Bug 53527

Summary:	[Chromium] fast/frames/iframe-reparenting-new-page.html is flakey
Product:	WebKit	Reporter:	Dimitri Glazkov (Google) <dglazkov>
Component:	Frames	Assignee:	Nobody <webkit-unassigned>
Status:	RESOLVED INVALID
Severity:	Normal	CC:	dglazkov, dimich, jennb, leviw, vsevik
Priority:	P2
Version:	528+ (Nightly build)
Hardware:	PC
OS:	OS X 10.5

Dimitri Glazkov (Google)

Reported 2011-02-01 13:36:33 PST

It seems like it's been in this state for a while. Most recent crash stack trace (I must admit, I have no idea what this means): ==== Stack trace ============================================ Security context: 0BADB805 <JS Object>#0# 1: InstantiateFunction [native apinatives.js:72] (this=0BAD4449 <JS Object>#1#,a=08BAC4E1 <FunctionTemplateInfo>#2#,b=08BC7125 <String[17]: queryCommandValue>) 2: Instantiate [native apinatives.js:49] (this=0BAD4449 <JS Object>#1#,a=08BAC4E1 <FunctionTemplateInfo>#2#,b=08BC7125 <String[17]: queryCommandValue>) 3: ConfigureTemplateInstance [native apinatives.js:103] (this=0BAD4449 <JS Object>#1#,a=07308EE9 <an Object>>#3#,b=08BAB755 <ObjectTemplateInfo>#4#) 4: Instantiate [native apinatives.js:53] (this=0BAD4449 <JS Object>#1#,a=08BAB755 <ObjectTemplateInfo>#4#,b=08BB004D <undefined>) 5: arguments adaptor frame: 1->2 6: InstantiateFunction [native apinatives.js:76] (this=0BAD4449 <JS Object>#1#,a=08BAAFA1 <FunctionTemplateInfo>#5#,b=08BB004D <undefined>) 7: Instantiate [native apinatives.js:49] (this=0BAD4449 <JS Object>#1#,a=08BAAFA1 <FunctionTemplateInfo>#5#,b=08BB004D <undefined>) 8: arguments adaptor frame: 1->2 9: InstantiateFunction [native apinatives.js:80] (this=0BAD4449 <JS Object>#1#,a=08BAAF55 <FunctionTemplateInfo>#6#,b=08BB004D <undefined>) 10: Instantiate [native apinatives.js:49] (this=0BAD4449 <JS Object>#1#,a=08BAAF55 <FunctionTemplateInfo>#6#,b=08BB004D <undefined>) 11: arguments adaptor frame: 1->2 ==== Details ================================================ [1]: InstantiateFunction [native apinatives.js:72] (this=0BAD4449 <JS Object>#1#,a=08BAC4E1 <FunctionTemplateInfo>#2#,b=08BC7125 <String[17]: queryCommandValue>) { // stack-allocated locals var .catch-var = 08BB004D <undefined> // heap-allocated locals var .arguments = 0730AE0D <an Arguments>>#7# var i = 08BB004D <undefined> var d = 0BAD745D <an Object>>#8# var j = 08BB004D <undefined> var l = 08BB004D <undefined> var h = 08BB00B5 <false> var g = 89 var arguments = 0730AE0D <an Arguments>>#7# var k = 08BB004D <undefined> // expression stack (top to bottom) [05] : 08BAC4E1 <FunctionTemplateInfo>#2# --------- s o u r c e c o d e --------- function InstantiateFunction(a,b){???var d=kApiFunctionCache;?var g=%GetTemplateField(a,2);?var h=?(g in d)&&(d[g]!=-1);?if(!h){?try{?d[g]=null;?var i=%CreateApiFunction(a);?if(b)%FunctionSetName(i,b);?d[g]=i;?var j=%GetTemplateField(a,5);?i.prototype=j?Instantiate(j):{};?%SetProperty(i.prototype,"constructor",i,2);?var k=%Get... ----------------------------------------- } [2]: Instantiate [native apinatives.js:49] (this=0BAD4449 <JS Object>#1#,a=08BAC4E1 <FunctionTemplateInfo>#2#,b=08BC7125 <String[17]: queryCommandValue>) { // stack-allocated locals var d = 0 var h = 08BB004D <undefined> var g = 08BB004D <undefined> --------- s o u r c e c o d e --------- function Instantiate(a,b){?if(!%IsTemplate(a))return a;?var d=%GetTemplateField(a,0);?switch(d){?case 0:?return InstantiateFunction(a,b);?case 1:?var g=%GetTemplateField(a,2);?var h=g?new(Instantiate(g))():{};?ConfigureTemplateInstance(h,a);?h=%ToFastProperties(h);?return h;?default:?throw'Unknown API tag <'+d+'>';?}?} ----------------------------------------- } [3]: ConfigureTemplateInstance [native apinatives.js:103] (this=0BAD4449 <JS Object>#1#,a=07308EE9 <an Object>>#3#,b=08BAB755 <ObjectTemplateInfo>#4#) { // stack-allocated locals var i = 08BC7125 <String[17]: queryCommandValue> var d = 08D42D81 <JS Object>#9# var j = 08BAC4E1 <FunctionTemplateInfo>#2# var l = 0BADDE89 <JS Function queryCommandSupported>#10# var h = 63 var g = 08BB00B5 <false> var k = 4 // expression stack (top to bottom) --------- s o u r c e c o d e --------- function ConfigureTemplateInstance(a,b){?var d=%GetTemplateField(b,1);?if(d){??var g=%DisableAccessChecks(a);?try{?for(var h=0;h<d[0];h+=3){?var i=d[h+1];?var j=d[h+2];?var k=d[h+3];?var l=Instantiate(j,i);?%SetProperty(a,i,l,k);?}?}finally{?if(g)%EnableAccessChecks(a);?}?}?} ----------------------------------------- } [4]: Instantiate [native apinatives.js:53] (this=0BAD4449 <JS Object>#1#,a=08BAB755 <ObjectTemplateInfo>#4#,b=08BB004D <undefined>) { // stack-allocated locals var d = 1 var h = 07308EE9 <an Object>>#3# var g = 08BB004D <undefined> --------- s o u r c e c o d e --------- function Instantiate(a,b){?if(!%IsTemplate(a))return a;?var d=%GetTemplateField(a,0);?switch(d){?case 0:?return InstantiateFunction(a,b);?case 1:?var g=%GetTemplateField(a,2);?var h=g?new(Instantiate(g))():{};?ConfigureTemplateInstance(h,a);?h=%ToFastProperties(h);?return h;?default:?throw'Unknown API tag <'+d+'>';?}?} ----------------------------------------- } [5]: arguments adaptor frame: 1->2 { // actual arguments [00] : 08BAB755 <ObjectTemplateInfo>#4# } [6]: InstantiateFunction [native apinatives.js:76] (this=0BAD4449 <JS Object>#1#,a=08BAAFA1 <FunctionTemplateInfo>#5#,b=08BB004D <undefined>) { // stack-allocated locals var .catch-var = 08BB004D <undefined> // heap-allocated locals var .arguments = 07308649 <an Arguments>>#11# var i = 0BADD409 <JS Function Document>#12# var d = 0BAD745D <an Object>>#8# var j = 08BAB755 <ObjectTemplateInfo>#4# var l = 08BB004D <undefined> var h = 08BB00B5 <false> var g = 49 var arguments = 07308649 <an Arguments>>#11# var k = 08BB004D <undefined> // expression stack (top to bottom) [05] : 0BADD409 <JS Function Document>#12# --------- s o u r c e c o d e --------- function InstantiateFunction(a,b){???var d=kApiFunctionCache;?var g=%GetTemplateField(a,2);?var h=?(g in d)&&(d[g]!=-1);?if(!h){?try{?d[g]=null;?var i=%CreateApiFunction(a);?if(b)%FunctionSetName(i,b);?d[g]=i;?var j=%GetTemplateField(a,5);?i.prototype=j?Instantiate(j):{};?%SetProperty(i.prototype,"constructor",i,2);?var k=%Get... ----------------------------------------- } [7]: Instantiate [native apinatives.js:49] (this=0BAD4449 <JS Object>#1#,a=08BAAFA1 <FunctionTemplateInfo>#5#,b=08BB004D <undefined>) { // stack-allocated locals var d = 0 var h = 08BB004D <undefined> var g = 08BB004D <undefined> --------- s o u r c e c o d e --------- function Instantiate(a,b){?if(!%IsTemplate(a))return a;?var d=%GetTemplateField(a,0);?switch(d){?case 0:?return InstantiateFunction(a,b);?case 1:?var g=%GetTemplateField(a,2);?var h=g?new(Instantiate(g))():{};?ConfigureTemplateInstance(h,a);?h=%ToFastProperties(h);?return h;?default:?throw'Unknown API tag <'+d+'>';?}?} ----------------------------------------- } [8]: arguments adaptor frame: 1->2 { // actual arguments [00] : 08BAAFA1 <FunctionTemplateInfo>#5# } [9]: InstantiateFunction [native apinatives.js:80] (this=0BAD4449 <JS Object>#1#,a=08BAAF55 <FunctionTemplateInfo>#6#,b=08BB004D <undefined>) { // stack-allocated locals var .catch-var = 08BB004D <undefined> // heap-allocated locals var .arguments = 073067D1 <an Arguments>>#13# var i = 0BADCF89 <JS Function HTMLDocument>#14# var d = 0BAD745D <an Object>>#8# var j = 08BACB0D <ObjectTemplateInfo>#15# var l = 08BB004D <undefined> var h = 08BB00B5 <false> var g = 48 var arguments = 073067D1 <an Arguments>>#13# var k = 08BAAFA1 <FunctionTemplateInfo>#5# // expression stack (top to bottom) --------- s o u r c e c o d e --------- function InstantiateFunction(a,b){???var d=kApiFunctionCache;?var g=%GetTemplateField(a,2);?var h=?(g in d)&&(d[g]!=-1);?if(!h){?try{?d[g]=null;?var i=%CreateApiFunction(a);?if(b)%FunctionSetName(i,b);?d[g]=i;?var j=%GetTemplateField(a,5);?i.prototype=j?Instantiate(j):{};?%SetProperty(i.prototype,"constructor",i,2);?var k=%Get... ----------------------------------------- } [10]: Instantiate [native apinatives.js:49] (this=0BAD4449 <JS Object>#1#,a=08BAAF55 <FunctionTemplateInfo>#6#,b=08BB004D <undefined>) { // stack-allocated locals var d = 0 var h = 08BB004D <undefined> var g = 08BB004D <undefined> --------- s o u r c e c o d e --------- function Instantiate(a,b){?if(!%IsTemplate(a))return a;?var d=%GetTemplateField(a,0);?switch(d){?case 0:?return InstantiateFunction(a,b);?case 1:?var g=%GetTemplateField(a,2);?var h=g?new(Instantiate(g))():{};?ConfigureTemplateInstance(h,a);?h=%ToFastProperties(h);?return h;?default:?throw'Unknown API tag <'+d+'>';

Attachments
Add attachment proposed patch, testcase, etc.

Dimitri Glazkov (Google)

Comment 1 2011-02-01 13:40:57 PST

http://test-results.appspot.com/dashboards/flakiness_dashboard.html#showExpectations=true&master=ChromiumWebkit&tests=fast%2Fframes%2Fiframe-reparenting-new-page.html

Dmitry Titov

Comment 2 2011-02-01 17:56:34 PST

This only happens on Chromium Win. Mac and Linux never saw this particular crash since test was enabled. They show 1 and 2 crashes on flakiness dashboard, but that was another one, caused by a patch since reverted.

Dmitry Titov

Comment 3 2011-02-07 23:03:33 PST

I couldn't get it to repro on any platform, we looked at JS dump with Mads Ager and the best theory is that it's out-of-memory situation since it fails in trying to allocate a function object (locals before allocation are initialized, after - uninitialized). Also, I don't see this crash on the flakiness dashboard, all the latest runs are green. Will watch it for a while and enable if it doesn't fail any more.

Vsevolod Vlasov

Comment 4 2011-12-07 09:30:06 PST

This is still crashing sometimes on mac and linux debug builds and misses expectations on win debug every once in a while.

Levi Weintraub

Comment 5 2012-03-20 02:04:57 PDT

This test no longer exists as of http://trac.webkit.org/changeset/111361.

Note You need to log in before you can comment on or make changes to this bug.