Bug 66010

Summary: REGRESSION(r92670-r92744): WebKit crashes when opening Gmail
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: WebKit Misc.Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Critical CC: andersca, ap, aroben, dwonda, fpizlo, ggaren, oliver, webkit.review.bot
Priority: P1    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
the patch none

Ryosuke Niwa
Reported 2011-08-10 13:38:52 PDT
Reproduction steps: 1. Go to www.google.com/mail/ Crash! This appears to be JSC issue because it doesn't reproduce on Chromium.
Attachments
the patch (1.59 KB, patch)
2011-08-10 15:46 PDT, Filip Pizlo 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Oliver Hunt
Comment 1 2011-08-10 14:06:47 PDT
Can we get a crashtrace and platform?
Ryosuke Niwa
Comment 2 2011-08-10 14:10:00 PDT
Stack trace: Thread 0 Crashed: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x00000001007daec5 JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative(JSC::DFG::SpeculationCheck const&, JSC::DFG::EntryLocation const&, JSC::DFG::SpeculationRecovery*, JSC::DFG::NodeToRegisterMap&, JSC::DFG::NodeToRegisterMap&) + 5909 1 com.apple.JavaScriptCore 0x00000001007dc25a JSC::DFG::JITCompiler::linkSpeculationChecks(JSC::DFG::SpeculativeJIT&, JSC::DFG::NonSpeculativeJIT&) + 282 2 com.apple.JavaScriptCore 0x00000001007dcc87 JSC::DFG::JITCompiler::compileBody() + 2359 3 com.apple.JavaScriptCore 0x00000001007ddf04 JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&) + 788 4 com.apple.JavaScriptCore 0x0000000100817241 JSC::FunctionExecutable::compileForCallInternal(JSC::ExecState*, JSC::ScopeChainNode*, JSC::ExecState*) + 2193 5 com.apple.JavaScriptCore 0x00000001008324db JSC::Interpreter::prepareForRepeatCall(JSC::FunctionExecutable*, JSC::ExecState*, JSC::JSFunction*, int, JSC::ScopeChainNode*) + 523 6 com.apple.JavaScriptCore 0x000000010078a1af JSC::arrayProtoFuncForEach(JSC::ExecState*) + 2831 7 ??? 0x00003b3019e011e8 0 + 65077778584040 8 com.apple.JavaScriptCore 0x0000000100831245 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*) + 1573 9 ??? 0x0000000106f357a0 0 + 4411578272
Geoffrey Garen
Comment 3 2011-08-10 14:10:44 PDT
<rdar://problem/9931900>
Ryosuke Niwa
Comment 4 2011-08-10 14:10:50 PDT
(In reply to comment #1) > Can we get a crashtrace and platform? Snow Leopard on MacPro.
Filip Pizlo
Comment 5 2011-08-10 15:46:46 PDT
Created attachment 103545 [details] the patch
Geoffrey Garen
Comment 6 2011-08-10 16:02:08 PDT
*** Bug 66011 has been marked as a duplicate of this bug. ***
WebKit Review Bot
Comment 7 2011-08-10 17:17:19 PDT
Comment on attachment 103545 [details] the patch Clearing flags on attachment: 103545 Committed r92804: <http://trac.webkit.org/changeset/92804>
WebKit Review Bot
Comment 8 2011-08-10 17:17:24 PDT
All reviewed patches have been landed. Closing bug.
Alexey Proskuryakov
Comment 9 2011-08-13 21:22:36 PDT
*** Bug 66115 has been marked as a duplicate of this bug. ***
Adam Roben (:aroben)
Comment 10 2011-08-15 06:32:47 PDT
Is it not possible to write an automated regression test for this?
Geoffrey Garen
Comment 11 2011-08-15 11:10:32 PDT
Seems like it should be possible. If possible, all checkins should come with a regression test.
Filip Pizlo
Comment 12 2011-08-16 10:38:45 PDT
(In reply to comment #10) > Is it not possible to write an automated regression test for this? Sorry for not noting this in the ChangeLog, but there is no obvious automated regression test. The bug arises out of misuse of a hidden "this" argument to constructor calls. This is a synthetic notion introduced in our bytecode and our JITs - it is not exposed in the JavaScript language. As well, the bug only happens when three different register allocators in the system (the bytecompiler's virtual register allocator, the DFG parser's virtual register allocator, and the DFG back-end's physical register allocator) all make exactly the "wrong" decision based on the input. A test that would cause a failure just before this fix landed would be unlikely to continue to cause failures if even slight changes in register allocation were made subsequently.
Note You need to log in before you can comment on or make changes to this bug.