23225 2009-01-10 00:52:08 -0800 REGRESSION (r38592-r38645): Assertion failure in reparseInPlace() (m_sourceElements) at sfgate.com 2009-01-15 13:15:51 -0800 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Mac OS X 10.5 RESOLVED FIXED http://events.sfgate.com/san-francisco-ca/events/show/85733715-qadim-ensemble HasReduction, InRadar, Regression P1 Normal --- 1 mitz oliver ap ddkilzer koivisto oliver pknight sam oldest_to_newest 105106 0 mitz 2009-01-10 00:52:08 -0800 Visiting the URL with TOT causes ASSERTION FAILED: m_sourceElements (JavaScriptCore/parser/Parser.cpp:76 void JSC::Parser::reparseInPlace(JSC::JSGlobalData*, JSC::FunctionBodyNode*)) Backtrace: #0 0x00b56987 in JSC::Parser::reparseInPlace (this=0x1d1b2d70, globalData=0x6ed3000, functionBodyNode=0x1caefb50) at Parser.cpp:76 #1 0x00b56bb3 in JSC::FunctionBodyNode::generateBytecode (this=0x1caefb50, scopeChainNode=0x1d0de450) at Nodes.cpp:2597 #2 0x00bec93e in JSC::FunctionBodyNode::bytecode (this=0x1caefb50, scopeChain=0x1d0de450) at Nodes.h:2188 #3 0x00bd16a9 in JSC::Interpreter::cti_op_call_JSFunction (args=0x0) at JavaScriptCore/interpreter/Interpreter.cpp:4812 #4 0x00bcad60 in JSC::Interpreter::retrieveCaller () at JavaScriptCore/interpreter/Interpreter.cpp:4019 #5 0x00bece66 in JSC::JIT::execute (code=0x2194ba94, registerFile=0x68e0e34, callFrame=0x1f110048, globalData=0x6ed3000, exception=0xbfffddd0) at JIT.h:351 #6 0x00bd35ee in JSC::Interpreter::execute (this=0x68e0e00, programNode=0x2135a120, callFrame=0x1ea23264, scopeChain=0x1d0de450, thisObj=0x1cfefdc0, exception=0xbfffddd0) at JavaScriptCore/interpreter/Interpreter.cpp:908 #7 0x00b56f5c in JSC::evaluate (exec=0x1ea23264, scopeChain=@0x1ea23220, source=@0xbfffe188, thisValue={m_ptr = 0x1cfefdc0}) at Completion.cpp:67 105109 1 oliver 2009-01-10 03:54:07 -0800 The error appears to occur on line 364 of http://js.zvents.com/javascripts/happy_default.js?43797: list.push(['<label for="',type.label,'">','<input id="',type.label,'" ',inputSnippet,' class="ZventsNearbyRadio" type="radio" name="ZventsNearbyRadio" value="',type.type,'" ',is.first?'checked="checked" ':'',' onclick="',onclickSnippet,'" />',selectorSnippet,'</label>',].join(''));}});var tab_cols=this.args.columns?this.args.columns:2;return list.length==0?'':['<div class="ZventsNearbySelectWrapper">','<form id="ZventsNearbySelect" class="ZventsNearbyForm" name="ZventsNearbyForm">',list.tabulate({down:true,cols:tab_cols}),'</form>','</div>'].join('');}}};&#65279; If you examine the source provider it looks like a '?' is being inserted into the source which makes no sense but does bust the js 105119 2 ddkilzer 2009-01-10 13:07:39 -0800 (In reply to comment #1) > [...],list.tabulate({down:true,cols:tab_cols}),'</form>','</div>'].join('');}}};&#65279; > > If you examine the source provider it looks like a '?' is being inserted into > the source which makes no sense but does bust the js Is it an encoding issue? That's probably not a normal question mark based on the encoding of the previous comment. 105120 3 ddkilzer 2009-01-10 13:10:02 -0800 <rdar://problem/6487432> 105176 4 oliver 2009-01-10 20:25:15 -0800 Maybe terminal was just getting confused? 105177 5 oliver 2009-01-10 20:39:02 -0800 You're right, if i force utf-8, then it shows up as y-with-umlauts: ÿ 105280 6 pknight 2009-01-11 15:57:10 -0800 Those bytes at the end are actually EF BB BF, the UTF-8 BOM. This sequence shouldn't appear in the middle of the stream. 105347 7 oliver 2009-01-12 11:40:50 -0800 Okay, the wonders of JS mean a byte order marker should be ignored if it appears midway through the content -- the lexer should be skipping it, and if it's skipping it then it shouldn't effect parsing. That means if this is causing a parse error the reparsing is screwing up and declaring parseable content unparseable. 105550 8 oliver 2009-01-13 12:41:39 -0800 This bug causes the "flags" to be missing on the inset Google map when loaded on a Release build. 105902 9 oliver 2009-01-15 08:52:18 -0800 Vastly reduced testcase: http://nerget.com/bugs/bug23225.html 105907 10 ddkilzer 2009-01-15 09:36:40 -0800 The bisect-builds script reports: Works: r38592 Fails: r38645 105908 11 ddkilzer 2009-01-15 09:43:27 -0800 (In reply to comment #10) > The bisect-builds script reports: > Works: r38592 Fails: r38645 r38635 is the most likely suspect in that range. http://trac.webkit.org/changeset/38635 105909 12 oliver 2009-01-15 09:50:21 -0800 Well yes, r38635 is the introduction of reparsing :P 105917 13 26761 oliver 2009-01-15 10:49:39 -0800 Created attachment 26761 Decompose the lexer output from the reparsing Looking at this, it looks like the something causes us to extend the length of the inner function by one character so that it ends up incorrectly including the final } 105918 14 oliver 2009-01-15 10:58:38 -0800 Okay, have further reduced this test case to 36 bytes and only a single level of functions -- we get the wrong length for a function if immediately following the function we get a bom, although i still don't know the reason for this :-/ 105943 15 oliver 2009-01-15 12:18:16 -0800 Got a fix, very simple, just banging out a testcase 105956 16 oliver 2009-01-15 13:15:51 -0800 Committing to http://svn.webkit.org/repository/webkit/trunk ... M JavaScriptCore/ChangeLog M JavaScriptCore/parser/Lexer.cpp M LayoutTests/ChangeLog A LayoutTests/fast/js/bom-in-file-retains-correct-offset-expected.txt A LayoutTests/fast/js/bom-in-file-retains-correct-offset.html A LayoutTests/fast/js/resources/bom-in-file-retains-correct-offset.js Committed r39942 26761 2009-01-15 10:49:39 -0800 2009-01-15 10:49:39 -0800 Decompose the lexer output from the reparsing reparsing.txt text/plain 1658 oliver XG4gMHgwMDAwMDAwYSAgICAKZiAgMHgwMDAwMDA2NiAgICAKdSAgMHgwMDAwMDA3NSAgICAKbiAg MHgwMDAwMDA2ZSAgICAKYyAgMHgwMDAwMDA2MyAgICAKdCAgMHgwMDAwMDA3NCAgICAKaSAgMHgw MDAwMDA2OSAgICAKbyAgMHgwMDAwMDA2ZiAgICAKbiAgMHgwMDAwMDA2ZSAgICAKICAgMHgwMDAw MDAyMCAgICAKZiAgMHgwMDAwMDA2NiAgICAKKCAgMHgwMDAwMDAyOCAgICAKKSAgMHgwMDAwMDAy OSAgICAKICAgMHgwMDAwMDAyMCAgICAKeyAgMHgwMDAwMDA3YiAgICAKZiAgMHgwMDAwMDA2NiAg ICAweDAwMDAwMDY2ICAgCnUgIDB4MDAwMDAwNzUgICAgMHgwMDAwMDA3NSAgIApuICAweDAwMDAw MDZlICAgIDB4MDAwMDAwNmUgICAKYyAgMHgwMDAwMDA2MyAgICAweDAwMDAwMDYzICAgCnQgIDB4 MDAwMDAwNzQgICAgMHgwMDAwMDA3NCAgIAppICAweDAwMDAwMDY5ICAgIDB4MDAwMDAwNjkgICAK byAgMHgwMDAwMDA2ZiAgICAweDAwMDAwMDZmICAgCm4gIDB4MDAwMDAwNmUgICAgMHgwMDAwMDA2 ZSAgIAogICAweDAwMDAwMDIwICAgIDB4MDAwMDAwMjAgICAKZyAgMHgwMDAwMDA2NyAgICAweDAw MDAwMDY3ICAgCiggIDB4MDAwMDAwMjggICAgMHgwMDAwMDAyOCAgIAopICAweDAwMDAwMDI5ICAg IDB4MDAwMDAwMjkgICAKeyAgMHgwMDAwMDA3YiAgICAweDAwMDAwMDdiICAgCmEgIDB4MDAwMDAw NjEgICAgMHgwMDAwMDA2MSAgIDB4MDAwMDAwNjEKbCAgMHgwMDAwMDA2YyAgICAweDAwMDAwMDZj ICAgMHgwMDAwMDA2YwplICAweDAwMDAwMDY1ICAgIDB4MDAwMDAwNjUgICAweDAwMDAwMDY1CnIg IDB4MDAwMDAwNzIgICAgMHgwMDAwMDA3MiAgIDB4MDAwMDAwNzIKdCAgMHgwMDAwMDA3NCAgICAw eDAwMDAwMDc0ICAgMHgwMDAwMDA3NAooICAweDAwMDAwMDI4ICAgIDB4MDAwMDAwMjggICAweDAw MDAwMDI4CicgIDB4MDAwMDAwMjcgICAgMHgwMDAwMDAyNyAgIDB4MDAwMDAwMjcKZiAgMHgwMDAw MDA2NiAgICAweDAwMDAwMDY2ICAgMHgwMDAwMDA2NgpvICAweDAwMDAwMDZmICAgIDB4MDAwMDAw NmYgICAweDAwMDAwMDZmCm8gIDB4MDAwMDAwNmYgICAgMHgwMDAwMDA2ZiAgIDB4MDAwMDAwNmYK JyAgMHgwMDAwMDAyNyAgICAweDAwMDAwMDI3ICAgMHgwMDAwMDAyNwopICAweDAwMDAwMDI5ICAg IDB4MDAwMDAwMjkgICAweDAwMDAwMDI5Cn0gIDB4MDAwMDAwN2QgICAgMHgwMDAwMDA3ZCAgIDB4 MDAwMDAwN2QKOyAgMHgwMDAwMDAzYiAgICAweDAwMDAwMDNiICAgMHhmZmZmZmZmZgo8dXRmOCBi b20gaXMgZ29uZT4KZyAgMHgwMDAwMDA2NyAgICAweDAwMDAwMDY3ICAgCiggIDB4MDAwMDAwMjgg ICAgMHgwMDAwMDAyOCAgIAopICAweDAwMDAwMDI5ICAgIDB4MDAwMDAwMjkgICAKfSAgMHgwMDAw MDA3ZCAgICAweGZmZmZmZmZmICAgCjsgIDB4MDAwMDAwM2IgICAgCmYgIDB4MDAwMDAwNjYgICAg CiggIDB4MDAwMDAwMjggICAgCikgIDB4MDAwMDAwMjkgICAgCjsgIDB4MDAwMDAwM2IgICAgClxu IDB4MDAwMDAwMGEgICAgCiAgMHhmZmZmZmZmZiAgICAKICAgICAgICAgICAgICAKICAgICAgICAg ICAgICAKICAgICAgICAgICAgICAKICAgICAgICAgICAgICAKICAgICAgICAgICAgICAKICAgICAg ICAgICAgICAKICAgICAgICAgICAgICAKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoK CgoKCgo=