Bug 94999 - [GTK][Stable] Crash in JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage
Summary: [GTK][Stable] Crash in JSC::DFG::SpeculativeJIT::compileGetIndexedPropertySto...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Critical
Assignee: Filip Pizlo
URL: http://jsplumb.org/jquery/demo.html
Keywords:
Depends on:
Blocks:
 
Reported: 2012-08-25 03:02 PDT by Priit Laes (IRC: plaes)
Modified: 2012-09-02 16:54 PDT
CC List: 4 users

See Also:


Description Priit Laes (IRC: plaes) 2012-08-25 03:02:41 PDT
I'm getting the following crash when playing around (just moving the boxes around) with the demo at http://jsplumb.org/jquery/demo.html:

#0  0x00007ffff0cd6e60 in JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage(JSC::DFG::Node&) () from /usr/lib64/libjavascriptcoregtk-3.0.so.0
#1  0x00007ffff0cb8019 in JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node&) ()
   from /usr/lib64/libjavascriptcoregtk-3.0.so.0
#2  0x00007ffff0cda9c5 in JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&) ()
   from /usr/lib64/libjavascriptcoregtk-3.0.so.0
#3  0x00007ffff0cdb012 in JSC::DFG::SpeculativeJIT::compile() ()
   from /usr/lib64/libjavascriptcoregtk-3.0.so.0
#4  0x00007ffff0c849ba in JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&) () from /usr/lib64/libjavascriptcoregtk-3.0.so.0
#5  0x00007ffff0c7abbb in JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int) [clone .part.192] ()
   from /usr/lib64/libjavascriptcoregtk-3.0.so.0
#6  0x00007ffff0df5e34 in JSC::FunctionExecutable::compileForCallInternal(JSC::ExecState*, JSC::ScopeChainNode*, JSC::JITCode::JITType, unsigned int) ()
   from /usr/lib64/libjavascriptcoregtk-3.0.so.0
#7  0x00007ffff0d3ad90 in cti_optimize () from /usr/lib64/libjavascriptcoregtk-3.0.so.0
#8  0x00007fff9c0df9ed in ?? ()
WebKitGtk 1.9.90/Epiphany-3.5.90 on x86-64.
Comment 1 Filip Pizlo 2012-08-27 11:52:15 PDT
I don't get this in ToT.  Do you kno

(In reply to comment #0)
> I'm getting the following crash when playing around (just moving the boxes around) with the demo at http://jsplumb.org/jquery/demo.html:
> 
> #0  0x00007ffff0cd6e60 in JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage(JSC::DFG::Node&) () from /usr/lib64/libjavascriptcoregtk-3.0.so.0
> #1  0x00007ffff0cb8019 in JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node&) ()
>    from /usr/lib64/libjavascriptcoregtk-3.0.so.0
> #2  0x00007ffff0cda9c5 in JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&) ()
>    from /usr/lib64/libjavascriptcoregtk-3.0.so.0
> #3  0x00007ffff0cdb012 in JSC::DFG::SpeculativeJIT::compile() ()
>    from /usr/lib64/libjavascriptcoregtk-3.0.so.0
> #4  0x00007ffff0c849ba in JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&) () from /usr/lib64/libjavascriptcoregtk-3.0.so.0
> #5  0x00007ffff0c7abbb in JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int) [clone .part.192] ()
>    from /usr/lib64/libjavascriptcoregtk-3.0.so.0
> #6  0x00007ffff0df5e34 in JSC::FunctionExecutable::compileForCallInternal(JSC::ExecState*, JSC::ScopeChainNode*, JSC::JITCode::JITType, unsigned int) ()
>    from /usr/lib64/libjavascriptcoregtk-3.0.so.0
> #7  0x00007ffff0d3ad90 in cti_optimize () from /usr/lib64/libjavascriptcoregtk-3.0.so.0
> #8  0x00007fff9c0df9ed in ?? ()
> 
> 
> 
> WebKitGtk 1.9.90/Epiphany-3.5.90 on x86-64.
Comment 2 Filip Pizlo 2012-08-27 11:52:48 PDT
I don't get this in ToT.  Does anyone know what revision WebKitGtk 1.9.90 would have been?  Also, if anyone can repro in ToT then I'd love to know!

(In reply to comment #1)
> I don't get this in ToT.  Do you kno
> 
> (In reply to comment #0)
> > I'm getting the following crash when playing around (just moving the boxes around) with the demo at http://jsplumb.org/jquery/demo.html:
> > 
> > #0  0x00007ffff0cd6e60 in JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage(JSC::DFG::Node&) () from /usr/lib64/libjavascriptcoregtk-3.0.so.0
> > #1  0x00007ffff0cb8019 in JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node&) ()
> >    from /usr/lib64/libjavascriptcoregtk-3.0.so.0
> > #2  0x00007ffff0cda9c5 in JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&) ()
> >    from /usr/lib64/libjavascriptcoregtk-3.0.so.0
> > #3  0x00007ffff0cdb012 in JSC::DFG::SpeculativeJIT::compile() ()
> >    from /usr/lib64/libjavascriptcoregtk-3.0.so.0
> > #4  0x00007ffff0c849ba in JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&) () from /usr/lib64/libjavascriptcoregtk-3.0.so.0
> > #5  0x00007ffff0c7abbb in JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int) [clone .part.192] ()
> >    from /usr/lib64/libjavascriptcoregtk-3.0.so.0
> > #6  0x00007ffff0df5e34 in JSC::FunctionExecutable::compileForCallInternal(JSC::ExecState*, JSC::ScopeChainNode*, JSC::JITCode::JITType, unsigned int) ()
> >    from /usr/lib64/libjavascriptcoregtk-3.0.so.0
> > #7  0x00007ffff0d3ad90 in cti_optimize () from /usr/lib64/libjavascriptcoregtk-3.0.so.0
> > #8  0x00007fff9c0df9ed in ?? ()
> > 
> > 
> > 
> > WebKitGtk 1.9.90/Epiphany-3.5.90 on x86-64.
Comment 3 Martin Robinson 2012-08-27 14:20:54 PDT
The 1.9.90 release is branched from r126422. The only major change in this branch is that threaded GC is turned off.
Comment 4 Filip Pizlo 2012-08-27 14:45:18 PDT
(In reply to comment #3)
> The 1.9.90 release is branched from r126422. The only major change in this branch is that threaded GC is turned off.

Thanks!

Do you guys still see this issue in ToT?  I don't, but then I'm on Mac.
Comment 5 Martin Robinson 2012-08-28 13:31:35 PDT
On ToT, I don't see this crash. Turning parallel GC off doesn't cause it to happen either. Any idea if there's a change after r126422 that may have fixed this issue?
Comment 6 Priit Laes (IRC: plaes) 2012-09-01 00:51:23 PDT
Cannot reproduce anymore with ToT. Closing.
Comment 7 Martin Robinson 2012-09-01 06:52:29 PDT
It's actually useful to keep this bug open because we need to find the fix and merge it into the stable branch.
Comment 8 Martin Robinson 2012-09-01 07:03:45 PDT
The stable releases are released from a branch. I've added this changeset to the list of proposed merges at https://trac.webkit.org/wiki/WebKitGTK/1.8.x .
Comment 9 Martin Robinson 2012-09-02 16:54:15 PDT
I've bisected this fix to http://trac.webkit.org/changeset/126715 and added the changeset to the list of proposed merges at https://trac.webkit.org/wiki/WebKitGTK/1.10.x.