| Field | Value |
|---|---|
| Summary | An odd crash |
| Product | WebKit |
| Component | JavaScriptCore |
| Reporter | Peng Xinchao <xinchao.peng> |
| Assignee | Nobody <webkit-unassigned> |
| Status | NEW |
| Severity | Normal |
| Priority | P2 |
| Version | 528+ (Nightly build) |
| Hardware | Unspecified |
| OS | Unspecified |
| CC | bshafiei, fpizlo, ggaren, kling, mark.lam, msaboff, xinchao.peng, ysuzuki |
Description
Peng Xinchao
2015-04-16 19:32:08 PDT
1. Do you have steps to reproduce this?
2. If so, what revision # are you building?

JS source code is this:

```javascript
setInterval(function() {
    // ...
    var $osd = $('#osd');
    $osd.show();
    setTimeout(function() {
        $osd.hide();
    }, 5000);
    // ...
}, 1000);
```

My WebKit version is webkit-r150045. The platform is arm-gtk.
(In reply to comment #2)
> JS source code is that :
>
> setInterval(function() {
> .......
> var $osd = $('#osd');
> $osd.show();
> setTimeout(function() {
> $osd.hide();
> }, 5000);
> ...
> },1000);
> my webkit version is webkit-r150045. platform is arm-gtk .

That is a very old version of the code. Try updating to the tip of tree and see if the issue still manifests.

After running this JS source code for 20 minutes, WebProcess will core dump:
```html
<script>
setInterval(function() {
    var d = new Date();
    // Number.prototype.addNulls is called on the primitive numbers
    // returned by getHours() and getMinutes()
    var time = d.getHours().addNulls() + ":" + d.getMinutes().addNulls();
    var $osd = $('#osd');
    $osd.show();
    $osd.find(".channel_time").text(time);
    setTimeout(function() {
        $osd.hide();
    }, 5000);
}, 10000);

// Zero-pads a one-digit number; `this` is the receiver number
Number.prototype.addNulls = function () {
    if (this < 10) {
        return "0" + this;
    }
    return this.toString();
}
</script>
```
I found two things:

1. If DFG_JIT is disabled, the crash doesn't happen.
2. If `var time = d.getHours().addNulls() + ":" + d.getMinutes().addNulls();` is changed to `var time = d.getHours() + ":" + d.getMinutes();`, the crash doesn't happen.

It looks like the process crashes when addNulls is called.
It looks like the JSC DFG goes wrong when running `return "0" + this;`, because I found that the crash usually happens at `if (this < 10)`. The issue
```cpp
void SpeculativeJIT::compile(Node* node)
{
    // ...
    case ToThis: {
        ASSERT(node->child1().useKind() == UntypedUse);
        // ...
    }
```
Here, the value of `node->child1().useKind()` is UntypedUse.
I find this very strange.
Why?
(In reply to comment #7)
> void SpeculativeJIT::compile(Node* node)
> {
> .. .
> case ToThis: {
> ASSERT(node->child1().useKind() == UntypedUse);
> ....
>
> }
> In here , the value of "node->child1().useKind()" is UntypedUse .
> I feel very strange 。
> why ?

Again, r150045 is very old (from 2 years ago). There have been many enhancements and bug fixes since then. Have you tried the latest revision (e.g. r182982) to see if the issue is still present?

In the newest version (x86_gtk), the crash still exists.

```cpp
case ToThis: {
    printf(" node->child1().useKind() =%d\n", node->child1().useKind());
    ASSERT(node->child1().useKind() == UntypedUse); // ---> crash here
```
TestCase:

```html
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Tutorial Video Widget</title>
<script>
function onLoad() {
    setInterval(function() {
        var d = new Date();
        // addNulls is invoked on primitive number receivers every second
        var time = d.getHours().addNulls() + ":" + d.getMinutes().addNulls();
        document.write("time=" + time);
        document.write("<br>");
    }, 1000);
}

Number.prototype.addNulls = function () {
    if (this < 100) {
        return "0" + this;
    }
    return this.toString();
}
</script>
</head>
<body onload="onLoad();">
</body>
</html>
```
Created attachment 254475: Patch

Comment on attachment 254475 (Patch):
This is definitely not the right approach. You're just turning off ToThis in the DFG and creating a bunch of dead code. Note that the ToThis handling in DFG is designed to work with UntypedUse - so this patch doesn't make sense.