Bug 35335

Summary:

[REGRESSION in r55185] EXC_BAD_ACCESS on opening inspector.

Product:

WebKit

Reporter:

Pavel Feldman <pfeldman>

Component:

JavaScriptCore

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

oliver, timothy

Priority:

Keywords:

InRadar

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Attachments:

Description	Flags
Patch	ggaren: review+

Pavel Feldman

Reported 2010-02-24 02:51:57 PST

1. Go to http://google.com 2. Open inspector Actual: #0 ?? #1 0x00676373 in JSC::JSValue::toThisObject at JSCell.h:325 #2 0x0074d956 in JSC::JSFunction::call at JSFunction.cpp:122 #3 0x0069e7f1 in JSC::call at CallData.cpp:39 #4 0x00731c78 in cti_op_get_by_id_getter_stub at JITStubs.cpp:1450 #5 0x00728236 in WTF::doubleHash at HashTable.h:446 #6 0x0070c07b in JSC::JITCode::execute at JITCode.h:79 #7 0x006f6063 in JSC::Interpreter::execute at Interpreter.cpp:687 #8 0x0074d9a7 in JSC::JSFunction::call at JSFunction.cpp:122 #9 0x0069e7f1 in JSC::call at CallData.cpp:39 #10 0x0075d8e5 in JSC::JSObject::put at JSObject.cpp:149 #11 0x00709386 in JSC::JSValue::put at JSObject.h:645 #12 0x00729c08 in cti_op_put_by_id_generic at JITStubs.cpp:1204 #13 0x00728236 in WTF::doubleHash at HashTable.h:446 #14 0x0070c07b in JSC::JITCode::execute at JITCode.h:79 #15 0x006f6063 in JSC::Interpreter::execute at Interpreter.cpp:687 #16 0x0074d9a7 in JSC::JSFunction::call at JSFunction.cpp:122 #17 0x0069e7f1 in JSC::call at CallData.cpp:39 #18 0x045e57fa in WebCore::ScheduledAction::executeFunctionInContext at ScheduledAction.cpp:106 #19 0x045e5d20 in WebCore::ScheduledAction::execute at ScheduledAction.cpp:126 #20 0x045e5dff in WebCore::ScheduledAction::execute at ScheduledAction.cpp:77 #21 0x03f2b826 in WebCore::DOMTimer::fired at DOMTimer.cpp:149 #22 0x0476fb1f in WebCore::ThreadTimers::sharedTimerFiredInternal at ThreadTimers.cpp:112 #23 0x0476fcbb in WebCore::ThreadTimers::sharedTimerFired at ThreadTimers.cpp:90 #24 0x0462fec6 in WebCore::timerFired at SharedTimerMac.mm:86

Attachments
Patch (10.61 KB, patch) 2010-02-24 13:14 PST, Oliver Hunt	ggaren: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Oliver Hunt

Comment 1 2010-02-24 12:14:28 PST

Got it, compileGetDirectOffset may clobber the base register if the object is not using inline storage. Weee! We really need some way to mark a register as being immutable and have that trigger assertion. Although i guess that wouldn't have helped here as it still depends on hitting the code path.

Oliver Hunt

Comment 2 2010-02-24 12:24:21 PST

<rdar://problem/7686014>

Oliver Hunt

Comment 3 2010-02-24 13:14:47 PST

Created attachment 49424 [details] Patch

Geoffrey Garen

Comment 4 2010-02-24 13:18:10 PST

Comment on attachment 49424 [details] Patch r=me

Oliver Hunt

Comment 5 2010-02-24 13:26:28 PST

Committed r55198: <http://trac.webkit.org/changeset/55198>

Note You need to log in before you can comment on or make changes to this bug.