19580 2008-06-16 08:24:25 -0700 REGRESSION (r34432): PGO-only crash in HTMLCollection::resetCollectionInfo (codegen issue?) 2008-07-10 15:59:40 -0700 1 1 1 Unclassified WebKit WebCore Misc. 528+ (Nightly build) PC Windows XP RESOLVED FIXED data:text/html,<form name=myForm><textarea name=myText></textarea></form><script>window.myForm.myText.value='test';</script> HasReduction, InRadar, PlatformOnly, Regression P1 Major --- 1 808caaa4.8ce9.9cd6c799e9f6 aroben abarth ap aroben dave.english dev+webkit greger.cronquist jun.zhn lvpoker redmojave rogerd.parish sam.kellyc sam zwarich oldest_to_newest 83464 0 808caaa4.8ce9.9cd6c799e9f6 2008-06-16 08:24:25 -0700 source: --- <form name=myForm> <textarea name=myText></textarea> </form> <script>window.myForm.myText.value='test';</script> --- debugger outout: --- Access violation - code c0000005 (!!! second chance !!!) eax=00000000 ebx=0012f250 ecx=7fd1e3a0 edx=00000020 esi=7fd1e3a0 edi=0012f248 eip=100ad160 esp=0012f1dc ebp=0012f1fc iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206 WebKit!WebCore__HTMLCollection__resetCollectionInfo+10: 100ad160 8b9800010000 mov ebx,[eax+0x100] ds:0023:00000100=???????? 0:000> k ChildEBP RetAddr 0012f1fc 100b592e WebKit!WebCore__HTMLCollection__resetCollectionInfo+0x10 0012f210 100ba061 WebKit!WebCore__HTMLCollection__namedItems+0x1e 0012f230 102cb8c0 WebKit!WebCore__HTMLFormElement__getNamedElements+0x21 0012f258 102669a8 WebKit!WebCore__JSHTMLFormElement__canGetItemsForName+0x40 0012f274 103dc15b WebKit!WebCore__JSHTMLFormElement__getOwnPropertySlot+0x18 0012f2ac 10071956 WebKit!KJS__JSValue__get+0x51 0012f49c 1009dc5f WebKit!KJS__Machine__privateExecute+0x2e86 0012f4f4 1009dad7 WebKit!KJS__Machine__execute+0xcf 0012f53c 1013dfc1 WebKit!KJS__Interpreter__evaluate+0xd7 0012f578 1012ac99 WebKit!WebCore__ScriptController__evaluate+0xb1 0012f594 10023a6e WebKit!WebCore__FrameLoader__executeScript+0x49 0012f758 100326d7 WebKit!WebCore__HTMLTokenizer__scriptExecution+0x10e 0012f7f8 1005e9d9 WebKit!WebCore__HTMLTokenizer__scriptHandler+0x257 0012f830 1005e108 WebKit!WebCore__HTMLTokenizer__parseSpecial+0x369 0012f96c 1005ee32 WebKit!WebCore__HTMLTokenizer__parseTag+0x11a8 7fef7410 00000000 WebKit!WebCore__HTMLTokenizer__write+0x2b2 --- host is safari 4DP(4.526.12.2). 83486 1 mitz 2008-06-16 10:18:59 -0700 I cannot reproduce the crash on Mac OS X. 84362 2 ap 2008-06-25 02:18:40 -0700 *** Bug 19763 has been marked as a duplicate of this bug. *** 84363 3 ap 2008-06-25 02:21:07 -0700 Per bug bug 19763, a crash with this stack trace happens when opening yahoo.com now. 84364 4 ap 2008-06-25 02:22:16 -0700 <rdar://problem/6033046> 84525 5 dev+webkit 2008-06-26 15:35:13 -0700 This doesn't seem to crash with a debug build. 84729 6 dev+webkit 2008-06-29 14:05:03 -0700 *** Bug 19818 has been marked as a duplicate of this bug. *** 84770 7 aroben 2008-06-30 11:46:57 -0700 Looks like m_base->document() is returning 0. 84771 8 aroben 2008-06-30 11:50:32 -0700 (In reply to comment #7) > Looks like m_base->document() is returning 0. This seems to only affect nightly builds, not ToT Safari. 84816 9 aroben 2008-06-30 20:33:23 -0700 (In reply to comment #8) > (In reply to comment #7) > > Looks like m_base->document() is returning 0. > > This seems to only affect nightly builds, not ToT Safari. Apparently it only affects Release builds, not Debug builds, so my statement above was not quite right (ToT Safari is affected, in Release builds). 84912 10 aroben 2008-07-01 15:13:20 -0700 data:text/html,<form name=myForm><textarea name=myText></textarea></form><script>window.myForm.myText.value='test';</script> 84913 11 aroben 2008-07-01 15:21:22 -0700 r34388 does not crash. 84930 12 jhoneycutt 2008-07-01 18:17:23 -0700 <rdar://problem/6029794> 84932 13 aroben 2008-07-01 18:23:48 -0700 Looks like I narrowed this down incorrectly. It *does* crash in r34503. 84933 14 aroben 2008-07-01 18:53:25 -0700 It looks like at some point a JSHTMLFormElement is getting passed instead of an HTMLFormElement. 84934 15 aroben 2008-07-01 18:56:15 -0700 (In reply to comment #14) > It looks like at some point a JSHTMLFormElement is getting passed instead of an > HTMLFormElement. Specifically, HTMLFormElement::elements calls HTMLFormCollection::create and passes in "this", but for some reason "this" is being turned into the JSHTMLFormElement that wraps this HTMLFormElement. 84935 16 aroben 2008-07-01 18:58:05 -0700 Here's the disassembly for HTMLFormElement::elements: PassRefPtr<HTMLCollection> HTMLFormElement::elements() { 00E10710 push ebp 00E10711 mov ebp,esp 00E10713 push ecx return HTMLFormCollection::create(this); 00E10714 test ecx,ecx 00E10716 push ecx 00E10717 mov dword ptr [esp],ecx 00E1071A je WebCore::HTMLFormElement::elements+0Fh (0E1071Fh) 00E1071C inc dword ptr [ecx+4] 00E1071F lea eax,[ebp-4] 00E10722 push esi 00E10723 push eax 00E10724 call WebCore::HTMLFormCollection::create (0E09F70h) 00E10729 mov esi,dword ptr [ebp+8] 00E1072C pop ecx 00E1072D pop ecx 00E1072E mov ecx,dword ptr [eax] 00E10730 and dword ptr [eax],0 00E10733 mov eax,dword ptr [ebp-4] 00E10736 test eax,eax 00E10738 mov dword ptr [esi],ecx 00E1073A jne 010A4FF6 00E10740 mov eax,esi 00E10742 pop esi } 00E10743 leave 00E10744 ret 4 84936 17 aroben 2008-07-01 19:02:35 -0700 For comparison, here's the disassembly from a Debug build: PassRefPtr<HTMLCollection> HTMLFormElement::elements() { 00E318C0 push ebp 00E318C1 mov ebp,esp 00E318C3 sub esp,0Ch 00E318C6 mov dword ptr [ebp-0Ch],0CCCCCCCCh 00E318CD mov dword ptr [ebp-8],0CCCCCCCCh 00E318D4 mov dword ptr [ebp-4],0CCCCCCCCh 00E318DB mov dword ptr [ebp-4],ecx return HTMLFormCollection::create(this); 00E318DE push ecx 00E318DF mov ecx,esp 00E318E1 mov eax,dword ptr [this] 00E318E4 push eax 00E318E5 call WTF::PassRefPtr<WebCore::HTMLFormElement>::PassRefPtr<WebCore::HTMLFormElement> (0AE5A06h) 00E318EA lea ecx,[ebp-0Ch] 00E318ED push ecx 00E318EE call WebCore::HTMLFormCollection::create (114B9C0h) 00E318F3 add esp,8 00E318F6 push eax 00E318F7 mov ecx,dword ptr [ebp+8] 00E318FA call WTF::PassRefPtr<WebCore::HTMLCollection>::PassRefPtr<WebCore::HTMLCollection><WebCore::HTMLFormCollection> (0E33E50h) 00E318FF lea ecx,[ebp-0Ch] 00E31902 call WTF::PassRefPtr<WebCore::HTMLFormCollection>::~PassRefPtr<WebCore::HTMLFormCollection> (0E32CB0h) 00E31907 mov eax,dword ptr [ebp+8] } 00E3190A add esp,0Ch 00E3190D cmp ebp,esp 00E3190F call WTF::HashTableConstIteratorAdapter<WTF::HashTable<void *,std::pair<void *,PrintJobManager *>,WTF::PairFirstExtractor<std::pair<void *,PrintJobManager *> >,WTF::PtrHash<void *>,WTF::PairHashTraits<WTF::HashTraits<void *>,WTF::HashTraits<PrintJobManager *> >,WTF::HashTraits<void *> >,std::pair<void *,PrintJobManager *> >::operator->+0Ch (6F3FFCh) 00E31914 mov esp,ebp 00E31916 pop ebp 00E31917 ret 4 84938 18 aroben 2008-07-01 19:27:03 -0700 It looks like in a released version of WebKit.dll HTMLFormElement::elements was inlined within HTMLFormElement::getNamedElements. 84939 19 aroben 2008-07-01 19:33:42 -0700 (In reply to comment #18) > It looks like in a released version of WebKit.dll HTMLFormElement::elements was > inlined within HTMLFormElement::getNamedElements. Of course that was back before r34432, when HTMLFormCollection::create was added. 84940 20 aroben 2008-07-01 19:40:07 -0700 (In reply to comment #16) > Here's the disassembly for HTMLFormElement::elements: > > PassRefPtr<HTMLCollection> HTMLFormElement::elements() > { > 00E10710 push ebp > 00E10711 mov ebp,esp > 00E10713 push ecx > return HTMLFormCollection::create(this); > 00E10714 test ecx,ecx > 00E10716 push ecx > 00E10717 mov dword ptr [esp],ecx > 00E1071A je WebCore::HTMLFormElement::elements+0Fh (0E1071Fh) > 00E1071C inc dword ptr [ecx+4] > 00E1071F lea eax,[ebp-4] > 00E10722 push esi > 00E10723 push eax > 00E10724 call WebCore::HTMLFormCollection::create (0E09F70h) It looks like the value in esi ends up being the value of the argument passed to HTMLFormCollection::create. If this were working correctly, ecx would be the value passed to HTMLFormCollection::create. 84950 21 808caaa4.8ce9.9cd6c799e9f6 2008-07-01 23:27:21 -0700 (In reply to comment #20) I wonder if that isn't push esp.... 84987 22 aroben 2008-07-02 10:34:18 -0700 I reverted the parts of r34432 that are relevant to HTMLFormCollection, and the bug no longer occurs. Here's the disassembly from a PGO build with part of r34432 reverted: PassRefPtr<HTMLCollection> HTMLFormElement::elements() { 00E09F20 push ebp 00E09F21 mov ebp,esp 00E09F23 sub esp,14h 00E09F26 push ebx 00E09F27 push esi 00E09F28 push edi 00E09F29 mov dword ptr [ebp-14h],ecx return new HTMLFormCollection(this); 00E09F2C call WTF::TCMalloc_ThreadCache::GetCache (0D80790h) 00E09F31 push 20h 00E09F33 mov edi,eax 00E09F35 call WTF::ClassIndex (0DB72D0h) 00E09F3A movzx esi,byte ptr WebCore::CSSStyleSelector::s_styleNotYetAvailable+54h (1213628h)[eax] 00E09F41 mov eax,dword ptr WebCore::CSSStyleSelector::s_styleNotYetAvailable+1D4h (12137A8h)[esi*4] 00E09F48 pop ecx 00E09F49 lea ebx,[edi+esi*8+0Ch] 00E09F4D mov ecx,ebx 00E09F4F mov dword ptr [ebp-8],eax 00E09F52 call WTF::RefPtr<KJS::SourceElements>::operator! (0E18310h) 00E09F57 test al,al 00E09F59 jne 010A57DC 00E09F5F mov eax,dword ptr [ebp-8] 00E09F62 sub dword ptr [edi],eax 00E09F64 dec word ptr [ebx+4] 00E09F68 movzx eax,word ptr [ebx+4] 00E09F6C cmp ax,word ptr [ebx+6] 00E09F70 jb 010A5840 00E09F76 mov edi,dword ptr [ebx] 00E09F78 test edi,edi 00E09F7A mov eax,dword ptr [edi] 00E09F7C mov dword ptr [ebx],eax 00E09F7E je 010A582D 00E09F84 mov eax,dword ptr [ebp-14h] 00E09F87 test eax,eax 00E09F89 push ecx 00E09F8A mov dword ptr [esp],eax 00E09F8D je WebCore::HTMLFormElement::elements+72h (0E09F92h) 00E09F8F inc dword ptr [eax+4] 00E09F92 call WebCore::HTMLFormCollection::HTMLFormCollection (0E0E570h) 00E09F97 test eax,eax 00E09F99 mov ecx,dword ptr [ebp+8] 00E09F9C pop edi 00E09F9D pop esi 00E09F9E mov dword ptr [ecx],eax 00E09FA0 pop ebx 00E09FA1 je WebCore::HTMLFormElement::elements+86h (0E09FA6h) 00E09FA3 inc dword ptr [eax+4] 00E09FA6 mov eax,ecx } 00E09FA8 leave 00E09FA9 ret 4 85001 23 aroben 2008-07-02 12:08:16 -0700 Disabling LTCG for just HTMLFormElement.cpp does not seem to fix the issue. 85012 24 808caaa4.8ce9.9cd6c799e9f6 2008-07-02 14:33:49 -0700 (In reply to comment #23) *At least*, HTMLFormCollection::create() has same problem. With r34813, mov eax, [ebp+0Ch] and dword ptr [ebp+0Ch], 0 push ecx ; PassRefPtr<>(form) mov edi, ecx ; edi is fastMalloced space mov [esp], eax call ??0HTMLFormCollection@WebCore... ; ctor Oh, HTMLFormCollection::this and form cannot be same. I wonder if 1st push ecx isn't push esp, again. // btw, almost all fastMalloc() is inlined (by LTCG) ... is it desired?? // It's pretty large, for each, and may affect mem cache, I feel. // I haven't check which is finally faster, inlined or not inlined. 85013 25 808caaa4.8ce9.9cd6c799e9f6 2008-07-02 14:48:08 -0700 (In reply to comment #24. errata) push ecx ; *should be* PassRefPtr<>(form) mov edi, ecx ; ecx is fastMalloced space, edi should be _this for HTMLFormCollection 85417 26 mrowe 2008-07-07 18:00:00 -0700 *** Bug 19934 has been marked as a duplicate of this bug. *** 85529 27 aroben 2008-07-09 09:51:42 -0700 *** Bug 19752 has been marked as a duplicate of this bug. *** 85670 28 aroben 2008-07-10 15:12:42 -0700 Turning off LTCG for all of WebCore fixes the crash. I now suspect that I wasn't building correctly when turning off LTCG for certain files previously. 85692 29 aroben 2008-07-10 15:52:03 -0700 (In reply to comment #23) > Disabling LTCG for just HTMLFormElement.cpp does not seem to fix the issue. Yes it does! You just have to actually get HTMLFormElement.cpp to rebuild! 85693 30 22224 aroben 2008-07-10 15:55:49 -0700 Created attachment 22224 patch + changelog 85694 31 22224 zwarich 2008-07-10 15:57:53 -0700 Comment on attachment 22224 patch + changelog r=me 85695 32 aroben 2008-07-10 15:59:40 -0700 Landed in r35105 22224 2008-07-10 15:55:49 -0700 2008-07-10 15:57:53 -0700 patch + changelog 0001--Fix-Bug-19580-REGRESSION-r34432-PGO-only.patch text/plain 2671 aroben RnJvbSAzYWUyZDFhYmZhODk2YjQyZTNlOTdhZmU4ZGVmMmZkYjcxMDk0ODRkIE1vbiBTZXAgMTcg MDA6MDA6MDAgMjAwMQpGcm9tOiBBZGFtIFJvYmVuIDxhcm9iZW5AYXBwbGUuY29tPgpEYXRlOiBU aHUsIDEwIEp1bCAyMDA4IDE4OjUzOjM0IC0wNDAwClN1YmplY3Q6IFtQRlJdICAgICAgICAgRml4 IEJ1ZyAxOTU4MDogUkVHUkVTU0lPTiAocjM0NDMyKTogUEdPLW9ubHkgY3Jhc2ggaW4gSFRNTENv bGxlY3Rpb246OnJlc2V0Q29sbGVjdGlvbkluZm8gKGNvZGVnZW4gaXNzdWU/KQoKICAgICAgICA8 aHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTE5NTgwPgogICAgICAgIDxy ZGFyOi8vNjAyOTc5ND4KCiAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCgogICAg ICAgICogV2ViQ29yZS52Y3Byb2ovV2ViQ29yZS52Y3Byb2o6IERpc2FibGUgTFRDRyBmb3IgSFRN TEZvcm1FbGVtZW50LmNwcCwKICAgICAgICB3aGljaCB3YXMgY2F1c2luZyBzb21lIGJhZCBjb2Rl Z2VuIGluIEhUTUxGb3JtRWxlbWVudDo6ZWxlbWVudHMuCiAgICAgICAgKiBodG1sL0hUTUxGb3Jt RWxlbWVudC5jcHA6IFRvdWNoZWQgdGhpcyBmaWxlIHRvIGZvcmNlIGl0IHRvIHJlYnVpbGQuCi0t LQogV2ViQ29yZS9DaGFuZ2VMb2cgICAgICAgICAgICAgICAgICAgICB8ICAgMTQgKysrKysrKysr KysrKysKIFdlYkNvcmUvV2ViQ29yZS52Y3Byb2ovV2ViQ29yZS52Y3Byb2ogfCAgICA4IC0tLS0t LS0tCiBXZWJDb3JlL2h0bWwvSFRNTEZvcm1FbGVtZW50LmNwcCAgICAgIHwgICAgMiArLQogMyBm aWxlcyBjaGFuZ2VkLCAxNSBpbnNlcnRpb25zKCspLCA5IGRlbGV0aW9ucygtKQoKZGlmZiAtLWdp dCBhL1dlYkNvcmUvQ2hhbmdlTG9nIGIvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggZWVmZDhlYS4u MTY5YjJhMyAxMDA2NDQKLS0tIGEvV2ViQ29yZS9DaGFuZ2VMb2cKKysrIGIvV2ViQ29yZS9DaGFu Z2VMb2cKQEAgLTEsMyArMSwxNyBAQAorMjAwOC0wNy0xMCAgQWRhbSBSb2JlbiAgPGFyb2JlbkBh cHBsZS5jb20+CisKKyAgICAgICAgRml4IEJ1ZyAxOTU4MDogUkVHUkVTU0lPTiAocjM0NDMyKTog UEdPLW9ubHkgY3Jhc2ggaW4KKyAgICAgICAgSFRNTENvbGxlY3Rpb246OnJlc2V0Q29sbGVjdGlv bkluZm8gKGNvZGVnZW4gaXNzdWU/KQorCisgICAgICAgIDxodHRwczovL2J1Z3Mud2Via2l0Lm9y Zy9zaG93X2J1Zy5jZ2k/aWQ9MTk1ODA+CisgICAgICAgIDxyZGFyOi8vNjAyOTc5ND4KKworICAg ICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICAqIFdlYkNvcmUudmNw cm9qL1dlYkNvcmUudmNwcm9qOiBEaXNhYmxlIExUQ0cgZm9yIEhUTUxGb3JtRWxlbWVudC5jcHAs CisgICAgICAgIHdoaWNoIHdhcyBjYXVzaW5nIHNvbWUgYmFkIGNvZGVnZW4gaW4gSFRNTEZvcm1F bGVtZW50OjplbGVtZW50cy4KKyAgICAgICAgKiBodG1sL0hUTUxGb3JtRWxlbWVudC5jcHA6IFRv dWNoZWQgdGhpcyBmaWxlIHRvIGZvcmNlIGl0IHRvIHJlYnVpbGQuCisKIDIwMDgtMDctMDkgIEFs ZXggTWF0aGV3cyAgPHBvc3Nlc3NlZHBlbmd1aW5ib2JAZ21haWwuY29tPgogCiAgICAgICAgIFJl dmlld2VkIGJ5IE9saXZlciBIdW50LgpkaWZmIC0tZ2l0IGEvV2ViQ29yZS9XZWJDb3JlLnZjcHJv ai9XZWJDb3JlLnZjcHJvaiBiL1dlYkNvcmUvV2ViQ29yZS52Y3Byb2ovV2ViQ29yZS52Y3Byb2oK aW5kZXggNTRlYzJiYi4uNDdjZmI3YyAxMDA2NDQKLS0tIGEvV2ViQ29yZS9XZWJDb3JlLnZjcHJv ai9XZWJDb3JlLnZjcHJvagorKysgYi9XZWJDb3JlL1dlYkNvcmUudmNwcm9qL1dlYkNvcmUudmNw cm9qCkBAIC0xMjY5MCwxNCArMTI2OTAsNiBAQAogCQkJPEZpbGUNCiAJCQkJUmVsYXRpdmVQYXRo PSIuLlxodG1sXEhUTUxGb3JtRWxlbWVudC5jcHAiDQogCQkJCT4NCi0JCQkJPEZpbGVDb25maWd1 cmF0aW9uDQotCQkJCQlOYW1lPSJSZWxlYXNlX1BHT3xXaW4zMiINCi0JCQkJCT4NCi0JCQkJCTxU b29sDQotCQkJCQkJTmFtZT0iVkNDTENvbXBpbGVyVG9vbCINCi0JCQkJCQlXaG9sZVByb2dyYW1P cHRpbWl6YXRpb249InRydWUiDQotCQkJCQkvPg0KLQkJCQk8L0ZpbGVDb25maWd1cmF0aW9uPg0K IAkJCTwvRmlsZT4NCiAJCQk8RmlsZQ0KIAkJCQlSZWxhdGl2ZVBhdGg9Ii4uXGh0bWxcSFRNTEZv cm1FbGVtZW50LmgiDQpkaWZmIC0tZ2l0IGEvV2ViQ29yZS9odG1sL0hUTUxGb3JtRWxlbWVudC5j cHAgYi9XZWJDb3JlL2h0bWwvSFRNTEZvcm1FbGVtZW50LmNwcAppbmRleCBiNTY0Mjg3Li5lZmRi YzAyIDEwMDY0NAotLS0gYS9XZWJDb3JlL2h0bWwvSFRNTEZvcm1FbGVtZW50LmNwcAorKysgYi9X ZWJDb3JlL2h0bWwvSFRNTEZvcm1FbGVtZW50LmNwcApAQCAtODMsNyArODMsNyBAQCBIVE1MRm9y bUVsZW1lbnQ6On5IVE1MRm9ybUVsZW1lbnQoKQogewogICAgIGRlbGV0ZSBtX2VsZW1lbnRBbGlh c2VzOwogICAgIGRlbGV0ZSBjb2xsZWN0aW9uSW5mbzsKLSAgICAKKwogICAgIGZvciAodW5zaWdu ZWQgaSA9IDA7IGkgPCBmb3JtRWxlbWVudHMuc2l6ZSgpOyArK2kpCiAgICAgICAgIGZvcm1FbGVt ZW50c1tpXS0+Zm9ybURlc3Ryb3llZCgpOwogICAgIGZvciAodW5zaWduZWQgaSA9IDA7IGkgPCBp bWdFbGVtZW50cy5zaXplKCk7ICsraSkKLS0gCjEuNS42LnJjMy4xNTYuZzFhMDEKCg==