Bug 128054

Summary: Crash in JSC::ArrayProfile::computeUpdatedPrediction(JSC::ConcurrentJITLocker const&, JSC::CodeBlock*)
Product: WebKit
Reporter: Dimitris Apostolou <dimitris.apostolou>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: CLOSED FIXED    
Severity: Normal    
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Mac (Intel)   
OS: OS X 10.9   
URL: http://www.jorgexolalpa.com/
Attachments:
Description: Crash log    Flags: none

Description Dimitris Apostolou 2014-02-01 18:34:22 PST
Created attachment 222896 [details]
Crash log

r163227

Reproducibility: always

Steps:
1. http://www.jorgexolalpa.com/
2. Hover mouse on any of the link titles on the top left.

What happened:
Crash.

Thread 8 Crashed:: JSC Compilation Thread
0   com.apple.JavaScriptCore      	0x00000001054eb5d4 JSC::ArrayProfile::computeUpdatedPrediction(JSC::ConcurrentJITLocker const&, JSC::CodeBlock*) + 4
1   com.apple.JavaScriptCore      	0x00000001055564c7 JSC::DFG::ByteCodeParser::handleIntrinsic(int, JSC::Intrinsic, int, int, unsigned int) + 535
2   com.apple.JavaScriptCore      	0x0000000105555bc1 JSC::DFG::ByteCodeParser::handleCall(int, JSC::DFG::NodeType, JSC::CodeSpecializationKind, unsigned int, int, int, int) + 657
3   com.apple.JavaScriptCore      	0x000000010555dd93 JSC::DFG::ByteCodeParser::parseBlock(unsigned int) + 19107
4   com.apple.JavaScriptCore      	0x000000010555846b JSC::DFG::ByteCodeParser::parseCodeBlock() + 1867
5   com.apple.JavaScriptCore      	0x00000001055577bc JSC::DFG::ByteCodeParser::handleInlining(JSC::DFG::Node*, int, JSC::CallLinkStatus const&, int, int, unsigned int, JSC::CodeSpecializationKind) + 1276
6   com.apple.JavaScriptCore      	0x0000000105555c98 JSC::DFG::ByteCodeParser::handleCall(int, JSC::DFG::NodeType, JSC::CodeSpecializationKind, unsigned int, int, int, int) + 872
7   com.apple.JavaScriptCore      	0x000000010555c206 JSC::DFG::ByteCodeParser::parseBlock(unsigned int) + 12054
8   com.apple.JavaScriptCore      	0x000000010555846b JSC::DFG::ByteCodeParser::parseCodeBlock() + 1867
9   com.apple.JavaScriptCore      	0x00000001055628e4 JSC::DFG::ByteCodeParser::parse() + 628
10  com.apple.JavaScriptCore      	0x00000001055629f9 JSC::DFG::parse(JSC::DFG::Graph&) + 41
11  com.apple.JavaScriptCore      	0x00000001055cd993 JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) + 211
12  com.apple.JavaScriptCore      	0x00000001055cd6dd JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&) + 269
13  com.apple.JavaScriptCore      	0x00000001056449db JSC::DFG::Worklist::runThread() + 539
14  com.apple.JavaScriptCore      	0x00000001058ea57f WTF::wtfThreadEntryPoint(void*) + 15
15  libsystem_pthread.dylib       	0x00007fff972bf899 _pthread_body + 138
16  libsystem_pthread.dylib       	0x00007fff972bf72a _pthread_start + 137
17  libsystem_pthread.dylib       	0x00007fff972c3fc9 thread_start + 13

Expected result:
WebKit does not crash.
Comment 1 Dimitris Apostolou 2014-02-05 23:55:01 PST
Fixed with r163498