We have to do the same as the EFL guys did in https://bugs.webkit.org/show_bug.cgi?id=131010
Created attachment 228266 [details] Patch
Comment on attachment 228266 [details] Patch Let's try it!
Comment on attachment 228266 [details] Patch Clearing flags on attachment: 228266 Committed r166583: <http://trac.webkit.org/changeset/166583>
All reviewed patches have been landed. Closing bug.
I'm experiencing very frequent crashes in the WebProcess since this landed.
Can you post a stack trace?
(In reply to comment #6)
> Can you post a stack trace?

Program received signal SIGSEGV, Segmentation fault.
0x00007fd97800877f in ?? ()
(gdb) bt
#0  0x00007fd97800877f in ?? ()
#1  0x00007fd9d2550110 in ?? () from /opt/checkout/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-3.0.so.25
#2  0x00007fd9d254ddb0 in ?? () from /opt/checkout/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-3.0.so.25
#3  0x00007fd9d254e350 in ?? () from /opt/checkout/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-3.0.so.25
#4  0x00007fd95d0b9930 in ?? ()
#5  0x0000000000000005 in ?? ()
#6  0x00007fd95d0b9900 in ?? ()
#7  0x00007fd95d142b40 in ?? ()
#8  0x00007fd9d051432e in WebCore::ElementRuleCollector::collectMatchingRulesForList(WTF::Vector<WebCore::RuleData, 0ul, WTF::CrashOnOverflow> const*, WebCore::MatchRequest const&, WebCore::StyleResolver::RuleRange&) () from /opt/checkout/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-3.0.so.25
#9  0x00007fd9d0514d6b in WebCore::ElementRuleCollector::collectMatchingRules(WebCore::MatchRequest const&, WebCore::StyleResolver::RuleRange&) () from /opt/checkout/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-3.0.so.25
#10 0x00007fd9d05152c0 in WebCore::ElementRuleCollector::matchUARules(WebCore::RuleSet*) () from /opt/checkout/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-3.0.so.25
#11 0x00007fd9d0515326 in WebCore::ElementRuleCollector::matchUARules() () from /opt/checkout/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-3.0.so.25
#12 0x00007fd9d051538d in WebCore::ElementRuleCollector::matchAllRules(bool, bool) () from /opt/checkout/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-3.0.so.25
#13 0x00007fd9d055615d in WebCore::StyleResolver::styleForElement(WebCore::Element*, WebCore::RenderStyle*, WebCore::StyleSharingBehavior, WebCore::RuleMatchingBehavior, WebCore::RenderRegion*) () from /opt/checkout/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-3.0.so.25
#14 0x00007fd9d0dac4f0 in WebCore::Style::styleForElement(WebCore::Element&, WebCore::ContainerNode&) () from /opt/checkout/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-3.0.so.25
#15 0x00007fd9d0dace18 in WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::ContainerNode&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) () from /opt/checkout/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-3.0.so.25
#16 0x00007fd9d0dacf49 in WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::ContainerNode&, WebCore::Style::RenderTreePosition&) () from /opt/checkout/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-3.0.so.25
#17 0x00007fd9d0dac99c in WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::ContainerNode&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) () from /opt/checkout/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-3.0.so.25
#18 0x00007fd9d0dacf49 in WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::ContainerNode&, WebCore::Style::RenderTreePosition&) () from /opt/checkout/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-3.0.so.25
#19 0x00007fd9d0dac99c in WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::ContainerNode&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) () from /opt/checkout/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-3.0.so.25
#20 0x00007fd9d0dacf49 in WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::ContainerNode&, WebCore::Style::RenderTreePosition&) () from /opt/checkout/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-3.0.so.25
#21 0x00007fd9d0dac99c in WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::ContainerNode&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) () from /opt/checkout/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-3.0.so.25
#22 0x00007fd9d0dacf49 in WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::ContainerNode&, WebCore::Style::RenderTreePosition&) () from /opt/checkout/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-3.0.so.25
#23 0x00007fd9d0dac99c in WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::ContainerNode&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) () from /opt/checkout/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-3.0.so.25
#24 0x00007fd9d0dacf49 in WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::ContainerNode&, WebCore::Style::RenderTreePosition&) () from /opt/checkout/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-3.0.so.25
#25 0x00007fd9d0dac99c in WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::ContainerNode&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) () from /opt/checkout/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-3.0.so.25
#26 0x00007fd9d0dad657 in WebCore::Style::resolveTree(WebCore::Element&, WebCore::ContainerNode&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) () from /opt/checkout/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-3.0.so.25
#27 0x00007fd9d0dad44a in WebCore::Style::resolveTree(WebCore::Element&, WebCore::ContainerNode&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) () from /opt/checkout/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-3.0.so.25
#28 0x00007fd9d0dae6f0 in WebCore::Style::resolveTree(WebCore::Document&, WebCore::Style::Change) () from /opt/checkout/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-3.0.so.25
#29 0x00007fd9d0599168 in WebCore::Document::recalcStyle(WebCore::Style::Change) () from /opt/checkout/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-3.0.so.25
#30 0x00007fd9d05996c7 in WebCore::Document::updateStyleIfNeeded() () from /opt/checkout/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-3.0.so.25
#31 0x00007fd9d05997cb in WebCore::Document::updateLayout() () from /opt/checkout/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-3.0.so.25
#32 0x00007fd9d059a523 in WebCore::Document::updateLayoutIgnorePendingStylesheets() () from /opt/checkout/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-3.0.so.25
#33 0x00007fd9d05bc039 in WebCore::Element::offsetHeight() () from /opt/checkout/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-3.0.so.25
#34 0x00007fd9d11f7f54 in WebCore::jsElementOffsetHeight(JSC::ExecState*, JSC::JSObject*, long, JSC::PropertyName) () from /opt/checkout/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-3.0.so.25
#35 0x00007fd9d283aedb in JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const () from /opt/checkout/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-3.0.so.0
#36 0x00007fd9d2ba6769 in llint_slow_path_get_by_id () from /opt/checkout/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-3.0.so.0
#37 0x00007fd9d2bb16bc in llint_op_get_by_id () from /opt/checkout/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-3.0.so.0
Bots are also reporting crashes when running layout tests
Re-opened since this is blocked by bug 131040
Damn, that is odd. Can you find which libraries are at the missing addresses? The backtrace does not make much sense to me, the compiled code should only ever reenter WebKit. Could you please set CSS_SELECTOR_JIT_DEBUGGING to 1 in SelectorCompiler.cpp, run the test again, and attach the output here?
A couple of backtraces obtained with a release build (Debug builds do not crash):

Program received signal SIGSEGV, Segmentation fault.
WebCore::SelectorCompiler::attributeValueMatchHyphenRule<(WebCore::SelectorCompiler::CaseSensitivity)0> (attribute=0x7ffff7e29a88, expectedString=0xf7e29a88) at ../../Source/WebCore/cssjit/SelectorCompiler.cpp:1247
1247        if (valueImpl.length() < expectedString->length())
(gdb) bt
#0  WebCore::SelectorCompiler::attributeValueMatchHyphenRule<(WebCore::SelectorCompiler::CaseSensitivity)0> (attribute=0x7ffff7e29a88, expectedString=0xf7e29a88) at ../../Source/WebCore/cssjit/SelectorCompiler.cpp:1247
#1  0x00007fff9bfff34e in ?? ()
#2  0x0000000000bdcdd8 in ?? ()
#3  0x00007ffff740e670 in ?? () from /home/sergio/checkout/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-3.0.so.25
#4  0x00007ffff74099d0 in ?? () from /home/sergio/checkout/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-3.0.so.25

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fff9b7fc700 (LWP 25709)]
0x00007ffff54256b1 in attributeValueMatchHyphenRule<(WebCore::SelectorCompiler::CaseSensitivity)0> () from /home/sergio/checkout/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-3.0.so.25
(gdb) bt
#0  0x00007ffff54256b1 in attributeValueMatchHyphenRule<(WebCore::SelectorCompiler::CaseSensitivity)0> () from /home/sergio/checkout/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-3.0.so.25
#1  0x00007fff9bfff34e in ?? ()
#2  0x0000000000d49678 in ?? ()
#3  0x00007ffff740e670 in ?? () from /home/sergio/checkout/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-3.0.so.25
#4  0x00007ffff74099d0 in ?? () from /home/sergio/checkout/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-3.0.so.25
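For readers following the crash site above: the faulting line 1247 is the length guard at the top of the `[attr|=value]` "hyphen rule" matcher, i.e. the first place `expectedString` is dereferenced, so a bad pointer handed over by the JIT-generated caller faults right there. The following is an added, stand-alone re-implementation of that rule's semantics (not WebKit's own code; `std::string` stands in for `AtomicStringImpl`, and the `CaseSensitivity` enum and helper names are assumptions):

```cpp
// Added example, not WebKit code: semantics of the CSS [attr|=expected]
// hyphen rule as implemented by SelectorCompiler::attributeValueMatchHyphenRule.
// The match succeeds when the attribute value equals `expected`, or starts
// with `expected` immediately followed by '-'. For example, [lang|=en]
// matches lang="en" and lang="en-US" but not lang="english".
#include <cctype>
#include <string>

// Mirrors the template parameter on the crashing frame:
// CaseSensitivity(0) is the case-sensitive instantiation.
enum class CaseSensitivity { CaseSensitive = 0, CaseInsensitive = 1 };

// Equivalent of the guard on SelectorCompiler.cpp:1247. A value shorter than
// the expected prefix can never match, so we bail before comparing characters.
static bool valueTooShort(const std::string& value, const std::string& expected)
{
    return value.length() < expected.length();
}

static bool charsEqual(char a, char b, CaseSensitivity sensitivity)
{
    if (sensitivity == CaseSensitivity::CaseInsensitive)
        return std::tolower(static_cast<unsigned char>(a)) == std::tolower(static_cast<unsigned char>(b));
    return a == b;
}

bool attributeValueMatchHyphenRule(const std::string& value,
                                   const std::string& expected,
                                   CaseSensitivity sensitivity)
{
    if (valueTooShort(value, expected))
        return false;

    // The expected string must be a (possibly case-folded) prefix of the value.
    for (size_t i = 0; i < expected.length(); ++i) {
        if (!charsEqual(value[i], expected[i], sensitivity))
            return false;
    }

    // Either an exact match, or the prefix is delimited by a hyphen.
    return value.length() == expected.length() || value[expected.length()] == '-';
}
```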
Created attachment 228378 [details] CSS JIT output
(In reply to comment #12)
> Created an attachment (id=228378) [details]
> CSS JIT output

Thanks for the debugging info. From the generated code you attached, it looks like the code generation for function calls has a bug. I believe https://bugs.webkit.org/show_bug.cgi?id=131129 should address the issue (if not, it should at least crash at compile time and provide us more information). Can you please try again with r166666 applied?
Created attachment 228490 [details] Patch
Comment on attachment 228490 [details] Patch Go go go
Comment on attachment 228490 [details] Patch Clearing flags on attachment: 228490 Committed r166708: <http://trac.webkit.org/changeset/166708>