116082 – fourthTier: Segfault in jsc with simple test program when running with profile dumping enabled

Bug 116082 - fourthTier: Segfault in jsc with simple test program when running with profile dumping enabled

Summary: fourthTier: Segfault in jsc with simple test program when running with profil...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Mark Hahnenberg

URL:
Keywords:

Depends on:
Blocks:

Reported:	2013-05-13 17:43 PDT by Mark Hahnenberg
Modified:	2013-05-14 13:36 PDT (History)
CC List:	1 user (show)

See Also:

Attachments
test case (423 bytes, application/x-javascript) 2013-05-13 17:58 PDT, Mark Hahnenberg	no flags	Details
crash log (20.20 KB, text/plain) 2013-05-13 21:51 PDT, Mark Hahnenberg	no flags	Details
crash log 2 (20.52 KB, text/plain) 2013-05-13 21:55 PDT, Mark Hahnenberg	no flags	Details
Patch (1.76 KB, patch) 2013-05-14 13:15 PDT, Mark Hahnenberg	fpizlo: review+	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Mark Hahnenberg 2013-05-13 17:43:32 PDT

If I run the attached test on the latest revision on the dfgFourthTier branch, I get a segfault. I've also attached the crash log.

Comment 1 Mark Hahnenberg 2013-05-13 17:51:30 PDT

Nevermind about the test case, I think this has to do with having the profiling option enabled on the command line.

Comment 2 Mark Hahnenberg 2013-05-13 17:58:26 PDT

Created attachment 201656 [details]
test case

Steps to repro:

1) build
2) DYLD_FRAMEWORK_PATH=WebKitBuild/Debug/ WebKitBuild/Debug/jsc -f ~/Code/WebKit-svn-03/OpenSource/test.js -p out.profile
3) Crash.

Comment 3 Mark Hahnenberg 2013-05-13 17:58:47 PDT

I tried disabling both the FTL and concurrent compilation, but the crash still happens.

Comment 4 Filip Pizlo 2013-05-13 21:49:20 PDT

(In reply to comment #0)
> If I run the attached test on the latest revision on the dfgFourthTier branch, I get a segfault. I've also attached the crash log.

Did you attach the crash log?

Comment 5 Mark Hahnenberg 2013-05-13 21:51:03 PDT

Created attachment 201676 [details]
crash log

Comment 6 Mark Hahnenberg 2013-05-13 21:55:39 PDT

Created attachment 201677 [details]
crash log 2

The previous crash log isn't where I was seeing the crash. Attaching a better one.

Comment 7 Mark Hahnenberg 2013-05-14 13:11:22 PDT

From email with Phil:

"It's crashing because CodeBlock::baselineVersion() doesn't know how to handle the case where 'this' is the baseline version but it hasn't been assigned to the m_blahCodeBlock field in BlahExecutable." 

Patch coming soon to a theater near you.

Comment 8 Mark Hahnenberg 2013-05-14 13:15:02 PDT

Created attachment 201747 [details]
Patch

Comment 9 Mark Hahnenberg 2013-05-14 13:36:37 PDT

Committed r150086: <http://trac.webkit.org/changeset/150086>