Bug 96184

Summary: [GTK][Stable] Crash in JSC::DFG::SpeculativeJIT::speculateArray(JSC::DFG::Array::Mode, JSC::DFG::Edge, JSC::X86Registers::RegisterID)
Product: WebKit
Reporter: Priit Laes (IRC: plaes) <plaes>
Component: WebKitGTK
Assignee: Nobody <webkit-unassigned>
Status: UNCONFIRMED
Severity: Normal
CC: bugs-noreply, fpizlo, mrobinson, zan
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
URL: http://android-coding.blogspot.com/2011/08/simple-listview-using.html
Attachments:
Crash log (flags: none)

Priit Laes (IRC: plaes)
Reported 2012-09-08 09:55:42 PDT
Webkit-gtk-1.9.91, epiphany on x86. Getting it on twitter page (logged in):

(gdb) bt
#0  0xb53aef5e in JSC::DFG::SpeculativeJIT::speculateArray(JSC::DFG::Array::Mode, JSC::DFG::Edge, JSC::X86Registers::RegisterID) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#1  0xb538d18c in JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node&) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#2  0xb53b355e in JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#3  0xb53b3b12 in JSC::DFG::SpeculativeJIT::compile() () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#4  0xb5351ecb in JSC::DFG::JITCompiler::compileBody(JSC::DFG::SpeculativeJIT&) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#5  0xb535466e in JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#6  0xb534ad6e in JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int) [clone .part.194] () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#7  0xb54e6a12 in JSC::FunctionExecutable::compileForCallInternal(JSC::ExecState*, JSC::ScopeChainNode*, JSC::JITCode::JITType, unsigned int) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#8  0xb54e6b3a in JSC::FunctionExecutable::compileOptimizedForCall(JSC::ExecState*, JSC::ScopeChainNode*, unsigned int) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#9  0xb52c919d in JSC::FunctionCodeBlock::compileOptimized(JSC::ExecState*, JSC::ScopeChainNode*, unsigned int) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#10 0xb541fb47 in cti_optimize () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#11 0x8c62e08b in ?? ()
#12 0xb53d9fc9 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#13 0xb54d3cf2 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#14 0xb67c5152 in WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue, WebCore::ScriptExecutionContext*) () from /usr/lib/libwebkitgtk-3.0.so.0
#15 0xb67c59b7 in WebCore::ScheduledAction::execute(WebCore::Document*) () from /usr/lib/libwebkitgtk-3.0.so.0
#16 0xb67c5a90 in WebCore::ScheduledAction::execute(WebCore::ScriptExecutionContext*) () from /usr/lib/libwebkitgtk-3.0.so.0
#17 0xb6d56d7e in WebCore::DOMTimer::fired() () from /usr/lib/libwebkitgtk-3.0.so.0
#18 0xb6eb443a in WebCore::ThreadTimers::sharedTimerFiredInternal() () from /usr/lib/libwebkitgtk-3.0.so.0
#19 0xb6eb44b5 in WebCore::ThreadTimers::sharedTimerFired() () from /usr/lib/libwebkitgtk-3.0.so.0
#20 0xb787462b in WebCore::timeout_cb(void*) () from /usr/lib/libwebkitgtk-3.0.so.0
#21 0xb58b8d8f in g_timeout_dispatch (source=0x9fe5e30, callback=0xb7874610 <WebCore::timeout_cb(void*)>, user_data=0x0) at gmain.c:4026
#22 0xb58b8038 in g_main_dispatch (context=0x8142e68) at gmain.c:2715
#23 g_main_context_dispatch (context=0x8142e68) at gmain.c:3219
#24 0xb58b83f8 in g_main_context_iterate (dispatch=1, block=-1249090400, context=0x8142e68, self=<optimized out>) at gmain.c:3290
#25 g_main_context_iterate (context=0x8142e68, block=-1249090400, dispatch=1, self=<optimized out>) at gmain.c:3227
#26 0xb58b84dd in g_main_context_iteration (context=0x8142e68, may_block=1) at gmain.c:3351
#27 0xb5afaf0f in g_application_run (application=0x81498f8, argc=1, argv=0xbfffed74) at gapplication.c:1607
#28 0x080710d1 in main (argc=1, argv=0xbfffed74) at ephy-main.c:499
Attachments
Crash log (59.86 KB, text/plain), 2013-05-29 10:45 PDT, Nick Heer, no flags
Priit Laes (IRC: plaes)
Comment 1 2012-09-09 08:59:00 PDT
One page that's causing it reliably.
Priit Laes (IRC: plaes)
Comment 3 2012-09-11 01:43:21 PDT
Red herring seems to be 7aed8d8263a38a669db87eea22e6946516541d09 (where this function was added). Will check whether the next patch that touches this code fixes that.
Priit Laes (IRC: plaes)
Comment 4 2012-09-11 05:51:54 PDT
After applying 04c1974fb3141d7af2ec6123ab884016d10a1d4e it crashes like this:

Program received signal SIGSEGV, Segmentation fault.
0xb51f0ba9 in JSC::ArrayProfile::computeUpdatedPrediction(JSC::OperationInProgress) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
(gdb) bt
#0  0xb51f0ba9 in JSC::ArrayProfile::computeUpdatedPrediction(JSC::OperationInProgress) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#1  0xb52526c6 in JSC::DFG::ByteCodeParser::handleIntrinsic(bool, int, JSC::Intrinsic, int, int, unsigned int) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#2  0xb525635a in JSC::DFG::ByteCodeParser::handleCall(JSC::Interpreter*, JSC::Instruction*, JSC::DFG::NodeType, JSC::CodeSpecializationKind) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#3  0xb52591b4 in JSC::DFG::ByteCodeParser::parseBlock(unsigned int) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#4  0xb525ac4b in JSC::DFG::ByteCodeParser::parseCodeBlock() () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#5  0xb525b2f7 in JSC::DFG::ByteCodeParser::parse() () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#6  0xb525bc7c in JSC::DFG::parse(JSC::ExecState*, JSC::DFG::Graph&) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#7  0xb5272bc1 in JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int) [clone .part.189] () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#8  0xb540fa62 in JSC::FunctionExecutable::compileForCallInternal(JSC::ExecState*, JSC::ScopeChainNode*, JSC::JITCode::JITType, unsigned int) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#9  0xb540fb8a in JSC::FunctionExecutable::compileOptimizedForCall(JSC::ExecState*, JSC::ScopeChainNode*, unsigned int) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#10 0xb51f138d in JSC::FunctionCodeBlock::compileOptimized(JSC::ExecState*, JSC::ScopeChainNode*, unsigned int) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#11 0xb5348b97 in cti_optimize () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#12 0xa63b63db in ?? ()
#13 0xb5304704 in JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#14 0xb53fe292 in JSC::evaluate(JSC::ExecState*, JSC::ScopeChainNode*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#15 0xb67cadab in WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*) () from /usr/lib/libwebkitgtk-3.0.so.0
#16 0xb67cb44b in WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) () from /usr/lib/libwebkitgtk-3.0.so.0
#17 0xb69923de in WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) () from /usr/lib/libwebkitgtk-3.0.so.0
#18 0xb6995b71 in WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) () from /usr/lib/libwebkitgtk-3.0.so.0
#19 0xb6b691cd in WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition const&) () from /usr/lib/libwebkitgtk-3.0.so.0
#20 0xb6b69c0d in WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition const&) () from /usr/lib/libwebkitgtk-3.0.so.0
#21 0xb6b5321d in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() () from /usr/lib/libwebkitgtk-3.0.so.0
#22 0xb6b532d8 in WebCore::HTMLDocumentParser::canTakeNextToken(WebCore::HTMLDocumentParser::SynchronousMode, WebCore::PumpSession&) () from /usr/lib/libwebkitgtk-3.0.so.0
#23 0xb6b5346b in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) () from /usr/lib/libwebkitgtk-3.0.so.0
#24 0xb6b5427f in WebCore::HTMLDocumentParser::resumeParsingAfterYield() () from /usr/lib/libwebkitgtk-3.0.so.0
#25 0xb6b66015 in WebCore::HTMLParserScheduler::continueNextChunkTimerFired(WebCore::Timer<WebCore::HTMLParserScheduler>*) () from /usr/lib/libwebkitgtk-3.0.so.0
#26 0xb6b662c7 in WebCore::Timer<WebCore::HTMLParserScheduler>::fired() () from /usr/lib/libwebkitgtk-3.0.so.0
#27 0xb6eb443a in WebCore::ThreadTimers::sharedTimerFiredInternal() () from /usr/lib/libwebkitgtk-3.0.so.0
#28 0xb6eb44b5 in WebCore::ThreadTimers::sharedTimerFired() () from /usr/lib/libwebkitgtk-3.0.so.0
#29 0xb787462b in WebCore::timeout_cb(void*) () from /usr/lib/libwebkitgtk-3.0.so.0
#30 0xb57e0d8f in g_timeout_dispatch (source=0x9f02148, callback=0xb7874610 <WebCore::timeout_cb(void*)>, user_data=0x0) at gmain.c:4026
#31 0xb57e0038 in g_main_dispatch (context=0x8149538) at gmain.c:2715
#32 g_main_context_dispatch (context=0x8149538) at gmain.c:3219
#33 0xb57e03f8 in g_main_context_iterate (dispatch=1, block=-1249975136, context=0x8149538, self=<optimized out>) at gmain.c:3290
#34 g_main_context_iterate (context=0x8149538, block=-1249975136, dispatch=1, self=<optimized out>) at gmain.c:3227
#35 0xb57e04dd in g_main_context_iteration (context=0x8149538, may_block=1) at gmain.c:3351
#36 0xb5a22f0f in g_application_run (application=0x8145928, argc=1, argv=0xbfffed54) at gapplication.c:1607
#37 0x080710d1 in main (argc=1, argv=0xbfffed54) at ephy-main.c:499
Martin Robinson
Comment 5 2012-09-11 08:39:02 PDT
CCing a JSC developer.
Filip Pizlo
Comment 6 2012-09-11 11:51:06 PDT
Does this repro on ToT? The SpeculativeJIT::speculateArray() method doesn't even exist in ToT.
Priit Laes (IRC: plaes)
Comment 7 2012-09-11 12:11:46 PDT
(In reply to comment #6)
> Does this repro on ToT? The SpeculativeJIT::speculateArray() method doesn't even exist in ToT.

That code has been mostly refactored by now and speculativeArray() was replaced by checkArray() in r126715. I was hoping that r126715 fixes the crash, but after applying it, the crash happens in JSC::ArrayProfile::computeUpdatedPrediction(JSC::OperationInProgress) (see comment #4). Haven't yet had a chance to test with ToT, mainly because I need this machine for some other purposes. The crash seems to be happening only on x86; on amd64 that page works.
Nick Heer
Comment 8 2013-05-29 10:45:13 PDT
Created attachment 203214 [details]
Crash log

I'm seeing this on almost all Blogspot domains. Crash log attached.
Zan Dobersek
Comment 9 2013-05-29 11:29:56 PDT
(In reply to comment #8)
> Created an attachment (id=203214) [details]
> Crash log
>
> I'm seeing this on almost all Blogspot domains. Crash log attached.

Can you note the version of (presumably) WebKitGTK+ you're using?