Bug 134912 - [GTK] [Stable] [Debug] Asserts in cnn.com, nytimes.com, sfgate.com and others
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Unspecified Linux
Importance: P2 Normal
Assignee: Nobody
URL: http://cnn.com
Keywords:
Depends on:
Blocks:
 
Reported: 2014-07-14 16:46 PDT by Gary Kratkin
Modified: 2017-03-11 10:56 PST
CC: 6 users

See Also:


Attachments

Description Gary Kratkin 2014-07-14 16:46:04 PDT
When loading any of cnn.com, nytimes.com or sfgate.com, debug builds of WebKitGtk 2.4.4 assert at DFGSpeculativeJIT.cpp:113:
    ASSERT(m_isCheckingArgumentTypes || m_canExit);

The stack is always the same:
0 WTFCrash Assertions.cpp 333 0x7ffff0f441db
1 JSC::DFG::SpeculativeJIT::speculationCheck DFGSpeculativeJIT.cpp 113 0x7ffff0c1377c
2 JSC::DFG::SpeculativeJIT::compileMakeRope DFGSpeculativeJIT.cpp 2753 0x7ffff0c1fa62
3 JSC::DFG::SpeculativeJIT::compile DFGSpeculativeJIT64.cpp 2427 0x7ffff0be9a82
4 JSC::DFG::SpeculativeJIT::compileCurrentBlock DFGSpeculativeJIT.cpp 1431 0x7ffff0c193d3
5 JSC::DFG::SpeculativeJIT::compile DFGSpeculativeJIT.cpp 1543 0x7ffff0c1998c
6 JSC::DFG::JITCompiler::compileBody DFGJITCompiler.cpp 111 0x7ffff0b87adc
7 JSC::DFG::JITCompiler::compileFunction DFGJITCompiler.cpp 336 0x7ffff0b8930c
8 JSC::DFG::Plan::compileInThreadImpl DFGPlan.cpp 251 0x7ffff0bda49c
9 JSC::DFG::Plan::compileInThread DFGPlan.cpp 125 0x7ffff0bd9d6a
10 JSC::DFG::compileImpl DFGDriver.cpp 108 0x7ffff0b5e7d0
11 JSC::DFG::compile DFGDriver.cpp 127 0x7ffff0b5e86b
12 JSC::operationOptimize JITOperations.cpp 1148 0x7ffff0d05c44
13 ?? 0x7fffa832d701
14 ?? 0x7fffa82e68e0
15 ?? 0x5628b0
16 ?? 0x1afd880
17 ?? 0x1b25fd0
18 ?? 0x1cf4dc0
19 WebCore::JSDOMWindowBase::supportsProfiling JSDOMWindowBase.cpp 121 0x7ffff3b2f74c
20 ?? 0x7fffffffcad0
21 JSC::JITCode::execute JITCode.cpp 48 0x7ffff0cf2164

Alberto Garcia (berto@iglalia.org) bisected the problem and says it looks like a regression caused by http://trac.webkit.org/changeset/168295 (itself a merge of http://trac.webkit.org/changeset/167336).
Comment 1 Alberto Garcia 2014-07-15 00:48:35 PDT
Interestingly, the revision immediately before that one (r168285) also asserts. This happens when browsing nytimes.com:

ASSERTION FAILED: !currBox->needsLayout()
../../Source/WebCore/rendering/RenderBlock.cpp(5506) : void WebCore::RenderBlock::checkPositionedObjectsNeedLayout()
1   0x7ffe343f5422 WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0(WTFCrash+0x1e) [0x7ffe343f5422]
2   0x7ffe36e1ccf8 WebKitBuild/Debug/.libs/libwebkitgtk-3.0.so.0(_ZN7WebCore11RenderBlock32checkPositionedObjectsNeedLayoutEv+0xaa) [0x7ffe36e1ccf8]
3   0x7ffe36f6db1c WebKitBuild/Debug/.libs/libwebkitgtk-3.0.so.0(_ZN7WebCore12RenderObject37checkBlockPositionedObjectsNeedLayoutEv+0x64) [0x7ffe36f6db1c]
4   0x7ffe36f6d67f WebKitBuild/Debug/.libs/libwebkitgtk-3.0.so.0(_ZN7WebCore12RenderObject16clearNeedsLayoutEv+0xab) [0x7ffe36f6d67f]
5   0x7ffe36e393a1 WebKitBuild/Debug/.libs/libwebkitgtk-3.0.so.0(_ZN7WebCore15RenderBlockFlow11layoutBlockEbNS_10LayoutUnitE+0xd6f) [0x7ffe36e393a1]
6   0x7ffe36e083d5 WebKitBuild/Debug/.libs/libwebkitgtk-3.0.so.0(_ZN7WebCore11RenderBlock6layoutEv+0x77) [0x7ffe36e083d5]
7   0x7ffe36fd07d9 WebKitBuild/Debug/.libs/libwebkitgtk-3.0.so.0(_ZN7WebCore10RenderView13layoutContentERKNS_11LayoutStateE+0x53) [0x7ffe36fd07d9]
8   0x7ffe36fd1457 WebKitBuild/Debug/.libs/libwebkitgtk-3.0.so.0(_ZN7WebCore10RenderView6layoutEv+0x485) [0x7ffe36fd1457]
9   0x7ffe36d39a57 WebKitBuild/Debug/.libs/libwebkitgtk-3.0.so.0(_ZN7WebCore9FrameView6layoutEb+0xc63) [0x7ffe36d39a57]
10  0x7ffe36757a66 WebKitBuild/Debug/.libs/libwebkitgtk-3.0.so.0(_ZN7WebCore8Document12updateLayoutEv+0x15c) [0x7ffe36757a66]
11  0x7ffe36757b4f WebKitBuild/Debug/.libs/libwebkitgtk-3.0.so.0(_ZN7WebCore8Document36updateLayoutIgnorePendingStylesheetsEv+0xcf) [0x7ffe36757b4f]
12  0x7ffe367afbe3 WebKitBuild/Debug/.libs/libwebkitgtk-3.0.so.0(_ZN7WebCore7Element11offsetWidthEv+0x21) [0x7ffe367afbe3]
13  0x7ffe3723e99b WebKitBuild/Debug/.libs/libwebkitgtk-3.0.so.0(_ZN7WebCore20jsElementOffsetWidthEPN3JSC9ExecStateEllNS0_12PropertyNameE+0x61) [0x7ffe3723e99b]
14  0x7ffe33eaecf2 WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0(_ZNK3JSC12PropertySlot8getValueEPNS_9ExecStateENS_12PropertyNameE+0x12e) [0x7ffe33eaecf2]
15  0x7ffe3405ace8 WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0(_ZNK3JSC7JSValue3getEPNS_9ExecStateENS_12PropertyNameERNS_12PropertySlotE+0xf8) [0x7ffe3405ace8]
16  0x7ffe341dfac8 WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0(+0xb6eac8) [0x7ffe341dfac8]
17  0x7ffe341e9c2d WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0(+0xb78c2d) [0x7ffe341e9c2d]
Comment 2 ChangSeok Oh 2014-10-15 01:06:45 PDT
Same here. The crash on cnn.com happens on webkitgtk-2.4.5 as well.
Comment 3 ChangSeok Oh 2014-10-15 01:07:37 PDT
(In reply to comment #2)
> Same here. The crash on cnn.com happens on webkitgtk-2.4.5 as well

Program received signal SIGSEGV, Segmentation fault.
0x00007f3044532c8b in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:333
333	    *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007f3044532c8b in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:333
#1  0x00007f304421364d in JSC::DFG::SpeculativeJIT::speculationCheck (this=0x1845890, 
    kind=JSC::Uncountable, jsValueSource=..., node=0x0, jumpToFail=...)
    at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:113
#2  0x00007f304421f8ef in JSC::DFG::SpeculativeJIT::compileMakeRope (this=0x1845890, 
    node=0x7f2fd8231f00) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2753
#3  0x00007f30441e9b72 in JSC::DFG::SpeculativeJIT::compile (this=0x1845890, 
    node=0x7f2fd8231f00)
    at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:2427
#4  0x00007f3044219222 in JSC::DFG::SpeculativeJIT::compileCurrentBlock (
    this=0x1845890) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1431
#5  0x00007f30442197d2 in JSC::DFG::SpeculativeJIT::compile (this=0x1845890)
    at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1543
#6  0x00007f3044188250 in JSC::DFG::JITCompiler::compileBody (this=0x7fff7894b060)
    at ../../Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:111
#7  0x00007f3044189a9b in JSC::DFG::JITCompiler::compileFunction (this=0x7fff7894b060)
    at ../../Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:336
#8  0x00007f30441da5f4 in JSC::DFG::Plan::compileInThreadImpl (this=0x18413a0, 
    longLivedState=...) at ../../Source/JavaScriptCore/dfg/DFGPlan.cpp:251
#9  0x00007f30441d9ec0 in JSC::DFG::Plan::compileInThread (this=0x18413a0, 
    longLivedState=...) at ../../Source/JavaScriptCore/dfg/DFGPlan.cpp:125
#10 0x00007f304415f398 in JSC::DFG::compileImpl (vm=..., codeBlock=0x18337a0, 
    mode=JSC::DFG::DFGMode, osrEntryBytecodeIndex=0, mustHandleValues=..., 
    callback=..., worklist=0x0) at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:108
#11 0x00007f304415f430 in JSC::DFG::compile (vm=..., codeBlock=0x18337a0, 
    mode=JSC::DFG::DFGMode, osrEntryBytecodeIndex=0, mustHandleValues=..., 
    passedCallback=..., worklist=0x0)
    at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:127
#12 0x00007f3044303f84 in JSC::operationOptimize (exec=0x7f2fda7fcc90, 
    bytecodeIndex=0) at ../../Source/JavaScriptCore/jit/JITOperations.cpp:1148
#13 0x00007f2ff4239700 in ?? ()
#14 0x00007f2ff41f8920 in ?? ()
#15 0x0000000000d99b70 in ?? ()
#16 0x0000000001376f10 in ?? ()
#17 0x00000000017aeb30 in ?? ()
#18 0x00000000007d00b0 in ?? ()
#19 0x0000000000000000 in ?? ()