Bug 72292 - Crash in JSC::DFG::OSRExitCompiler::compileExit(JSC::DFG::OSRExit const&, JSC::DFG::SpeculationRecovery*)
Summary: Crash in JSC::DFG::OSRExitCompiler::compileExit(JSC::DFG::OSRExit const&, JSC...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL: http://thenextweb.com/shareables/2011...
Keywords: InRadar
Duplicates: 72396
Depends on:
Blocks:
 
Reported: 2011-11-14 11:29 PST by Dieter Komendera
Modified: 2011-11-18 15:29 PST

See Also:


Attachments
full crash log (44.81 KB, application/octet-stream) - 2011-11-14 11:36 PST, Dieter Komendera - no flags
the patch (13.71 KB, patch) - 2011-11-15 15:03 PST, Filip Pizlo - ggaren: review+
the patch for 32_64 (3.09 KB, patch) - 2011-11-18 14:24 PST, Filip Pizlo - darin: review+

Description Dieter Komendera 2011-11-14 11:29:44 PST
This crash is related to the YouTube5 Safari extension (http://www.verticalforest.com/youtube5-extension/, version 2.2.7). With that extension disabled, it doesn't crash.

With the extension enabled, the WebKit Nightly Version 5.1.1 (7534.51.22, r100143) Safari Web Content process reproducibly crashes with EXC_BAD_ACCESS on 10.7.2 when visiting this URL:
http://thenextweb.com/shareables/2011/11/09/absolutely-amazing-6th-grade-iphone-app-developer-speaks-at-tedx/

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000000006fd

VM Regions Near 0x6fd:
--> 
    __TEXT                 0000000108ac6000-0000000108ac7000 [    4K] r-x/rwx SM=COW  /Applications/WebKit.app/Contents/Frameworks/10.7/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess

Application Specific Information:
objc[55280]: garbage collection is OFF

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x00000001090baf85 JSC::DFG::OSRExitCompiler::compileExit(JSC::DFG::OSRExit const&, JSC::DFG::SpeculationRecovery*) + 6101
1   com.apple.JavaScriptCore      	0x00000001090bba43 compileOSRExit + 259
2   ???                           	0x0000502520cfe3b6 0 + 88120394507190
3   com.apple.JavaScriptCore      	0x0000000108f5e118 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*) + 3288
4   com.apple.JavaScriptCore      	0x0000000108f17608 JSC::evaluate(JSC::ExecState*, JSC::ScopeChainNode*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) + 328
5   com.apple.WebCore             	0x0000000109aa71e3 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*) + 419
6   com.apple.WebCore             	0x0000000109aa7309 WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) + 41
7   com.apple.WebCore             	0x0000000109aae83b WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 155
8   com.apple.WebCore             	0x0000000109aaeba6 WebCore::ScriptElement::execute(WebCore::CachedScript*) + 166
9   com.apple.WebCore             	0x0000000109ab30b6 WebCore::ScriptRunner::timerFired(WebCore::Timer<WebCore::ScriptRunner>*) + 310
Comment 1 Dieter Komendera 2011-11-14 11:36:29 PST
Created attachment 114995
full crash log
Comment 2 Filip Pizlo 2011-11-15 13:39:36 PST
<rdar://problem/10450443>
Comment 3 Filip Pizlo 2011-11-15 15:03:36 PST
Created attachment 115259
the patch

This should do it.  I was able to successfully watch that video of that kid with this patch and that extension.
Comment 4 Geoffrey Garen 2011-11-15 15:07:25 PST
Comment on attachment 115259
the patch

How does the heuristics stuff relate to the bug fix? Seems like it should be a separate patch.
Comment 5 Filip Pizlo 2011-11-15 16:23:42 PST
(In reply to comment #4)
> (From update of attachment 115259)
> How does the heuristics stuff relate to the bug fix? Seems like it should be a separate patch.

You're right!  I'll separate that out.
Comment 6 Filip Pizlo 2011-11-15 16:27:03 PST
Landed in http://trac.webkit.org/changeset/100363
Comment 7 Filip Pizlo 2011-11-16 04:03:45 PST
*** Bug 72396 has been marked as a duplicate of this bug. ***
Comment 8 Patrick R. Gansterer 2011-11-16 16:18:37 PST
Build fix for !ENABLE(JIT) landed in http://trac.webkit.org/changeset/100518
Comment 9 Filip Pizlo 2011-11-18 14:19:59 PST
Ooops!  This "bugfix" forgot about 32_64.
Comment 10 Filip Pizlo 2011-11-18 14:24:20 PST
Created attachment 115873
the patch for 32_64
Comment 11 Filip Pizlo 2011-11-18 15:29:55 PST
Landed 32_64 fix in http://trac.webkit.org/changeset/100820