4 msaboff 2013-08-19 15:23:30 -0700 (In reply to comment #3) > (From update of attachment 209129 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=209129&action=review > > > Source/JavaScriptCore/ChangeLog:-13 > > - * dfg/DFGSpeculativeJIT32_64.cpp: > > - (JSC::DFG::SpeculativeJIT::fillSpeculateCell): > > ? Like I said in the comment for the attachment. I inadvertently added the changed files to a prior change log. Hazards of handling an interrupting problem in the same checkout. 918830 5 msaboff 2013-08-19 15:37:48 -0700 Committed r154303: <http://trac.webkit.org/changeset/154303> 919679 6 webkit-bug-importer 2013-08-21 16:36:15 -0700 <rdar://problem/14802240> 209129 2013-08-19 15:09:23 -0700 2013-08-19 15:11:45 -0700 Patch 120015.patch text/plain 1886 msaboff SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTU0Mjk4KQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE0IEBA CisyMDEzLTA4LTE5ICBNaWNoYWVsIFNhYm9mZiAgPG1zYWJvZmZAYXBwbGUuY29tPgorCisgICAg ICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xMjAwMTUgREZHIDMy Qml0OiBDcmFzaCBsb2FkaW5nICJDbGFzc2ljIiBzaXRlIEAgdHJhbnNsYXRlLmdvb2dsZS5jb20K KworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICAqIGRmZy9E RkdTcGVjdWxhdGl2ZUpJVDMyXzY0LmNwcDoKKyAgICAgICAgKEpTQzo6REZHOjpTcGVjdWxhdGl2 ZUpJVDo6ZmlsbFNwZWN1bGF0ZUNlbGwpOiBBZGRlZCBjaGVja3MgZm9yIHNwaWxsRm9ybWF0IGJl aW5nCisgICAgICAgIERhdGFGb3JtYXRJbnRlZ2VyIG9yIERhdGFGb3JtYXREb3VibGUgc2ltaWxh ciB0byB3aGF0IGlzIGluIHRoZSA2NCBiaXQgY29kZSBhbmQgaW4KKyAgICAgICAgYWxsIHZlcnNp b25zIG9mIGZpbGxTcGVjdWxhdGVCb29sZWFuKCkuCisKIDIwMTMtMDgtMTkgIE1pY2hhZWwgU2Fi b2ZmICA8bXNhYm9mZkBhcHBsZS5jb20+CiAKICAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5v cmcvc2hvd19idWcuY2dpP2lkPTEyMDAyMCBDaGFuZ2UgU2V0IDE1NDIwNyBjYXVzZXMgd3Jvbmcg cmVnaXN0ZXIgdG8gYmUgdXNlZCBmb3IgMzIgYml0IHRlc3RzCkBAIC05LDggKzIwLDYgQEAKIAog ICAgICAgICAqIGFzc2VtYmxlci9NYWNyb0Fzc2VtYmxlclg4NkNvbW1vbi5oOgogICAgICAgICAo SlNDOjpNYWNyb0Fzc2VtYmxlclg4NkNvbW1vbjo6YnJhbmNoVGVzdDMyKToKLSAgICAgICAgKiBk ZmcvREZHU3BlY3VsYXRpdmVKSVQzMl82NC5jcHA6Ci0gICAgICAgIChKU0M6OkRGRzo6U3BlY3Vs YXRpdmVKSVQ6OmZpbGxTcGVjdWxhdGVDZWxsKToKIAogMjAxMy0wOC0xNiAgT2xpdmVyIEh1bnQg IDxvbGl2ZXJAYXBwbGUuY29tPgogCkluZGV4OiBTb3VyY2UvSmF2YVNjcmlwdENvcmUvZGZnL0RG R1NwZWN1bGF0aXZlSklUMzJfNjQuY3BwCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFNvdXJjZS9KYXZhU2NyaXB0 Q29yZS9kZmcvREZHU3BlY3VsYXRpdmVKSVQzMl82NC5jcHAJKHJldmlzaW9uIDE1NDI5NykKKysr IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9kZmcvREZHU3BlY3VsYXRpdmVKSVQzMl82NC5jcHAJKHdv cmtpbmcgY29weSkKQEAgLTExMDcsNiArMTEwNywxMCBAQCBHUFJSZWcgU3BlY3VsYXRpdmVKSVQ6 OmZpbGxTcGVjdWxhdGVDZWxsCiAKICAgICBzd2l0Y2ggKGluZm8ucmVnaXN0ZXJGb3JtYXQoKSkg ewogICAgIGNhc2UgRGF0YUZvcm1hdE5vbmU6IHsKKyAgICAgICAgaWYgKGluZm8uc3BpbGxGb3Jt YXQoKSA9PSBEYXRhRm9ybWF0SW50ZWdlciB8fCBpbmZvLnNwaWxsRm9ybWF0KCkgPT0gRGF0YUZv cm1hdERvdWJsZSkgeworICAgICAgICAgICAgdGVybWluYXRlU3BlY3VsYXRpdmVFeGVjdXRpb24o VW5jb3VudGFibGUsIEpTVmFsdWVSZWdzKCksIDApOworICAgICAgICAgICAgcmV0dXJuIGFsbG9j YXRlKCk7CisgICAgICAgIH0KIAogICAgICAgICBpZiAoZWRnZS0+aGFzQ29uc3RhbnQoKSkgewog ICAgICAgICAgICAgSlNWYWx1ZSBqc1ZhbHVlID0gdmFsdWVPZkpTQ29uc3RhbnQoZWRnZS5ub2Rl KCkpOwo=