Bug 65930

<rdar://problem/9922643> 8/9/11 11:17 AM Oliver Hunt: * SUMMARY Navigating to http://www.skinnytaste.com/2011/06/ricotta-cheese-chocolate-chip-muffins.html crashes the DFG JIT reproducibly in a debug build * STEPS TO REPRODUCE 1. Do a debug build of safari 2. Load http://www.skinnytaste.com/2011/06/ricotta-cheese-chocolate-chip-muffins.html * RESULTS Crash: ASSERTION FAILED: m_data[index].name != InvalidVirtualRegister /Volumes/Data/git/WebKit/OpenSource/Source/JavaScriptCore/dfg/DFGRegisterBank.h(329) : void JSC::DFG::RegisterBank<JSC::DFG::GPRInfo>::releaseAtIndex(unsigned int) 1 JSC::DFG::RegisterBank<JSC::DFG::GPRInfo>::releaseAtIndex(unsigned int) 2 JSC::DFG::RegisterBank<JSC::DFG::GPRInfo>::release(JSC::X86Registers::RegisterID) 3 JSC::DFG::JITCodeGenerator::fillDouble(unsigned int) 4 JSC::DFG::DoubleOperand::fpr() 5 JSC::DFG::NonSpeculativeJIT::compile(JSC::DFG::SpeculationCheckIndexIterator&, JSC::DFG::Node&) 6 JSC::DFG::NonSpeculativeJIT::compile(JSC::DFG::SpeculationCheckIndexIterator&, JSC::DFG::BasicBlock&) 7 JSC::DFG::NonSpeculativeJIT::compile(JSC::DFG::SpeculationCheckIndexIterator&) 8 JSC::DFG::JITCompiler::compileBody() 9 JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&) 10 JSC::tryDFGCompileFunction(JSC::ExecState*, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr&) 11 JSC::FunctionExecutable::compileForCallInternal(JSC::ExecState*, JSC::ScopeChainNode*, JSC::ExecState*) 12 JSC::FunctionExecutable::compileForCall(JSC::ExecState*, JSC::ScopeChainNode*, JSC::ExecState*) 13 JSC::FunctionExecutable::compileFor(JSC::ExecState*, JSC::ScopeChainNode*, JSC::CodeSpecializationKind) 14 JSC::lazyLinkFor(JSC::JITStackFrame&, JSC::CodeSpecializationKind) 15 cti_vm_lazyLinkCall 16 jscGeneratedNativeCode 17 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*) 18 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*) 19 JSC::evaluate(JSC::ExecState*, JSC::ScopeChainNode*, JSC::SourceCode const&, JSC::JSValue) 20 WebCore::JSMainThreadExecState::evaluate(JSC::ExecState*, JSC::ScopeChainNode*, JSC::SourceCode const&, JSC::JSValue) 21 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*) 22 WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) 23 WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) 24 WebCore::ScriptElement::prepareScript(WTF::TextPosition<WTF::OneBasedNumber> const&, WebCore::ScriptElement::LegacyTypeSupport) 25 WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition<WTF::OneBasedNumber> const&) 26 WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition<WTF::OneBasedNumber> const&) 27 WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() 28 WebCore::HTMLDocumentParser::canTakeNextToken(WebCore::HTMLDocumentParser::SynchronousMode, WebCore::PumpSession&) 29 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) 30 WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode) 31 WebCore::HTMLDocumentParser::resumeParsingAfterScriptExecution()