Bug 43314

Summary: REGRESSION(r64320): crash in cti_op_get_by_val + 473 : immediately after logging in to gmail.com: (r64246-r64341)
Product: WebKit Reporter: Joe Strzemp <maccinema>
Component: JavaScriptCoreAssignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED    
Severity: Major CC: ap, barraclough, msaboff, zherczeg
Priority: P1    
Version: 528+ (Nightly build)   
Hardware: Mac (Intel)   
OS: OS X 10.6   
URL: http://gmail.com
Attachments:
Description Flags
Patch to fix the number of JSValues to memcpy when unshift'ing barraclough: review+, barraclough: commit-queue-

Joe Strzemp
Reported 2010-08-01 12:01:18 PDT
Running OS 10.6.4 webkit: r64341 Webkit consistently crashes in r64341 immediately after logging in to gmail.com. No action other than logging in is required to reproduce the problem. Crashing stack follows: Thread 0 Crashed: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x0000000100811fd9 cti_op_get_by_val + 473 1 com.apple.JavaScriptCore 0x00000001007d79c8 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, JSC::JSValue*) + 728 2 com.apple.Safari 0x0000000100000001 0x100000000 + 1 3 ??? 0x000000011d97a960 0 + 4791445856 4 com.apple.WebCore 0x0000000101141b60 WebCore::JSDOMWindowShell::~JSDOMWindowShell() + 0 5 ??? 0x0000441f0f66ffff 0 + 74900193083391
Attachments
Patch to fix the number of JSValues to memcpy when unshift'ing (1.71 KB, patch)
2010-08-03 19:33 PDT, Michael Saboff 		barraclough: review+
barraclough: commit-queue-
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Joe Strzemp
Comment 1 2010-08-01 12:34:11 PDT
Looks to me like the most likely suspect for this crash is changeset 64320: "Changed the handling for removing and adding elements at the front of an array" as JSC::JIT:: emit_op_put_by_val was changed. This started failing somewhere in r64246-r64341.
Joe Strzemp
Comment 2 2010-08-01 12:50:11 PDT
Changing to P1 as this is a reproducible crash.
Gavin Barraclough
Comment 3 2010-08-01 18:34:28 PDT
Cheers Joe, we'll investigate.
Zoltan Herczeg
Comment 4 2010-08-02 02:20:45 PDT
Could you check whether this is valid for the latest revision? As for me, r64451 works with both Qt-debug and Mac-Leopard-release. I entered gmail.com into the url bar (immediately redirects to some login page for Google), set the username and password (of a newly created dummy account), click on "Sign in", and the login is succeded.
Joe Strzemp
Comment 5 2010-08-02 11:22:56 PDT
Webkit still crashes with the most recent nightly: r64451. In order to reproduce, it might require more than just a newly created gmail account. I have lots of gmail messages (more than a "page" full), Buzz, and Chat entries.
Joe Strzemp
Comment 6 2010-08-02 12:00:10 PDT
Interesting note: gmail works in 32-bit mode for me, but crashes in 64-bit mode.
Michael Saboff
Comment 7 2010-08-03 19:33:48 PDT
Created attachment 63404 [details] Patch to fix the number of JSValues to memcpy when unshift'ing
Gavin Barraclough
Comment 8 2010-08-03 20:05:01 PDT
Comment on attachment 63404 [details] Patch to fix the number of JSValues to memcpy when unshift'ing landing by hand
Gavin Barraclough
Comment 9 2010-08-03 20:06:30 PDT
Transmitting file data .. Committed revision 64620.
Alexey Proskuryakov
Comment 10 2010-08-04 00:02:04 PDT
Could this have a regression test?
Gavin Barraclough
Comment 11 2010-08-04 02:09:31 PDT
Hey Alexey, We discussed this, and it may be tricky to trigger with any consistency in an isolated test case since the bug will only occur if malloc returns non-zerofill (used) memory (along with a bunch of other conditions). As such we thought it better to get the fix landed immediately, but Micheal is going to try to produce a good test case. cheers, G.
Note You need to log in before you can comment on or make changes to this bug.