66010 2011-08-10 13:38:52 -0700 REGRESSION(r92670-r92744): WebKit crashes when opening Gmail 2011-08-16 10:38:45 -0700 1 1 1 Unclassified WebKit WebKit Misc. 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED P1 Critical --- 1 rniwa webkit-unassigned andersca ap aroben dwonda fpizlo ggaren oliver webkit.review.bot oldest_to_newest 449367 0 rniwa 2011-08-10 13:38:52 -0700 Reproduction steps: 1. Go to www.google.com/mail/ Crash! This appears to be JSC issue because it doesn't reproduce on Chromium. 449390 1 oliver 2011-08-10 14:06:47 -0700 Can we get a crashtrace and platform? 449391 2 rniwa 2011-08-10 14:10:00 -0700 Stack trace: Thread 0 Crashed: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x00000001007daec5 JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative(JSC::DFG::SpeculationCheck const&, JSC::DFG::EntryLocation const&, JSC::DFG::SpeculationRecovery*, JSC::DFG::NodeToRegisterMap&, JSC::DFG::NodeToRegisterMap&) + 5909 1 com.apple.JavaScriptCore 0x00000001007dc25a JSC::DFG::JITCompiler::linkSpeculationChecks(JSC::DFG::SpeculativeJIT&, JSC::DFG::NonSpeculativeJIT&) + 282 2 com.apple.JavaScriptCore 0x00000001007dcc87 JSC::DFG::JITCompiler::compileBody() + 2359 3 com.apple.JavaScriptCore 0x00000001007ddf04 JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&) + 788 4 com.apple.JavaScriptCore 0x0000000100817241 JSC::FunctionExecutable::compileForCallInternal(JSC::ExecState*, JSC::ScopeChainNode*, JSC::ExecState*) + 2193 5 com.apple.JavaScriptCore 0x00000001008324db JSC::Interpreter::prepareForRepeatCall(JSC::FunctionExecutable*, JSC::ExecState*, JSC::JSFunction*, int, JSC::ScopeChainNode*) + 523 6 com.apple.JavaScriptCore 0x000000010078a1af JSC::arrayProtoFuncForEach(JSC::ExecState*) + 2831 7 ??? 0x00003b3019e011e8 0 + 65077778584040 8 com.apple.JavaScriptCore 0x0000000100831245 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*) + 1573 9 ??? 0x0000000106f357a0 0 + 4411578272 449392 3 ggaren 2011-08-10 14:10:44 -0700 <rdar://problem/9931900> 449393 4 rniwa 2011-08-10 14:10:50 -0700 (In reply to comment #1) > Can we get a crashtrace and platform? Snow Leopard on MacPro. 449450 5 103545 fpizlo 2011-08-10 15:46:46 -0700 Created attachment 103545 the patch 449460 6 ggaren 2011-08-10 16:02:08 -0700 *** Bug 66011 has been marked as a duplicate of this bug. *** 449510 7 103545 webkit.review.bot 2011-08-10 17:17:19 -0700 Comment on attachment 103545 the patch Clearing flags on attachment: 103545 Committed r92804: <http://trac.webkit.org/changeset/92804> 449511 8 webkit.review.bot 2011-08-10 17:17:24 -0700 All reviewed patches have been landed. Closing bug. 450917 9 ap 2011-08-13 21:22:36 -0700 *** Bug 66115 has been marked as a duplicate of this bug. *** 451052 10 aroben 2011-08-15 06:32:47 -0700 Is it not possible to write an automated regression test for this? 451157 11 ggaren 2011-08-15 11:10:32 -0700 Seems like it should be possible. If possible, all checkins should come with a regression test. 451729 12 fpizlo 2011-08-16 10:38:45 -0700 (In reply to comment #10) > Is it not possible to write an automated regression test for this? Sorry for not noting this in the ChangeLog, but there is no obvious automated regression test. The bug arises out of misuse of a hidden "this" argument to constructor calls. This is a synthetic notion introduced in our bytecode and our JITs - it is not exposed in the JavaScript language. As well, the bug only happens when three different register allocators in the system (the bytecompiler's virtual register allocator, the DFG parser's virtual register allocator, and the DFG back-end's physical register allocator) all make exactly the "wrong" decision based on the input. A test that would cause a failure just before this fix landed would be unlikely to continue to cause failures if even slight changes in register allocation were made subsequently. 103545 2011-08-10 15:46:46 -0700 2011-08-10 17:17:19 -0700 the patch usethis_patch_1.diff text/plain 1630 fpizlo SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gOTI3OTkpCisrKyBTb3VyY2Uv SmF2YVNjcmlwdENvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTUgQEAK KzIwMTEtMDgtMTAgIEZpbGlwIFBpemxvICA8ZnBpemxvQGFwcGxlLmNvbT4KKworICAgICAgICBS RUdSRVNTSU9OKHI5MjY3MC1yOTI3NDQpOiBXZWJLaXQgY3Jhc2hlcyB3aGVuIG9wZW5pbmcgR21h aWwKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTY2MDEw CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisgICAgICAgIAorICAgICAg ICBNYWRlIHN1cmUgdGhhdCBDb25zdHJ1Y3QgY2FsbHMgdXNlKCkgb24gdGhlIHRoaXMgYXJndW1l bnQuCisKKyAgICAgICAgKiBkZmcvREZHSklUQ29kZUdlbmVyYXRvci5jcHA6CisgICAgICAgIChK U0M6OkRGRzo6SklUQ29kZUdlbmVyYXRvcjo6ZW1pdENhbGwpOgorCiAyMDExLTA4LTEwICBNYXJr IEhhaG5lbmJlcmcgIDxtaGFobmVuYmVyZ0BhcHBsZS5jb20+CiAKICAgICAgICAgSlNDIHNob3Vs ZCBhbHdheXMgdGhyb3cgd2hlbiBmdW5jdGlvbiBhcmcgbGlzdCBpcyB0b28gbG9uZwpJbmRleDog U291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9ERkdKSVRDb2RlR2VuZXJhdG9yLmNwcAo9PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09Ci0tLSBTb3VyY2UvSmF2YVNjcmlwdENvcmUvZGZnL0RGR0pJVENvZGVHZW5lcmF0b3IuY3Bw CShyZXZpc2lvbiA5Mjc5OSkKKysrIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9kZmcvREZHSklUQ29k ZUdlbmVyYXRvci5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTk5OSw2ICs5OTksOSBAQCB2b2lkIEpJ VENvZGVHZW5lcmF0b3I6OmVtaXRDYWxsKE5vZGUmIG5vCiAgICAgbV9qaXQuc3RvcmVQdHIoTWFj cm9Bc3NlbWJsZXI6OlRydXN0ZWRJbW1QdHIoSlNWYWx1ZTo6ZW5jb2RlKGpzTnVtYmVyKG51bUFy Z3MpKSksIGFkZHJlc3NPZkNhbGxEYXRhKFJlZ2lzdGVyRmlsZTo6QXJndW1lbnRDb3VudCkpOwog ICAgIG1faml0LnN0b3JlUHRyKEdQUkluZm86OmNhbGxGcmFtZVJlZ2lzdGVyLCBhZGRyZXNzT2ZD YWxsRGF0YShSZWdpc3RlckZpbGU6OkNhbGxlckZyYW1lKSk7CiAgICAgCisgICAgaWYgKG5vZGUu b3AgPT0gQ29uc3RydWN0KQorICAgICAgICB1c2UobV9qaXQuZ3JhcGgoKS5tX3ZhckFyZ0NoaWxk cmVuW25vZGUuZmlyc3RDaGlsZCgpICsgMV0pOworICAgIAogICAgIGZvciAoaW50IGFyZ0lkeCA9 IChub2RlLm9wID09IENhbGwgPyAwIDogMSk7IGFyZ0lkeCA8IG51bUFyZ3M7IGFyZ0lkeCsrKSB7 CiAgICAgICAgIE5vZGVJbmRleCBhcmdOb2RlSW5kZXggPSBtX2ppdC5ncmFwaCgpLm1fdmFyQXJn Q2hpbGRyZW5bbm9kZS5maXJzdENoaWxkKCkgKyAxICsgYXJnSWR4XTsKICAgICAgICAgSlNWYWx1 ZU9wZXJhbmQgYXJnKHRoaXMsIGFyZ05vZGVJbmRleCk7Cg==