Bug 135822 - REGRESSION: Web Inspector crashes in JSC::repatchCall under requestAnimationFrame when capturing an execution
Status: RESOLVED WORKSFORME
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Mark Lam
URL: http://www.nihilogic.dk/labs/tetris/
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2014-08-11 17:30 PDT by Brian Burg
Modified: 2014-08-21 11:54 PDT
CC List: 7 users

See Also:


Description Brian Burg 2014-08-11 17:30:29 PDT
Steps to reproduce:

1. Use an engineering build which has WEB_REPLAY enabled.
2. Navigate to the page
3. Open the web inspector
4. Open the timelines sidebar panel
5. Right-click on the navigation bar and select "Show Replay Controls"
6. Press the recording button (centered)

After recording for a few (5-10) seconds, the inspector crashes.

This is very reproducible on this page. I am currently trying to narrow down the reproduction steps, as it is probably triggered by the timelines overview, not anything specific to WEB_REPLAY. I will update this bug if a debug build/lldb hits any useful asserts.

Stack trace:

1   0x1119bba6a JSC::repatchCall(JSC::RepatchBuffer&, JSC::CodeLocationCall, JSC::FunctionPtr)
2   0x1119ba7e8 JSC::repatchIn(JSC::ExecState*, JSC::JSCell*, JSC::Identifier const&, bool, JSC::PropertySlot const&, JSC::StructureStubInfo&)
3   0x11181efa9 operationInOptimize
4   0x3b491b3df194
5   0x1118f64f9 callToJavaScript
6   0x111803093 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
7   0x1117e86ea JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
8   0x1115cc55e JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
9   0x1117b1f39 JSC::callGetter(JSC::ExecState*, JSC::JSValue, JSC::JSValue)
10  0x11181ddcd operationGetById
11  0x3b491b416934
12  0x3b491b45ae57
13  0x3b491b492882
14  0x3b491b48e66e
15  0x3b491b36a8c7
16  0x1118f64f9 callToJavaScript
17  0x111803093 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
18  0x1117e86ea JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
19  0x1115cc55e JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
20  0x11184c33b JSC::boundFunctionCall(JSC::ExecState*)
21  0x1118f6697 callToNativeFunction
22  0x1117e8730 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
23  0x1115cc5af JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, JSC::JSValue*)
24  0x11235ab14 WebCore::JSCallbackData::invokeCallback(JSC::JSValue, JSC::MarkedArgumentBuffer&, bool*)
25  0x1125491cf WebCore::JSRequestAnimationFrameCallback::handleEvent(double)
26  0x11292e387 WebCore::ScriptedAnimationController::serviceScriptedAnimations(double)
27  0x111fda27b WebCore::DisplayRefreshMonitor::displayDidRefresh()
28  0x111a50b94 WTF::dispatchFunctionsFromMainThread()
29  0x7fff9390d13e __NSThreadPerformPerform
30  0x7fff96b0e5b1 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__
31  0x7fff96affc62 __CFRunLoopDoSources0
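To make the frames in the trace easier to read, here is an added example with the same call shape. It is not the reporter's code and not the Tetris page's code, and it is not claimed to reproduce the crash on the affected build; it only shows which JavaScript constructs produce each symbolicated frame: a requestAnimationFrame callback created with Function.prototype.bind (JSC::boundFunctionCall), which reads an accessor property (operationGetById then JSC::callGetter), whose getter runs the `in` operator in a hot loop (operationInOptimize, the inline-cache patch that ends in JSC::repatchIn / JSC::repatchCall). The frames in the trace that have no symbol (0x3b49...) are JIT-compiled code. The board layout, frame count and the timer fallback for non-browser runtimes are assumptions made for this example.

```javascript
'use strict';

// Constructed board: keys "x,y" for occupied cells, on a null-prototype
// object so `key in board` is a plain own-property test with no prototype walk.
function makeBoard(width, height, filledRows) {
  const board = Object.create(null);
  for (let y = height - filledRows; y < height; y++) {
    for (let x = 0; x < width; x++) {
      board[x + ',' + y] = 1;
    }
  }
  return board;
}

// Game state with an accessor property. Reading `state.occupied` from JIT
// code is the operationGetById -> JSC::callGetter step in the trace, and the
// `in` inside the getter is the operation that reaches operationInOptimize
// once it has run often enough to be given an inline cache.
function makeGame(width, height, filledRows) {
  return {
    width,
    height,
    board: makeBoard(width, height, filledRows),
    frames: 0,
    get occupied() {
      let n = 0;
      for (let y = 0; y < this.height; y++) {
        for (let x = 0; x < this.width; x++) {
          if ((x + ',' + y) in this.board) n++; // both hit and miss paths run
        }
      }
      return n;
    },
  };
}

// One frame of work; returns the occupied-cell count so it can be checked.
function tick(state) {
  state.frames += 1;
  return state.occupied;
}

// requestAnimationFrame exists only in a browser; elsewhere fall back to a
// timer so the file still runs (assumption: 16 ms stands in for one frame).
const raf = typeof requestAnimationFrame === 'function'
  ? requestAnimationFrame
  : (cb) => setTimeout(() => cb(Date.now()), 16);

// The callback is created with Function.prototype.bind, which is why the
// trace shows JSC::boundFunctionCall between the rAF dispatch and the JIT
// frames. Runs maxFrames frames, then hands the last count to done().
function startLoop(state, maxFrames, done) {
  const step = function () {
    const n = tick(this);
    if (this.frames < maxFrames) raf(step);
    else done(n, this.frames);
  }.bind(state);
  raf(step);
}

// Stand-alone run (Node): 60 frames of the loop, then print the result.
if (typeof require !== 'undefined' && require.main === module) {
  startLoop(makeGame(10, 20, 4), 60, (n, f) =>
    console.log('frames=' + f + ' occupied=' + n));
}
```

In the browser the same file can be loaded on any page and `startLoop(makeGame(10, 20, 4), 600, console.log)` called from the console; with the inspector's timeline recording active that keeps a bound rAF callback, a getter and a hot `in` site live for ten seconds, which is the shape of the steps in the description.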
Comment 1 Radar WebKit Bug Importer 2014-08-12 03:02:03 PDT
<rdar://problem/17988544>
Comment 2 Brian Burg 2014-08-21 11:54:43 PDT
Seems to not reproduce anymore. It may have been related to msaboff's fix yesterday.