[Webkit-unassigned] [Bug 105756] New: Crash occurs while using Naver map

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Dec 26 00:01:01 PST 2012 

https://bugs.webkit.org/show_bug.cgi?id=105756

           Summary: Crash occurs while using Naver map
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: hojong.han at samsung.com


Press +/- several times in a row after loading http://m.map.naver.com then crash occurs as call stack below.

#0  0xb77bcfc1 in JSC::speculationFromValue(JSC::JSValue) ()
#1  0xb79610a3 in JSC::DFG::ByteCodeParser::getPrediction() ()
#2  0xb796b179 in JSC::DFG::ByteCodeParser::handleCall(JSC::Interpreter*, JSC::Instruction*, JSC::DFG::NodeType, JSC::CodeSpecializationKind) ()
#3  0xb796d748 in JSC::DFG::ByteCodeParser::parseBlock(unsigned int) ()
#4  0xb796f5af in JSC::DFG::ByteCodeParser::parseCodeBlock() ()
#5  0xb796a597 in JSC::DFG::ByteCodeParser::handleInlining(bool, int, unsigned int, int, bool, JSC::JSFunction*, int, int, unsigned int, JSC::CodeSpecializationKind) ()
#6  0xb796b031 in JSC::DFG::ByteCodeParser::handleCall(JSC::Interpreter*, JSC::Instruction*, JSC::DFG::NodeType, JSC::CodeSpecializationKind) ()
#7  0xb796d748 in JSC::DFG::ByteCodeParser::parseBlock(unsigned int) ()
#8  0xb796f5af in JSC::DFG::ByteCodeParser::parseCodeBlock() ()
#9  0xb797007d in JSC::DFG::parse(JSC::ExecState*, JSC::DFG::Graph&) ()
#10 0xb77c344f in JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int) [clone .part.225] ()
#11 0xb76d3ef2 in JSC::FunctionExecutable::compileOptimizedForCall(JSC::ExecState*, JSC::JSScope*, unsigned int) ()
#12 0xb77a007d in JSC::FunctionCodeBlock::compileOptimized(JSC::ExecState*, JSC::JSScope*, unsigned int) ()
#13 0xb76b58c3 in cti_optimize ()

Problem happens when JS function like below goes through DFG optimization.
mapGetClass:function(elEl,sClassName) {
    var regExp=new RegExp("(^|\\s+)"+sClassName+"(\\(([^)]*)\\))?(\\s+|$)","i");
    var bFlag=regExp.test(elEl.className);
    RegExp.$0=RegExp.$3;
    if(bFlag){
        return(RegExp.$3||"").split(",")
    }
    return null
}

This is because tag is not updated even though "elEl.calssName" (CellTag) and "bFlag" (BooleanTag) use the same virtual register.

At first I wrote a patch changing function operationRegExpTest like operationRegExpExec.
Give me any idea and comment if there're  better and easy ways to correct this bug.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list