Bug 141042

Summary: BUILD REGRESSION: Release 180391; EXC_BAD_ACCESS Crash at JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq when page is redrawn.
Product: WebKit Reporter: Cody A. Taylor <cody.taylor>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Critical    
Priority: P1    
Version: 528+ (Nightly build)   
Hardware: Mac (Intel)   
OS: OS X 10.10   
Attachments:
Description Flags
Four Stack Traces none

Cody A. Taylor
Reported 2015-01-29 11:56:37 PST
Created attachment 245637 [details] Four Stack Traces Occurs on Safari version (at least) 8.0 to 8.0.2. The crash is happening on a proprietary website, so I am unable to share the URL. I am able to state that this is an Angular search/filter application. There are div boxes being 'hidden' or 'shown' as result of the filtering. Form types include input boxes, checkboxs, radio buttons, sliders, and select controls. The application is being updated on any input with `lodash.throttle` every 500 ms. Increasing the time does not seem to make any difference. Being multi-threaded I'm not sure how to track down the exact point of origin. However, this does appear on every stacktrace as the "Crashed Thread": ``` 0 com.apple.JavaScriptCore 0x00000001092e9f6e WTFCrash + 62 1 com.apple.JavaScriptCore 0x000000010941f94d JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq() + 3485 2 com.apple.JavaScriptCore 0x0000000109407dcd JSC::FTL::LowerDFGToLLVM::compileNode(unsigned int) + 3453 3 com.apple.JavaScriptCore 0x0000000109406fe8 JSC::FTL::LowerDFGToLLVM::compileBlock(JSC::DFG::BasicBlock*) + 808 4 com.apple.JavaScriptCore 0x0000000109406475 JSC::FTL::LowerDFGToLLVM::lower() + 3509 5 com.apple.JavaScriptCore 0x00000001094056a9 JSC::FTL::lowerDFGToLLVM(JSC::FTL::State&) + 41 6 com.apple.JavaScriptCore 0x00000001093b3ff6 JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) + 1398 7 com.apple.JavaScriptCore 0x00000001093b381d JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*) + 493 8 com.apple.JavaScriptCore 0x00000001093ed062 JSC::DFG::Worklist::runThread(JSC::DFG::ThreadData*) + 546 9 com.apple.JavaScriptCore 0x00000001090eaa9f WTF::wtfThreadEntryPoint(void*) + 15 10 libsystem_pthread.dylib 0x00007fff8d82b2fc _pthread_body + 131 11 libsystem_pthread.dylib 0x00007fff8d82b279 _pthread_start + 176 12 libsystem_pthread.dylib 0x00007fff8d8294b1 thread_start + 13 ``` Any pointers are appreciated.
Attachments
Four Stack Traces (27.41 KB, application/octet-stream)
2015-01-29 11:56 PST, Cody A. Taylor 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Cody A. Taylor
Comment 1 2015-01-29 12:29:42 PST
Note that the same thing is occurring with the latest nightly build: 'WebKit-SVN-r179336.dmg'.
Cody A. Taylor
Comment 2 2015-02-11 06:31:23 PST
Changeset http://trac.webkit.org/changeset/179882 fixes this problem, Closing. *** This bug has been marked as a duplicate of bug 139398 ***
Cody A. Taylor
Comment 3 2015-03-26 20:02:43 PDT
I closed with a test of a nightly build at http://trac.webkit.org/changeset/179912 and there was no crashes. I tested again when https://support.apple.com/en-us/HT204560 (Safari 8.0.4, http://trac.webkit.org/changeset/180391) and the application again crashes. The following is the crashing thread. Thread 11 Crashed:: FTL Worklist Worker Thread 0 com.apple.JavaScriptCore 0x0000000100de04be WTFCrash + 62 1 com.apple.JavaScriptCore 0x0000000100f1610d JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq() + 3485 2 com.apple.JavaScriptCore 0x0000000100efe58d JSC::FTL::LowerDFGToLLVM::compileNode(unsigned int) + 3453 3 com.apple.JavaScriptCore 0x0000000100efd7a8 JSC::FTL::LowerDFGToLLVM::compileBlock(JSC::DFG::BasicBlock*) + 808 4 com.apple.JavaScriptCore 0x0000000100efcc35 JSC::FTL::LowerDFGToLLVM::lower() + 3509 5 com.apple.JavaScriptCore 0x0000000100efbe69 JSC::FTL::lowerDFGToLLVM(JSC::FTL::State&) + 41 6 com.apple.JavaScriptCore 0x0000000100eaa736 JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) + 1398 7 com.apple.JavaScriptCore 0x0000000100ea9f5d JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*) + 493 8 com.apple.JavaScriptCore 0x0000000100ee3822 JSC::DFG::Worklist::runThread(JSC::DFG::ThreadData*) + 546 9 com.apple.JavaScriptCore 0x0000000100be0c0f WTF::wtfThreadEntryPoint(void*) + 15 10 libsystem_pthread.dylib 0x00007fff90832268 _pthread_body + 131 11 libsystem_pthread.dylib 0x00007fff908321e5 _pthread_start + 176 12 libsystem_pthread.dylib 0x00007fff9083041d thread_start + 13 Please provide some direction to help describe this issue better.
Cody A. Taylor
Comment 4 2015-03-27 07:37:27 PDT
Further, I have tested the nightly builds just before (http://trac.webkit.org/changeset/180379) and just after (http://trac.webkit.org/changeset/180413) the changeset for release 600.4.10 (http://trac.webkit.org/changeset/180391). My manual tests pass with nightly builds at 180379 & 180413, but still experience a crash with Safari 8.0.4. There is not any code changes that I suspect would cause this issue in this range, therefore I suspect this is a build-settings bug. Lastly, the most recent nightly at changeset http://trac.webkit.org/changeset/182008 also seems to pass my manual tests.
Cody A. Taylor
Comment 5 2015-04-27 11:02:23 PDT
This should not have been re-opened. This was a failure of my understanding in SVN branching. *** This bug has been marked as a duplicate of bug 139398 ***
Note You need to log in before you can comment on or make changes to this bug.