WebKit Bugzilla
RESOLVED FIXED
119105
REGRESSION: Crash when opening a message on Gmail
https://bugs.webkit.org/show_bug.cgi?id=119105
Ryosuke Niwa
Reported
2013-07-25 13:53:58 PDT
Reproduction steps:
1. Download nightly build at r153334
2. Go to mail.google.com and log in
3. Open one of messages

Thread 0x179e48 DispatchQueue 1 priority 31
600 start + 1 (libdyld.dylib) [0x7fff8aa727e1]
600 main + 337 (WebProcess) [0x10c701e23]
600 int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebContentProcessMainDelegate>(int, char**) + 579 (WebKit2) [0x10c7ee173]
600 WebCore::RunLoop::run() + 82 (WebCore) [0x10dae5712]
600 -[NSApplication run] + 517 (AppKit) [0x7fff8abc01a3]
600 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128 (AppKit) [0x7fff8abc8df2]
600 _DPSNextEvent + 685 (AppKit) [0x7fff8abc9533]
600 BlockUntilNextEventMatchingListInMode + 62 (HIToolbox) [0x7fff869f3ae3]
600 ReceiveNextEventCommon + 356 (HIToolbox) [0x7fff869f3c52]
600 RunCurrentEventLoopInMode + 209 (HIToolbox) [0x7fff869f3eb4]
600 CFRunLoopRunSpecific + 290 (CoreFoundation) [0x7fff8bd2a0e2]
600 __CFRunLoopRun + 789 (CoreFoundation) [0x7fff8bd2a7f5]
600 __CFRunLoopDoSources0 + 245 (CoreFoundation) [0x7fff8bd07455]
600 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17 (CoreFoundation) [0x7fff8bd07b31]
600 MultiplexerSource::perform() + 221 (CFNetwork) [0x7fff8341118b]
600 RunloopBlockContext::perform() + 124 (CFNetwork) [0x7fff834112b4]
600 CFArrayApplyFunction + 68 (CoreFoundation) [0x7fff8bd26154]
600 __block_global_1 + 28 (CFNetwork) [0x7fff834b0f3a]
600 ___withDelegateAsync_block_invoke_0 + 90 (CFNetwork) [0x7fff8342054a]
600 ___delegate_didFinishLoading_block_invoke_0 + 40 (CFNetwork) [0x7fff8342e091]
600 -[NSURLConnectionInternal _withActiveConnectionAndDelegate:] + 63 (Foundation) [0x7fff863b6bc8]
600 -[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:] + 227 (Foundation) [0x7fff863b6ccc]
600 __65-[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:]_block_invoke_0 + 28 (Foundation) [0x7fff863b6d88]
600 WebCore::SubresourceLoader::didFinishLoading(double) + 133 (WebCore) [0x10db925b5]
600 WebCore::CachedRawResource::finishLoading(WebCore::ResourceBuffer*) + 194 (WebCore) [0x10d0b71b2]
600 WebCore::CachedResource::checkNotify() + 76 (WebCore) [0x10d0ba21c]
600 WebCore::XMLHttpRequest::didFinishLoading(unsigned long, double) + 358 (WebCore) [0x10dd26906]
600 WebCore::XMLHttpRequest::callReadyStateChangeListener() + 252 (WebCore) [0x10dd229bc]
600 WebCore::XMLHttpRequestProgressEventThrottle::dispatchReadyStateChangeEvent(WTF::PassRefPtr<WebCore::Event>, WebCore::ProgressEventAction) + 56 (WebCore) [0x10dd27fb8]
600 WebCore::XMLHttpRequestProgressEventThrottle::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) + 335 (WebCore) [0x10dd27f3f]
600 WebCore::EventTarget::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) + 88 (WebCore) [0x10d310738]
600 WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 390 (WebCore) [0x10d3108d6]
600 WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul, WTF::CrashOnOverflow>&) + 364 (WebCore) [0x10d310bbc]
600 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 908 (WebCore) [0x10d6456ac]
600 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 69 (JavaScriptCore) [0x10cbcbd45]
600 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 715 (JavaScriptCore) [0x10cce544b]
600 JSC::boundFunctionCall(JSC::ExecState*) + 558 (JavaScriptCore) [0x10cd3626e]
600 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 69 (JavaScriptCore) [0x10cbcbd45]
600 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 650 (JavaScriptCore) [0x10cce540a]
600 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::VM*) + 49 (JavaScriptCore) [0x10ccfffe1]
600 ??? [0x2d5c4b201045]
600 JSC::boundFunctionCall(JSC::ExecState*) + 558 (JavaScriptCore) [0x10cd3626e]
600 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 69 (JavaScriptCore) [0x10cbcbd45]
600 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 650 (JavaScriptCore) [0x10cce540a]
600 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::VM*) + 49 (JavaScriptCore) [0x10ccfffe1]
600 ??? [0x2d5c4b201045]
600 JSC::boundFunctionCall(JSC::ExecState*) + 558 (JavaScriptCore) [0x10cd3626e]
600 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 69 (JavaScriptCore) [0x10cbcbd45]
600 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 650 (JavaScriptCore) [0x10cce540a]
600 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::VM*) + 49 (JavaScriptCore) [0x10ccfffe1]
600 ??? [0x2d5c00000001]
Attachments
the patch (14.69 KB, patch), 2013-07-26 13:42 PDT, Filip Pizlo; oliver: review+
Geoffrey Garen
Comment 1
2013-07-25 17:38:47 PDT
<rdar://problem/14554999>
Filip Pizlo
Comment 2
2013-07-26 13:38:21 PDT
*** Bug 119112 has been marked as a duplicate of this bug. ***
Filip Pizlo
Comment 3
2013-07-26 13:42:17 PDT
Created attachment 207550 [details]: the patch
WebKit Commit Bot
Comment 4
2013-07-26 13:45:14 PDT
Attachment 207550 [details] did not pass style-queue:
Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'LayoutTests/ChangeLog', u'LayoutTests/fast/js/dfg-get-by-id-unset-then-proto-less-warmup.html', u'LayoutTests/fast/js/dfg-get-by-id-unset-then-proto-more-warmup.html', u'LayoutTests/fast/js/dfg-get-by-id-unset-then-proto.html', u'LayoutTests/fast/js/jsc-test-list', u'LayoutTests/fast/js/script-tests/dfg-get-by-id-unset-then-proto-less-warmup.js', u'LayoutTests/fast/js/script-tests/dfg-get-by-id-unset-then-proto-more-warmup.js', u'LayoutTests/fast/js/script-tests/dfg-get-by-id-unset-then-proto.js', u'Source/JavaScriptCore/ChangeLog', u'Source/JavaScriptCore/bytecode/CallLinkStatus.cpp', u'Source/JavaScriptCore/bytecode/CodeBlock.cpp', u'Source/JavaScriptCore/dfg/DFGRepatch.cpp']" exit_code: 1
LayoutTests/ChangeLog:11: Need whitespace between colon and description [changelog/filechangedescriptionwhitespace] [5]
Total errors found: 1 in 11 files
If any of these errors are false positives, please file a bug against check-webkit-style.
Oliver Hunt
Comment 5
2013-07-26 13:47:51 PDT
Comment on attachment 207550 [details] (the patch)
r=me
Ryosuke Niwa
Comment 6
2013-07-26 13:50:31 PDT
For the record, the following is the latest stack trace I'm seeing (before applying this patch):

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.JavaScriptCore 0x00000001010868d3 JSC::DFG::dfgBuildGetByIDList(JSC::ExecState*, JSC::JSValue, JSC::Identifier const&, JSC::PropertySlot const&, JSC::StructureStubInfo&) + 3811
1 com.apple.JavaScriptCore 0x0000000101075dc6 operationGetByIdBuildListWithReturnAddress + 294
2 ??? 0x00005b1d083a8dca 0 + 100180250234314
3 com.apple.JavaScriptCore 0x000000010112fe81 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::VM*) + 49
4 com.apple.JavaScriptCore 0x00000001011152aa JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 650
5 com.apple.JavaScriptCore 0x0000000100ffbbd5 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 69
6 com.apple.WebCore 0x0000000101a7666c WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 908
7 com.apple.WebCore 0x0000000101741afc WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul, WTF::CrashOnOverflow>&) + 364
8 com.apple.WebCore 0x0000000101741816 WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 390
9 com.apple.WebCore 0x0000000101d3bf13 WebCore::Node::handleLocalEvents(WebCore::Event*) + 67
10 com.apple.WebCore 0x0000000101729ef7 WebCore::EventContext::handleLocalEvents(WebCore::Event*) const + 87
11 com.apple.WebCore 0x000000010172ae18 WebCore::EventDispatcher::dispatchEventAtBubbling(WebCore::WindowEventContext&) + 56
12 com.apple.WebCore 0x000000010172ad07 WebCore::EventDispatcher::dispatch() + 759
13 com.apple.WebCore 0x0000000101d2915f WebCore::MouseEventDispatchMediator::dispatchEvent(WebCore::EventDispatcher*) const + 159
14 com.apple.WebCore 0x000000010172a10c WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WTF::PassRefPtr<WebCore::EventDispatchMediator>) + 124
15 com.apple.WebCore 0x0000000101d3c615 WebCore::Node::dispatchMouseEvent(WebCore::PlatformMouseEvent const&, WTF::AtomicString const&, int, WebCore::Node*) + 133
16 com.apple.WebCore 0x000000010173189b WebCore::EventHandler::dispatchMouseEvent(WTF::AtomicString const&, WebCore::Node*, bool, int, WebCore::PlatformMouseEvent const&, bool) + 107
17 com.apple.WebCore 0x000000010173333e WebCore::EventHandler::handleMouseReleaseEvent(WebCore::PlatformMouseEvent const&) + 1198
18 com.apple.WebKit2 0x0000000100c5f9cc WebKit::handleMouseEvent(WebKit::WebMouseEvent const&, WebKit::WebPage*, bool) + 419
19 com.apple.WebKit2 0x0000000100c5f7ed WebKit::WebPage::mouseEvent(WebKit::WebMouseEvent const&) + 221
20 com.apple.WebKit2 0x0000000100c72cc8 void CoreIPC::handleMessage<Messages::WebPage::MouseEvent, WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::WebMouseEvent const&)>(CoreIPC::MessageDecoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::WebMouseEvent const&)) + 83
21 com.apple.WebKit2 0x0000000100ba581f CoreIPC::MessageReceiverMap::dispatchMessage(CoreIPC::Connection*, CoreIPC::MessageDecoder&) + 137
22 com.apple.WebKit2 0x0000000100cadf72 WebKit::WebProcess::didReceiveMessage(CoreIPC::Connection*, CoreIPC::MessageDecoder&) + 34
23 com.apple.WebKit2 0x0000000100b7958d CoreIPC::Connection::dispatchMessage(WTF::PassOwnPtr<CoreIPC::MessageDecoder>) + 105
24 com.apple.WebKit2 0x0000000100b7b0c8 CoreIPC::Connection::dispatchOneMessage() + 106
25 com.apple.WebCore 0x0000000101f15a91 WebCore::RunLoop::performWork() + 129
26 com.apple.WebCore 0x0000000101f16052 WebCore::RunLoop::performWork(void*) + 34
27 com.apple.CoreFoundation 0x00007fff8bd07b31 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
28 com.apple.CoreFoundation 0x00007fff8bd07455 __CFRunLoopDoSources0 + 245
29 com.apple.CoreFoundation 0x00007fff8bd2a7f5 __CFRunLoopRun + 789
30 com.apple.CoreFoundation 0x00007fff8bd2a0e2 CFRunLoopRunSpecific + 290
31 com.apple.HIToolbox 0x00007fff869f3eb4 RunCurrentEventLoopInMode + 209
32 com.apple.HIToolbox 0x00007fff869f3c52 ReceiveNextEventCommon + 356
33 com.apple.HIToolbox 0x00007fff869f3ae3 BlockUntilNextEventMatchingListInMode + 62
34 com.apple.AppKit 0x00007fff8abc9533 _DPSNextEvent + 685
35 com.apple.AppKit 0x00007fff8abc8df2 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
36 com.apple.AppKit 0x00007fff8abc01a3 -[NSApplication run] + 517
37 com.apple.WebCore 0x0000000101f166d2 WebCore::RunLoop::run() + 82
38 com.apple.WebKit2 0x0000000100c1e167 int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebContentProcessMainDelegate>(int, char**) + 579
39 com.apple.WebProcess 0x0000000100b2ee23 main + 337
40 libdyld.dylib 0x00007fff8aa727e1 start + 1
Mark Hahnenberg
Comment 7
2013-07-26 14:05:27 PDT
Comment on attachment 207550 [details] (the patch)
Looks good to me too, fwiw.
Filip Pizlo
Comment 8
2013-07-26 14:12:59 PDT
Landed in http://trac.webkit.org/changeset/153381
Alexey Proskuryakov
Comment 9
2013-07-30 15:42:31 PDT
Landed missing test results in <http://trac.webkit.org/r153501>.