Bug 116082

Summary: fourthTier: Segfault in jsc with simple test program when running with profile dumping enabled
Product: WebKit Reporter: Mark Hahnenberg <mhahnenberg>
Component: JavaScriptCoreAssignee: Mark Hahnenberg <mhahnenberg>
Status: RESOLVED FIXED    
Severity: Normal CC: fpizlo
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
test case
none
crash log
none
crash log 2
none
Patch fpizlo: review+

Mark Hahnenberg
Reported 2013-05-13 17:43:32 PDT
If I run the attached test on the latest revision on the dfgFourthTier branch, I get a segfault. I've also attached the crash log.
Attachments
test case (423 bytes, application/x-javascript)
2013-05-13 17:58 PDT, Mark Hahnenberg 		no flags
Details
crash log (20.20 KB, text/plain)
2013-05-13 21:51 PDT, Mark Hahnenberg 		no flags
Details
crash log 2 (20.52 KB, text/plain)
2013-05-13 21:55 PDT, Mark Hahnenberg 		no flags
Details
Patch (1.76 KB, patch)
2013-05-14 13:15 PDT, Mark Hahnenberg 		fpizlo: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Mark Hahnenberg
Comment 1 2013-05-13 17:51:30 PDT
Nevermind about the test case, I think this has to do with having the profiling option enabled on the command line.
Mark Hahnenberg
Comment 2 2013-05-13 17:58:26 PDT
Created attachment 201656 [details] test case Steps to repro: 1) build 2) DYLD_FRAMEWORK_PATH=WebKitBuild/Debug/ WebKitBuild/Debug/jsc -f ~/Code/WebKit-svn-03/OpenSource/test.js -p out.profile 3) Crash.
Mark Hahnenberg
Comment 3 2013-05-13 17:58:47 PDT
I tried disabling both the FTL and concurrent compilation, but the crash still happens.
Filip Pizlo
Comment 4 2013-05-13 21:49:20 PDT
(In reply to comment #0) > If I run the attached test on the latest revision on the dfgFourthTier branch, I get a segfault. I've also attached the crash log. Did you attach the crash log?
Mark Hahnenberg
Comment 5 2013-05-13 21:51:03 PDT
Created attachment 201676 [details] crash log
Mark Hahnenberg
Comment 6 2013-05-13 21:55:39 PDT
Created attachment 201677 [details] crash log 2 The previous crash log isn't where I was seeing the crash. Attaching a better one.
Mark Hahnenberg
Comment 7 2013-05-14 13:11:22 PDT
From email with Phil: "It's crashing because CodeBlock::baselineVersion() doesn't know how to handle the case where 'this' is the baseline version but it hasn't been assigned to the m_blahCodeBlock field in BlahExecutable." Patch coming soon to a theater near you.
Mark Hahnenberg
Comment 8 2013-05-14 13:15:02 PDT
Created attachment 201747 [details] Patch
Mark Hahnenberg
Comment 9 2013-05-14 13:36:37 PDT
Committed r150086: <http://trac.webkit.org/changeset/150086>
Note You need to log in before you can comment on or make changes to this bug.