Bug 135822 - RESOLVED WORKSFORME
REGRESSION: Web Inspector crashes in JSC::repatchCall under requestAnimationFrame when capturing an execution
https://bugs.webkit.org/show_bug.cgi?id=135822
Brian Burg
Reported 2014-08-11 17:30:29 PDT
Steps to reproduce:
1. Use an engineering build which has WEB_REPLAY enabled.
2. Navigate to the page.
3. Open the web inspector.
4. Open the timelines sidebar panel.
5. Right-click on the navigation bar and select "Show Replay Controls".
6. Press the recording button (centered).

After recording for a few (5-10) seconds, the inspector crashes. This is very reproducible on this page. I am currently trying to narrow down the reproduction steps, as it is probably triggered by the timelines overview, not anything specific to WEB_REPLAY. I will update this bug if a debug build/lldb hits any useful asserts.

Stack trace:
1  0x1119bba6a JSC::repatchCall(JSC::RepatchBuffer&, JSC::CodeLocationCall, JSC::FunctionPtr)
2  0x1119ba7e8 JSC::repatchIn(JSC::ExecState*, JSC::JSCell*, JSC::Identifier const&, bool, JSC::PropertySlot const&, JSC::StructureStubInfo&)
3  0x11181efa9 operationInOptimize
4  0x3b491b3df194
5  0x1118f64f9 callToJavaScript
6  0x111803093 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
7  0x1117e86ea JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
8  0x1115cc55e JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
9  0x1117b1f39 JSC::callGetter(JSC::ExecState*, JSC::JSValue, JSC::JSValue)
10 0x11181ddcd operationGetById
11 0x3b491b416934
12 0x3b491b45ae57
13 0x3b491b492882
14 0x3b491b48e66e
15 0x3b491b36a8c7
16 0x1118f64f9 callToJavaScript
17 0x111803093 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
18 0x1117e86ea JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
19 0x1115cc55e JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
20 0x11184c33b JSC::boundFunctionCall(JSC::ExecState*)
21 0x1118f6697 callToNativeFunction
22 0x1117e8730 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
23 0x1115cc5af JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, JSC::JSValue*)
24 0x11235ab14 WebCore::JSCallbackData::invokeCallback(JSC::JSValue, JSC::MarkedArgumentBuffer&, bool*)
25 0x1125491cf WebCore::JSRequestAnimationFrameCallback::handleEvent(double)
26 0x11292e387 WebCore::ScriptedAnimationController::serviceScriptedAnimations(double)
27 0x111fda27b WebCore::DisplayRefreshMonitor::displayDidRefresh()
28 0x111a50b94 WTF::dispatchFunctionsFromMainThread()
29 0x7fff9390d13e __NSThreadPerformPerform
30 0x7fff96b0e5b1 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__
31 0x7fff96affc62 __CFRunLoopDoSources0
Radar WebKit Bug Importer
Comment 1 2014-08-12 03:02:03 PDT
Brian Burg
Comment 2 2014-08-21 11:54:43 PDT
Seems to not reproduce anymore. It may have been related to msaboff's fix yesterday.