Bug 106329 - REGRESSION (r138921): Crash in JSC::Arguments::create
Summary: REGRESSION (r138921): Crash in JSC::Arguments::create
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Mac (Intel) OS X 10.8
Importance: P1 Critical
Assignee: Filip Pizlo
URL: http://www.warcaststudios.com/atom-ic...
Keywords: InRadar, Regression
Depends on: 106459
Blocks: 105845
Reported: 2013-01-08 08:47 PST by Kevin M. Dean
Modified: 2013-01-09 08:19 PST (History)

See Also:


Attachments
the patch (10.56 KB, patch)
2013-01-08 13:59 PST, Filip Pizlo
mhahnenberg: review+

Description Kevin M. Dean 2013-01-08 08:47:25 PST
This is spawned off testing Bug 105845 where the gallery is not even working correctly since a previous bug, but now...

View the gallery link and click to view a picture. As soon as I move the mouse after... Crash.

Process:         WebProcess [8205]
Path:            /Applications/WebKit.app/Contents/Frameworks/10.8/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess
Identifier:      com.apple.WebProcess
Version:         537+ (537.25+)
Code Type:       X86-64 (Native)
Parent Process:  SafariForWebKitDevelopment [8202]
User ID:         501

Date/Time:       2013-01-07 23:38:08.342 -0500
OS Version:      Mac OS X 10.8.2 (12C60)
Report Version:  10

Interval Since Last Report:          1161632 sec
Crashes Since Last Report:           -7
Per-App Interval Since Last Report:  84921 sec
Per-App Crashes Since Last Report:   2
Anonymous UUID:                      3FB4F99D-AA2A-BF09-84EE-B9783AA375CE

Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000018

VM Regions Near 0x18:
--> 
    __TEXT                 000000010845b000-000000010845c000 [    4K] r-x/rwx SM=COW  /Applications/WebKit.app/Contents/Frameworks/10.8/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess

Application Specific Information:
Bundle controller class:
BrowserBundleController


Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore          0x000000010890b207 JSC::Arguments::create(JSC::JSGlobalData&, JSC::ExecState*, JSC::InlineCallFrame*) + 199
1   ???                               0x000000010aa33df6 0 + 4473437686
2   com.apple.JavaScriptCore          0x00000001089952f4 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 548
3   com.apple.JavaScriptCore          0x00000001088a34a5 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 69
4   com.apple.WebCore                 0x000000010926bf1f WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 143
5   com.apple.WebCore                 0x00000001097d7f7f WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue, WebCore::ScriptExecutionContext*) + 479
6   com.apple.WebCore                 0x00000001097d7c1c WebCore::ScheduledAction::execute(WebCore::Document*) + 156
7   com.apple.WebCore                 0x0000000108f88573 WebCore::DOMTimer::fired() + 323
8   com.apple.WebCore                 0x000000010999e83f WebCore::ThreadTimers::sharedTimerFiredInternal() + 159
9   com.apple.WebCore                 0x0000000109827cb3 WebCore::timerFired(__CFRunLoopTimer*, void*) + 51
10  com.apple.CoreFoundation          0x00007fff8ef4cda4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
11  com.apple.CoreFoundation          0x00007fff8ef4c8bd __CFRunLoopDoTimer + 557
12  com.apple.CoreFoundation          0x00007fff8ef32099 __CFRunLoopRun + 1513
13  com.apple.CoreFoundation          0x00007fff8ef316b2 CFRunLoopRunSpecific + 290
14  com.apple.HIToolbox               0x00007fff94dad0a4 RunCurrentEventLoopInMode + 209
15  com.apple.HIToolbox               0x00007fff94dace42 ReceiveNextEventCommon + 356
16  com.apple.HIToolbox               0x00007fff94daccd3 BlockUntilNextEventMatchingListInMode + 62
17  com.apple.AppKit                  0x00007fff929ec613 _DPSNextEvent + 685
18  com.apple.AppKit                  0x00007fff929ebed2 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
19  com.apple.AppKit                  0x00007fff929e3283 -[NSApplication run] + 517
20  com.apple.WebCore                 0x00000001097d39d3 WebCore::RunLoop::run() + 67
21  com.apple.WebKit2                 0x00000001085b443f int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMainDelegate>(WebKit::CommandLine const&) + 575
22  com.apple.WebKit2                 0x0000000108557557 WebKitMain + 299
23  com.apple.WebProcess              0x000000010845be7b main + 214
24  libdyld.dylib                     0x00007fff904cc7e1 start + 1
Comment 1 Alexey Proskuryakov 2013-01-08 10:21:57 PST
For me, this is a little tricky to reproduce - sometimes, I have to click multiple thumbnails before crashing. But it looks like this started with <http://trac.webkit.org/changeset/138921>.
Comment 2 Alexey Proskuryakov 2013-01-08 10:22:28 PST
<rdar://problem/12974196>
Comment 3 Filip Pizlo 2013-01-08 13:56:52 PST
Ooops, this is a really silly regression.  I will have a patch shortly.
Comment 4 Filip Pizlo 2013-01-08 13:59:33 PST
Created attachment 181752 [details]
the patch
Comment 5 Mark Hahnenberg 2013-01-08 14:02:37 PST
Comment on attachment 181752 [details]
the patch

r=me
Comment 6 Filip Pizlo 2013-01-08 14:03:38 PST
Landed in http://trac.webkit.org/changeset/139109