WebKit Bugzilla
RESOLVED FIXED
94999
[GTK][Stable] Crash in JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage
https://bugs.webkit.org/show_bug.cgi?id=94999
Priit Laes (IRC: plaes)
Reported
2012-08-25 03:02:41 PDT
I'm getting the following crash when playing around (just moving the boxes around) with the demo at http://jsplumb.org/jquery/demo.html :

#0 0x00007ffff0cd6e60 in JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage(JSC::DFG::Node&) () from /usr/lib64/libjavascriptcoregtk-3.0.so.0
#1 0x00007ffff0cb8019 in JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node&) () from /usr/lib64/libjavascriptcoregtk-3.0.so.0
#2 0x00007ffff0cda9c5 in JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&) () from /usr/lib64/libjavascriptcoregtk-3.0.so.0
#3 0x00007ffff0cdb012 in JSC::DFG::SpeculativeJIT::compile() () from /usr/lib64/libjavascriptcoregtk-3.0.so.0
#4 0x00007ffff0c849ba in JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&) () from /usr/lib64/libjavascriptcoregtk-3.0.so.0
#5 0x00007ffff0c7abbb in JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int) [clone .part.192] () from /usr/lib64/libjavascriptcoregtk-3.0.so.0
#6 0x00007ffff0df5e34 in JSC::FunctionExecutable::compileForCallInternal(JSC::ExecState*, JSC::ScopeChainNode*, JSC::JITCode::JITType, unsigned int) () from /usr/lib64/libjavascriptcoregtk-3.0.so.0
#7 0x00007ffff0d3ad90 in cti_optimize () from /usr/lib64/libjavascriptcoregtk-3.0.so.0
#8 0x00007fff9c0df9ed in ?? ()

WebKitGtk 1.9.90/Epiphany-3.5.90 on x86-64.
Filip Pizlo
Comment 1
2012-08-27 11:52:15 PDT
I don't get this in ToT. Do you kno

(In reply to comment #0)
> I'm getting following crash when playing around (just moving the boxes around) with the demo at http://jsplumb.org/jquery/demo.html :
>
> #0 0x00007ffff0cd6e60 in JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage(JSC::DFG::Node&) () from /usr/lib64/libjavascriptcoregtk-3.0.so.0
> #1 0x00007ffff0cb8019 in JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node&) () from /usr/lib64/libjavascriptcoregtk-3.0.so.0
> #2 0x00007ffff0cda9c5 in JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&) () from /usr/lib64/libjavascriptcoregtk-3.0.so.0
> #3 0x00007ffff0cdb012 in JSC::DFG::SpeculativeJIT::compile() () from /usr/lib64/libjavascriptcoregtk-3.0.so.0
> #4 0x00007ffff0c849ba in JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&) () from /usr/lib64/libjavascriptcoregtk-3.0.so.0
> #5 0x00007ffff0c7abbb in JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int) [clone .part.192] () from /usr/lib64/libjavascriptcoregtk-3.0.so.0
> #6 0x00007ffff0df5e34 in JSC::FunctionExecutable::compileForCallInternal(JSC::ExecState*, JSC::ScopeChainNode*, JSC::JITCode::JITType, unsigned int) () from /usr/lib64/libjavascriptcoregtk-3.0.so.0
> #7 0x00007ffff0d3ad90 in cti_optimize () from /usr/lib64/libjavascriptcoregtk-3.0.so.0
> #8 0x00007fff9c0df9ed in ?? ()
>
> WebKitGtk 1.9.90/Epiphany-3.5.90 on x86-64.
Filip Pizlo
Comment 2
2012-08-27 11:52:48 PDT
I don't get this in ToT. Does anyone know what revision WebKitGtk 1.9.90 would have been? Also, if anyone can repro in ToT then I'd love to know!

(In reply to comment #1)
> I don't get this in ToT. Do you kno
>
> (In reply to comment #0)
> > I'm getting following crash when playing around (just moving the boxes around) with the demo at http://jsplumb.org/jquery/demo.html :
> >
> > #0 0x00007ffff0cd6e60 in JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage(JSC::DFG::Node&) () from /usr/lib64/libjavascriptcoregtk-3.0.so.0
> > #1 0x00007ffff0cb8019 in JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node&) () from /usr/lib64/libjavascriptcoregtk-3.0.so.0
> > #2 0x00007ffff0cda9c5 in JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&) () from /usr/lib64/libjavascriptcoregtk-3.0.so.0
> > #3 0x00007ffff0cdb012 in JSC::DFG::SpeculativeJIT::compile() () from /usr/lib64/libjavascriptcoregtk-3.0.so.0
> > #4 0x00007ffff0c849ba in JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&) () from /usr/lib64/libjavascriptcoregtk-3.0.so.0
> > #5 0x00007ffff0c7abbb in JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int) [clone .part.192] () from /usr/lib64/libjavascriptcoregtk-3.0.so.0
> > #6 0x00007ffff0df5e34 in JSC::FunctionExecutable::compileForCallInternal(JSC::ExecState*, JSC::ScopeChainNode*, JSC::JITCode::JITType, unsigned int) () from /usr/lib64/libjavascriptcoregtk-3.0.so.0
> > #7 0x00007ffff0d3ad90 in cti_optimize () from /usr/lib64/libjavascriptcoregtk-3.0.so.0
> > #8 0x00007fff9c0df9ed in ?? ()
> >
> > WebKitGtk 1.9.90/Epiphany-3.5.90 on x86-64.
Martin Robinson
Comment 3
2012-08-27 14:20:54 PDT
The 1.9.90 release is branched from r126422. The only major change in this branch is that threaded GC is turned off.
Filip Pizlo
Comment 4
2012-08-27 14:45:18 PDT
(In reply to comment #3)
> The 1.9.90 release is branched from r126422. The only major change in this branch is that threaded GC is turned off.

Thanks! Do you guys still see this issue in ToT? I don't, but then I'm on Mac.
Martin Robinson
Comment 5
2012-08-28 13:31:35 PDT
On ToT, I don't see this crash. Turning parallel GC off doesn't cause it to happen either. Any idea if there's a change after r126422 that may have fixed this issue?
Priit Laes (IRC: plaes)
Comment 6
2012-09-01 00:51:23 PDT
Cannot reproduce anymore with ToT. Closing.
Martin Robinson
Comment 7
2012-09-01 06:52:29 PDT
It's actually useful to keep this bug open because we need to find the fix and merge it into the stable branch.
Martin Robinson
Comment 8
2012-09-01 07:03:45 PDT
The stable releases are released from a branch. I've added this changeset to the list of proposed merges at https://trac.webkit.org/wiki/WebKitGTK/1.8.x.
Martin Robinson
Comment 9
2012-09-02 16:54:15 PDT
I've bisected this fix to http://trac.webkit.org/changeset/126715 and added the changeset to the list of proposed merges at https://trac.webkit.org/wiki/WebKitGTK/1.10.x.