94999 2012-08-25 03:02:41 -0700 [GTK][Stable] Crash in JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage 2012-09-02 16:54:15 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED http://jsplumb.org/jquery/demo.html P2 Critical --- 0 plaes fpizlo cgarcia fpizlo gustavo mrobinson oldest_to_newest 704672 0 plaes 2012-08-25 03:02:41 -0700 I'm getting following crash when playing around (just moving the boxes around) with the demo at http://jsplumb.org/jquery/demo.html: #0 0x00007ffff0cd6e60 in JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage(JSC::DFG::Node&) () from /usr/lib64/libjavascriptcoregtk-3.0.so.0 #1 0x00007ffff0cb8019 in JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node&) () from /usr/lib64/libjavascriptcoregtk-3.0.so.0 #2 0x00007ffff0cda9c5 in JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&) () from /usr/lib64/libjavascriptcoregtk-3.0.so.0 #3 0x00007ffff0cdb012 in JSC::DFG::SpeculativeJIT::compile() () from /usr/lib64/libjavascriptcoregtk-3.0.so.0 #4 0x00007ffff0c849ba in JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&) () from /usr/lib64/libjavascriptcoregtk-3.0.so.0 #5 0x00007ffff0c7abbb in JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int) [clone .part.192] () from /usr/lib64/libjavascriptcoregtk-3.0.so.0 #6 0x00007ffff0df5e34 in JSC::FunctionExecutable::compileForCallInternal(JSC::ExecState*, JSC::ScopeChainNode*, JSC::JITCode::JITType, unsigned int) () from /usr/lib64/libjavascriptcoregtk-3.0.so.0 #7 0x00007ffff0d3ad90 in cti_optimize () from /usr/lib64/libjavascriptcoregtk-3.0.so.0 #8 0x00007fff9c0df9ed in ?? () WebKitGtk 1.9.90/Epiphany-3.5.90 on x86-64. 705463 1 fpizlo 2012-08-27 11:52:15 -0700 I don't get this in ToT. Do you kno (In reply to comment #0) > I'm getting following crash when playing around (just moving the boxes around) with the demo at http://jsplumb.org/jquery/demo.html: > > #0 0x00007ffff0cd6e60 in JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage(JSC::DFG::Node&) () from /usr/lib64/libjavascriptcoregtk-3.0.so.0 > #1 0x00007ffff0cb8019 in JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node&) () > from /usr/lib64/libjavascriptcoregtk-3.0.so.0 > #2 0x00007ffff0cda9c5 in JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&) () > from /usr/lib64/libjavascriptcoregtk-3.0.so.0 > #3 0x00007ffff0cdb012 in JSC::DFG::SpeculativeJIT::compile() () > from /usr/lib64/libjavascriptcoregtk-3.0.so.0 > #4 0x00007ffff0c849ba in JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&) () from /usr/lib64/libjavascriptcoregtk-3.0.so.0 > #5 0x00007ffff0c7abbb in JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int) [clone .part.192] () > from /usr/lib64/libjavascriptcoregtk-3.0.so.0 > #6 0x00007ffff0df5e34 in JSC::FunctionExecutable::compileForCallInternal(JSC::ExecState*, JSC::ScopeChainNode*, JSC::JITCode::JITType, unsigned int) () > from /usr/lib64/libjavascriptcoregtk-3.0.so.0 > #7 0x00007ffff0d3ad90 in cti_optimize () from /usr/lib64/libjavascriptcoregtk-3.0.so.0 > #8 0x00007fff9c0df9ed in ?? () > > > > WebKitGtk 1.9.90/Epiphany-3.5.90 on x86-64. 705465 2 fpizlo 2012-08-27 11:52:48 -0700 I don't get this in ToT. Does anyone know what revision WebKitGtk 1.9.90 would have been? Also, if anyone can repro in ToT then I'd love to know! (In reply to comment #1) > I don't get this in ToT. Do you kno > > (In reply to comment #0) > > I'm getting following crash when playing around (just moving the boxes around) with the demo at http://jsplumb.org/jquery/demo.html: > > > > #0 0x00007ffff0cd6e60 in JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage(JSC::DFG::Node&) () from /usr/lib64/libjavascriptcoregtk-3.0.so.0 > > #1 0x00007ffff0cb8019 in JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node&) () > > from /usr/lib64/libjavascriptcoregtk-3.0.so.0 > > #2 0x00007ffff0cda9c5 in JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&) () > > from /usr/lib64/libjavascriptcoregtk-3.0.so.0 > > #3 0x00007ffff0cdb012 in JSC::DFG::SpeculativeJIT::compile() () > > from /usr/lib64/libjavascriptcoregtk-3.0.so.0 > > #4 0x00007ffff0c849ba in JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&) () from /usr/lib64/libjavascriptcoregtk-3.0.so.0 > > #5 0x00007ffff0c7abbb in JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int) [clone .part.192] () > > from /usr/lib64/libjavascriptcoregtk-3.0.so.0 > > #6 0x00007ffff0df5e34 in JSC::FunctionExecutable::compileForCallInternal(JSC::ExecState*, JSC::ScopeChainNode*, JSC::JITCode::JITType, unsigned int) () > > from /usr/lib64/libjavascriptcoregtk-3.0.so.0 > > #7 0x00007ffff0d3ad90 in cti_optimize () from /usr/lib64/libjavascriptcoregtk-3.0.so.0 > > #8 0x00007fff9c0df9ed in ?? () > > > > > > > > WebKitGtk 1.9.90/Epiphany-3.5.90 on x86-64. 705671 3 mrobinson 2012-08-27 14:20:54 -0700 The 1.9.90 release is branched from r126422. The only major change in this branch is that threaded GC is turned off. 705692 4 fpizlo 2012-08-27 14:45:18 -0700 (In reply to comment #3) > The 1.9.90 release is branched from r126422. The only major change in this branch is that threaded GC is turned off. Thanks! Do you guys still see this issue in ToT? I don't, but then I'm on Mac. 706680 5 mrobinson 2012-08-28 13:31:35 -0700 On ToT, I don't see this crash. Turning parallel GC off doesn't cause it to happen either. Any idea if there's a change after r126422 that may have fixed this issue? 710186 6 plaes 2012-09-01 00:51:23 -0700 Cannot produce anymore with ToT. Closing. 710231 7 mrobinson 2012-09-01 06:52:29 -0700 It's actually useful to keep this bug open because we need to find the fix and merge it into the stable branch. 710232 8 mrobinson 2012-09-01 07:03:45 -0700 The stable releases are released from a branch. I've added this changeset to the list of proposed merges at https://trac.webkit.org/wiki/WebKitGTK/1.8.x . 710361 9 mrobinson 2012-09-02 16:54:15 -0700 I've bisected this fix to http://trac.webkit.org/changeset/126715 and added the changeset to the list of proposed merges at https://trac.webkit.org/wiki/WebKitGTK/1.10.x.