Bug 22413

Summary: REGRESSION (r38652): Google Code page crashes WebKit
Product: WebKit Reporter: Charles Ying <charles_ying>
Component: New BugsAssignee: Gavin Barraclough <barraclough>
Status: RESOLVED FIXED    
Severity: Normal CC: 858wildcat, ap, barraclough, dieter, doggeral, hbridge+bugzilla, irony42, jimoase, josehenton13, kai.conragan, roncouver, vorkbob, Wout.Mertens, zwarich
Priority: P1 Keywords: GoogleBug, NeedsReduction, Regression
Version: 528+ (Nightly build)   
Hardware: Mac   
OS: OS X 10.5   
URL: http://code.google.com/apis/ajaxlibs/documentation/
Attachments:
Description Flags
Ooops zwarich: review+

Charles Ying
Reported 2008-11-21 14:25:19 PST
WebKit nightly r38654 crashes on the above web page.
Attachments
Ooops (984 bytes, patch)
2008-11-22 01:15 PST, Gavin Barraclough 		zwarich: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Cameron Zwarich (cpst)
Comment 1 2008-11-21 21:41:51 PST
I can confirm this with a local debug build of r38680.
Cameron Zwarich (cpst)
Comment 2 2008-11-21 22:40:49 PST
I thought this might be a reparsing bug, but it works fine in r38635, the revision that introduced reparsing.
Cameron Zwarich (cpst)
Comment 3 2008-11-21 23:18:30 PST
I can verify that this regresses in r38652, the introduction of polymorphic caching of prototype accesses.
Gavin Barraclough
Comment 4 2008-11-22 01:15:56 PST
Created attachment 25373 [details] Ooops
Cameron Zwarich (cpst)
Comment 5 2008-11-22 04:00:50 PST
Comment on attachment 25373 [details] Ooops Add a reference to this bug in the ChangeLog, and add a reproducibly failing layout test for this situation to fast/js/pic. Assuming you do that, r=me.
Cameron Zwarich (cpst)
Comment 6 2008-11-22 04:31:04 PST
*** Bug 22408 has been marked as a duplicate of this bug. ***
Cameron Zwarich (cpst)
Comment 7 2008-11-23 21:31:31 PST
Gavin, hopefully you can get around to making a test and landing this soon. This bug makes WebKit unusable for a lot of people.
Gavin Barraclough
Comment 8 2008-11-23 22:01:50 PST
Sending JavaScriptCore/ChangeLog Sending JavaScriptCore/jit/JIT.cpp Transmitting file data .. Committed revision 38697.
Mark Rowe (bdash)
Comment 9 2008-11-24 00:33:53 PST
*** Bug 22438 has been marked as a duplicate of this bug. ***
Mark Rowe (bdash)
Comment 10 2008-11-24 00:34:00 PST
*** Bug 22442 has been marked as a duplicate of this bug. ***
Mark Rowe (bdash)
Comment 11 2008-11-24 00:34:09 PST
*** Bug 22445 has been marked as a duplicate of this bug. ***
Mark Rowe (bdash)
Comment 12 2008-11-24 00:34:14 PST
*** Bug 22437 has been marked as a duplicate of this bug. ***
Mark Rowe (bdash)
Comment 13 2008-11-24 00:34:21 PST
*** Bug 22446 has been marked as a duplicate of this bug. ***
Mark Rowe (bdash)
Comment 14 2008-11-24 00:34:27 PST
*** Bug 22436 has been marked as a duplicate of this bug. ***
Mark Rowe (bdash)
Comment 15 2008-11-24 00:34:37 PST
*** Bug 22435 has been marked as a duplicate of this bug. ***
Alexey Proskuryakov
Comment 16 2008-11-24 01:35:09 PST
(In reply to comment #8) > Sending JavaScriptCore/ChangeLog > Sending JavaScriptCore/jit/JIT.cpp Can a test be added for this bug?
Mark Rowe (bdash)
Comment 17 2008-11-24 03:15:31 PST
*** Bug 22434 has been marked as a duplicate of this bug. ***
Mark Rowe (bdash)
Comment 18 2008-11-24 03:15:52 PST
*** Bug 22424 has been marked as a duplicate of this bug. ***
Mark Rowe (bdash)
Comment 19 2008-11-24 03:16:01 PST
*** Bug 22425 has been marked as a duplicate of this bug. ***
Mark Rowe (bdash)
Comment 20 2008-11-24 03:16:11 PST
*** Bug 22422 has been marked as a duplicate of this bug. ***
Mark Rowe (bdash)
Comment 21 2008-11-24 03:16:25 PST
*** Bug 22427 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.