141042 – BUILD REGRESSION: Release 180391; EXC_BAD_ACCESS Crash at JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq when page is redrawn.

Bug 141042 - BUILD REGRESSION: Release 180391; EXC_BAD_ACCESS Crash at JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq when page is redrawn.

Summary: BUILD REGRESSION: Release 180391; EXC_BAD_ACCESS Crash at JSC::FTL::LowerDFGT...

Status:	RESOLVED DUPLICATE of bug 139398

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Mac (Intel) OS X 10.10

Importance:	P1 Critical
Assignee:	Nobody

URL:
Keywords:

Depends on:
Blocks:

Reported:	2015-01-29 11:56 PST by Cody A. Taylor
Modified:	2015-04-27 11:02 PDT (History)
CC List:	0 users

See Also:

Attachments
Four Stack Traces (27.41 KB, application/octet-stream) 2015-01-29 11:56 PST, Cody A. Taylor	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Cody A. Taylor 2015-01-29 11:56:37 PST

Created attachment 245637 [details]
Four Stack Traces

Occurs on Safari version (at least) 8.0 to 8.0.2.

The crash is happening on a proprietary website, so I am unable to share the URL.

I am able to state that this is an Angular search/filter application. There are div boxes being 'hidden' or 'shown' as result of the filtering. Form types include input boxes, checkboxs, radio buttons, sliders, and select controls.

The application is being updated on any input with `lodash.throttle` every 500 ms. Increasing the time does not seem to make any difference.

Being multi-threaded I'm not sure how to track down the exact point of origin. However, this does appear on every stacktrace as the "Crashed Thread":

```
0   com.apple.JavaScriptCore      	0x00000001092e9f6e WTFCrash + 62
1   com.apple.JavaScriptCore      	0x000000010941f94d JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq() + 3485
2   com.apple.JavaScriptCore      	0x0000000109407dcd JSC::FTL::LowerDFGToLLVM::compileNode(unsigned int) + 3453
3   com.apple.JavaScriptCore      	0x0000000109406fe8 JSC::FTL::LowerDFGToLLVM::compileBlock(JSC::DFG::BasicBlock*) + 808
4   com.apple.JavaScriptCore      	0x0000000109406475 JSC::FTL::LowerDFGToLLVM::lower() + 3509
5   com.apple.JavaScriptCore      	0x00000001094056a9 JSC::FTL::lowerDFGToLLVM(JSC::FTL::State&) + 41
6   com.apple.JavaScriptCore      	0x00000001093b3ff6 JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) + 1398
7   com.apple.JavaScriptCore      	0x00000001093b381d JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*) + 493
8   com.apple.JavaScriptCore      	0x00000001093ed062 JSC::DFG::Worklist::runThread(JSC::DFG::ThreadData*) + 546
9   com.apple.JavaScriptCore      	0x00000001090eaa9f WTF::wtfThreadEntryPoint(void*) + 15
10  libsystem_pthread.dylib       	0x00007fff8d82b2fc _pthread_body + 131
11  libsystem_pthread.dylib       	0x00007fff8d82b279 _pthread_start + 176
12  libsystem_pthread.dylib       	0x00007fff8d8294b1 thread_start + 13
```

Any pointers are appreciated.

Comment 1 Cody A. Taylor 2015-01-29 12:29:42 PST

Note that the same thing is occurring with the latest nightly build: 'WebKit-SVN-r179336.dmg'.

Comment 2 Cody A. Taylor 2015-02-11 06:31:23 PST

Changeset http://trac.webkit.org/changeset/179882 fixes this problem, Closing.

*** This bug has been marked as a duplicate of bug 139398 ***

Comment 3 Cody A. Taylor 2015-03-26 20:02:43 PDT

I closed with a test of a nightly build at http://trac.webkit.org/changeset/179912 and there was no crashes.

I tested again when https://support.apple.com/en-us/HT204560 (Safari 8.0.4, http://trac.webkit.org/changeset/180391) and the application again crashes. The following is the crashing thread.

Thread 11 Crashed:: FTL Worklist Worker Thread
0   com.apple.JavaScriptCore      	0x0000000100de04be WTFCrash + 62
1   com.apple.JavaScriptCore      	0x0000000100f1610d JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq() + 3485
2   com.apple.JavaScriptCore      	0x0000000100efe58d JSC::FTL::LowerDFGToLLVM::compileNode(unsigned int) + 3453
3   com.apple.JavaScriptCore      	0x0000000100efd7a8 JSC::FTL::LowerDFGToLLVM::compileBlock(JSC::DFG::BasicBlock*) + 808
4   com.apple.JavaScriptCore      	0x0000000100efcc35 JSC::FTL::LowerDFGToLLVM::lower() + 3509
5   com.apple.JavaScriptCore      	0x0000000100efbe69 JSC::FTL::lowerDFGToLLVM(JSC::FTL::State&) + 41
6   com.apple.JavaScriptCore      	0x0000000100eaa736 JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) + 1398
7   com.apple.JavaScriptCore      	0x0000000100ea9f5d JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*) + 493
8   com.apple.JavaScriptCore      	0x0000000100ee3822 JSC::DFG::Worklist::runThread(JSC::DFG::ThreadData*) + 546
9   com.apple.JavaScriptCore      	0x0000000100be0c0f WTF::wtfThreadEntryPoint(void*) + 15
10  libsystem_pthread.dylib       	0x00007fff90832268 _pthread_body + 131
11  libsystem_pthread.dylib       	0x00007fff908321e5 _pthread_start + 176
12  libsystem_pthread.dylib       	0x00007fff9083041d thread_start + 13

Please provide some direction to help describe this issue better.

Comment 4 Cody A. Taylor 2015-03-27 07:37:27 PDT

Further, I have tested the nightly builds just before (http://trac.webkit.org/changeset/180379) and just after (http://trac.webkit.org/changeset/180413) the changeset for release 600.4.10 (http://trac.webkit.org/changeset/180391).

My manual tests pass with nightly builds at 180379 & 180413, but still experience a crash with Safari 8.0.4.

There is not any code changes that I suspect would cause this issue in this range, therefore I suspect this is a build-settings bug.

Lastly, the most recent nightly at changeset http://trac.webkit.org/changeset/182008 also seems to pass my manual tests.

Comment 5 Cody A. Taylor 2015-04-27 11:02:23 PDT

This should not have been re-opened. This was a failure of my understanding in SVN branching.

*** This bug has been marked as a duplicate of bug 139398 ***