Bug 143645 - Crash in JSC::DFG::SpeculativeJIT::fillSpeculateInt52(JSC::DFG::Edge, JSC::DataFormat)
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Macintosh Intel OS X 10.10
Importance: P2 Normal
Assignee: Nobody
Reported: 2015-04-12 09:30 PDT by Dieter Komendera
Modified: 2017-01-22 15:04 PST
CC: 3 users

crash report (83.74 KB, application/octet-stream)
2015-04-12 09:30 PDT, Dieter Komendera
crash report 2 (85.03 KB, application/octet-stream)
2015-04-12 09:31 PDT, Dieter Komendera

Description Dieter Komendera 2015-04-12 09:30:28 PDT
Created attachment 250607 [details]
crash report

I’ve had Safari’s “DFG Worklist Worker Thread” crash Safari (8.0.5 on 10.10.3) twice. The last time I was typing into a text field (ironically at bugreport.apple.com), losing my already typed text.

Thread 15 Crashed:: DFG Worklist Worker Thread
0   com.apple.JavaScriptCore      	0x00007fff8e9ed5fe WTFCrash + 62
1   com.apple.JavaScriptCore      	0x00007fff8ead5a08 JSC::DFG::SpeculativeJIT::fillSpeculateInt52(JSC::DFG::Edge, JSC::DataFormat) + 1944
2   com.apple.JavaScriptCore      	0x00007fff8e90ecd0 JSC::DFG::SpeculativeJIT::compileAdd(JSC::DFG::Node*) + 2720
3   com.apple.JavaScriptCore      	0x00007fff8e8ed59e JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node*) + 3694
4   com.apple.JavaScriptCore      	0x00007fff8eabcdc6 JSC::DFG::SpeculativeJIT::compileCurrentBlock() + 1302
5   com.apple.JavaScriptCore      	0x00007fff8e8ebea2 JSC::DFG::SpeculativeJIT::compile() + 114
6   com.apple.JavaScriptCore      	0x00007fff8ea8f426 JSC::DFG::JITCompiler::compileFunction() + 710
7   com.apple.JavaScriptCore      	0x00007fff8eab7aa5 JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) + 1925
8   com.apple.JavaScriptCore      	0x00007fff8eab70bd JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*) + 493
9   com.apple.JavaScriptCore      	0x00007fff8eaf0a82 JSC::DFG::Worklist::runThread(JSC::DFG::ThreadData*) + 546
10  com.apple.JavaScriptCore      	0x00007fff8e7eecff WTF::wtfThreadEntryPoint(void*) + 15

Also filed rdar://20512791
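Added here as a triage aid, not part of the bug report or of WebKit: a parser for the macOS crash-report frame format quoted above, used to check whether another report's crashing thread carries this bug's top-of-stack signature (WTFCrash reached from fillSpeculateInt52). The sample report is a constructed excerpt built around the frames above; the "Thread N Crashed::" header and "index module address symbol + offset" layout it assumes are the ones the attached report uses.

```python
import re
from collections import namedtuple

# Constructed excerpt in the macOS crash-report format quoted in the bug:
# the crashing thread's frames are the ones from the attached report, the
# other thread is made up so the parser has something to skip.
SAMPLE_REPORT = """\
Thread 0:: Dispatch queue: com.apple.main-thread
0   libsystem_kernel.dylib        \t0x00007fff91e4a4de mach_msg_trap + 10

Thread 15 Crashed:: DFG Worklist Worker Thread
0   com.apple.JavaScriptCore      \t0x00007fff8e9ed5fe WTFCrash + 62
1   com.apple.JavaScriptCore      \t0x00007fff8ead5a08 JSC::DFG::SpeculativeJIT::fillSpeculateInt52(JSC::DFG::Edge, JSC::DataFormat) + 1944
2   com.apple.JavaScriptCore      \t0x00007fff8e90ecd0 JSC::DFG::SpeculativeJIT::compileAdd(JSC::DFG::Node*) + 2720
"""

THREAD_RE = re.compile(r"^Thread (\d+)( Crashed)?::\s*(.*)$")
# index, module, address, symbol (may contain spaces), "+ offset"
FRAME_RE = re.compile(r"^(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(.+?)\s\+\s(\d+)$")

Frame = namedtuple("Frame", "index module address symbol offset")
Thread = namedtuple("Thread", "number name crashed frames")
def parse_crash_report(text):
    """Return threads keyed by number; frame lines outside any thread header are ignored."""
    threads, current = {}, None
    for line in text.splitlines():
        m = THREAD_RE.match(line)
        if m:
            current = Thread(int(m.group(1)), m.group(3), m.group(2) is not None, [])
            threads[current.number] = current
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            # Drop the C++ argument list so the symbol is stable across signatures
            symbol = re.sub(r"\(.*\)$", "", m.group(4))
            current.frames.append(Frame(int(m.group(1)), m.group(2),
                                        int(m.group(3), 16), symbol, int(m.group(5))))
    return threads

def crash_signature(text, depth=2):
    """Top `depth` symbols of the crashing thread, or () if no thread is marked Crashed."""
    crashed = [t for t in parse_crash_report(text).values() if t.crashed]
    return tuple(f.symbol for f in crashed[0].frames[:depth]) if crashed else ()

# Top-of-stack signature of this bug: WTFCrash reached from fillSpeculateInt52.
BUG_143645_SIGNATURE = ("WTFCrash", "JSC::DFG::SpeculativeJIT::fillSpeculateInt52")

def matches_bug_143645(text):
    return crash_signature(text) == BUG_143645_SIGNATURE
```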
Comment 1 Dieter Komendera 2015-04-12 09:31:09 PDT
Created attachment 250608 [details]
crash report 2
Comment 2 Geoffrey Garen 2015-04-13 14:12:15 PDT
Can you reproduce this failure @ bugreport.apple.com? 

Are both crash reports from bugreport.apple.com, or is there another URL we should try to reproduce this bug?
Comment 3 Dieter Komendera 2015-04-13 23:07:54 PDT
No, I can't reproduce this at all and I don't know if this has anything to do with bugreport.apple.com, though I can't rule it out either. The first crash definitely wasn't while bugreport.apple.com was the active tab, though it could be that it was in some tab in the background.

At the time of the 2 crashes I had somewhere between 10 and 20 tabs open, some of them could be executing js in the background.

I have no idea how I could relate the crash to one of the tabs.
Comment 4 Michael Saboff 2015-04-15 09:23:59 PDT
I suspect that this is fixed by the change to <https://bugs.webkit.org/show_bug.cgi?id=143727> - "DFG register fillSpeculate*() functions should validate incoming spill format is compatible with requested fill format" which was landed in change set r182827: <http://trac.webkit.org/changeset/182827>.

It is hard to prove if we can't reproduce the crash.
Comment 5 Dieter Komendera 2015-04-15 09:33:10 PDT
Thank you Michael. Should I encounter the crash again, I will note all open URLs so I can try to reproduce, and let you know.

However, the crash seems pretty rare, as I have Safari open almost all day long and use it heavily, but encountered it only those 2 times for which I have attached the crash logs.
Comment 6 Dieter Komendera 2017-01-22 15:04:25 PST
Haven't come across this since then, marking as resolved.