Bug 69412

Summary:

REGRESSION (r95399): Web process hangs when opening documents on Google Docs

Product:

WebKit

Reporter:

Juan Falgueras <juanfc>

Component:

JavaScriptCore

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Major

CC:

ap, barraclough, darin, fpizlo, rcombs, webkit.review.bot

Priority:

Keywords:

Regression

Version:

528+ (Nightly build)

Hardware:

Unspecified

OS:

Unspecified

URL:

http://docs.google.com

Attachments:

Description	Flags
Safari WebContent sample	none
Webkit sample	none
the patch	oliver: review-
the patch	none
the patch	oliver: review+

Juan Falgueras

Reported 2011-10-05 04:55:05 PDT

Entering in Google Doc (new interface at least) with Nightly Build hangs it.

Attachments
Safari WebContent sample (93.30 KB, text/plain) 2011-10-06 04:12 PDT, Juan Falgueras	no flags	Details
Webkit sample (34.20 KB, text/plain) 2011-10-06 04:13 PDT, Juan Falgueras	no flags	Details
the patch (7.47 KB, patch) 2011-10-10 13:36 PDT, Filip Pizlo	oliver: review-	Details Formatted Diff Diff
the patch (6.44 KB, patch) 2011-10-10 13:51 PDT, Filip Pizlo	no flags	Details Formatted Diff Diff
the patch (7.58 KB, patch) 2011-10-10 15:14 PDT, Filip Pizlo	oliver: review+	Details Formatted Diff Diff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.

Alexey Proskuryakov

Comment 1 2011-10-05 23:38:53 PDT

I can open docs.google.com with r96636 without problem. What nightly build are you seeing this with? Could you please post more detailed steps to reproduce? Also could you please run "sample Safari" and "sample WebProcess" in command line, and attach the results if you can still reproduce this?

Juan Falgueras

Comment 2 2011-10-06 04:12:52 PDT

Created attachment 109943 [details] Safari WebContent sample

Juan Falgueras

Comment 3 2011-10-06 04:13:25 PDT

Created attachment 109944 [details] Webkit sample

Juan Falgueras

Comment 4 2011-10-06 04:13:38 PDT

The problem is not opening the Site, but a simple Document, My KBuild: r96792 If you get into any Doc it draws only its frame, but the contents (JavaScript related?) makes Knightly B. hang, irresponsive. After that (you must close the Gdoc via clicking the window close button) Webkit tells you you need to reload every page. Juan F.

Alexey Proskuryakov

Comment 5 2011-10-06 11:02:30 PDT

Thank you! This doesn't happen with every document, but I can now reproduce with <https://docs.google.com/document/d/1as5xYjyMSCph4960iz0-Kb7hZKf_L6f2vts57NMcVBI/edit?hl=en_US> (no login required). Regressed in <http://trac.webkit.org/changeset/95399>.

Filip Pizlo

Comment 6 2011-10-06 12:34:50 PDT

(In reply to comment #5) > Thank you! > > This doesn't happen with every document, but I can now reproduce with <https://docs.google.com/document/d/1as5xYjyMSCph4960iz0-Kb7hZKf_L6f2vts57NMcVBI/edit?hl=en_US> (no login required). > > Regressed in <http://trac.webkit.org/changeset/95399>. Thanks for zeroing in on this. I'll take a look!

Filip Pizlo

Comment 7 2011-10-10 13:07:20 PDT

*** Bug 69775 has been marked as a duplicate of this bug. ***

Filip Pizlo

Comment 8 2011-10-10 13:21:49 PDT

OK, looks like I see what's going on. The double case of ArithMin and ArithMax are totally broken. When the two values are equal, it adds them together. So Math.min(1.5, 1.5) == 3. The reason for the adding is to have efficient support for Math.min(1.5, NaN) and Math.min(NaN, 1.5). When the two values are unordered (either or both are NaN), Math.min() should return NaN. Easiest way to do that is if you know one is NaN (but you don't know *which* one) then you add the two numbers together, which is gauranteed to result in NaN. But the unordered case was erroneously being reached when the two values were equal. Patch forthcoming.

Filip Pizlo

Comment 9 2011-10-10 13:36:18 PDT

Created attachment 110392 [details] the patch

WebKit Review Bot

Comment 10 2011-10-10 13:38:30 PDT

Attachment 110392 [details] did not pass style-queue: Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'LayoutTests/ChangeLog', u'LayoutTests/fast..." exit_code: 1 Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:688: More than one command on the same line in if [whitespace/parens] [4] Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:707: More than one command on the same line in if [whitespace/parens] [4] Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:711: More than one command on the same line in if [whitespace/parens] [4] Total errors found: 3 in 9 files If any of these errors are false positives, please file a bug against check-webkit-style.

Oliver Hunt

Comment 11 2011-10-10 13:43:49 PDT

Comment on attachment 110392 [details] the patch View in context: https://bugs.webkit.org/attachment.cgi?id=110392&action=review >> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:688 >> + if (false) return false; > > More than one command on the same line in if [whitespace/parens] [4] This seems unlikely to be correct... >> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:707 >> + if (false) return false; > > More than one command on the same line in if [whitespace/parens] [4] :D >> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:711 >> + if (false) return false; > > More than one command on the same line in if [whitespace/parens] [4] :D > Source/JavaScriptCore/jit/JIT.cpp:540 > -#if ENABLE(DFG_JIT) > - if (m_canBeOptimized) > - m_startOfCode = label(); > +#if ENABLE(DFG_JIT) || ENABLE(JIT_VERBOSE) > + m_startOfCode = label(); Shouldn't this be if (m_canBeOptimized || ENABLE(JIT_VERBOSE)) ?

Filip Pizlo

Comment 12 2011-10-10 13:49:49 PDT

> >> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:688 > >> + if (false) return false; > > > > More than one command on the same line in if [whitespace/parens] [4] > > This seems unlikely to be correct… Ahhhh, that's embarrassing. > > Source/JavaScriptCore/jit/JIT.cpp:540 > > -#if ENABLE(DFG_JIT) > > - if (m_canBeOptimized) > > - m_startOfCode = label(); > > +#if ENABLE(DFG_JIT) || ENABLE(JIT_VERBOSE) > > + m_startOfCode = label(); > > Shouldn't this be if (m_canBeOptimized || ENABLE(JIT_VERBOSE)) ? The alternative scares me, and label() is free. I'm setting it whenever the field exists because otherwise you'd have something like: #if ENABLE(DFG_JIT) || ENABLE(JIT_VERBOSE) #if ENABLE(VALUE_PROFILER) if (m_canBeOptimized || ENABLE(JIT_VERBOSE)) #else if (true) #endif m_startOfCode = label(); #endif Or something like that. Problem is that m_canBeOptimized is a field that doesn't always exist, and m_startOfCode is also a field that doesn't always exist. I'd rather keep it simple.

Filip Pizlo

Comment 13 2011-10-10 13:51:42 PDT

Created attachment 110399 [details] the patch

Oliver Hunt

Comment 14 2011-10-10 14:17:00 PDT

Comment on attachment 110399 [details] the patch Have you verified that 32_64 is correct?

Filip Pizlo

Comment 15 2011-10-10 14:19:29 PDT

(In reply to comment #14) > (From update of attachment 110399 [details]) > Have you verified that 32_64 is correct? Of course not, because that would have been the sensible thing to do. New patch on the way...

Filip Pizlo

Comment 16 2011-10-10 15:14:41 PDT

Created attachment 110412 [details] the patch added 32_64 changes

Adam Barth

Comment 17 2011-10-15 01:50:04 PDT

Comment on attachment 110399 [details] the patch Cleared Oliver Hunt's review+ from obsolete attachment 110399 [details] so that this bug does not appear in http://webkit.org/pending-commit.

Filip Pizlo

Comment 18 2011-10-20 13:32:19 PDT

Landed in http://trac.webkit.org/changeset/97099

Note You need to log in before you can comment on or make changes to this bug.