128228 2014-02-04 19:08:20 -0800 DFG::operationTypeOf() needs to set the VM::topCallFrame 2014-02-04 20:57:27 -0800 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 mark.lam mark.lam commit-queue fpizlo ggaren mhahnenberg msaboff oliver oldest_to_newest 976615 0 mark.lam 2014-02-04 19:08:20 -0800 For the following crash stack trace tells me so: (gdb) bt #0 JSC::Register::jsValue (this=0xbadbeef0badbf07) at Register.h:118 #1 0x000000010b8843c5 in JSC::Register::scope (this=0xbadbeef0badbf07) at JSScope.h:237 #2 0x000000010b8842b5 in JSC::ExecState::scope (this=0xbadbeef0badbeef) at CallFrame.h:49 #3 0x000000010b884275 in JSC::ExecState::lexicalGlobalObject (this=0xbadbeef0badbeef) at JSScope.h:248 #4 0x000000010b890c55 in WebCore::currentWorld (exec=0xbadbeef0badbeef) at DOMWrapperWorld.h:77 #5 0x000000010cf6ac78 in WebCore::ScriptController::shouldBypassMainWorldContentSecurityPolicy (this=0x7f9aecc096f0) at Source/WebCore/bindings/js/ScriptController.cpp:474 #6 0x000000010b8bb629 in WebCore::CachedResourceLoader::canRequest (this=0x7f9af50adf50, type=WebCore::CachedResource::ImageResource, url=@0x7fff57e618f0, options=@0x7fff57e61c28, forPreload=false) at Source/WebCore/loader/cache/CachedResourceLoader.cpp:299 #7 0x000000010b8bbc56 in WebCore::CachedResourceLoader::requestResource (this=0x7f9af50adf50, type=WebCore::CachedResource::ImageResource, request=@0x7fff57e61b48) at Source/WebCore/loader/cache/CachedResourceLoader.cpp:419 #8 0x000000010b8bb4f4 in WebCore::CachedResourceLoader::requestImage (this=0x7f9af50adf50, request=@0x7fff57e61b48) at Source/WebCore/loader/cache/CachedResourceLoader.cpp:163 #9 0x000000010ba51dd9 in WebCore::CSSImageValue::cachedImage (this=0x7f9afb4240c0, loader=0x7f9af50adf50, options=@0x10e89b678) at Source/WebCore/css/CSSImageValue.cpp:90 #10 0x000000010d10994a in WebCore::StyleResolver::loadPendingImage (this=0x7f9afa8666d0, pendingImage=0x7f9afb4b5890, options=@0x10e89b678) at Source/WebCore/css/StyleResolver.cpp:3516 #11 0x000000010d109b04 in WebCore::StyleResolver::loadPendingImage (this=0x7f9afa8666d0, pendingImage=0x7f9afb4b5890) at Source/WebCore/css/StyleResolver.cpp:3536 #12 0x000000010d109f23 in WebCore::StyleResolver::loadPendingImages (this=0x7f9afa8666d0) at Source/WebCore/css/StyleResolver.cpp:3572 #13 0x000000010d1047fe in WebCore::StyleResolver::loadPendingResources (this=0x7f9afa8666d0) at Source/WebCore/css/StyleResolver.cpp:3671 #14 0x000000010d0fd64c in WebCore::StyleResolver::applyMatchedProperties (this=0x7f9afa8666d0, matchResult=@0x7fff57e68b70, element=0x7f9af7ac59c0, shouldUseMatchedPropertiesCache=WebCore::StyleResolver::UseMatchedPropertiesCache) at Source/WebCore/css/StyleResolver.cpp:1768 #15 0x000000010d0fb29d in WebCore::StyleResolver::styleForElement (this=0x7f9afa8666d0, element=0x7f9af7ac59c0, defaultParent=0x0, sharingBehavior=WebCore::AllowStyleSharing, matchingBehavior=WebCore::MatchAllRules, regionForStyling=0x0) at Source/WebCore/css/StyleResolver.cpp:821 #16 0x000000010bdb34a5 in WebCore::Element::styleForRenderer (this=0x7f9af7ac59c0) at Source/WebCore/dom/Element.cpp:1458 #17 0x000000010b8f23b6 in WebCore::Style::resolveLocal (current=@0x7f9af7ac59c0, inheritedChange=WebCore::Style::NoChange) at Source/WebCore/style/StyleResolveTree.cpp:667 #18 0x000000010b8f1db0 in WebCore::Style::resolveTree (current=@0x7f9af7ac59c0, change=WebCore::Style::NoChange) at Source/WebCore/style/StyleResolveTree.cpp:824 #19 0x000000010b8f1f70 in WebCore::Style::resolveTree (current=@0x7f9af9a24dc0, change=WebCore::Style::NoChange) at Source/WebCore/style/StyleResolveTree.cpp:856 #20 0x000000010b8f1f70 in WebCore::Style::resolveTree (current=@0x7f9af7161160, change=WebCore::Style::NoChange) at Source/WebCore/style/StyleResolveTree.cpp:856 #21 0x000000010b8f1f70 in WebCore::Style::resolveTree (current=@0x7f9af9bd1c10, change=WebCore::Style::NoChange) at Source/WebCore/style/StyleResolveTree.cpp:856 #22 0x000000010b8f1f70 in WebCore::Style::resolveTree (current=@0x7f9af98f5a90, change=WebCore::Style::NoChange) at Source/WebCore/style/StyleResolveTree.cpp:856 #23 0x000000010b8f1f70 in WebCore::Style::resolveTree (current=@0x7f9af9aa9d70, change=WebCore::Style::NoChange) at Source/WebCore/style/StyleResolveTree.cpp:856 #24 0x000000010b8f1f70 in WebCore::Style::resolveTree (current=@0x7f9afa81df00, change=WebCore::Style::NoChange) at Source/WebCore/style/StyleResolveTree.cpp:856 #25 0x000000010b8f1c51 in WebCore::Style::resolveTree (document=@0x7f9aeda8be00, change=WebCore::Style::NoChange) at Source/WebCore/style/StyleResolveTree.cpp:898 #26 0x000000010bc18ae6 in WebCore::Document::recalcStyle (this=0x7f9aeda8be00, change=WebCore::Style::NoChange) at Source/WebCore/dom/Document.cpp:1740 #27 0x000000010bc1531f in WebCore::Document::updateStyleIfNeeded (this=0x7f9aeda8be00) at Source/WebCore/dom/Document.cpp:1788 #28 0x000000010bc16094 in WebCore::Document::updateLayout (this=0x7f9aeda8be00) at Source/WebCore/dom/Document.cpp:1807 #29 0x000000010bc1938f in WebCore::Document::updateLayoutIgnorePendingStylesheets (this=0x7f9aeda8be00) at Source/WebCore/dom/Document.cpp:1848 #30 0x000000010c14dbb7 in WebCore::HTMLObjectElement::renderWidgetForJSBindings (this=0x7f9afb55ba30) at Source/WebCore/html/HTMLObjectElement.cpp:86 #31 0x000000010c160d0b in WebCore::HTMLPlugInElement::pluginWidget (this=0x7f9afb55ba30) at Source/WebCore/html/HTMLPlugInElement.cpp:168 #32 0x000000010c701af9 in WebCore::pluginScriptObjectFromPluginViewBase (pluginElement=@0x7f9afb55ba30, globalObject=0x11b79d070) at Source/WebCore/bindings/js/JSPluginElementFunctions.cpp:56 #33 0x000000010c701ee7 in WebCore::pluginScriptObjectFromPluginViewBase (jsHTMLElement=0x117a42c30) at Source/WebCore/bindings/js/JSPluginElementFunctions.cpp:74 #34 0x000000010c701db9 in WebCore::pluginElementGetCallData (element=0x117a42c30, callData=@0x7fff57e699a8) at Source/WebCore/bindings/js/JSPluginElementFunctions.cpp:164 #35 0x000000010c637205 in WebCore::JSHTMLObjectElement::getCallData (cell=0x117a42c30, callData=@0x7fff57e699a8) at Source/WebCore/bindings/js/JSHTMLObjectElementCustom.cpp:48 #36 0x000000010a36e505 in JSC::jsTypeStringForValue (vm=@0x7f9aee031800, globalObject=0x11b79d070, v={static numberOfInt52Bits = <optimized out>, static int52ShiftAmount = <optimized out>, u = {asInt64 = 4691602480, ptr = 0x117a42c30, asBits = {payload = 396635184, tag = 1}}}) at Source/JavaScriptCore/runtime/Operations.cpp:74 #37 0x000000010a36e59e in JSC::jsTypeStringForValue (callFrame=0x7fff57e69a80, v={static numberOfInt52Bits = <optimized out>, static int52ShiftAmount = <optimized out>, u = {asInt64 = 4691602480, ptr = 0x117a42c30, asBits = {payload = 396635184, tag = 1}}}) at Source/JavaScriptCore/runtime/Operations.cpp:82 #38 0x000000010a04bcf5 in operationTypeOf (exec=0x7fff57e69a80, value=0x117a42c30) at Source/JavaScriptCore/dfg/DFGOperations.cpp:826 #39 0x000048cbeba5b36a in ?? () #40 0x000048cbeba5a99e in ?? () … 976618 1 mark.lam 2014-02-04 19:14:55 -0800 ref: <rdar://problem/15709259> 976624 2 223201 mark.lam 2014-02-04 19:39:58 -0800 Created attachment 223201 Set VM::topCallFrame in DFG::operationTypeOf() using NativeCallFrameTracer. 976625 3 223202 mark.lam 2014-02-04 19:43:47 -0800 Created attachment 223202 Removed a ' ' in the ChangeLog. 976626 4 223202 mhahnenberg 2014-02-04 19:48:01 -0800 Comment on attachment 223202 Removed a ' ' in the ChangeLog. r=me 976637 5 223202 commit-queue 2014-02-04 20:17:58 -0800 Comment on attachment 223202 Removed a ' ' in the ChangeLog. Clearing flags on attachment: 223202 Committed r163426: <http://trac.webkit.org/changeset/163426> 976638 6 commit-queue 2014-02-04 20:18:01 -0800 All reviewed patches have been landed. Closing bug. 976644 7 ggaren 2014-02-04 20:57:27 -0800 Regression test? 223201 2014-02-04 19:39:58 -0800 2014-02-04 19:43:47 -0800 Set VM::topCallFrame in DFG::operationTypeOf() using NativeCallFrameTracer. bug-128228.patch text/plain 1325 mark.lam SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTYzNDIzKQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE1IEBA CisyMDE0LTAyLTA0ICBNYXJrIExhbSAgPG1hcmsubGFtQGFwcGxlLmNvbT4KKworICAgICAgICBE Rkc6OiBvcGVyYXRpb25UeXBlT2YoKSBuZWVkcyB0byBzZXQgdGhlIFZNOjp0b3BDYWxsRnJhbWUu CisgICAgICAgIDxodHRwczovL3dlYmtpdC5vcmcvYi8xMjgyMjg+CisKKyAgICAgICAgUmV2aWV3 ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgKiBkZmcvREZHT3BlcmF0aW9ucy5jcHA6 CisgICAgICAgIC0gb3BlcmF0aW9uVHlwZU9mKCkgY2FuIGVuZCB1cCBjYWxsaW5nIGludG8gV2Vi Q29yZSB3aGljaCBtYXkgaW4gdHVybgorICAgICAgICAgIGNhbGwgYmFjayB0byBKU0MsIGFuZCBu ZWVkIGEgdmFsaWQgVk06OnRvcENhbGxGcmFtZS4gU28sIHdlIG5lZWQgdG8KKyAgICAgICAgICBz ZXQgdGhlIHZhbHVlIG9mIFZNOjp0b3BDYWxsRnJhbWUgYXQgdGhlIHRvcCBvZiBvcGVyYXRpb25U eXBlT2YoKS4KKwogMjAxNC0wMi0wNCAgTWFyayBIYWhuZW5iZXJnICA8bWhhaG5lbmJlcmdAYXBw bGUuY29tPgogCiAgICAgICAgIEZpeCAhRU5BQkxFKEpJVCkgYnVpbGRzIGFmdGVyIHIxNjM0MTgK SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9kZmcvREZHT3BlcmF0aW9ucy5jcHAKPT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PQotLS0gU291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9ERkdPcGVyYXRpb25zLmNwcAkocmV2 aXNpb24gMTYzNDIzKQorKysgU291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9ERkdPcGVyYXRpb25z LmNwcAkod29ya2luZyBjb3B5KQpAQCAtODIzLDYgKzgyMyw4IEBAIHNpemVfdCBKSVRfT1BFUkFU SU9OIG9wZXJhdGlvbklzRnVuY3Rpb24KIAogSlNDZWxsKiBKSVRfT1BFUkFUSU9OIG9wZXJhdGlv blR5cGVPZihFeGVjU3RhdGUqIGV4ZWMsIEpTQ2VsbCogdmFsdWUpCiB7CisgICAgVk0mIHZtID0g ZXhlYy0+dm0oKTsKKyAgICBOYXRpdmVDYWxsRnJhbWVUcmFjZXIgdHJhY2VyKCZ2bSwgZXhlYyk7 CiAgICAgcmV0dXJuIGpzVHlwZVN0cmluZ0ZvclZhbHVlKGV4ZWMsIEpTVmFsdWUodmFsdWUpKS5h c0NlbGwoKTsKIH0KIAo= 223202 2014-02-04 19:43:47 -0800 2014-02-04 20:17:58 -0800 Removed a ' ' in the ChangeLog. bug-128228.patch text/plain 1324 mark.lam SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTYzNDIzKQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE1IEBA CisyMDE0LTAyLTA0ICBNYXJrIExhbSAgPG1hcmsubGFtQGFwcGxlLmNvbT4KKworICAgICAgICBE Rkc6Om9wZXJhdGlvblR5cGVPZigpIG5lZWRzIHRvIHNldCB0aGUgVk06OnRvcENhbGxGcmFtZS4K KyAgICAgICAgPGh0dHBzOi8vd2Via2l0Lm9yZy9iLzEyODIyOD4KKworICAgICAgICBSZXZpZXdl ZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICAqIGRmZy9ERkdPcGVyYXRpb25zLmNwcDoK KyAgICAgICAgLSBvcGVyYXRpb25UeXBlT2YoKSBjYW4gZW5kIHVwIGNhbGxpbmcgaW50byBXZWJD b3JlIHdoaWNoIG1heSBpbiB0dXJuCisgICAgICAgICAgY2FsbCBiYWNrIHRvIEpTQywgYW5kIG5l ZWQgYSB2YWxpZCBWTTo6dG9wQ2FsbEZyYW1lLiBTbywgd2UgbmVlZCB0bworICAgICAgICAgIHNl dCB0aGUgdmFsdWUgb2YgVk06OnRvcENhbGxGcmFtZSBhdCB0aGUgdG9wIG9mIG9wZXJhdGlvblR5 cGVPZigpLgorCiAyMDE0LTAyLTA0ICBNYXJrIEhhaG5lbmJlcmcgIDxtaGFobmVuYmVyZ0BhcHBs ZS5jb20+CiAKICAgICAgICAgRml4ICFFTkFCTEUoSklUKSBidWlsZHMgYWZ0ZXIgcjE2MzQxOApJ bmRleDogU291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9ERkdPcGVyYXRpb25zLmNwcAo9PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09Ci0tLSBTb3VyY2UvSmF2YVNjcmlwdENvcmUvZGZnL0RGR09wZXJhdGlvbnMuY3BwCShyZXZp c2lvbiAxNjM0MjMpCisrKyBTb3VyY2UvSmF2YVNjcmlwdENvcmUvZGZnL0RGR09wZXJhdGlvbnMu Y3BwCSh3b3JraW5nIGNvcHkpCkBAIC04MjMsNiArODIzLDggQEAgc2l6ZV90IEpJVF9PUEVSQVRJ T04gb3BlcmF0aW9uSXNGdW5jdGlvbgogCiBKU0NlbGwqIEpJVF9PUEVSQVRJT04gb3BlcmF0aW9u VHlwZU9mKEV4ZWNTdGF0ZSogZXhlYywgSlNDZWxsKiB2YWx1ZSkKIHsKKyAgICBWTSYgdm0gPSBl eGVjLT52bSgpOworICAgIE5hdGl2ZUNhbGxGcmFtZVRyYWNlciB0cmFjZXIoJnZtLCBleGVjKTsK ICAgICByZXR1cm4ganNUeXBlU3RyaW5nRm9yVmFsdWUoZXhlYywgSlNWYWx1ZSh2YWx1ZSkpLmFz Q2VsbCgpOwogfQogCg==