Bug 35335

Summary: [REGRESSION in r55185] EXC_BAD_ACCESS on opening inspector.
Product: WebKit
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: All
OS: All
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Keywords: InRadar
Reporter: Pavel Feldman <pfeldman>
Assignee: Nobody <webkit-unassigned>
CC: oliver, timothy

Attachments:
Patch (Flags: ggaren: review+)

Description Pavel Feldman 2010-02-24 02:51:57 PST
1. Go to http://google.com
2. Open inspector

Actual:
#0	??
#1	0x00676373 in JSC::JSValue::toThisObject at JSCell.h:325
#2	0x0074d956 in JSC::JSFunction::call at JSFunction.cpp:122
#3	0x0069e7f1 in JSC::call at CallData.cpp:39
#4	0x00731c78 in cti_op_get_by_id_getter_stub at JITStubs.cpp:1450
#5	0x00728236 in WTF::doubleHash at HashTable.h:446
#6	0x0070c07b in JSC::JITCode::execute at JITCode.h:79
#7	0x006f6063 in JSC::Interpreter::execute at Interpreter.cpp:687
#8	0x0074d9a7 in JSC::JSFunction::call at JSFunction.cpp:122
#9	0x0069e7f1 in JSC::call at CallData.cpp:39
#10	0x0075d8e5 in JSC::JSObject::put at JSObject.cpp:149
#11	0x00709386 in JSC::JSValue::put at JSObject.h:645
#12	0x00729c08 in cti_op_put_by_id_generic at JITStubs.cpp:1204
#13	0x00728236 in WTF::doubleHash at HashTable.h:446
#14	0x0070c07b in JSC::JITCode::execute at JITCode.h:79
#15	0x006f6063 in JSC::Interpreter::execute at Interpreter.cpp:687
#16	0x0074d9a7 in JSC::JSFunction::call at JSFunction.cpp:122
#17	0x0069e7f1 in JSC::call at CallData.cpp:39
#18	0x045e57fa in WebCore::ScheduledAction::executeFunctionInContext at ScheduledAction.cpp:106
#19	0x045e5d20 in WebCore::ScheduledAction::execute at ScheduledAction.cpp:126
#20	0x045e5dff in WebCore::ScheduledAction::execute at ScheduledAction.cpp:77
#21	0x03f2b826 in WebCore::DOMTimer::fired at DOMTimer.cpp:149
#22	0x0476fb1f in WebCore::ThreadTimers::sharedTimerFiredInternal at ThreadTimers.cpp:112
#23	0x0476fcbb in WebCore::ThreadTimers::sharedTimerFired at ThreadTimers.cpp:90
#24	0x0462fec6 in WebCore::timerFired at SharedTimerMac.mm:86
Comment 1 Oliver Hunt 2010-02-24 12:14:28 PST
Got it, compileGetDirectOffset may clobber the base register if the object is not using inline storage. Weee!

We really need some way to mark a register as being immutable and have that trigger an assertion. Although I guess that wouldn't have helped here, as it still depends on hitting the code path.
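To make the failure mode described in the comment above concrete, here is an added C model of the problem. It is not JavaScriptCore's code: the register names, the `OBJECT_MAGIC` cell tag, the getter table and the way the getter stub hands the base register to the getter as `this` are all assumptions of the model. What it reproduces is the shape of the crash in the report: a property load that parks the out-of-line storage pointer in the base register, followed by a getter call that uses that register as `this`, so the getter (and the `toThisObject` check inside it) is handed the storage array instead of the object. With inline storage the same code is harmless, which is why the bug depends on hitting that path.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustrative model, not JavaScriptCore's code. It shows why a property
 * load that reuses the base (object) register as scratch breaks a later getter
 * call: the getter is invoked with the out-of-line storage array as `this`.
 * Register names, the cell tag and the getter table are assumptions of the model. */

#define OBJECT_MAGIC 0x4A534F42u   /* tag that marks a real object cell (assumed) */
#define INLINE_SLOTS 2

typedef struct {
    uint32_t magic;                    /* stands in for the Structure/type check */
    uintptr_t inlineStorage[INLINE_SLOTS];
    uintptr_t *outOfLineStorage;       /* used instead of inlineStorage once the object grows */
    int usesInlineStorage;
} Object;

/* Emulated machine registers used by the "compiled" property access. */
enum { REG_BASE, REG_RESULT, REG_SCRATCH, REG_COUNT };
typedef struct { uintptr_t r[REG_COUNT]; } Regs;

/* Model of toThisObject: read the cell tag at `thisBits`. In the real engine this
 * is where dereferencing a non-object faulted (frame #1 of the report). Reading the
 * bytes via memcpy keeps the model well defined even when `thisBits` is not an object. */
static int isObjectCell(uintptr_t thisBits)
{
    uint32_t tag;
    memcpy(&tag, (const void *)thisBits, sizeof tag);
    return tag == OBJECT_MAGIC;
}

/* A getter that reports whether it received a real object as `this`. */
static int recordingGetter(uintptr_t thisBits)
{
    return isObjectCell(thisBits);
}

typedef int (*Getter)(uintptr_t thisBits);
enum { GETTER_RECORDING = 0 };
static const Getter getters[] = { recordingGetter };   /* property slots hold an index here */

/* Model of compileGetDirectOffset: load property `offset` of the object held in
 * REG_BASE into REG_RESULT. Inline storage is read straight off the object. For
 * out-of-line storage the storage pointer must be loaded first; the buggy form
 * parks it in REG_BASE, the fixed form in REG_SCRATCH. */
static void getDirectOffset(Regs *regs, unsigned offset, int fixed)
{
    const Object *base = (const Object *)regs->r[REG_BASE];
    if (base->usesInlineStorage) {
        regs->r[REG_RESULT] = base->inlineStorage[offset];
        return;
    }
    int storageReg = fixed ? REG_SCRATCH : REG_BASE;
    regs->r[storageReg] = (uintptr_t)base->outOfLineStorage;   /* clobbers base when !fixed */
    regs->r[REG_RESULT] = ((const uintptr_t *)regs->r[storageReg])[offset];
}

/* Model of the get_by_id getter stub: load the getter out of the property slot,
 * then call it with whatever REG_BASE holds as `this`. Returns the getter's verdict. */
static int getByIdGetterStub(Object *obj, unsigned offset, int fixed)
{
    Regs regs = { { (uintptr_t)obj, 0, 0 } };
    getDirectOffset(&regs, offset, fixed);
    Getter getter = getters[regs.r[REG_RESULT]];
    return getter(regs.r[REG_BASE]);
}

/* Build one object with the chosen storage kind and run the stub. Returns 1 when
 * the getter saw the real object, 0 when it was handed the storage array. */
int runGetById(int usesInlineStorage, int fixed)
{
    uintptr_t outOfLine[4] = { GETTER_RECORDING, 0, 0, 0 };   /* constructed storage array */
    Object obj = { OBJECT_MAGIC, { GETTER_RECORDING, 0 }, outOfLine, usesInlineStorage };
    return getByIdGetterStub(&obj, 0, fixed);
}

int main(void)
{
    const char *verdict[] = { "getter saw storage array", "getter saw object" };
    printf("inline storage, buggy stub:      %s\n", verdict[runGetById(1, 0)]);
    printf("out-of-line storage, buggy stub: %s\n", verdict[runGetById(0, 0)]);
    printf("out-of-line storage, fixed stub: %s\n", verdict[runGetById(0, 1)]);
    return 0;
}
```

The only difference between the buggy and fixed paths is which register receives the storage pointer; the assertion Oliver wishes for would be a check, at emit time, that nothing writes to a register the stub still needs as `this` after the load.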
Comment 2 Oliver Hunt 2010-02-24 12:24:21 PST
<rdar://problem/7686014>
Comment 3 Oliver Hunt 2010-02-24 13:14:47 PST
Created attachment 49424 [details]
Patch
Comment 4 Geoffrey Garen 2010-02-24 13:18:10 PST
Comment on attachment 49424 [details]
Patch

r=me
Comment 5 Oliver Hunt 2010-02-24 13:26:28 PST
Committed r55198: <http://trac.webkit.org/changeset/55198>