[Webkit-unassigned] [Bug 112694] Crash when loading http://www.jqchart.com/jquery/gauges/RadialGauge/LiveData

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Mar 19 13:22:16 PDT 2013 

https://bugs.webkit.org/show_bug.cgi?id=112694


Michael Saboff <msaboff at apple.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
                 CC|                            |msaboff at apple.com




--- Comment #5 from Michael Saboff <msaboff at apple.com>  2013-03-19 13:24:42 PST ---
Have reduced this down to one function that we are crashing while compiling in the DFG.  The source is:
function (c, u, f) {
    if (c == null || c.visible != true) return [];
    var n = [],
        t = a.fitInRange(c.offset, 0, 1),
        v = c.length,
        e = this.cx,
        g = this.cy,
        x = e,
        r = g - t * this.radius,
        y = e,
        z = r - v;
    if (!Array.prototype.filter) Array.prototype.filter = function (c) {
            "use strict";
            if (this === void 0 || this === null) throw new TypeError;
            var b = Object(this),
                g = b.length >>> 0;
            if (typeof c !== "function") throw new TypeError;
            for (var d = [], f = arguments[1], a = 0; a < g; a++) if (a in b) {
                    var e = b[a];
                    c.call(f, e, a, b) && d.push(e)
                }
            return d
    };
    if (u === false) {
        var s = this._getMarkInterval(c, false),
            l = this._getIntervals(s, c, false);
        if (f.visible === true) {
            var m = this._getMarkInterval(f, true),
                j = this._getIntervals(m, f, true),
                i = [];                      <=====  Appears we are dying after eliminating the NewArray node here
            i = l.filter(function (a) {
                return b.inArray(a, j) === -1
            });
            intrs = i
        } else intrs = l
    } else {
        var m = this._getMarkInterval(c, true),
            j = this._getIntervals(m, c, true);
        intrs = j
    }
    for (var h = 0; h < intrs.length; h++) {
        var w = intrs[h],
            o = this._getAngle(w),
            p = a.rotatePointAt(x, r, o, e, g),
            q = a.rotatePointAt(y, z, o, e, g),
            d = new k(p.x, p.y, q.x, q.y);
        d.strokeStyle = c.strokeStyle;
        d.lineWidth = c.lineWidth;
        d.strokeDashArray = c.strokeDashArray;
        d.zIndex = c.zIndex;
        d.dontRound = true;
        n.push(d)
    }
    return n
}

It looks like we are eliminating at least the NewArray node depicted above.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list