Bug 29599 - REGRESSION (r48582): Crash in StructureStubInfo::initPutByIdTransition when reloading trac.webkit.org
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: All All
Importance: P2 Normal
Assignee: Nobody
URL: http://trac.webkit.org/
Keywords: InRadar, Regression
Depends on:
Blocks:
 
Reported: 2009-09-21 09:29 PDT by Adam Roben (:aroben)
Modified: 2009-09-21 12:00 PDT
CC: 3 users

See Also:


Attachments
Patch v1 (4.98 KB, patch)
2009-09-21 11:49 PDT, Oliver Hunt
ggaren: review+

Description Adam Roben (:aroben) 2009-09-21 09:29:09 PDT
To reproduce:

1. Go to http://trac.webkit.org/
2. Reload

You'll crash. Here's the backtrace:

 	JavaScriptCore_debug.dll!WTF::RefCountedBase::ref()  Line 36 + 0x3 bytes	C++
>	JavaScriptCore_debug.dll!JSC::StructureStubInfo::initPutByIdTransition(JSC::Structure * previousStructure=0x00000000, JSC::Structure * structure=0x0ead7fe8, JSC::StructureChain * chain=0x08ae4818)  Line 116	C++
 	JavaScriptCore_debug.dll!JSC::JITThunks::tryCachePutByID(JSC::ExecState * callFrame=0x08d603b0, JSC::CodeBlock * codeBlock=0x0e77f210, JSC::ReturnAddressPtr returnAddress={...}, JSC::JSValue baseValue={...}, const JSC::PutPropertySlot & slot={...}, JSC::StructureStubInfo * stubInfo=0x0e780fc8)  Line 703	C++
 	JavaScriptCore_debug.dll!cti_op_put_by_id(void * * args=0x0012e4d4)  Line 1089 + 0x2f bytes	C++
 	JavaScriptCore_debug.dll!@cti_op_convert_this@4()  + 0x10f bytes	C++
 	JavaScriptCore_debug.dll!JSC::JITCode::execute(JSC::RegisterFile * registerFile=0x086a7330, JSC::ExecState * callFrame=0x08d60058, JSC::JSGlobalData * globalData=0x0867a500, JSC::JSValue * exception=0x0867b058)  Line 79 + 0x24 bytes	C++
 	JavaScriptCore_debug.dll!JSC::Interpreter::execute(JSC::FunctionExecutable * functionExecutable=0x08baeb40, JSC::ExecState * callFrame=0x0868f480, JSC::JSFunction * function=0x07c529c0, JSC::JSObject * thisObj=0x07c53440, const JSC::ArgList & args={...}, JSC::ScopeChainNode * scopeChain=0x0e1f3840, JSC::JSValue * exception=0x0867b058)  Line 721 + 0x34 bytes	C++
 	JavaScriptCore_debug.dll!JSC::JSFunction::call(JSC::ExecState * exec=0x0868f480, JSC::JSValue thisValue={...}, const JSC::ArgList & args={...})  Line 120 + 0x4e bytes	C++
 	JavaScriptCore_debug.dll!JSC::call(JSC::ExecState * exec=0x0868f480, JSC::JSValue functionObject={...}, JSC::CallType callType=CallTypeJS, const JSC::CallData & callData={...}, JSC::JSValue thisValue={...}, const JSC::ArgList & args={...})  Line 39 + 0x2b bytes	C++
 	WebKit_debug.dll!WebCore::JSEventListener::handleEvent(WebCore::Event * event=, bool isWindowEvent=)  Line 120 + 0x4d bytes	C++
 	WebKit_debug.dll!WebCore::DOMWindow::handleEvent(WebCore::Event * event=0x0ea09168, bool useCapture=false, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>,0> * alternateListeners=[...]())  Line 1260 + 0x20 bytes	C++
 	WebKit_debug.dll!WebCore::DOMWindow::dispatchEventWithDocumentAsTarget(WTF::PassRefPtr<WebCore::Event> e={...}, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>,0> * alternateEventListeners=[...]())  Line 1341	C++
 	WebKit_debug.dll!WebCore::DOMWindow::dispatchUnloadEvent(WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>,0> * alternateEventListeners=[...]())  Line 1361	C++
 	WebKit_debug.dll!WebCore::FrameLoader::stopLoading(WebCore::UnloadEventPolicy unloadEventPolicy=UnloadEventPolicyUnloadAndPageHide, WebCore::DatabasePolicy databasePolicy=DatabasePolicyStop)  Line 588	C++
 	WebKit_debug.dll!WebCore::FrameLoader::closeURL()  Line 650	C++
 	WebKit_debug.dll!WebCore::FrameLoader::transitionToCommitted(WTF::PassRefPtr<WebCore::CachedPage> cachedPage={...})  Line 2952	C++
 	WebKit_debug.dll!WebCore::FrameLoader::commitProvisionalLoad(WTF::PassRefPtr<WebCore::CachedPage> prpCachedPage={...})  Line 2883	C++
 	WebKit_debug.dll!WebCore::DocumentLoader::commitIfReady()  Line 322	C++
 	WebKit_debug.dll!WebCore::DocumentLoader::commitLoad(const char * data=0x0eb48aa8, int length=1971)  Line 341	C++
 	WebKit_debug.dll!WebCore::DocumentLoader::receivedData(const char * data=0x0eb48aa8, int length=1971)  Line 355	C++
 	WebKit_debug.dll!WebCore::FrameLoader::receivedData(const char * data=0x0eb48aa8, int length=1971)  Line 2524	C++
 	WebKit_debug.dll!WebCore::MainResourceLoader::addData(const char * data=0x0eb48aa8, int length=1971, bool allAtOnce=false)  Line 144	C++
 	WebKit_debug.dll!WebCore::ResourceLoader::didReceiveData(const char * data=0x0eb48aa8, int length=1971, __int64 lengthReceived=1971, bool allAtOnce=false)  Line 248 + 0x1b bytes	C++
 	WebKit_debug.dll!WebCore::MainResourceLoader::didReceiveData(const char * data=0x0eb48aa8, int length=1971, __int64 lengthReceived=1971, bool allAtOnce=false)  Line 357	C++
 	WebKit_debug.dll!WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle * __formal=0x0eaa0ad0, const char * data=0x0eb48aa8, int length=1971, int lengthReceived=1971)  Line 398 + 0x1f bytes	C++
 	WebKit_debug.dll!WebCore::didReceiveData(_CFURLConnection * conn=0x08d035d8, const __CFData * data=0x0e784d10, long originalLength=1971, const void * clientInfo=0x0eaa0ad0)  Line 176 + 0x2a bytes	C++
Comment 1 Adam Roben (:aroben) 2009-09-21 09:30:17 PDT
<rdar://problem/7239395>
Comment 2 Oliver Hunt 2009-09-21 11:49:42 PDT
Created attachment 39861 [details]
Patch v1
Comment 3 Geoffrey Garen 2009-09-21 11:57:26 PDT
Comment on attachment 39861 [details]
Patch v1

r=me
Comment 4 Oliver Hunt 2009-09-21 12:00:28 PDT
Committed r48590