65930 2011-08-09 11:20:31 -0700 DFG JIT failure loading web site 2011-08-09 14:39:15 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 oliver webkit-unassigned barraclough fpizlo ggaren webkit.review.bot oldest_to_newest 448688 0 oliver 2011-08-09 11:20:31 -0700 <rdar://problem/9922643> 8/9/11 11:17 AM Oliver Hunt: * SUMMARY Navigating to http://www.skinnytaste.com/2011/06/ricotta-cheese-chocolate-chip-muffins.html crashes the DFG JIT reproducibly in a debug build * STEPS TO REPRODUCE 1. Do a debug build of safari 2. Load http://www.skinnytaste.com/2011/06/ricotta-cheese-chocolate-chip-muffins.html * RESULTS Crash: ASSERTION FAILED: m_data[index].name != InvalidVirtualRegister /Volumes/Data/git/WebKit/OpenSource/Source/JavaScriptCore/dfg/DFGRegisterBank.h(329) : void JSC::DFG::RegisterBank<JSC::DFG::GPRInfo>::releaseAtIndex(unsigned int) 1 JSC::DFG::RegisterBank<JSC::DFG::GPRInfo>::releaseAtIndex(unsigned int) 2 JSC::DFG::RegisterBank<JSC::DFG::GPRInfo>::release(JSC::X86Registers::RegisterID) 3 JSC::DFG::JITCodeGenerator::fillDouble(unsigned int) 4 JSC::DFG::DoubleOperand::fpr() 5 JSC::DFG::NonSpeculativeJIT::compile(JSC::DFG::SpeculationCheckIndexIterator&, JSC::DFG::Node&) 6 JSC::DFG::NonSpeculativeJIT::compile(JSC::DFG::SpeculationCheckIndexIterator&, JSC::DFG::BasicBlock&) 7 JSC::DFG::NonSpeculativeJIT::compile(JSC::DFG::SpeculationCheckIndexIterator&) 8 JSC::DFG::JITCompiler::compileBody() 9 JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&) 10 JSC::tryDFGCompileFunction(JSC::ExecState*, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr&) 11 JSC::FunctionExecutable::compileForCallInternal(JSC::ExecState*, JSC::ScopeChainNode*, JSC::ExecState*) 12 JSC::FunctionExecutable::compileForCall(JSC::ExecState*, JSC::ScopeChainNode*, JSC::ExecState*) 13 JSC::FunctionExecutable::compileFor(JSC::ExecState*, JSC::ScopeChainNode*, JSC::CodeSpecializationKind) 14 JSC::lazyLinkFor(JSC::JITStackFrame&, JSC::CodeSpecializationKind) 15 cti_vm_lazyLinkCall 16 jscGeneratedNativeCode 17 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*) 18 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*) 19 JSC::evaluate(JSC::ExecState*, JSC::ScopeChainNode*, JSC::SourceCode const&, JSC::JSValue) 20 WebCore::JSMainThreadExecState::evaluate(JSC::ExecState*, JSC::ScopeChainNode*, JSC::SourceCode const&, JSC::JSValue) 21 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*) 22 WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) 23 WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) 24 WebCore::ScriptElement::prepareScript(WTF::TextPosition<WTF::OneBasedNumber> const&, WebCore::ScriptElement::LegacyTypeSupport) 25 WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition<WTF::OneBasedNumber> const&) 26 WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition<WTF::OneBasedNumber> const&) 27 WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() 28 WebCore::HTMLDocumentParser::canTakeNextToken(WebCore::HTMLDocumentParser::SynchronousMode, WebCore::PumpSession&) 29 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) 30 WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode) 31 WebCore::HTMLDocumentParser::resumeParsingAfterScriptExecution() 448764 1 fpizlo 2011-08-09 13:34:21 -0700 *** Bug 65937 has been marked as a duplicate of this bug. *** 448788 2 103395 fpizlo 2011-08-09 14:08:18 -0700 Created attachment 103395 the patch 448792 3 103395 oliver 2011-08-09 14:11:45 -0700 Comment on attachment 103395 the patch r=me 448799 4 103395 fpizlo 2011-08-09 14:19:54 -0700 Comment on attachment 103395 the patch Tests pass, ready to land. 448817 5 103395 webkit.review.bot 2011-08-09 14:39:11 -0700 Comment on attachment 103395 the patch Clearing flags on attachment: 103395 Committed r92710: <http://trac.webkit.org/changeset/92710> 448818 6 webkit.review.bot 2011-08-09 14:39:15 -0700 All reviewed patches have been landed. Closing bug. 103395 2011-08-09 14:08:18 -0700 2011-08-09 14:39:11 -0700 the patch useafterfpr_patch_2.diff text/plain 4618 fpizlo SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gOTI3MDMpCisrKyBTb3VyY2Uv SmF2YVNjcmlwdENvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTYgQEAK KzIwMTEtMDgtMDkgIEZpbGlwIFBpemxvICA8ZnBpemxvQGFwcGxlLmNvbT4KKworICAgICAgICBE RkcgSklUIGZhaWx1cmUgbG9hZGluZyB3ZWIgc2l0ZQorICAgICAgICBodHRwczovL2J1Z3Mud2Vi a2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9NjU5MzAKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JP RFkgKE9PUFMhKS4KKyAgICAgICAgCisgICAgICAgIFB1dCB0aGUgdXNlKCkgY2FsbCBhZnRlciB0 aGUgZnByKCkvZ3ByKCkgY2FsbHMsIHNpbmNlIGRvaW5nIG90aGVyd2lzZQorICAgICAgICBicmVh a3MgdGhlIHJlZ2lzdGVyIGFsbG9jYXRvci4KKworICAgICAgICAqIGRmZy9ERkdOb25TcGVjdWxh dGl2ZUpJVC5jcHA6CisgICAgICAgIChKU0M6OkRGRzo6Tm9uU3BlY3VsYXRpdmVKSVQ6OmNvbXBp bGUpOgorCiAyMDExLTA4LTA4ICBPbGl2ZXIgSHVudCAgPG9saXZlckBhcHBsZS5jb20+CiAKICAg ICAgICAgVXNpbmcgbXByb3RlY3QgdG8gY3JlYXRlIGd1YXJkIHBhZ2VzIGJyZWFrcyBvdXIgdXNl IG9mIG1hZHZpc2UgdG8gcmVsZWFzZSBleGVjdXRhYmxlIG1lbW9yeQpJbmRleDogU291cmNlL0ph dmFTY3JpcHRDb3JlL2RmZy9ERkdOb25TcGVjdWxhdGl2ZUpJVC5jcHAKPT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0g U291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9ERkdOb25TcGVjdWxhdGl2ZUpJVC5jcHAJKHJldmlz aW9uIDkyNzAxKQorKysgU291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9ERkdOb25TcGVjdWxhdGl2 ZUpJVC5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTUxMCw5ICs1MTAsMTEgQEAgdm9pZCBOb25TcGVj dWxhdGl2ZUpJVDo6Y29tcGlsZShTcGVjdWxhdAogICAgICAgICBpZiAoKGNoaWxkSW5mby5yZWdp c3RlckZvcm1hdCgpIHwgRGF0YUZvcm1hdEpTKSA9PSBEYXRhRm9ybWF0SlNEb3VibGUpIHsKICAg ICAgICAgICAgIERvdWJsZU9wZXJhbmQgb3AxKHRoaXMsIG5vZGUuY2hpbGQxKCkpOwogICAgICAg ICAgICAgR1BSVGVtcG9yYXJ5IHJlc3VsdCh0aGlzKTsKKyAgICAgICAgICAgIEZQUlJlZyBmcHIg PSBvcDEuZnByKCk7CisgICAgICAgICAgICBHUFJSZWcgZ3ByID0gcmVzdWx0LmdwcigpOwogICAg ICAgICAgICAgb3AxLnVzZSgpOwotICAgICAgICAgICAgbnVtYmVyVG9JbnQzMihvcDEuZnByKCks IHJlc3VsdC5ncHIoKSk7Ci0gICAgICAgICAgICBpbnRlZ2VyUmVzdWx0KHJlc3VsdC5ncHIoKSwg bV9jb21waWxlSW5kZXgsIFVzZUNoaWxkcmVuQ2FsbGVkRXhwbGljaXRseSk7CisgICAgICAgICAg ICBudW1iZXJUb0ludDMyKGZwciwgZ3ByKTsKKyAgICAgICAgICAgIGludGVnZXJSZXN1bHQoZ3By LCBtX2NvbXBpbGVJbmRleCwgVXNlQ2hpbGRyZW5DYWxsZWRFeHBsaWNpdGx5KTsKICAgICAgICAg ICAgIGJyZWFrOwogICAgICAgICB9CiAKSW5kZXg6IExheW91dFRlc3RzL0NoYW5nZUxvZwo9PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9DaGFuZ2VMb2cJKHJldmlzaW9uIDkyNzA2KQorKysgTGF5 b3V0VGVzdHMvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTggQEAKKzIwMTEt MDgtMDkgIEZpbGlwIFBpemxvICA8ZnBpemxvQGFwcGxlLmNvbT4KKworICAgICAgICBERkcgSklU IGZhaWx1cmUgbG9hZGluZyB3ZWIgc2l0ZQorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9y Zy9zaG93X2J1Zy5jZ2k/aWQ9NjU5MzAKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9P UFMhKS4KKyAgICAgICAgCisgICAgICAgIFJlcHJvZHVjZWQgdGhlIGZhaWx1cmUgc2VlbiBpbgor ICAgICAgICBodHRwOi8vd3d3LnNraW5ueXRhc3RlLmNvbS8yMDExLzA2L3JpY290dGEtY2hlZXNl LWNob2NvbGF0ZS1jaGlwLW11ZmZpbnMuaHRtbAorCisgICAgICAgICogZmFzdC9qcy9ib3hlZC1k b3VibGUtdG8taW50LWV4cGVjdGVkLnR4dDogQWRkZWQuCisgICAgICAgICogZmFzdC9qcy9ib3hl ZC1kb3VibGUtdG8taW50Lmh0bWw6IEFkZGVkLgorICAgICAgICAqIGZhc3QvanMvc2NyaXB0LXRl c3RzL2JveGVkLWRvdWJsZS10by1pbnQuanM6IEFkZGVkLgorICAgICAgICAoYm94ZWREb3VibGVU b0ludCk6CisKIDIwMTEtMDgtMDkgIEFuZGVycyBDYXJsc3NvbiAgPGFuZGVyc2NhQGFwcGxlLmNv bT4KIAogICAgICAgICBBZGQgdXBkYXRlZCBtZWRpYSB0ZXN0IHJlc3VsdHMgZm9yIExpb24uCklu ZGV4OiBMYXlvdXRUZXN0cy9mYXN0L2pzL2JveGVkLWRvdWJsZS10by1pbnQtZXhwZWN0ZWQudHh0 Cj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT0KLS0tIExheW91dFRlc3RzL2Zhc3QvanMvYm94ZWQtZG91YmxlLXRvLWludC1l eHBlY3RlZC50eHQJKHJldmlzaW9uIDApCisrKyBMYXlvdXRUZXN0cy9mYXN0L2pzL2JveGVkLWRv dWJsZS10by1pbnQtZXhwZWN0ZWQudHh0CShyZXZpc2lvbiAwKQpAQCAtMCwwICsxLDE0IEBACitU aGlzIHRlc3RzIHRoYXQgY29udmVydGluZyBhIGJveGVkIGRvdWJsZSB0byBhbiBpbnRlZ2VyIGRv ZXMgbm90IGNyYXNoIHRoZSByZWdpc3RlciBhbGxvY2F0b3IuCisKK09uIHN1Y2Nlc3MsIHlvdSB3 aWxsIHNlZSBhIHNlcmllcyBvZiAiUEFTUyIgbWVzc2FnZXMsIGZvbGxvd2VkIGJ5ICJURVNUIENP TVBMRVRFIi4KKworCitQQVNTIGJveGVkRG91YmxlVG9JbnQoMSwgMikgaXMgMy41CitQQVNTIGJv eGVkRG91YmxlVG9JbnQoMywgNCkgaXMgNC41CitQQVNTIGJveGVkRG91YmxlVG9JbnQoNSwgNikg aXMgNy41CitQQVNTIGJveGVkRG91YmxlVG9JbnQoNywgOCkgaXMgOC41CitQQVNTIGJveGVkRG91 YmxlVG9JbnQoOSwgMTApIGlzIDExLjUKK1BBU1Mgc3VjY2Vzc2Z1bGx5UGFyc2VkIGlzIHRydWUK KworVEVTVCBDT01QTEVURQorCkluZGV4OiBMYXlvdXRUZXN0cy9mYXN0L2pzL2JveGVkLWRvdWJs ZS10by1pbnQuaHRtbAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9mYXN0L2pzL2JveGVkLWRv dWJsZS10by1pbnQuaHRtbAkocmV2aXNpb24gMCkKKysrIExheW91dFRlc3RzL2Zhc3QvanMvYm94 ZWQtZG91YmxlLXRvLWludC5odG1sCShyZXZpc2lvbiAwKQpAQCAtMCwwICsxLDEzIEBACis8IURP Q1RZUEUgSFRNTCBQVUJMSUMgIi0vL0lFVEYvL0RURCBIVE1MLy9FTiI+Cis8aHRtbD4KKzxoZWFk PgorPGxpbmsgcmVsPSJzdHlsZXNoZWV0IiBocmVmPSJyZXNvdXJjZXMvanMtdGVzdC1zdHlsZS5j c3MiPgorPHNjcmlwdCBzcmM9InJlc291cmNlcy9qcy10ZXN0LXByZS5qcyI+PC9zY3JpcHQ+Cis8 L2hlYWQ+Cis8Ym9keT4KKzxwIGlkPSJkZXNjcmlwdGlvbiI+PC9wPgorPGRpdiBpZD0iY29uc29s ZSI+PC9kaXY+Cis8c2NyaXB0IHNyYz0ic2NyaXB0LXRlc3RzL2JveGVkLWRvdWJsZS10by1pbnQu anMiPjwvc2NyaXB0PgorPHNjcmlwdCBzcmM9InJlc291cmNlcy9qcy10ZXN0LXBvc3QuanMiPjwv c2NyaXB0PgorPC9ib2R5PgorPC9odG1sPgpJbmRleDogTGF5b3V0VGVzdHMvZmFzdC9qcy9zY3Jp cHQtdGVzdHMvYm94ZWQtZG91YmxlLXRvLWludC5qcwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBMYXlvdXRUZXN0 cy9mYXN0L2pzL3NjcmlwdC10ZXN0cy9ib3hlZC1kb3VibGUtdG8taW50LmpzCShyZXZpc2lvbiAw KQorKysgTGF5b3V0VGVzdHMvZmFzdC9qcy9zY3JpcHQtdGVzdHMvYm94ZWQtZG91YmxlLXRvLWlu dC5qcwkocmV2aXNpb24gMCkKQEAgLTAsMCArMSwxNyBAQAorZGVzY3JpcHRpb24oCisiVGhpcyB0 ZXN0cyB0aGF0IGNvbnZlcnRpbmcgYSBib3hlZCBkb3VibGUgdG8gYW4gaW50ZWdlciBkb2VzIG5v dCBjcmFzaCB0aGUgcmVnaXN0ZXIgYWxsb2NhdG9yLiIKKyk7CisKK2Z1bmN0aW9uIGJveGVkRG91 YmxlVG9JbnQoeCwgeSkgeworICAgIHZhciB5ID0geCAvIDI7CisgICAgdmFyIHogPSB5ICsgMjsK KyAgICByZXR1cm4gKHkgfCAxKSArIHo7Cit9CisKK3Nob3VsZEJlKCJib3hlZERvdWJsZVRvSW50 KDEsIDIpIiwgIjMuNSIpOworc2hvdWxkQmUoImJveGVkRG91YmxlVG9JbnQoMywgNCkiLCAiNC41 Iik7CitzaG91bGRCZSgiYm94ZWREb3VibGVUb0ludCg1LCA2KSIsICI3LjUiKTsKK3Nob3VsZEJl KCJib3hlZERvdWJsZVRvSW50KDcsIDgpIiwgIjguNSIpOworc2hvdWxkQmUoImJveGVkRG91Ymxl VG9JbnQoOSwgMTApIiwgIjExLjUiKTsKKwordmFyIHN1Y2Nlc3NmdWxseVBhcnNlZCA9IHRydWU7 Cg==