Bug 134912 (Status: NEW)
[GTK] [Stable] [Debug] Asserts in cnn.com, nytimes.com, sfgate.com and others
https://bugs.webkit.org/show_bug.cgi?id=134912
Gary Kratkin
Reported 2014-07-14 16:46:04 PDT
When loading any of cnn.com, nytimes.com, sfgate.com, debug builds of WebKitGtk 2.4.4 assert at DFGSpeculativeJIT.cpp:113:

ASSERT(m_isCheckingArgumentTypes || m_canExit);

The stack is always the same:

0 WTFCrash Assertions.cpp 333 0x7ffff0f441db
1 JSC::DFG::SpeculativeJIT::speculationCheck DFGSpeculativeJIT.cpp 113 0x7ffff0c1377c
2 JSC::DFG::SpeculativeJIT::compileMakeRope DFGSpeculativeJIT.cpp 2753 0x7ffff0c1fa62
3 JSC::DFG::SpeculativeJIT::compile DFGSpeculativeJIT64.cpp 2427 0x7ffff0be9a82
4 JSC::DFG::SpeculativeJIT::compileCurrentBlock DFGSpeculativeJIT.cpp 1431 0x7ffff0c193d3
5 JSC::DFG::SpeculativeJIT::compile DFGSpeculativeJIT.cpp 1543 0x7ffff0c1998c
6 JSC::DFG::JITCompiler::compileBody DFGJITCompiler.cpp 111 0x7ffff0b87adc
7 JSC::DFG::JITCompiler::compileFunction DFGJITCompiler.cpp 336 0x7ffff0b8930c
8 JSC::DFG::Plan::compileInThreadImpl DFGPlan.cpp 251 0x7ffff0bda49c
9 JSC::DFG::Plan::compileInThread DFGPlan.cpp 125 0x7ffff0bd9d6a
10 JSC::DFG::compileImpl DFGDriver.cpp 108 0x7ffff0b5e7d0
11 JSC::DFG::compile DFGDriver.cpp 127 0x7ffff0b5e86b
12 JSC::operationOptimize JITOperations.cpp 1148 0x7ffff0d05c44
13 ?? 0x7fffa832d701
14 ?? 0x7fffa82e68e0
15 ?? 0x5628b0
16 ?? 0x1afd880
17 ?? 0x1b25fd0
18 ?? 0x1cf4dc0
19 WebCore::JSDOMWindowBase::supportsProfiling JSDOMWindowBase.cpp 121 0x7ffff3b2f74c
20 ?? 0x7fffffffcad0
21 JSC::JITCode::execute JITCode.cpp 48 0x7ffff0cf2164

Alberto Garcia (berto@iglalia.org) bisected the problem and says it looks like a regression caused by http://trac.webkit.org/changeset/168295 (itself a merge of http://trac.webkit.org/changeset/167336).
Alberto Garcia
Comment 1 2014-07-15 00:48:35 PDT
Interestingly, the revision immediately before that one (r168285) also asserts. This happens when browsing nytimes.com:

ASSERTION FAILED: !currBox->needsLayout()
../../Source/WebCore/rendering/RenderBlock.cpp(5506) : void WebCore::RenderBlock::checkPositionedObjectsNeedLayout()
1 0x7ffe343f5422 WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0(WTFCrash+0x1e) [0x7ffe343f5422]
2 0x7ffe36e1ccf8 WebKitBuild/Debug/.libs/libwebkitgtk-3.0.so.0(_ZN7WebCore11RenderBlock32checkPositionedObjectsNeedLayoutEv+0xaa) [0x7ffe36e1ccf8]
3 0x7ffe36f6db1c WebKitBuild/Debug/.libs/libwebkitgtk-3.0.so.0(_ZN7WebCore12RenderObject37checkBlockPositionedObjectsNeedLayoutEv+0x64) [0x7ffe36f6db1c]
4 0x7ffe36f6d67f WebKitBuild/Debug/.libs/libwebkitgtk-3.0.so.0(_ZN7WebCore12RenderObject16clearNeedsLayoutEv+0xab) [0x7ffe36f6d67f]
5 0x7ffe36e393a1 WebKitBuild/Debug/.libs/libwebkitgtk-3.0.so.0(_ZN7WebCore15RenderBlockFlow11layoutBlockEbNS_10LayoutUnitE+0xd6f) [0x7ffe36e393a1]
6 0x7ffe36e083d5 WebKitBuild/Debug/.libs/libwebkitgtk-3.0.so.0(_ZN7WebCore11RenderBlock6layoutEv+0x77) [0x7ffe36e083d5]
7 0x7ffe36fd07d9 WebKitBuild/Debug/.libs/libwebkitgtk-3.0.so.0(_ZN7WebCore10RenderView13layoutContentERKNS_11LayoutStateE+0x53) [0x7ffe36fd07d9]
8 0x7ffe36fd1457 WebKitBuild/Debug/.libs/libwebkitgtk-3.0.so.0(_ZN7WebCore10RenderView6layoutEv+0x485) [0x7ffe36fd1457]
9 0x7ffe36d39a57 WebKitBuild/Debug/.libs/libwebkitgtk-3.0.so.0(_ZN7WebCore9FrameView6layoutEb+0xc63) [0x7ffe36d39a57]
10 0x7ffe36757a66 WebKitBuild/Debug/.libs/libwebkitgtk-3.0.so.0(_ZN7WebCore8Document12updateLayoutEv+0x15c) [0x7ffe36757a66]
11 0x7ffe36757b4f WebKitBuild/Debug/.libs/libwebkitgtk-3.0.so.0(_ZN7WebCore8Document36updateLayoutIgnorePendingStylesheetsEv+0xcf) [0x7ffe36757b4f]
12 0x7ffe367afbe3 WebKitBuild/Debug/.libs/libwebkitgtk-3.0.so.0(_ZN7WebCore7Element11offsetWidthEv+0x21) [0x7ffe367afbe3]
13 0x7ffe3723e99b WebKitBuild/Debug/.libs/libwebkitgtk-3.0.so.0(_ZN7WebCore20jsElementOffsetWidthEPN3JSC9ExecStateEllNS0_12PropertyNameE+0x61) [0x7ffe3723e99b]
14 0x7ffe33eaecf2 WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0(_ZNK3JSC12PropertySlot8getValueEPNS_9ExecStateENS_12PropertyNameE+0x12e) [0x7ffe33eaecf2]
15 0x7ffe3405ace8 WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0(_ZNK3JSC7JSValue3getEPNS_9ExecStateENS_12PropertyNameERNS_12PropertySlotE+0xf8) [0x7ffe3405ace8]
16 0x7ffe341dfac8 WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0(+0xb6eac8) [0x7ffe341dfac8]
17 0x7ffe341e9c2d WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0(+0xb78c2d) [0x7ffe341e9c2d]
ChangSeok Oh
Comment 2 2014-10-15 01:06:45 PDT
Same here. The crash on cnn.com happens on webkitgtk-2.4.5 as well
ChangSeok Oh
Comment 3 2014-10-15 01:07:37 PDT
(In reply to comment #2)
> Same here. The crash on cnn.com happens on webkitgtk-2.4.5 as well

Program received signal SIGSEGV, Segmentation fault.
0x00007f3044532c8b in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:333
333	    *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007f3044532c8b in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:333
#1  0x00007f304421364d in JSC::DFG::SpeculativeJIT::speculationCheck (this=0x1845890, kind=JSC::Uncountable, jsValueSource=..., node=0x0, jumpToFail=...) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:113
#2  0x00007f304421f8ef in JSC::DFG::SpeculativeJIT::compileMakeRope (this=0x1845890, node=0x7f2fd8231f00) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2753
#3  0x00007f30441e9b72 in JSC::DFG::SpeculativeJIT::compile (this=0x1845890, node=0x7f2fd8231f00) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:2427
#4  0x00007f3044219222 in JSC::DFG::SpeculativeJIT::compileCurrentBlock (this=0x1845890) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1431
#5  0x00007f30442197d2 in JSC::DFG::SpeculativeJIT::compile (this=0x1845890) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1543
#6  0x00007f3044188250 in JSC::DFG::JITCompiler::compileBody (this=0x7fff7894b060) at ../../Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:111
#7  0x00007f3044189a9b in JSC::DFG::JITCompiler::compileFunction (this=0x7fff7894b060) at ../../Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:336
#8  0x00007f30441da5f4 in JSC::DFG::Plan::compileInThreadImpl (this=0x18413a0, longLivedState=...) at ../../Source/JavaScriptCore/dfg/DFGPlan.cpp:251
#9  0x00007f30441d9ec0 in JSC::DFG::Plan::compileInThread (this=0x18413a0, longLivedState=...) at ../../Source/JavaScriptCore/dfg/DFGPlan.cpp:125
#10 0x00007f304415f398 in JSC::DFG::compileImpl (vm=..., codeBlock=0x18337a0, mode=JSC::DFG::DFGMode, osrEntryBytecodeIndex=0, mustHandleValues=..., callback=..., worklist=0x0) at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:108
#11 0x00007f304415f430 in JSC::DFG::compile (vm=..., codeBlock=0x18337a0, mode=JSC::DFG::DFGMode, osrEntryBytecodeIndex=0, mustHandleValues=..., passedCallback=..., worklist=0x0) at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:127
#12 0x00007f3044303f84 in JSC::operationOptimize (exec=0x7f2fda7fcc90, bytecodeIndex=0) at ../../Source/JavaScriptCore/jit/JITOperations.cpp:1148
#13 0x00007f2ff4239700 in ?? ()
#14 0x00007f2ff41f8920 in ?? ()
#15 0x0000000000d99b70 in ?? ()
#16 0x0000000001376f10 in ?? ()
#17 0x00000000017aeb30 in ?? ()
#18 0x00000000007d00b0 in ?? ()
#19 0x0000000000000000 in ?? ()