WebKit Bugzilla
RESOLVED WORKSFORME
143645
Crash in JSC::DFG::SpeculativeJIT::fillSpeculateInt52(JSC::DFG::Edge, JSC::DataFormat)
https://bugs.webkit.org/show_bug.cgi?id=143645
Dieter Komendera
Reported
2015-04-12 09:30:28 PDT
Created attachment 250607
crash report

I’ve had Safari’s “DFG Worklist Worker Thread” crash Safari (8.0.5 on 10.10.3) twice. The last time I was typing into a text field (ironically at bugreport.apple.com), losing my already typed text.

Thread 15 Crashed:: DFG Worklist Worker Thread
0   com.apple.JavaScriptCore   0x00007fff8e9ed5fe WTFCrash + 62
1   com.apple.JavaScriptCore   0x00007fff8ead5a08 JSC::DFG::SpeculativeJIT::fillSpeculateInt52(JSC::DFG::Edge, JSC::DataFormat) + 1944
2   com.apple.JavaScriptCore   0x00007fff8e90ecd0 JSC::DFG::SpeculativeJIT::compileAdd(JSC::DFG::Node*) + 2720
3   com.apple.JavaScriptCore   0x00007fff8e8ed59e JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node*) + 3694
4   com.apple.JavaScriptCore   0x00007fff8eabcdc6 JSC::DFG::SpeculativeJIT::compileCurrentBlock() + 1302
5   com.apple.JavaScriptCore   0x00007fff8e8ebea2 JSC::DFG::SpeculativeJIT::compile() + 114
6   com.apple.JavaScriptCore   0x00007fff8ea8f426 JSC::DFG::JITCompiler::compileFunction() + 710
7   com.apple.JavaScriptCore   0x00007fff8eab7aa5 JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) + 1925
8   com.apple.JavaScriptCore   0x00007fff8eab70bd JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*) + 493
9   com.apple.JavaScriptCore   0x00007fff8eaf0a82 JSC::DFG::Worklist::runThread(JSC::DFG::ThreadData*) + 546
10  com.apple.JavaScriptCore   0x00007fff8e7eecff WTF::wtfThreadEntryPoint(void*) + 15

Also filed rdar://20512791
Attachments
crash report (83.74 KB, application/octet-stream), 2015-04-12 09:30 PDT, Dieter Komendera, no flags
crash report 2 (85.03 KB, application/octet-stream), 2015-04-12 09:31 PDT, Dieter Komendera, no flags
Dieter Komendera
Comment 1
2015-04-12 09:31:09 PDT
Created attachment 250608
crash report 2
Geoffrey Garen
Comment 2
2015-04-13 14:12:15 PDT
Can you reproduce this failure @ bugreport.apple.com? Are both crash reports from bugreport.apple.com, or is there another URL we should try to reproduce this bug?
Dieter Komendera
Comment 3
2015-04-13 23:07:54 PDT
No, I can't reproduce this at all and I don't know if this has anything to do with bugreport.apple.com, though I can't rule it out either. The first crash definitely wasn't while bugreport.apple.com was the active tab, though it could be that it was in some tab in the background. At the time of the 2 crashes I had somewhere between 10 and 20 tabs open, some of them could be executing js in the background. I have no idea how I could relate the crash to one of the tabs.
Michael Saboff
Comment 4
2015-04-15 09:23:59 PDT
I suspect that this is fixed by the change to <https://bugs.webkit.org/show_bug.cgi?id=143727> - "DFG register fillSpeculate*() functions should validate incoming spill format is compatible with requested fill format" which was landed in change set r182827: <http://trac.webkit.org/changeset/182827>. It is hard to prove if we can't reproduce the crash.
Dieter Komendera
Comment 5
2015-04-15 09:33:10 PDT
Thank you Michael. Should I encounter the crash again, I will note all open URLs so I can try to reproduce, and let you know. However, the crash seems pretty rare, as I'm having Safari open almost all day long and using it heavily, but encountered it only those 2 times I have the crash logs attached.
Dieter Komendera
Comment 6
2017-01-22 15:04:25 PST
Haven't come across this since then, marking as resolved.