Bug 128149

Summary: REGRESSION: Crash using Web Inspector - Overflow of variablesAtTail in ByteCodeParser::setLocal()
Product: WebKit Reporter: Michael Saboff <msaboff>
Component: JavaScriptCore Assignee: Michael Saboff <msaboff>
Status: RESOLVED WORKSFORME    
Severity: Normal CC: bburg
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   

Description Michael Saboff 2014-02-03 18:00:15 PST
From Radar <rdar://problem/15974955>:

I get this by opening the Web Inspector of www.apple.com and navigating around.  Clicking on a script in the navigator seems to be the best way to make this happen.

Here is the crash trace in the debugger:

(lldb) bt
* thread #15: tid = 0x14187e, 0x0000000108767b0a JavaScriptCore`WTFCrash + 42 at Assertions.cpp:333, name = 'JSC Compilation Thread, stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef)
    frame #0: 0x0000000108767b0a JavaScriptCore`WTFCrash + 42 at Assertions.cpp:333
    frame #1: 0x000000010808e289 JavaScriptCore`WTF::CrashOnOverflow::overflowed() + 9 at CheckedArithmetic.h:78
    frame #2: 0x00000001081acf8f JavaScriptCore`WTF::Vector<JSC::DFG::Node*, 16ul, WTF::CrashOnOverflow>::at(this=0x00007fa6fa587b80, i=31) + 79 at Vector.h:584
    frame #3: 0x00000001081acf2d JavaScriptCore`WTF::Vector<JSC::DFG::Node*, 16ul, WTF::CrashOnOverflow>::operator[](this=0x00007fa6fa587b80, i=31) + 29 at Vector.h:604
    frame #4: 0x00000001081e42cf JavaScriptCore`JSC::Operands<JSC::DFG::Node*, JSC::DFG::NodePointerTraits>::local(this=0x00007fa6fa587b30, idx=31) + 47 at Operands.h:74
    frame #5: 0x00000001081e4282 JavaScriptCore`JSC::DFG::ByteCodeParser::setLocal(this=0x000000011105f9b0, operand=VirtualRegister at 0x000000011105ac10, value=0x00000001190d8500, setMode=ImmediateSet) + 514 at DFGByteCodeParser.cpp:341
    frame #6: 0x00000001081ce011 JavaScriptCore`JSC::DFG::ByteCodeParser::DelayedSetLocal::execute(this=0x000000011105aca0, parser=0x000000011105f9b0, setMode=ImmediateSet) + 113 at DFGByteCodeParser.cpp:1122
    frame #7: 0x00000001081cfbd9 JavaScriptCore`JSC::DFG::ByteCodeParser::setDirect(this=0x000000011105f9b0, operand=VirtualRegister at 0x000000011105acc8, value=0x00000001190d8500, setMode=ImmediateSet) + 201 at DFGByteCodeParser.cpp:249
    frame #8: 0x00000001081cc7e9 JavaScriptCore`JSC::DFG::ByteCodeParser::set(this=0x000000011105f9b0, operand=VirtualRegister at 0x000000011105ad10, value=0x00000001190d8500, setMode=ImmediateSet) + 73 at DFGByteCodeParser.cpp:254
    frame #9: 0x00000001081c7883 JavaScriptCore`JSC::DFG::ByteCodeParser::parseBlock(this=0x000000011105f9b0, limit=46) + 33235 at DFGByteCodeParser.cpp:3046
    frame #10: 0x00000001081be548 JavaScriptCore`JSC::DFG::ByteCodeParser::parseCodeBlock(this=0x000000011105f9b0) + 1960 at DFGByteCodeParser.cpp:3681
    frame #11: 0x00000001081bd4df JavaScriptCore`JSC::DFG::ByteCodeParser::handleInlining(this=0x000000011105f9b0, callTargetNode=0x00000001190d4b80, resultOperand=-1, callLinkStatus=0x000000011105d3f8, registerOffset=-16, argumentCountIncludingThis=9, nextOffset=1220, kind=CodeForCall) + 1615 at DFGByteCodeParser.cpp:1391
    frame #12: 0x00000001081bb945 JavaScriptCore`JSC::DFG::ByteCodeParser::handleCall(this=0x000000011105f9b0, result=-1, op=Call, kind=CodeForCall, instructionSize=8, callee=-1, argumentCountIncludingThis=9, registerOffset=-16) + 1045 at DFGByteCodeParser.cpp:1218
    frame #13: 0x00000001081bb527 JavaScriptCore`JSC::DFG::ByteCodeParser::handleCall(this=0x000000011105f9b0, pc=0x00007fa6fb3c59e8, op=Call, kind=CodeForCall) + 87 at DFGByteCodeParser.cpp:1157
    frame #14: 0x00000001081c75b8 JavaScriptCore`JSC::DFG::ByteCodeParser::parseBlock(this=0x000000011105f9b0, limit=1222) + 32520 at DFGByteCodeParser.cpp:3010
    frame #15: 0x00000001081be548 JavaScriptCore`JSC::DFG::ByteCodeParser::parseCodeBlock(this=0x000000011105f9b0) + 1960 at DFGByteCodeParser.cpp:3681
    frame #16: 0x00000001081cb88e JavaScriptCore`JSC::DFG::ByteCodeParser::parse(this=0x000000011105f9b0) + 910 at DFGByteCodeParser.cpp:3737
    frame #17: 0x00000001081cbbbe JavaScriptCore`JSC::DFG::parse(graph=0x00000001110603b0) + 62 at DFGByteCodeParser.cpp:3762
    frame #18: 0x00000001082e899e JavaScriptCore`JSC::DFG::Plan::compileInThreadImpl(this=0x00007fa7026abe70, longLivedState=0x0000000111060d00) + 190 at DFGPlan.cpp:189
    frame #19: 0x00000001082e8618 JavaScriptCore`JSC::DFG::Plan::compileInThread(this=0x00007fa7026abe70, longLivedState=0x0000000111060d00) + 264 at DFGPlan.cpp:150
    frame #20: 0x000000010838ad74 JavaScriptCore`JSC::DFG::Worklist::runThread(this=0x00007fa6f9f8c260) + 468 at DFGWorklist.cpp:240
    frame #21: 0x0000000108389e55 JavaScriptCore`JSC::DFG::Worklist::threadFunction(argument=0x00007fa6f9f8c260) + 21 at DFGWorklist.cpp:261
    frame #22: 0x00000001087b65a8 JavaScriptCore`WTF::threadEntryPoint(contextData=0x00007fa6f9f45670) + 152 at Threading.cpp:69
    frame #23: 0x00000001087b7208 JavaScriptCore`WTF::wtfThreadEntryPoint(param=0x00007fa6f9f88a20) + 296 at ThreadingPthreads.cpp:170
    frame #24: 0x00007fff89aa2899 libsystem_pthread.dylib`_pthread_body + 138
    frame #25: 0x00007fff89aa272a libsystem_pthread.dylib`_pthread_start + 137
    frame #26: 0x00007fff89aa6fc9 libsystem_pthread.dylib`thread_start + 13

The VirtualRegister in question which is beyond the size of variablesAtTail is from an inlined call frame.  Turning off inlining seems to work around the issue.
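The trace above ends in WTF::Vector::at() calling CrashOnOverflow because Operands::local() was asked for index 31 of a variablesAtTail sized for the outer code block. The following is an added illustration, not JSC code: a hypothetical, simplified model of a checked vector and an Operands-like container (names `CheckedVector`, `Operands`, `accessRejected` and the local counts are assumptions) showing how the bounds check turns an inlined frame's out-of-range local index into an immediate, deterministic failure instead of a silent out-of-bounds read.

```cpp
#include <cstddef>
#include <stdexcept>
#include <vector>

// Hypothetical model (not WTF's code) of a bounds-checked accessor in the
// spirit of WTF::Vector::at with CrashOnOverflow: an out-of-range index is
// reported at once rather than reading past the buffer. WTF would call
// WTFCrash(); here we throw so the behaviour can be observed in a test.
struct OverflowError : std::runtime_error {
    using std::runtime_error::runtime_error;
};

template <typename T>
struct CheckedVector {
    std::vector<T> storage;
    T& at(size_t i) {
        if (i >= storage.size())
            throw OverflowError("Vector index out of range"); // CrashOnOverflow::overflowed()
        return storage[i];
    }
};

// Hypothetical model of Operands<T>: arguments and locals kept in separate
// vectors; local(idx) indexes the locals vector, as frame #4 of the trace shows.
template <typename T>
struct Operands {
    CheckedVector<T> arguments;
    CheckedVector<T> locals;
    T& local(size_t idx) { return locals.at(idx); }
};

// Reproduces the shape of the bug: variablesAtTail was sized for the outer
// code block's locals, but a VirtualRegister from an inlined callee maps to a
// local index past that size. Returns true when the checked accessor rejects
// the access (the crash seen in the trace), false when the index is in range.
bool accessRejected(size_t outerLocalCount, size_t inlinedLocalIndex) {
    Operands<int*> variablesAtTail;
    variablesAtTail.locals.storage.assign(outerLocalCount, nullptr);
    try {
        (void)variablesAtTail.local(inlinedLocalIndex);
        return false;
    } catch (const OverflowError&) {
        return true;
    }
}
```

The sizes are constructed: 16 locals with index 31 mirrors the `i=31` in frames #2 and #3 landing beyond the vector, while a container sized for 32 locals accepts the same index.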
Comment 1 BJ Burg 2014-02-10 13:40:21 PST
Another way to reproduce is to inspect most any GitHub webpage, and then to view some of the hashcode-named JS files with the navigation sidebar.
Comment 2 Michael Saboff 2014-03-05 15:56:55 PST
I can no longer reproduce this, either with www.apple.com or a github page (https://github.com/sampsyo/beets/tree/master/beets).

I hit another crash and filed <https://bugs.webkit.org/show_bug.cgi?id=129763> - "Web Inspector: ASSERTION FAILED: m_javaScriptBreakpoints.isEmpty()"