WebKit Bugzilla
Bug 72292: Crash in JSC::DFG::OSRExitCompiler::compileExit(JSC::DFG::OSRExit const&, JSC::DFG::SpeculationRecovery*)
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=72292
Reported by Dieter Komendera, 2011-11-14 11:29:44 PST
This crash is related to the YouTube5 Safari extension (http://www.verticalforest.com/youtube5-extension/, version 2.2.7). With that extension disabled, it doesn't crash. With the extension enabled, the WebKit Nightly Version 5.1.1 (7534.51.22, r100143) Safari Web Content process reproducibly crashes with EXC_BAD_ACCESS on 10.7.2 when visiting this URL:
http://thenextweb.com/shareables/2011/11/09/absolutely-amazing-6th-grade-iphone-app-developer-speaks-at-tedx/
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000000006fd

VM Regions Near 0x6fd:
--> __TEXT 0000000108ac6000-0000000108ac7000 [ 4K] r-x/rwx SM=COW /Applications/WebKit.app/Contents/Frameworks/10.7/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess

Application Specific Information:
objc[55280]: garbage collection is OFF

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.JavaScriptCore 0x00000001090baf85 JSC::DFG::OSRExitCompiler::compileExit(JSC::DFG::OSRExit const&, JSC::DFG::SpeculationRecovery*) + 6101
1 com.apple.JavaScriptCore 0x00000001090bba43 compileOSRExit + 259
2 ??? 0x0000502520cfe3b6 0 + 88120394507190
3 com.apple.JavaScriptCore 0x0000000108f5e118 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*) + 3288
4 com.apple.JavaScriptCore 0x0000000108f17608 JSC::evaluate(JSC::ExecState*, JSC::ScopeChainNode*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) + 328
5 com.apple.WebCore 0x0000000109aa71e3 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*) + 419
6 com.apple.WebCore 0x0000000109aa7309 WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) + 41
7 com.apple.WebCore 0x0000000109aae83b WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 155
8 com.apple.WebCore 0x0000000109aaeba6 WebCore::ScriptElement::execute(WebCore::CachedScript*) + 166
9 com.apple.WebCore 0x0000000109ab30b6 WebCore::ScriptRunner::timerFired(WebCore::Timer<WebCore::ScriptRunner>*) + 310
Attachments
full crash log (44.81 KB, application/octet-stream), 2011-11-14 11:36 PST, Dieter Komendera, no flags
the patch (13.71 KB, patch), 2011-11-15 15:03 PST, Filip Pizlo, ggaren: review+
the patch for 32_64 (3.09 KB, patch), 2011-11-18 14:24 PST, Filip Pizlo, darin: review+
(1 obsolete attachment not shown)
Comment 1 by Dieter Komendera, 2011-11-14 11:36:29 PST
Created attachment 114995: full crash log
Comment 2 by Filip Pizlo, 2011-11-15 13:39:36 PST
<rdar://problem/10450443>
Comment 3 by Filip Pizlo, 2011-11-15 15:03:36 PST
Created attachment 115259: the patch
This should do it. I was able to successfully watch that video of that kid with this patch and that extension.
Comment 4 by Geoffrey Garen, 2011-11-15 15:07:25 PST
Comment on attachment 115259: the patch
How does the heuristics stuff relate to the bug fix? Seems like it should be a separate patch.
Comment 5 by Filip Pizlo, 2011-11-15 16:23:42 PST
(In reply to comment #4)
> (From update of attachment 115259)
> How does the heuristics stuff relate to the bug fix? Seems like it should be a separate patch.
You're right! I'll separate that out.
Comment 6 by Filip Pizlo, 2011-11-15 16:27:03 PST
Landed in http://trac.webkit.org/changeset/100363
Comment 7 by Filip Pizlo, 2011-11-16 04:03:45 PST
*** Bug 72396 has been marked as a duplicate of this bug. ***
Comment 8 by Patrick R. Gansterer, 2011-11-16 16:18:37 PST
Build fix for !ENABLE(JIT) landed in http://trac.webkit.org/changeset/100518
Comment 9 by Filip Pizlo, 2011-11-18 14:19:59 PST
Oops! This "bugfix" forgot about 32_64.
Comment 10 by Filip Pizlo, 2011-11-18 14:24:20 PST
Created attachment 115873: the patch for 32_64
Comment 11 by Filip Pizlo, 2011-11-18 15:29:55 PST
Landed 32_64 fix in http://trac.webkit.org/changeset/100820