128054 – Crash in JSC::ArrayProfile::computeUpdatedPrediction(JSC::ConcurrentJITLocker const&, JSC::CodeBlock*)

CLOSED FIXED 128054

Crash in JSC::ArrayProfile::computeUpdatedPrediction(JSC::ConcurrentJITLocker const&, JSC::CodeBlock*)

https://bugs.webkit.org/show_bug.cgi?id=128054

Summary Crash in JSC::ArrayProfile::computeUpdatedPrediction(JSC::ConcurrentJITLocker...

Dimitris Apostolou

Reported 2014-02-01 18:34:22 PST

Created attachment 222896 [details] Crash log r163227 Reproducibility: always Steps: 1. http://www.jorgexolalpa.com/ 2. Hover mouse on any of the link titles on the top left. What happened: 2. Crash. Thread 8 Crashed:: JSC Compilation Thread 0 com.apple.JavaScriptCore 0x00000001054eb5d4 JSC::ArrayProfile::computeUpdatedPrediction(JSC::ConcurrentJITLocker const&, JSC::CodeBlock*) + 4 1 com.apple.JavaScriptCore 0x00000001055564c7 JSC::DFG::ByteCodeParser::handleIntrinsic(int, JSC::Intrinsic, int, int, unsigned int) + 535 2 com.apple.JavaScriptCore 0x0000000105555bc1 JSC::DFG::ByteCodeParser::handleCall(int, JSC::DFG::NodeType, JSC::CodeSpecializationKind, unsigned int, int, int, int) + 657 3 com.apple.JavaScriptCore 0x000000010555dd93 JSC::DFG::ByteCodeParser::parseBlock(unsigned int) + 19107 4 com.apple.JavaScriptCore 0x000000010555846b JSC::DFG::ByteCodeParser::parseCodeBlock() + 1867 5 com.apple.JavaScriptCore 0x00000001055577bc JSC::DFG::ByteCodeParser::handleInlining(JSC::DFG::Node*, int, JSC::CallLinkStatus const&, int, int, unsigned int, JSC::CodeSpecializationKind) + 1276 6 com.apple.JavaScriptCore 0x0000000105555c98 JSC::DFG::ByteCodeParser::handleCall(int, JSC::DFG::NodeType, JSC::CodeSpecializationKind, unsigned int, int, int, int) + 872 7 com.apple.JavaScriptCore 0x000000010555c206 JSC::DFG::ByteCodeParser::parseBlock(unsigned int) + 12054 8 com.apple.JavaScriptCore 0x000000010555846b JSC::DFG::ByteCodeParser::parseCodeBlock() + 1867 9 com.apple.JavaScriptCore 0x00000001055628e4 JSC::DFG::ByteCodeParser::parse() + 628 10 com.apple.JavaScriptCore 0x00000001055629f9 JSC::DFG::parse(JSC::DFG::Graph&) + 41 11 com.apple.JavaScriptCore 0x00000001055cd993 JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) + 211 12 com.apple.JavaScriptCore 0x00000001055cd6dd JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&) + 269 13 com.apple.JavaScriptCore 0x00000001056449db JSC::DFG::Worklist::runThread() + 539 14 com.apple.JavaScriptCore 0x00000001058ea57f WTF::wtfThreadEntryPoint(void*) + 15 15 libsystem_pthread.dylib 0x00007fff972bf899 _pthread_body + 138 16 libsystem_pthread.dylib 0x00007fff972bf72a _pthread_start + 137 17 libsystem_pthread.dylib 0x00007fff972c3fc9 thread_start + 13 Expected result: Webkit does not crash.

Attachments
Crash log (56.41 KB, application/octet-stream) 2014-02-01 18:34 PST, Dimitris Apostolou	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Dimitris Apostolou

Comment 1 2014-02-05 23:55:01 PST

Fixed with r163498

Note You need to log in before you can comment on or make changes to this bug.

Status CLOSED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware Mac (Intel)

OS OS X 10.9

Product WebKit

Component JavaScriptCore

Assignee

Nobody

Reported

2014-02-01 18:34 PST

Modified

2014-02-05 23:55 PST History

CC List

0 users

URL

http://www.jorgexolalpa.com/

Keywords

Depends on

Blocks