Bug 128054

Summary: Crash in JSC::ArrayProfile::computeUpdatedPrediction(JSC::ConcurrentJITLocker const&, JSC::CodeBlock*)
Product: WebKit Reporter: Dimitris Apostolou <dimitris.apostolou>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: CLOSED FIXED    
Severity: Normal    
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Mac (Intel)   
OS: OS X 10.9   
URL: http://www.jorgexolalpa.com/
Attachments:
Description Flags
Crash log none

Dimitris Apostolou
Reported 2014-02-01 18:34:22 PST
Created attachment 222896 [details] Crash log r163227 Reproducibility: always Steps: 1. http://www.jorgexolalpa.com/ 2. Hover mouse on any of the link titles on the top left. What happened: 2. Crash. Thread 8 Crashed:: JSC Compilation Thread 0 com.apple.JavaScriptCore 0x00000001054eb5d4 JSC::ArrayProfile::computeUpdatedPrediction(JSC::ConcurrentJITLocker const&, JSC::CodeBlock*) + 4 1 com.apple.JavaScriptCore 0x00000001055564c7 JSC::DFG::ByteCodeParser::handleIntrinsic(int, JSC::Intrinsic, int, int, unsigned int) + 535 2 com.apple.JavaScriptCore 0x0000000105555bc1 JSC::DFG::ByteCodeParser::handleCall(int, JSC::DFG::NodeType, JSC::CodeSpecializationKind, unsigned int, int, int, int) + 657 3 com.apple.JavaScriptCore 0x000000010555dd93 JSC::DFG::ByteCodeParser::parseBlock(unsigned int) + 19107 4 com.apple.JavaScriptCore 0x000000010555846b JSC::DFG::ByteCodeParser::parseCodeBlock() + 1867 5 com.apple.JavaScriptCore 0x00000001055577bc JSC::DFG::ByteCodeParser::handleInlining(JSC::DFG::Node*, int, JSC::CallLinkStatus const&, int, int, unsigned int, JSC::CodeSpecializationKind) + 1276 6 com.apple.JavaScriptCore 0x0000000105555c98 JSC::DFG::ByteCodeParser::handleCall(int, JSC::DFG::NodeType, JSC::CodeSpecializationKind, unsigned int, int, int, int) + 872 7 com.apple.JavaScriptCore 0x000000010555c206 JSC::DFG::ByteCodeParser::parseBlock(unsigned int) + 12054 8 com.apple.JavaScriptCore 0x000000010555846b JSC::DFG::ByteCodeParser::parseCodeBlock() + 1867 9 com.apple.JavaScriptCore 0x00000001055628e4 JSC::DFG::ByteCodeParser::parse() + 628 10 com.apple.JavaScriptCore 0x00000001055629f9 JSC::DFG::parse(JSC::DFG::Graph&) + 41 11 com.apple.JavaScriptCore 0x00000001055cd993 JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) + 211 12 com.apple.JavaScriptCore 0x00000001055cd6dd JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&) + 269 13 com.apple.JavaScriptCore 0x00000001056449db JSC::DFG::Worklist::runThread() + 539 14 com.apple.JavaScriptCore 0x00000001058ea57f WTF::wtfThreadEntryPoint(void*) + 15 15 libsystem_pthread.dylib 0x00007fff972bf899 _pthread_body + 138 16 libsystem_pthread.dylib 0x00007fff972bf72a _pthread_start + 137 17 libsystem_pthread.dylib 0x00007fff972c3fc9 thread_start + 13 Expected result: Webkit does not crash.
Attachments
Crash log (56.41 KB, application/octet-stream)
2014-02-01 18:34 PST, Dimitris Apostolou 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Dimitris Apostolou
Comment 1 2014-02-05 23:55:01 PST
Fixed with r163498
Note You need to log in before you can comment on or make changes to this bug.