Bug 96184

Summary: [GTK][Stable] Crash in JSC::DFG::SpeculativeJIT::speculateArray(JSC::DFG::Array::Mode, JSC::DFG::Edge, JSC::X86Registers::RegisterID)
Product: WebKit
Component: WebKitGTK
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Status: UNCONFIRMED
Resolution: ---
Severity: Normal
Priority: P2
Reporter: Priit Laes (IRC: plaes) <plaes>
Assignee: Nobody <webkit-unassigned>
CC: bugs-noreply, fpizlo, mrobinson, zan
URL: http://android-coding.blogspot.com/2011/08/simple-listview-using.html
Attachments:
  Crash log (flags: none)

Description Priit Laes (IRC: plaes) 2012-09-08 09:55:42 PDT
Webkit-gtk-1.9.91, epiphany on x86. Getting it on the Twitter page (logged in):

(gdb) bt
#0  0xb53aef5e in JSC::DFG::SpeculativeJIT::speculateArray(JSC::DFG::Array::Mode, JSC::DFG::Edge, JSC::X86Registers::RegisterID) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#1  0xb538d18c in JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node&) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#2  0xb53b355e in JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#3  0xb53b3b12 in JSC::DFG::SpeculativeJIT::compile() () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#4  0xb5351ecb in JSC::DFG::JITCompiler::compileBody(JSC::DFG::SpeculativeJIT&) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#5  0xb535466e in JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#6  0xb534ad6e in JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int) [clone .part.194] () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#7  0xb54e6a12 in JSC::FunctionExecutable::compileForCallInternal(JSC::ExecState*, JSC::ScopeChainNode*, JSC::JITCode::JITType, unsigned int) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#8  0xb54e6b3a in JSC::FunctionExecutable::compileOptimizedForCall(JSC::ExecState*, JSC::ScopeChainNode*, unsigned int) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#9  0xb52c919d in JSC::FunctionCodeBlock::compileOptimized(JSC::ExecState*, JSC::ScopeChainNode*, unsigned int) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#10 0xb541fb47 in cti_optimize () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#11 0x8c62e08b in ?? ()
#12 0xb53d9fc9 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#13 0xb54d3cf2 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#14 0xb67c5152 in WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue, WebCore::ScriptExecutionContext*) () from /usr/lib/libwebkitgtk-3.0.so.0
#15 0xb67c59b7 in WebCore::ScheduledAction::execute(WebCore::Document*) () from /usr/lib/libwebkitgtk-3.0.so.0
#16 0xb67c5a90 in WebCore::ScheduledAction::execute(WebCore::ScriptExecutionContext*) () from /usr/lib/libwebkitgtk-3.0.so.0
#17 0xb6d56d7e in WebCore::DOMTimer::fired() () from /usr/lib/libwebkitgtk-3.0.so.0
#18 0xb6eb443a in WebCore::ThreadTimers::sharedTimerFiredInternal() () from /usr/lib/libwebkitgtk-3.0.so.0
#19 0xb6eb44b5 in WebCore::ThreadTimers::sharedTimerFired() () from /usr/lib/libwebkitgtk-3.0.so.0
#20 0xb787462b in WebCore::timeout_cb(void*) () from /usr/lib/libwebkitgtk-3.0.so.0
#21 0xb58b8d8f in g_timeout_dispatch (source=0x9fe5e30, callback=0xb7874610 <WebCore::timeout_cb(void*)>, user_data=0x0) at gmain.c:4026
#22 0xb58b8038 in g_main_dispatch (context=0x8142e68) at gmain.c:2715
#23 g_main_context_dispatch (context=0x8142e68) at gmain.c:3219
#24 0xb58b83f8 in g_main_context_iterate (dispatch=1, block=-1249090400, context=0x8142e68, self=<optimized out>) at gmain.c:3290
#25 g_main_context_iterate (context=0x8142e68, block=-1249090400, dispatch=1, self=<optimized out>) at gmain.c:3227
#26 0xb58b84dd in g_main_context_iteration (context=0x8142e68, may_block=1) at gmain.c:3351
#27 0xb5afaf0f in g_application_run (application=0x81498f8, argc=1, argv=0xbfffed74) at gapplication.c:1607
#28 0x080710d1 in main (argc=1, argv=0xbfffed74) at ephy-main.c:499
Comment 1 Priit Laes (IRC: plaes) 2012-09-09 08:59:00 PDT
One page that's causing it reliably.
Comment 3 Priit Laes (IRC: plaes) 2012-09-11 01:43:21 PDT
Red herring seems to be 7aed8d8263a38a669db87eea22e6946516541d09 (where this function was added). Will check whether the next patch that touches this code fixes that.
Comment 4 Priit Laes (IRC: plaes) 2012-09-11 05:51:54 PDT
After applying 04c1974fb3141d7af2ec6123ab884016d10a1d4e it crashes like this:

Program received signal SIGSEGV, Segmentation fault.
0xb51f0ba9 in JSC::ArrayProfile::computeUpdatedPrediction(JSC::OperationInProgress) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
(gdb) bt
#0  0xb51f0ba9 in JSC::ArrayProfile::computeUpdatedPrediction(JSC::OperationInProgress) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#1  0xb52526c6 in JSC::DFG::ByteCodeParser::handleIntrinsic(bool, int, JSC::Intrinsic, int, int, unsigned int) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#2  0xb525635a in JSC::DFG::ByteCodeParser::handleCall(JSC::Interpreter*, JSC::Instruction*, JSC::DFG::NodeType, JSC::CodeSpecializationKind) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#3  0xb52591b4 in JSC::DFG::ByteCodeParser::parseBlock(unsigned int) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#4  0xb525ac4b in JSC::DFG::ByteCodeParser::parseCodeBlock() () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#5  0xb525b2f7 in JSC::DFG::ByteCodeParser::parse() () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#6  0xb525bc7c in JSC::DFG::parse(JSC::ExecState*, JSC::DFG::Graph&) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#7  0xb5272bc1 in JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int) [clone .part.189] () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#8  0xb540fa62 in JSC::FunctionExecutable::compileForCallInternal(JSC::ExecState*, JSC::ScopeChainNode*, JSC::JITCode::JITType, unsigned int) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#9  0xb540fb8a in JSC::FunctionExecutable::compileOptimizedForCall(JSC::ExecState*, JSC::ScopeChainNode*, unsigned int) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#10 0xb51f138d in JSC::FunctionCodeBlock::compileOptimized(JSC::ExecState*, JSC::ScopeChainNode*, unsigned int) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#11 0xb5348b97 in cti_optimize () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#12 0xa63b63db in ?? ()
#13 0xb5304704 in JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#14 0xb53fe292 in JSC::evaluate(JSC::ExecState*, JSC::ScopeChainNode*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
#15 0xb67cadab in WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*) () from /usr/lib/libwebkitgtk-3.0.so.0
#16 0xb67cb44b in WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) () from /usr/lib/libwebkitgtk-3.0.so.0
#17 0xb69923de in WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) () from /usr/lib/libwebkitgtk-3.0.so.0
#18 0xb6995b71 in WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) () from /usr/lib/libwebkitgtk-3.0.so.0
#19 0xb6b691cd in WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition const&) () from /usr/lib/libwebkitgtk-3.0.so.0
#20 0xb6b69c0d in WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition const&) () from /usr/lib/libwebkitgtk-3.0.so.0
#21 0xb6b5321d in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() () from /usr/lib/libwebkitgtk-3.0.so.0
#22 0xb6b532d8 in WebCore::HTMLDocumentParser::canTakeNextToken(WebCore::HTMLDocumentParser::SynchronousMode, WebCore::PumpSession&) () from /usr/lib/libwebkitgtk-3.0.so.0
#23 0xb6b5346b in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) () from /usr/lib/libwebkitgtk-3.0.so.0
#24 0xb6b5427f in WebCore::HTMLDocumentParser::resumeParsingAfterYield() () from /usr/lib/libwebkitgtk-3.0.so.0
#25 0xb6b66015 in WebCore::HTMLParserScheduler::continueNextChunkTimerFired(WebCore::Timer<WebCore::HTMLParserScheduler>*) () from /usr/lib/libwebkitgtk-3.0.so.0
#26 0xb6b662c7 in WebCore::Timer<WebCore::HTMLParserScheduler>::fired() () from /usr/lib/libwebkitgtk-3.0.so.0
#27 0xb6eb443a in WebCore::ThreadTimers::sharedTimerFiredInternal() () from /usr/lib/libwebkitgtk-3.0.so.0
#28 0xb6eb44b5 in WebCore::ThreadTimers::sharedTimerFired() () from /usr/lib/libwebkitgtk-3.0.so.0
#29 0xb787462b in WebCore::timeout_cb(void*) () from /usr/lib/libwebkitgtk-3.0.so.0
#30 0xb57e0d8f in g_timeout_dispatch (source=0x9f02148, callback=0xb7874610 <WebCore::timeout_cb(void*)>, user_data=0x0) at gmain.c:4026
#31 0xb57e0038 in g_main_dispatch (context=0x8149538) at gmain.c:2715
#32 g_main_context_dispatch (context=0x8149538) at gmain.c:3219
#33 0xb57e03f8 in g_main_context_iterate (dispatch=1, block=-1249975136, context=0x8149538, self=<optimized out>) at gmain.c:3290
#34 g_main_context_iterate (context=0x8149538, block=-1249975136, dispatch=1, self=<optimized out>) at gmain.c:3227
#35 0xb57e04dd in g_main_context_iteration (context=0x8149538, may_block=1) at gmain.c:3351
#36 0xb5a22f0f in g_application_run (application=0x8145928, argc=1, argv=0xbfffed54) at gapplication.c:1607
#37 0x080710d1 in main (argc=1, argv=0xbfffed54) at ephy-main.c:499
Comment 5 Martin Robinson 2012-09-11 08:39:02 PDT
CCing a JSC developer.
Comment 6 Filip Pizlo 2012-09-11 11:51:06 PDT
Does this repro on ToT?  The SpeculativeJIT::speculateArray() method doesn't even exist in ToT.
Comment 7 Priit Laes (IRC: plaes) 2012-09-11 12:11:46 PDT
(In reply to comment #6)
> Does this repro on ToT?  The SpeculativeJIT::speculateArray() method doesn't even exist in ToT.

That code has been mostly refactored by now and speculateArray() was replaced by checkArray() in r126715.

I was hoping that r126715 fixes the crash, but after applying it, crash happens in JSC::ArrayProfile::computeUpdatedPrediction(JSC::OperationInProgress) (see comment #4).

Haven't yet had a chance to test with ToT, mainly because I need this machine for some other purposes.

The crash seems to be happening only on x86, on amd64 that page works.
Comment 8 Nick Heer 2013-05-29 10:45:13 PDT
Created attachment 203214
Crash log

I'm seeing this on almost all Blogspot domains. Crash log attached.
Comment 9 Zan Dobersek 2013-05-29 11:29:56 PDT
(In reply to comment #8)
> Created an attachment (id=203214)
> Crash log
> 
> I'm seeing this on almost all Blogspot domains. Crash log attached.

Can you note the version of (presumably) WebKitGTK+ you're using?