UNCONFIRMED 105756
Crash occurs while using Naver map
https://bugs.webkit.org/show_bug.cgi?id=105756
Hojong Han
Reported 2012-12-26 00:03:10 PST
Press +/- several times in a row after loading http://m.map.naver.com, then a crash occurs with the call stack below.

#0 0xb77bcfc1 in JSC::speculationFromValue(JSC::JSValue) ()
#1 0xb79610a3 in JSC::DFG::ByteCodeParser::getPrediction() ()
#2 0xb796b179 in JSC::DFG::ByteCodeParser::handleCall(JSC::Interpreter*, JSC::Instruction*, JSC::DFG::NodeType, JSC::CodeSpecializationKind) ()
#3 0xb796d748 in JSC::DFG::ByteCodeParser::parseBlock(unsigned int) ()
#4 0xb796f5af in JSC::DFG::ByteCodeParser::parseCodeBlock() ()
#5 0xb796a597 in JSC::DFG::ByteCodeParser::handleInlining(bool, int, unsigned int, int, bool, JSC::JSFunction*, int, int, unsigned int, JSC::CodeSpecializationKind) ()
#6 0xb796b031 in JSC::DFG::ByteCodeParser::handleCall(JSC::Interpreter*, JSC::Instruction*, JSC::DFG::NodeType, JSC::CodeSpecializationKind) ()
#7 0xb796d748 in JSC::DFG::ByteCodeParser::parseBlock(unsigned int) ()
#8 0xb796f5af in JSC::DFG::ByteCodeParser::parseCodeBlock() ()
#9 0xb797007d in JSC::DFG::parse(JSC::ExecState*, JSC::DFG::Graph&) ()
#10 0xb77c344f in JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int) [clone .part.225] ()
#11 0xb76d3ef2 in JSC::FunctionExecutable::compileOptimizedForCall(JSC::ExecState*, JSC::JSScope*, unsigned int) ()
#12 0xb77a007d in JSC::FunctionCodeBlock::compileOptimized(JSC::ExecState*, JSC::JSScope*, unsigned int) ()
#13 0xb76b58c3 in cti_optimize ()

The problem happens when a JS function like the one below goes through DFG optimization.

mapGetClass:function(elEl,sClassName) {
    var regExp=new RegExp("(^|\\s+)"+sClassName+"(\\(([^)]*)\\))?(\\s+|$)","i");
    var bFlag=regExp.test(elEl.className);
    RegExp.$0=RegExp.$3;
    if(bFlag){
        return(RegExp.$3||"").split(",")
    }
    return null
}

This is because the tag is not updated even though "elEl.className" (CellTag) and "bFlag" (BooleanTag) use the same virtual register. At first I wrote a patch changing the function operationRegExpTest to work like operationRegExpExec.
Please give me any ideas and comments if there are better and easier ways to correct this bug.
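An added example, not part of the bug report and not the reporter's patch: a regression-style JavaScript check built around the mapGetClass function quoted in the report. The element objects, the "marker" class name and the className strings are constructed stand-ins (not from the page), and stressMapGetClass and SAMPLES are names chosen here. The loop calls the function often enough that a tiering JIT would recompile it and checks that every iteration returns the same answer as the interpreter did, which is the kind of check a layout-test-style regression test for this function would make.

```javascript
// Added example (not the reporter's code): exercise the mapGetClass pattern
// repeatedly and confirm its result never changes across iterations.

// Same shape as the function quoted in the bug: a regex test whose boolean
// result (bFlag) is computed right after the className string was read.
function mapGetClass(elEl, sClassName) {
  var regExp = new RegExp("(^|\\s+)" + sClassName + "(\\(([^)]*)\\))?(\\s+|$)", "i");
  var bFlag = regExp.test(elEl.className);
  RegExp.$0 = RegExp.$3; // legacy static capture property, kept as in the original
  if (bFlag) {
    return (RegExp.$3 || "").split(",");
  }
  return null;
}

// Constructed inputs (not from the page): className strings in the shape the
// regex parses, e.g. "marker(12,34)", plus non-matching cases.
const SAMPLES = [
  { className: "btn marker(12,34) active", expected: ["12", "34"] },
  { className: "marker", expected: [""] },      // matches, no parenthesised args
  { className: "markers(1)", expected: null },  // "markers" is not "marker"
  { className: "other", expected: null },
];

// Compare a result (array of strings or null) against the expected value.
function sameResult(a, b) {
  if (a === null || b === null) return a === b;
  return a.length === b.length && a.every((v, i) => v === b[i]);
}

// Call mapGetClass many times, cycling through the samples, and count how
// often the result differs from the expected value. A tiering engine would
// recompile the function during this loop; a correct engine returns 0.
function stressMapGetClass(iterations) {
  let mismatches = 0;
  for (let i = 0; i < iterations; i++) {
    const s = SAMPLES[i % SAMPLES.length];
    const got = mapGetClass({ className: s.className }, "marker");
    if (!sameResult(got, s.expected)) mismatches++;
  }
  return mismatches;
}

console.log("mismatches after 10000 calls:", stressMapGetClass(10000));
```

Run it with any JavaScript engine (node on this file works). The crash in the report happened inside DFG compilation rather than as a wrong return value, so a stable result here covers the function's observable behaviour; the crash itself could only be caught by running the same loop under the affected JavaScriptCore build.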
Attachments
Patch (7.57 KB, patch)
2012-12-26 00:23 PST, Hojong Han
no flags
Patch (6.82 KB, patch)
2012-12-26 04:01 PST, Hojong Han
no flags
Hojong Han
Comment 1 2012-12-26 00:23:42 PST
WebKit Review Bot
Comment 2 2012-12-26 01:09:09 PST
Comment on attachment 180732 [details] Patch
Attachment 180732 [details] did not pass chromium-ews (chromium-xvfb):
Output: http://queues.webkit.org/results/15548055
New failing tests:
inspector-protocol/debugger-terminate-dedicated-worker-while-paused.html
Hojong Han
Comment 3 2012-12-26 04:01:30 PST
Sam Weinig
Comment 4 2012-12-29 14:58:00 PST
This should probably have a test case.
Anders Carlsson
Comment 5 2014-02-05 11:01:52 PST
Comment on attachment 180741 [details] Patch
Clearing review flag on patches from before 2014. If this patch is still relevant, please reset the r? flag.