Bug 43314 - REGRESSION(r64320): crash in cti_op_get_by_val + 473 : immediately after logging in to gmail.com: (r64246-r64341)
Summary: REGRESSION(r64320): crash in cti_op_get_by_val + 473 : immediately after logg...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: Macintosh Intel OS X 10.6
: P1 Major
Assignee: Michael Saboff
URL: http://gmail.com
Keywords:
Depends on:
Blocks:
 
Reported: 2010-08-01 12:01 PDT by Joe Strzemp
Modified: 2010-08-04 02:09 PDT (History)
4 users (show)

See Also:

Attachments
Patch to fix the number of JSValues to memcpy when unshift'ing (1.71 KB, patch)
2010-08-03 19:33 PDT, Michael Saboff 		barraclough: review+
barraclough: commit-queue-
Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Joe Strzemp 2010-08-01 12:01:18 PDT 
Running OS 10.6.4  webkit: r64341

Webkit consistently crashes in r64341 immediately after logging in to gmail.com.
No action other than logging in is required to reproduce the problem.

Crashing stack follows:

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x0000000100811fd9 cti_op_get_by_val + 473
1   com.apple.JavaScriptCore      	0x00000001007d79c8 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, JSC::JSValue*) + 728
2   com.apple.Safari              	0x0000000100000001 0x100000000 + 1
3   ???                           	0x000000011d97a960 0 + 4791445856
4   com.apple.WebCore             	0x0000000101141b60 WebCore::JSDOMWindowShell::~JSDOMWindowShell() + 0
5   ???                           	0x0000441f0f66ffff 0 + 74900193083391
Comment 1 Joe Strzemp 2010-08-01 12:34:11 PDT 
Looks to me like the most likely suspect for this crash is changeset 64320:
"Changed the handling for removing and adding elements at the front of an array"
as JSC::JIT:: emit_op_put_by_val was changed.

This started failing somewhere in r64246-r64341.
Comment 2 Joe Strzemp 2010-08-01 12:50:11 PDT 
Changing to P1 as this is a reproducible crash.
Comment 3 Gavin Barraclough 2010-08-01 18:34:28 PDT 
Cheers Joe, we'll investigate.
Comment 4 Zoltan Herczeg 2010-08-02 02:20:45 PDT 
Could you check whether this is valid for the latest revision?

As for me, r64451 works with both Qt-debug and Mac-Leopard-release. I entered gmail.com into the url bar (immediately redirects to some login page for Google), set the username and password (of a newly created dummy account), click on "Sign in", and the login is succeded.
Comment 5 Joe Strzemp 2010-08-02 11:22:56 PDT 
Webkit still crashes with the most recent nightly: r64451.

In order to reproduce, it might require more than just a newly created gmail account.
I have lots of gmail messages (more than a "page" full), Buzz, and Chat entries.
Comment 6 Joe Strzemp 2010-08-02 12:00:10 PDT 
Interesting note:   gmail works in 32-bit mode for me, but crashes in 64-bit mode.
Comment 7 Michael Saboff 2010-08-03 19:33:48 PDT 
Created attachment 63404 [details]
Patch to fix the number of JSValues to memcpy when unshift'ing
Comment 8 Gavin Barraclough 2010-08-03 20:05:01 PDT 
Comment on attachment 63404 [details]
Patch to fix the number of JSValues to memcpy when unshift'ing

landing by hand
Comment 9 Gavin Barraclough 2010-08-03 20:06:30 PDT 
Transmitting file data ..
Committed revision 64620.
Comment 10 Alexey Proskuryakov 2010-08-04 00:02:04 PDT 
Could this have a regression test?
Comment 11 Gavin Barraclough 2010-08-04 02:09:31 PDT 
Hey Alexey,

We discussed this, and it may be tricky to trigger with any consistency in an isolated test case since the bug will only occur if malloc returns non-zerofill (used) memory (along with a bunch of other conditions).  As such we thought it better to get the fix landed immediately, but Micheal is going to try to produce a good test case.

cheers,
G.