Bug 43314

Summary: REGRESSION(r64320): crash in cti_op_get_by_val + 473 : immediately after logging in to gmail.com: (r64246-r64341)
Product: WebKit
Reporter: Joe Strzemp <maccinema>
Component: JavaScriptCore
Assignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED
Severity: Major
CC: ap, barraclough, msaboff, zherczeg
Priority: P1
Version: 528+ (Nightly build)
Hardware: Mac (Intel)
OS: OS X 10.6
URL: http://gmail.com
Attachments:
Description: Patch to fix the number of JSValues to memcpy when unshift'ing
Flags: barraclough: review+, barraclough: commit-queue-

Description Joe Strzemp 2010-08-01 12:01:18 PDT
Running OS 10.6.4, webkit: r64341

Webkit consistently crashes in r64341 immediately after logging in to gmail.com.
No action other than logging in is required to reproduce the problem.

Crashing stack follows:

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x0000000100811fd9 cti_op_get_by_val + 473
1   com.apple.JavaScriptCore      	0x00000001007d79c8 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, JSC::JSValue*) + 728
2   com.apple.Safari              	0x0000000100000001 0x100000000 + 1
3   ???                           	0x000000011d97a960 0 + 4791445856
4   com.apple.WebCore             	0x0000000101141b60 WebCore::JSDOMWindowShell::~JSDOMWindowShell() + 0
5   ???                           	0x0000441f0f66ffff 0 + 74900193083391
Comment 1 Joe Strzemp 2010-08-01 12:34:11 PDT
Looks to me like the most likely suspect for this crash is changeset 64320:
"Changed the handling for removing and adding elements at the front of an array"
as JSC::JIT::emit_op_put_by_val was changed.

This started failing somewhere in r64246-r64341.
Comment 2 Joe Strzemp 2010-08-01 12:50:11 PDT
Changing to P1 as this is a reproducible crash.
Comment 3 Gavin Barraclough 2010-08-01 18:34:28 PDT
Cheers Joe, we'll investigate.
Comment 4 Zoltan Herczeg 2010-08-02 02:20:45 PDT
Could you check whether this is valid for the latest revision?

As for me, r64451 works with both Qt-debug and Mac-Leopard-release. I entered gmail.com into the url bar (it immediately redirects to some login page for Google), set the username and password (of a newly created dummy account), clicked on "Sign in", and the login succeeded.
Comment 5 Joe Strzemp 2010-08-02 11:22:56 PDT
Webkit still crashes with the most recent nightly: r64451.

In order to reproduce, it might require more than just a newly created gmail account.
I have lots of gmail messages (more than a "page" full), Buzz, and Chat entries.
Comment 6 Joe Strzemp 2010-08-02 12:00:10 PDT
Interesting note: gmail works in 32-bit mode for me, but crashes in 64-bit mode.
Comment 7 Michael Saboff 2010-08-03 19:33:48 PDT
Created attachment 63404 [details]
Patch to fix the number of JSValues to memcpy when unshift'ing
Comment 8 Gavin Barraclough 2010-08-03 20:05:01 PDT
Comment on attachment 63404 [details]
Patch to fix the number of JSValues to memcpy when unshift'ing

landing by hand
Comment 9 Gavin Barraclough 2010-08-03 20:06:30 PDT
Transmitting file data ..
Committed revision 64620.
Comment 10 Alexey Proskuryakov 2010-08-04 00:02:04 PDT
Could this have a regression test?
Comment 11 Gavin Barraclough 2010-08-04 02:09:31 PDT
Hey Alexey,

We discussed this, and it may be tricky to trigger with any consistency in an isolated test case since the bug will only occur if malloc returns non-zerofill (used) memory (along with a bunch of other conditions).  As such we thought it better to get the fix landed immediately, but Michael is going to try to produce a good test case.

cheers,
G.
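The reason a defect like this is hard to pin down in a regression test, as Gavin describes above, is that an undersized memcpy during an unshift leaves one or more slots of the new backing store holding whatever the allocator handed back. If that memory happens to be zero-filled, the slot reads as empty and the program limps along; if it is reused (non-zero) memory, the slot decodes as a garbage value and the engine crashes on the next read. The toy C model below is added here to illustrate that dependency and the usual remedy for testing it: fill freshly allocated memory with a poison pattern so the bad path is deterministic. It is not JavaScriptCore code; the `Slot`/`ToyArray` types, the "one element too few" copy count and the `0xA5` poison byte are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of an array backing store: each slot is a tagged value.
 * Assumption for illustration: tag 1 = number, tag 0 = empty slot,
 * anything else = corrupt (the analogue of a bad JSValue that crashes). */
typedef struct {
    uint64_t tag;
    int64_t value;
} Slot;

typedef struct {
    Slot *slots;
    size_t length;
} ToyArray;

#define POISON_BYTE 0xA5 /* constructed fill pattern standing in for "used" heap memory */

/* Allocate n slots and force the memory state: zero-filled (as a fresh page
 * from the OS would be) or filled with the poison pattern (as reused memory). */
static Slot *alloc_slots(size_t n, int poison)
{
    Slot *p = malloc(n * sizeof(Slot));
    if (!p)
        abort();
    memset(p, poison ? POISON_BYTE : 0, n * sizeof(Slot));
    return p;
}

/* Insert `front` at index 0 by copying the old elements into a new buffer
 * shifted up by one. The buggy variant copies one element too few (an assumed
 * defect for this illustration), leaving the last slot as the allocator left it. */
static void toy_unshift(ToyArray *a, Slot front, int buggy, int poison)
{
    size_t new_len = a->length + 1;
    Slot *fresh = alloc_slots(new_len, poison);
    size_t count = (buggy && a->length > 0) ? a->length - 1 : a->length;
    memcpy(fresh + 1, a->slots, count * sizeof(Slot));
    fresh[0] = front;
    free(a->slots);
    a->slots = fresh;
    a->length = new_len;
}

/* What a reader of slot i observes: 0 = valid value, 1 = empty slot, 2 = corrupt tag. */
static int classify_slot(const ToyArray *a, size_t i)
{
    uint64_t tag = a->slots[i].tag;
    if (tag == 1)
        return 0;
    if (tag == 0)
        return 1;
    return 2;
}

/* Build a three-element array, unshift one value, and report the worst thing a
 * subsequent read would observe (0 = fine, 1 = silently empty, 2 = corrupt). */
int probe_unshift(int buggy, int poison)
{
    ToyArray a;
    a.slots = alloc_slots(3, 0);
    for (size_t i = 0; i < 3; i++) {
        a.slots[i].tag = 1;
        a.slots[i].value = (int64_t)(10 + i);
    }
    a.length = 3;

    Slot front = { 1, 99 };
    toy_unshift(&a, front, buggy, poison);

    int worst = 0;
    for (size_t i = 0; i < a.length; i++) {
        int c = classify_slot(&a, i);
        if (c > worst)
            worst = c;
    }
    free(a.slots);
    return worst;
}

int main(void)
{
    const char *names[] = { "ok", "silent empty slot", "corrupt slot (would crash)" };
    for (int buggy = 0; buggy <= 1; buggy++)
        for (int poison = 0; poison <= 1; poison++)
            printf("buggy=%d poison=%d -> %s\n", buggy, poison,
                   names[probe_unshift(buggy, poison)]);
    return 0;
}
```

The correct copy count yields 0 regardless of memory state. The short copy yields 1 with zeroed memory (the element is lost but nothing faults) and 2 with poisoned memory, which is the case a regression test needs to force rather than hope for.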