Bug 65930

Summary: DFG JIT failure loading web site
Product: WebKit Reporter: Oliver Hunt <oliver>
Component: JavaScriptCore Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal CC: barraclough, fpizlo, ggaren, webkit.review.bot
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments:
Description: the patch | Flags: none

Description Oliver Hunt 2011-08-09 11:20:31 PDT
<rdar://problem/9922643>
8/9/11 11:17 AM Oliver Hunt:
* SUMMARY
Navigating to http://www.skinnytaste.com/2011/06/ricotta-cheese-chocolate-chip-muffins.html crashes the DFG JIT reproducibly in a debug build

* STEPS TO REPRODUCE
1. Do a debug build of Safari
2. Load http://www.skinnytaste.com/2011/06/ricotta-cheese-chocolate-chip-muffins.html

* RESULTS
Crash:
ASSERTION FAILED: m_data[index].name != InvalidVirtualRegister
/Volumes/Data/git/WebKit/OpenSource/Source/JavaScriptCore/dfg/DFGRegisterBank.h(329) : void JSC::DFG::RegisterBank<JSC::DFG::GPRInfo>::releaseAtIndex(unsigned int)
1   JSC::DFG::RegisterBank<JSC::DFG::GPRInfo>::releaseAtIndex(unsigned int)
2   JSC::DFG::RegisterBank<JSC::DFG::GPRInfo>::release(JSC::X86Registers::RegisterID)
3   JSC::DFG::JITCodeGenerator::fillDouble(unsigned int)
4   JSC::DFG::DoubleOperand::fpr()
5   JSC::DFG::NonSpeculativeJIT::compile(JSC::DFG::SpeculationCheckIndexIterator&, JSC::DFG::Node&)
6   JSC::DFG::NonSpeculativeJIT::compile(JSC::DFG::SpeculationCheckIndexIterator&, JSC::DFG::BasicBlock&)
7   JSC::DFG::NonSpeculativeJIT::compile(JSC::DFG::SpeculationCheckIndexIterator&)
8   JSC::DFG::JITCompiler::compileBody()
9   JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&)
10  JSC::tryDFGCompileFunction(JSC::ExecState*, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr&)
11  JSC::FunctionExecutable::compileForCallInternal(JSC::ExecState*, JSC::ScopeChainNode*, JSC::ExecState*)
12  JSC::FunctionExecutable::compileForCall(JSC::ExecState*, JSC::ScopeChainNode*, JSC::ExecState*)
13  JSC::FunctionExecutable::compileFor(JSC::ExecState*, JSC::ScopeChainNode*, JSC::CodeSpecializationKind)
14  JSC::lazyLinkFor(JSC::JITStackFrame&, JSC::CodeSpecializationKind)
15  cti_vm_lazyLinkCall
16  jscGeneratedNativeCode
17  JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*)
18  JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*)
19  JSC::evaluate(JSC::ExecState*, JSC::ScopeChainNode*, JSC::SourceCode const&, JSC::JSValue)
20  WebCore::JSMainThreadExecState::evaluate(JSC::ExecState*, JSC::ScopeChainNode*, JSC::SourceCode const&, JSC::JSValue)
21  WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*)
22  WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&)
23  WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&)
24  WebCore::ScriptElement::prepareScript(WTF::TextPosition<WTF::OneBasedNumber> const&, WebCore::ScriptElement::LegacyTypeSupport)
25  WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition<WTF::OneBasedNumber> const&)
26  WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition<WTF::OneBasedNumber> const&)
27  WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder()
28  WebCore::HTMLDocumentParser::canTakeNextToken(WebCore::HTMLDocumentParser::SynchronousMode, WebCore::PumpSession&)
29  WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode)
30  WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode)
31  WebCore::HTMLDocumentParser::resumeParsingAfterScriptExecution()
Comment 1 Filip Pizlo 2011-08-09 13:34:21 PDT
*** Bug 65937 has been marked as a duplicate of this bug. ***
Comment 2 Filip Pizlo 2011-08-09 14:08:18 PDT
Created attachment 103395 [details]
the patch
Comment 3 Oliver Hunt 2011-08-09 14:11:45 PDT
Comment on attachment 103395 [details]
the patch

r=me
Comment 4 Filip Pizlo 2011-08-09 14:19:54 PDT
Comment on attachment 103395 [details]
the patch

Tests pass, ready to land.
Comment 5 WebKit Review Bot 2011-08-09 14:39:11 PDT
Comment on attachment 103395 [details]
the patch

Clearing flags on attachment: 103395

Committed r92710: <http://trac.webkit.org/changeset/92710>
Comment 6 WebKit Review Bot 2011-08-09 14:39:15 PDT
All reviewed patches have been landed.  Closing bug.