Bug 119105 - REGRESSION: Crash when opening a message on Gmail
Summary: REGRESSION: Crash when opening a message on Gmail
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Filip Pizlo
URL:
Keywords: InRadar
: 119112
Depends on:
Blocks:
 
Reported: 2013-07-25 13:53 PDT by Ryosuke Niwa
Modified: 2013-07-30 15:42 PDT

See Also:


Attachments
the patch (14.69 KB, patch)
2013-07-26 13:42 PDT, Filip Pizlo
oliver: review+

Description Ryosuke Niwa 2013-07-25 13:53:58 PDT
Reproduction steps:
1. Download the nightly build at r153334
2. Go to mail.google.com and log in
3. Open one of the messages

  Thread 0x179e48   DispatchQueue 1          priority 31        
  600 start + 1 (libdyld.dylib) [0x7fff8aa727e1]
    600 main + 337 (WebProcess) [0x10c701e23]
      600 int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebContentProcessMainDelegate>(int, char**) + 579 (WebKit2) [0x10c7ee173]
        600 WebCore::RunLoop::run() + 82 (WebCore) [0x10dae5712]
          600 -[NSApplication run] + 517 (AppKit) [0x7fff8abc01a3]
            600 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128 (AppKit) [0x7fff8abc8df2]
              600 _DPSNextEvent + 685 (AppKit) [0x7fff8abc9533]
                600 BlockUntilNextEventMatchingListInMode + 62 (HIToolbox) [0x7fff869f3ae3]
                  600 ReceiveNextEventCommon + 356 (HIToolbox) [0x7fff869f3c52]
                    600 RunCurrentEventLoopInMode + 209 (HIToolbox) [0x7fff869f3eb4]
                      600 CFRunLoopRunSpecific + 290 (CoreFoundation) [0x7fff8bd2a0e2]
                        600 __CFRunLoopRun + 789 (CoreFoundation) [0x7fff8bd2a7f5]
                          600 __CFRunLoopDoSources0 + 245 (CoreFoundation) [0x7fff8bd07455]
                            600 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17 (CoreFoundation) [0x7fff8bd07b31]
                              600 MultiplexerSource::perform() + 221 (CFNetwork) [0x7fff8341118b]
                                600 RunloopBlockContext::perform() + 124 (CFNetwork) [0x7fff834112b4]
                                  600 CFArrayApplyFunction + 68 (CoreFoundation) [0x7fff8bd26154]
                                    600 __block_global_1 + 28 (CFNetwork) [0x7fff834b0f3a]
                                      600 ___withDelegateAsync_block_invoke_0 + 90 (CFNetwork) [0x7fff8342054a]
                                        600 ___delegate_didFinishLoading_block_invoke_0 + 40 (CFNetwork) [0x7fff8342e091]
                                          600 -[NSURLConnectionInternal _withActiveConnectionAndDelegate:] + 63 (Foundation) [0x7fff863b6bc8]
                                            600 -[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:] + 227 (Foundation) [0x7fff863b6ccc]
                                              600 __65-[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:]_block_invoke_0 + 28 (Foundation) [0x7fff863b6d88]
                                                600 WebCore::SubresourceLoader::didFinishLoading(double) + 133 (WebCore) [0x10db925b5]
                                                  600 WebCore::CachedRawResource::finishLoading(WebCore::ResourceBuffer*) + 194 (WebCore) [0x10d0b71b2]
                                                    600 WebCore::CachedResource::checkNotify() + 76 (WebCore) [0x10d0ba21c]
                                                      600 WebCore::XMLHttpRequest::didFinishLoading(unsigned long, double) + 358 (WebCore) [0x10dd26906]
                                                        600 WebCore::XMLHttpRequest::callReadyStateChangeListener() + 252 (WebCore) [0x10dd229bc]
                                                          600 WebCore::XMLHttpRequestProgressEventThrottle::dispatchReadyStateChangeEvent(WTF::PassRefPtr<WebCore::Event>, WebCore::ProgressEventAction) + 56 (WebCore) [0x10dd27fb8]
                                                            600 WebCore::XMLHttpRequestProgressEventThrottle::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) + 335 (WebCore) [0x10dd27f3f]
                                                              600 WebCore::EventTarget::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) + 88 (WebCore) [0x10d310738]
                                                                600 WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 390 (WebCore) [0x10d3108d6]
                                                                  600 WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul, WTF::CrashOnOverflow>&) + 364 (WebCore) [0x10d310bbc]
                                                                    600 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 908 (WebCore) [0x10d6456ac]
                                                                      600 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 69 (JavaScriptCore) [0x10cbcbd45]
                                                                        600 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 715 (JavaScriptCore) [0x10cce544b]
                                                                          600 JSC::boundFunctionCall(JSC::ExecState*) + 558 (JavaScriptCore) [0x10cd3626e]
                                                                            600 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 69 (JavaScriptCore) [0x10cbcbd45]
                                                                              600 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 650 (JavaScriptCore) [0x10cce540a]
                                                                                600 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::VM*) + 49 (JavaScriptCore) [0x10ccfffe1]
                                                                                  600 ??? [0x2d5c4b201045]
                                                                                    600 JSC::boundFunctionCall(JSC::ExecState*) + 558 (JavaScriptCore) [0x10cd3626e]
                                                                                      600 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 69 (JavaScriptCore) [0x10cbcbd45]
                                                                                        600 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 650 (JavaScriptCore) [0x10cce540a]
                                                                                          600 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::VM*) + 49 (JavaScriptCore) [0x10ccfffe1]
                                                                                            600 ??? [0x2d5c4b201045]
                                                                                              600 JSC::boundFunctionCall(JSC::ExecState*) + 558 (JavaScriptCore) [0x10cd3626e]
                                                                                                600 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 69 (JavaScriptCore) [0x10cbcbd45]
                                                                                                  600 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 650 (JavaScriptCore) [0x10cce540a]
                                                                                                    600 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::VM*) + 49 (JavaScriptCore) [0x10ccfffe1]
                                                                                                      600 ??? [0x2d5c00000001]
Comment 1 Geoffrey Garen 2013-07-25 17:38:47 PDT
<rdar://problem/14554999>
Comment 2 Filip Pizlo 2013-07-26 13:38:21 PDT
*** Bug 119112 has been marked as a duplicate of this bug. ***
Comment 3 Filip Pizlo 2013-07-26 13:42:17 PDT
Created attachment 207550 [details]
the patch
Comment 4 WebKit Commit Bot 2013-07-26 13:45:14 PDT
Attachment 207550 [details] did not pass style-queue:

Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'LayoutTests/ChangeLog', u'LayoutTests/fast/js/dfg-get-by-id-unset-then-proto-less-warmup.html', u'LayoutTests/fast/js/dfg-get-by-id-unset-then-proto-more-warmup.html', u'LayoutTests/fast/js/dfg-get-by-id-unset-then-proto.html', u'LayoutTests/fast/js/jsc-test-list', u'LayoutTests/fast/js/script-tests/dfg-get-by-id-unset-then-proto-less-warmup.js', u'LayoutTests/fast/js/script-tests/dfg-get-by-id-unset-then-proto-more-warmup.js', u'LayoutTests/fast/js/script-tests/dfg-get-by-id-unset-then-proto.js', u'Source/JavaScriptCore/ChangeLog', u'Source/JavaScriptCore/bytecode/CallLinkStatus.cpp', u'Source/JavaScriptCore/bytecode/CodeBlock.cpp', u'Source/JavaScriptCore/dfg/DFGRepatch.cpp']" exit_code: 1
LayoutTests/ChangeLog:11:  Need whitespace between colon and description  [changelog/filechangedescriptionwhitespace] [5]
Total errors found: 1 in 11 files


If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 5 Oliver Hunt 2013-07-26 13:47:51 PDT
Comment on attachment 207550 [details]
the patch

r=me
Comment 6 Ryosuke Niwa 2013-07-26 13:50:31 PDT
For the record, the following is the latest stack trace I'm seeing (before applying this patch); note that, unlike the trace in the description, this one crashes inside JSC::DFG::dfgBuildGetByIDList rather than in JIT-compiled code:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x00000001010868d3 JSC::DFG::dfgBuildGetByIDList(JSC::ExecState*, JSC::JSValue, JSC::Identifier const&, JSC::PropertySlot const&, JSC::StructureStubInfo&) + 3811
1   com.apple.JavaScriptCore      	0x0000000101075dc6 operationGetByIdBuildListWithReturnAddress + 294
2   ???                           	0x00005b1d083a8dca 0 + 100180250234314
3   com.apple.JavaScriptCore      	0x000000010112fe81 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::VM*) + 49
4   com.apple.JavaScriptCore      	0x00000001011152aa JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 650
5   com.apple.JavaScriptCore      	0x0000000100ffbbd5 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 69
6   com.apple.WebCore             	0x0000000101a7666c WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 908
7   com.apple.WebCore             	0x0000000101741afc WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul, WTF::CrashOnOverflow>&) + 364
8   com.apple.WebCore             	0x0000000101741816 WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 390
9   com.apple.WebCore             	0x0000000101d3bf13 WebCore::Node::handleLocalEvents(WebCore::Event*) + 67
10  com.apple.WebCore             	0x0000000101729ef7 WebCore::EventContext::handleLocalEvents(WebCore::Event*) const + 87
11  com.apple.WebCore             	0x000000010172ae18 WebCore::EventDispatcher::dispatchEventAtBubbling(WebCore::WindowEventContext&) + 56
12  com.apple.WebCore             	0x000000010172ad07 WebCore::EventDispatcher::dispatch() + 759
13  com.apple.WebCore             	0x0000000101d2915f WebCore::MouseEventDispatchMediator::dispatchEvent(WebCore::EventDispatcher*) const + 159
14  com.apple.WebCore             	0x000000010172a10c WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WTF::PassRefPtr<WebCore::EventDispatchMediator>) + 124
15  com.apple.WebCore             	0x0000000101d3c615 WebCore::Node::dispatchMouseEvent(WebCore::PlatformMouseEvent const&, WTF::AtomicString const&, int, WebCore::Node*) + 133
16  com.apple.WebCore             	0x000000010173189b WebCore::EventHandler::dispatchMouseEvent(WTF::AtomicString const&, WebCore::Node*, bool, int, WebCore::PlatformMouseEvent const&, bool) + 107
17  com.apple.WebCore             	0x000000010173333e WebCore::EventHandler::handleMouseReleaseEvent(WebCore::PlatformMouseEvent const&) + 1198
18  com.apple.WebKit2             	0x0000000100c5f9cc WebKit::handleMouseEvent(WebKit::WebMouseEvent const&, WebKit::WebPage*, bool) + 419
19  com.apple.WebKit2             	0x0000000100c5f7ed WebKit::WebPage::mouseEvent(WebKit::WebMouseEvent const&) + 221
20  com.apple.WebKit2             	0x0000000100c72cc8 void CoreIPC::handleMessage<Messages::WebPage::MouseEvent, WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::WebMouseEvent const&)>(CoreIPC::MessageDecoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::WebMouseEvent const&)) + 83
21  com.apple.WebKit2             	0x0000000100ba581f CoreIPC::MessageReceiverMap::dispatchMessage(CoreIPC::Connection*, CoreIPC::MessageDecoder&) + 137
22  com.apple.WebKit2             	0x0000000100cadf72 WebKit::WebProcess::didReceiveMessage(CoreIPC::Connection*, CoreIPC::MessageDecoder&) + 34
23  com.apple.WebKit2             	0x0000000100b7958d CoreIPC::Connection::dispatchMessage(WTF::PassOwnPtr<CoreIPC::MessageDecoder>) + 105
24  com.apple.WebKit2             	0x0000000100b7b0c8 CoreIPC::Connection::dispatchOneMessage() + 106
25  com.apple.WebCore             	0x0000000101f15a91 WebCore::RunLoop::performWork() + 129
26  com.apple.WebCore             	0x0000000101f16052 WebCore::RunLoop::performWork(void*) + 34
27  com.apple.CoreFoundation      	0x00007fff8bd07b31 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
28  com.apple.CoreFoundation      	0x00007fff8bd07455 __CFRunLoopDoSources0 + 245
29  com.apple.CoreFoundation      	0x00007fff8bd2a7f5 __CFRunLoopRun + 789
30  com.apple.CoreFoundation      	0x00007fff8bd2a0e2 CFRunLoopRunSpecific + 290
31  com.apple.HIToolbox           	0x00007fff869f3eb4 RunCurrentEventLoopInMode + 209
32  com.apple.HIToolbox           	0x00007fff869f3c52 ReceiveNextEventCommon + 356
33  com.apple.HIToolbox           	0x00007fff869f3ae3 BlockUntilNextEventMatchingListInMode + 62
34  com.apple.AppKit              	0x00007fff8abc9533 _DPSNextEvent + 685
35  com.apple.AppKit              	0x00007fff8abc8df2 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
36  com.apple.AppKit              	0x00007fff8abc01a3 -[NSApplication run] + 517
37  com.apple.WebCore             	0x0000000101f166d2 WebCore::RunLoop::run() + 82
38  com.apple.WebKit2             	0x0000000100c1e167 int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebContentProcessMainDelegate>(int, char**) + 579
39  com.apple.WebProcess          	0x0000000100b2ee23 main + 337
40  libdyld.dylib                 	0x00007fff8aa727e1 start + 1
Comment 7 Mark Hahnenberg 2013-07-26 14:05:27 PDT
Comment on attachment 207550 [details]
the patch

Looks good to me too, fwiw.
Comment 8 Filip Pizlo 2013-07-26 14:12:59 PDT
Landed in http://trac.webkit.org/changeset/153381
Comment 9 Alexey Proskuryakov 2013-07-30 15:42:31 PDT
Landed missing test results in <http://trac.webkit.org/r153501>.