43314 2010-08-01 12:01:18 -0700 REGRESSION(r64320): crash in cti_op_get_by_val + 473 : immediately after logging in to gmail.com: (r64246-r64341) 2010-08-04 02:09:31 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Mac (Intel) OS X 10.6 RESOLVED FIXED http://gmail.com P1 Major --- 0 maccinema msaboff ap barraclough msaboff zherczeg oldest_to_newest 258690 0 maccinema 2010-08-01 12:01:18 -0700 Running OS 10.6.4 webkit: r64341 Webkit consistently crashes in r64341 immediately after logging in to gmail.com. No action other than logging in is required to reproduce the problem. Crashing stack follows: Thread 0 Crashed: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x0000000100811fd9 cti_op_get_by_val + 473 1 com.apple.JavaScriptCore 0x00000001007d79c8 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, JSC::JSValue*) + 728 2 com.apple.Safari 0x0000000100000001 0x100000000 + 1 3 ??? 0x000000011d97a960 0 + 4791445856 4 com.apple.WebCore 0x0000000101141b60 WebCore::JSDOMWindowShell::~JSDOMWindowShell() + 0 5 ??? 0x0000441f0f66ffff 0 + 74900193083391 258692 1 maccinema 2010-08-01 12:34:11 -0700 Looks to me like the most likely suspect for this crash is changeset 64320: "Changed the handling for removing and adding elements at the front of an array" as JSC::JIT:: emit_op_put_by_val was changed. This started failing somewhere in r64246-r64341. 258695 2 maccinema 2010-08-01 12:50:11 -0700 Changing to P1 as this is a reproducible crash. 258718 3 barraclough 2010-08-01 18:34:28 -0700 Cheers Joe, we'll investigate. 258756 4 zherczeg 2010-08-02 02:20:45 -0700 Could you check whether this is valid for the latest revision? As for me, r64451 works with both Qt-debug and Mac-Leopard-release. I entered gmail.com into the url bar (immediately redirects to some login page for Google), set the username and password (of a newly created dummy account), click on "Sign in", and the login is succeded. 259004 5 maccinema 2010-08-02 11:22:56 -0700 Webkit still crashes with the most recent nightly: r64451. In order to reproduce, it might require more than just a newly created gmail account. I have lots of gmail messages (more than a "page" full), Buzz, and Chat entries. 259025 6 maccinema 2010-08-02 12:00:10 -0700 Interesting note: gmail works in 32-bit mode for me, but crashes in 64-bit mode. 259817 7 63404 msaboff 2010-08-03 19:33:48 -0700 Created attachment 63404 Patch to fix the number of JSValues to memcpy when unshift'ing 259830 8 63404 barraclough 2010-08-03 20:05:01 -0700 Comment on attachment 63404 Patch to fix the number of JSValues to memcpy when unshift'ing landing by hand 259832 9 barraclough 2010-08-03 20:06:30 -0700 Transmitting file data .. Committed revision 64620. 259901 10 ap 2010-08-04 00:02:04 -0700 Could this have a regression test? 259935 11 barraclough 2010-08-04 02:09:31 -0700 Hey Alexey, We discussed this, and it may be tricky to trigger with any consistency in an isolated test case since the bug will only occur if malloc returns non-zerofill (used) memory (along with a bunch of other conditions). As such we thought it better to get the fix landed immediately, but Micheal is going to try to produce a good test case. cheers, G. 63404 2010-08-03 19:33:48 -0700 2010-08-03 20:05:01 -0700 Patch to fix the number of JSValues to memcpy when unshift'ing 43314.patch text/plain 1752 msaboff SW5kZXg6IEphdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBKYXZhU2NyaXB0 Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDY0NTkyKQorKysgSmF2YVNjcmlwdENvcmUvQ2hhbmdl TG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTggQEAKKzIwMTAtMDgtMDMgIE1pY2hhZWwg U2Fib2ZmICA8bXNhYm9mZkBhcHBsZS5jb20+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZ IChPT1BTISkuCisKKyAgICAgICAgRml4IGZvciBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93 X2J1Zy5jZ2k/aWQ9NDMzMTQuICBUaGUgcHJpb3IgY29kZQorICAgICAgICB3YXMgdXNpbmcgdGhl IHdyb25nICJsZW5ndGgiIHZhbHVlIHRvIG1vdmUgYXJyYXkgY29udGVudHMgd2hlbiBhZGRpbmcK KyAgICAgICAgc3BhY2UgdG8gdGhlIGJlZ2lubmluZyBvZiBhbiBhcnJheSBmb3IgYW4gdW5zaGlm dCgpIG9yIHNpbWlsYXIKKyAgICAgICAgb3BlcmF0aW9uLiAgSW5zdGVhZCBvZiB1c2luZyBtX3Zl Y3Rvckxlbmd0aCwgdGhlIGxlbmd0aCBvZiB0aGUKKyAgICAgICAgYWxsb2NhdGVkIEpTVmFsdWUg YXJyYXksIHRoZSBjb2RlIHdhcyB1c2luZyBtX2xlbmd0aCwgdGhlIGRlY2xhcmVkCisgICAgICAg IGxlbmd0aCBvZiB0aGUgYXJyYXkuICBUaGVzZSB0d28gdmFsdWVzIGRvIG5vdCBuZWVkIHRvIG1h dGNoLgorCisgICAgICAgICogSmF2YVNjcmlwdENvcmUueGNvZGVwcm9qL3Byb2plY3QucGJ4cHJv ajoKKyAgICAgICAgKiBydW50aW1lL0pTQXJyYXkuY3BwOgorICAgICAgICAoSlNDOjpKU0FycmF5 OjppbmNyZWFzZVZlY3RvclByZWZpeExlbmd0aCk6CisKIDIwMTAtMDgtMDMgIEFsZXggTWlsb3dz a2kgIDxhbGV4QG1pbG93c2tpLmNvbT4KIAogICAgICAgICBSZXZpZXdlZCBieSBCZXRoIERha2lu LgpJbmRleDogSmF2YVNjcmlwdENvcmUvcnVudGltZS9KU0FycmF5LmNwcAo9PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0t LSBKYXZhU2NyaXB0Q29yZS9ydW50aW1lL0pTQXJyYXkuY3BwCShyZXZpc2lvbiA2NDU5MikKKysr IEphdmFTY3JpcHRDb3JlL3J1bnRpbWUvSlNBcnJheS5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTYx Myw3ICs2MTMsNyBAQCBib29sIEpTQXJyYXk6OmluY3JlYXNlVmVjdG9yUHJlZml4TGVuZ3RoCiAg ICAgbmV3U3RvcmFnZSA9IHJlaW50ZXJwcmV0X2Nhc3Q8QXJyYXlTdG9yYWdlKj4oc3RhdGljX2Nh c3Q8Y2hhcio+KG5ld0Jhc2VTdG9yYWdlKSArIG1faW5kZXhCaWFzICogc2l6ZW9mKEpTVmFsdWUp KTsKIAogICAgIG1lbWNweShuZXdTdG9yYWdlLCBzdG9yYWdlLCBzdG9yYWdlU2l6ZSgwKSk7Ci0g ICAgbWVtY3B5KCZuZXdTdG9yYWdlLT5tX3ZlY3RvcltuZXdMZW5ndGggLSBtX3ZlY3Rvckxlbmd0 aF0sICZzdG9yYWdlLT5tX3ZlY3RvclswXSwgc3RvcmFnZS0+bV9sZW5ndGggKiBzaXplb2YoSlNW YWx1ZSkpOworICAgIG1lbWNweSgmbmV3U3RvcmFnZS0+bV92ZWN0b3JbbmV3TGVuZ3RoIC0gbV92 ZWN0b3JMZW5ndGhdLCAmc3RvcmFnZS0+bV92ZWN0b3JbMF0sIHZlY3Rvckxlbmd0aCAqIHNpemVv ZihKU1ZhbHVlKSk7CiAgICAgCiAgICAgbmV3U3RvcmFnZS0+bV9hbGxvY0Jhc2UgPSBuZXdCYXNl U3RvcmFnZTsKICAgICBtX3ZlY3Rvckxlbmd0aCA9IG5ld0xlbmd0aDsK