Bug 121844 - Crashing under JSC::DFG::SpeculativeJIT::spill visiting citicards.com
Summary: Crashing under JSC::DFG::SpeculativeJIT::spill visiting citicards.com
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Filip Pizlo
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2013-09-24 09:50 PDT by Jessie Berlin
Modified: 2013-09-24 16:26 PDT
CC: 3 users

See Also:


Attachments
the patch (14.07 KB, patch)
2013-09-24 16:21 PDT, Filip Pizlo
mhahnenberg: review+

Description Jessie Berlin 2013-09-24 09:50:47 PDT
   1 com.apple.JavaScriptCore       0x10bb8906c WTFCrash + 0x4c
>  2 com.apple.JavaScriptCore       0x10ba90ab0 JSC::DFG::SpeculativeJIT::spill(JSC::VirtualRegister) + 0x240
   3 com.apple.JavaScriptCore       0x10bc1c237 JSC::DFG::GPRTemporary::GPRTemporary<JSC::DFG::SpeculateInt32Operand, JSC::DFG::SpeculateInt32Operand>(JSC::DFG::SpeculativeJIT*, JSC::DFG::ReuseTag, JSC::DFG::SpeculateInt32Operand&, JSC::DFG::SpeculateInt32Operand&) + 0x197
   4 com.apple.JavaScriptCore       0x10ba7af02 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node*) + 0x1662
   5 com.apple.JavaScriptCore       0x10bc0ef85 JSC::DFG::SpeculativeJIT::compileCurrentBlock() + 0x945
   6 com.apple.JavaScriptCore       0x10ba788c0 JSC::DFG::SpeculativeJIT::compile() + 0x70
   7 com.apple.JavaScriptCore       0x10bbed40e JSC::DFG::JITCompiler::compileFunction() + 0x22e
   8 com.apple.JavaScriptCore       0x10bc068aa JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) + 0x48a
   9 com.apple.JavaScriptCore       0x10bc0627f JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&) + 0xff
  10 com.apple.JavaScriptCore       0x10bc32b36 JSC::DFG::Worklist::runThread() + 0x106
  11 com.apple.JavaScriptCore       0x10b97a95f WTF::wtfThreadEntryPoint(void*) + 0xf
  12 libsystem_c.dylib              0x7fff936b1772 _pthread_start + 0x147
  13 libsystem_c.dylib              0x7fff9369e1a1 thread_start + 0xd

I am seeing this on ML with the single web process.

<rdar://problem/15066488>
Comment 1 Filip Pizlo 2013-09-24 16:21:23 PDT
Created attachment 212515
the patch
Comment 2 WebKit Commit Bot 2013-09-24 16:23:14 PDT
Attachment 212515 did not pass style-queue:

Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'LayoutTests/ChangeLog', u'LayoutTests/js/dfg-int52-spill-expected.txt', u'LayoutTests/js/dfg-int52-spill-trickier-expected.txt', u'LayoutTests/js/dfg-int52-spill-trickier.html', u'LayoutTests/js/dfg-int52-spill.html', u'LayoutTests/js/script-tests/dfg-int52-spill-trickier.js', u'LayoutTests/js/script-tests/dfg-int52-spill.js', u'Source/JavaScriptCore/ChangeLog', u'Source/JavaScriptCore/bytecode/ValueRecovery.h', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp', u'Tools/ChangeLog', u'Tools/Scripts/run-javascriptcore-tests']" exit_code: 1
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:516:  Weird number of spaces at line-start.  Are you using a 4-space indent?  [whitespace/indent] [3]
Total errors found: 1 in 13 files


If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 3 Mark Hahnenberg 2013-09-24 16:25:17 PDT
Comment on attachment 212515
the patch

r=me
Comment 4 Filip Pizlo 2013-09-24 16:26:50 PDT
Landed in http://trac.webkit.org/changeset/156371