Bug 135822

Summary: REGRESSION: Web Inspector crashes in JSC::repatchCall under requestAnimationFrame when capturing an execution
Product: WebKit Reporter: Brian Burg <burg>
Component: JavaScriptCoreAssignee: Mark Lam <mark.lam>
Status: RESOLVED WORKSFORME    
Severity: Normal CC: ggaren, joepeck, mark.lam, msaboff, saam, timothy, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
URL: http://www.nihilogic.dk/labs/tetris/

Description Brian Burg 2014-08-11 17:30:29 PDT 
Steps to reproduce:

1. Use an engineering build which has WEB_REPLAY enabled.
2. Navigate to the page
3. Open the web inspector
4. Open the timelines sidebar panel
5. Right-click on the navigation bar and select "Show Replay Controls"
6. Press the recording button (centered)

After recording for a few (5-10) seconds, the inspector crashes.

This is very reproducible on this page. I am currently trying to narrow down the reproduction steps, as it is probably triggered by the timelines overview, not anything specific to WEB_REPLAY. I will update this bug if a debug build/lldb hits any useful asserts.

Stack trace:

1   0x1119bba6a JSC::repatchCall(JSC::RepatchBuffer&, JSC::CodeLocationCall, JSC::FunctionPtr)
2   0x1119ba7e8 JSC::repatchIn(JSC::ExecState*, JSC::JSCell*, JSC::Identifier const&, bool, JSC::PropertySlot const&, JSC::StructureStubInfo&)
3   0x11181efa9 operationInOptimize
4   0x3b491b3df194
5   0x1118f64f9 callToJavaScript
6   0x111803093 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
7   0x1117e86ea JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
8   0x1115cc55e JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
9   0x1117b1f39 JSC::callGetter(JSC::ExecState*, JSC::JSValue, JSC::JSValue)
10  0x11181ddcd operationGetById
11  0x3b491b416934
12  0x3b491b45ae57
13  0x3b491b492882
14  0x3b491b48e66e
15  0x3b491b36a8c7
16  0x1118f64f9 callToJavaScript
17  0x111803093 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
18  0x1117e86ea JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
19  0x1115cc55e JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
20  0x11184c33b JSC::boundFunctionCall(JSC::ExecState*)
21  0x1118f6697 callToNativeFunction
22  0x1117e8730 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
23  0x1115cc5af JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, JSC::JSValue*)
24  0x11235ab14 WebCore::JSCallbackData::invokeCallback(JSC::JSValue, JSC::MarkedArgumentBuffer&, bool*)
25  0x1125491cf WebCore::JSRequestAnimationFrameCallback::handleEvent(double)
26  0x11292e387 WebCore::ScriptedAnimationController::serviceScriptedAnimations(double)
27  0x111fda27b WebCore::DisplayRefreshMonitor::displayDidRefresh()
28  0x111a50b94 WTF::dispatchFunctionsFromMainThread()
29  0x7fff9390d13e __NSThreadPerformPerform
30  0x7fff96b0e5b1 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__
31  0x7fff96affc62 __CFRunLoopDoSources0
Comment 1 Radar WebKit Bug Importer 2014-08-12 03:02:03 PDT 
<rdar://problem/17988544>
Comment 2 Brian Burg 2014-08-21 11:54:43 PDT 
Seems to not reproduce anymore. It may have been related to msaboff's fix yesterday.