Bug 107340

Summary: Change set r140201 broke editing/selection/move-by-word-visually-multi-line.html
Product: WebKit
Reporter: Michael Saboff <msaboff>
Component: JavaScriptCore
Assignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED
Severity: Normal
CC: benjamin
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All
Bug Depends on:
Bug Blocks: 107309
Attachments: Patch (fpizlo: review+)

Michael Saboff
Reported 2013-01-18 16:38:35 PST
After http://trac.webkit.org/changeset/140201, editing/selection/move-by-word-visually-multi-line.html fails in a release build and crashes on a debug build. The crash in the main thread is:

Process:         DumpRenderTree [58187]
Path:            /Volumes/VOLUME/*/DumpRenderTree
Identifier:      DumpRenderTree
Version:         0
Code Type:       X86-64 (Native)
Parent Process:  Python [56880]
User ID:         501

Date/Time:       2013-01-18 15:08:05.559 -0800
OS Version:      Mac OS X 10.8.2 (12C54)
Report Version:  10

Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000bbadbeef

VM Regions Near 0xbbadbeef:
--> __TEXT 0000000107f29000-0000000107fc6000 [ 628K] r-x/rwx SM=COW /Volumes/VOLUME/*

Application Specific Information:
CRASHING TEST: editing/selection/move-by-word-visually-multi-line.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore  0x000000010827932c JSC::DFG::SpeculativeJIT::compileInt32ToDouble(JSC::DFG::Node&) + 172 (DFGSpeculativeJIT.cpp:2475)
1   com.apple.JavaScriptCore  0x00000001082a79b9 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node&) + 5321 (DFGSpeculativeJIT64.cpp:2355)
2   com.apple.JavaScriptCore  0x0000000108276478 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&) + 3048 (DFGSpeculativeJIT.cpp:1911)
3   com.apple.JavaScriptCore  0x0000000108276e3d JSC::DFG::SpeculativeJIT::compile() + 253 (DFGSpeculativeJIT.cpp:2020)
4   com.apple.JavaScriptCore  0x0000000108236d09 JSC::DFG::JITCompiler::compileBody(JSC::DFG::SpeculativeJIT&) + 25 (DFGJITCompiler.cpp:108)
5   com.apple.JavaScriptCore  0x000000010823834a JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&) + 314 (DFGJITCompiler.cpp:304)
6   com.apple.JavaScriptCore  0x0000000108223423 JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int) + 1507 (DFGDriver.cpp:156)
7   com.apple.JavaScriptCore  0x0000000108222e2c JSC::DFG::tryCompileFunction(JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, unsigned int) + 60 (DFGDriver.cpp:174)
8   com.apple.JavaScriptCore  0x00000001082ebc21 JSC::jitCompileFunctionIfAppropriate(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::JITCompilationEffort) + 241 (JITDriver.h:95)
9   com.apple.JavaScriptCore  0x00000001082ec375 JSC::prepareFunctionForExecution(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::CodeSpecializationKind) + 341 (ExecutionHarness.h:68)
10  com.apple.JavaScriptCore  0x00000001082e8da9 JSC::FunctionExecutable::compileForCallInternal(JSC::ExecState*, JSC::JSScope*, JSC::JITCode::JITType, unsigned int) + 617 (Executable.cpp:538)
11  com.apple.JavaScriptCore  0x00000001082e8ac5 JSC::FunctionExecutable::compileOptimizedForCall(JSC::ExecState*, JSC::JSScope*, unsigned int) + 341 (Executable.cpp:463)
12  com.apple.JavaScriptCore  0x000000010815287f JSC::FunctionExecutable::compileOptimizedFor(JSC::ExecState*, JSC::JSScope*, unsigned int, JSC::CodeSpecializationKind) + 351 (Executable.h:677)
13  com.apple.JavaScriptCore  0x000000010814899e JSC::FunctionCodeBlock::compileOptimized(JSC::ExecState*, JSC::JSScope*, unsigned int) + 158 (CodeBlock.cpp:2873)
14  com.apple.JavaScriptCore  0x00000001083545df cti_optimize + 287 (JITStubs.cpp:1890)
15  com.apple.JavaScriptCore  0x000000010835cb80 0x1080c4000 + 2722688
16  com.apple.JavaScriptCore  0x000000010831a324 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::JSGlobalData*) + 84 (JITCode.h:135)
17  com.apple.JavaScriptCore  0x000000010831759f JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1519 (Interpreter.cpp:1055)
18  com.apple.JavaScriptCore  0x0000000108134712 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 306 (CallData.cpp:40)
19  com.apple.WebCore         0x000000010a4799e2 WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 146 (JSMainThreadExecState.h:56)
20  com.apple.WebCore         0x000000010a5bb216 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 1238 (JSEventListener.cpp:129)
21  com.apple.WebCore         0x0000000109f8f093 WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul>&) + 499 (EventTarget.cpp:257)
22  com.apple.WebCore         0x0000000109f8ec7f WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 383 (EventTarget.cpp:203)
23  com.apple.WebCore         0x0000000109ed91d0 WebCore::DOMWindow::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, WTF::PassRefPtr<WebCore::EventTarget>) + 272 (DOMWindow.cpp:1695)
24  com.apple.WebCore         0x0000000109ee0298 WebCore::DOMWindow::dispatchLoadEvent() + 296 (DOMWindow.cpp:1669)
25  com.apple.WebCore         0x0000000109d2748f WebCore::Document::dispatchWindowLoadEvent() + 143 (Document.cpp:3648)
26  com.apple.WebCore         0x0000000109d24efd WebCore::Document::implicitClose() + 493 (Document.cpp:2404)
27  com.apple.WebCore         0x000000010a05771b WebCore::FrameLoader::checkCallImplicitClose() + 155 (FrameLoader.cpp:836)
28  com.apple.WebCore         0x000000010a0573e3 WebCore::FrameLoader::checkCompleted() + 323 (FrameLoader.cpp:780)
29  com.apple.WebCore         0x000000010a057585 WebCore::FrameLoader::loadDone() + 21 (FrameLoader.cpp:725)
30  com.apple.WebCore         0x0000000109a685b2 WebCore::CachedResourceLoader::loadDone(WebCore::CachedResource*) + 114 (CachedResourceLoader.cpp:723)
31  com.apple.WebCore         0x000000010b11f63f WebCore::SubresourceLoader::releaseResources() + 191 (SubresourceLoader.cpp:323)
32  com.apple.WebCore         0x000000010aed57c9 WebCore::ResourceLoader::didFinishLoading(double) + 73 (ResourceLoader.cpp:319)
33  com.apple.WebCore         0x000000010b11f245 WebCore::SubresourceLoader::didFinishLoading(double) + 581 (SubresourceLoader.cpp:280)
34  com.apple.WebCore         0x000000010aed5fb5 WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*, double) + 53 (ResourceLoader.cpp:458)
35  com.apple.WebCore         0x000000010aed2c0a -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] + 186 (ResourceHandleMac.mm:823)
36  com.apple.Foundation      0x00007fff8c606f58 __65-[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:]_block_invoke_0 + 28
37  com.apple.Foundation      0x00007fff8c606e9c -[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:] + 227
38  com.apple.Foundation      0x00007fff8c606d98 -[NSURLConnectionInternal _withActiveConnectionAndDelegate:] + 63
39  com.apple.CFNetwork       0x00007fff94f2bfd1 ___delegate_didFinishLoading_block_invoke_0 + 40
40  com.apple.CFNetwork       0x00007fff94f1e753 ___withDelegateAsync_block_invoke_0 + 90
41  com.apple.CFNetwork       0x00007fff94fad2ca __block_global_1 + 28
42  com.apple.CoreFoundation  0x00007fff8f692724 CFArrayApplyFunction + 68
43  com.apple.CFNetwork       0x00007fff94f0fa6c RunloopBlockContext::perform() + 126
44  com.apple.CFNetwork       0x00007fff94f0f94b MultiplexerSource::perform() + 221
45  com.apple.CoreFoundation  0x00007fff8f674101 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
46  com.apple.CoreFoundation  0x00007fff8f673a25 __CFRunLoopDoSources0 + 245
47  com.apple.CoreFoundation  0x00007fff8f696dc5 __CFRunLoopRun + 789
48  com.apple.CoreFoundation  0x00007fff8f6966b2 CFRunLoopRunSpecific + 290
49  com.apple.Foundation      0x00007fff8c68489e -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 268
50  DumpRenderTree            0x0000000107f42039 runTest(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) + 5017 (DumpRenderTree.mm:1389)
51  DumpRenderTree            0x0000000107f40c2a runTestingServerLoop() + 282 (DumpRenderTree.mm:852)
52  DumpRenderTree            0x0000000107f404f7 dumpRenderTree(int, char const**) + 423 (DumpRenderTree.mm:901)
53  DumpRenderTree            0x0000000107f42829 main + 105 (DumpRenderTree.mm:939)
54  libdyld.dylib             0x00007fff8f51f7e1 start + 1
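The two fields a triager reads first in a report like the one above are the fault address and the top symbolicated frame. The following Python script is an added example (it is not part of this bug, of the patch, or of WebKit) that parses those fields out of a Mac crash report and classifies the fault. It relies on one fact about WebKit: the CRASH() macro in WTF's Assertions.h deliberately stores through 0xbbadbeef, so "KERN_INVALID_ADDRESS at 0x00000000bbadbeef" marks a failed ASSERT rather than a wild pointer, and because ASSERT compiles out in release builds this is consistent with the release build producing a wrong result (the test failure) where the debug build aborts. Since CRASH() is a macro, there is no separate CRASH frame and frame 0 is the function whose assertion fired. The sample report embedded in the script is constructed from the lines quoted in the description (a subset of the frames); the null-page threshold, the bucket names and the function names are this script's own choices, not WebKit conventions.

```python
"""Triage helper for macOS crash reports (added example, not WebKit code)."""
import re

# Fact about WebKit: WTF's CRASH() executes `*(int *)(uintptr_t)0xbbadbeef = 0;`
WEBKIT_CRASH_SENTINEL = 0xBBADBEEF
# Heuristic (this script's choice): faults inside the first page read as NULL + small offset.
NULL_PAGE_LIMIT = 0x1000

EXCEPTION_RE = re.compile(
    r"^Exception Codes:\s*(?P<code>\S+) at 0x(?P<addr>[0-9a-fA-F]+)", re.MULTILINE
)
# One backtrace frame: "<idx> <image> 0x<pc> <symbol> + <offset> [(file:line)]".
# The symbol is matched lazily so C++ signatures containing spaces still parse.
FRAME_RE = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<image>\S+)\s+0x(?P<pc>[0-9a-fA-F]+)\s+"
    r"(?P<symbol>.+?)\s\+\s(?P<offset>\d+)"
    r"(?:\s+\((?P<file>[^():]+):(?P<line>\d+)\))?\s*$",
    re.MULTILINE,
)

# Constructed sample: header lines and a subset of frames from the report in this bug.
SAMPLE_REPORT = """\
Process:         DumpRenderTree [58187]
Code Type:       X86-64 (Native)
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000bbadbeef

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore  0x000000010827932c JSC::DFG::SpeculativeJIT::compileInt32ToDouble(JSC::DFG::Node&) + 172 (DFGSpeculativeJIT.cpp:2475)
1   com.apple.JavaScriptCore  0x00000001082a79b9 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node&) + 5321 (DFGSpeculativeJIT64.cpp:2355)
14  com.apple.JavaScriptCore  0x00000001083545df cti_optimize + 287 (JITStubs.cpp:1890)
15  com.apple.JavaScriptCore  0x000000010835cb80 0x1080c4000 + 2722688
36  com.apple.Foundation      0x00007fff8c606f58 __65-[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:]_block_invoke_0 + 28
53  DumpRenderTree            0x0000000107f42829 main + 105 (DumpRenderTree.mm:939)
"""


def parse_fault(report):
    """Return (exception code, faulting address) from the 'Exception Codes' line."""
    m = EXCEPTION_RE.search(report)
    if not m:
        raise ValueError("no 'Exception Codes' line in report")
    return m["code"], int(m["addr"], 16)


def classify_fault(address):
    """Bucket a faulting address: deliberate WebKit CRASH(), near-NULL, or other."""
    if address == WEBKIT_CRASH_SENTINEL:
        return "webkit-assert"  # failed ASSERT/RELEASE_ASSERT: read the assertion, not the pointer
    if address < NULL_PAGE_LIMIT:
        return "null-deref"
    return "other"


def parse_frames(report):
    """Parse every backtrace frame line into a dict; file/line are None when unsymbolicated."""
    frames = []
    for m in FRAME_RE.finditer(report):
        frames.append({
            "index": int(m["index"]),
            "image": m["image"],
            "pc": int(m["pc"], 16),
            "symbol": m["symbol"],
            "offset": int(m["offset"]),
            "file": m["file"],
            "line": int(m["line"]) if m["line"] else None,
        })
    return frames


def first_symbolicated_frame(frames):
    """Lowest frame with a source location. CRASH() is a macro, so for a
    webkit-assert fault this is the function whose assertion fired."""
    for f in frames:
        if f["file"] is not None:
            return f
    return None


def triage(report):
    """Summarise a report: what faulted, what kind of fault, where to look first."""
    code, addr = parse_fault(report)
    frames = parse_frames(report)
    culprit = first_symbolicated_frame(frames)
    return {
        "exception_code": code,
        "fault_address": addr,
        "kind": classify_fault(addr),
        "culprit": f"{culprit['symbol']} ({culprit['file']}:{culprit['line']})" if culprit else None,
        # Frames whose "symbol" is just an image-relative address: likely JIT stubs or trampolines.
        "unsymbolicated": [f["index"] for f in frames if f["symbol"].startswith("0x")],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value:#x}" if key == "fault_address" else f"{key}: {value}")
```

Run against the sample, the script reports kind "webkit-assert" and points at compileInt32ToDouble at DFGSpeculativeJIT.cpp:2475, which is the line to read in the change set; frame 15 is listed as unsymbolicated because its "symbol" is only an image-relative address.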
Attachments
Patch (1.90 KB, patch)
2013-01-18 16:54 PST, Michael Saboff
fpizlo: review+
Michael Saboff
Comment 1 2013-01-18 16:54:38 PST
Michael Saboff
Comment 2 2013-01-18 16:57:53 PST