No subject
Mon Sep 28 12:00:37 PDT 2015
When we are reifying the inlined frames looking for the jump target, we incorrectly have the call type from _restoreFromCookie#AsCLr2 to cookie#C5Hkj7 as InlineCallFrame::TailCall and try to find the CallLinkInfo for bc#52, but there isn't one. Instead this call should be processed as an InlineCallFrame::GetterCall.
Date: Fri, 30 Oct 2015 18:25:53 -0700
<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link bz_status_NEW" title="NEW - WebInspector crashed while viewing Timeline when refreshing cnn.com while it was already loading" href="https://bugs.webkit.org/show_bug.cgi?id=150745">150745</a></td>
</tr>
<tr>
<th>Summary</th>
<td>WebInspector crashed while viewing Timeline when refreshing cnn.com while it was already loading
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr>
<tr>
<th>Product</th>
<td>WebKit
</td>
</tr>
<tr>
<th>Version</th>
<td>WebKit Nightly Build
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>Normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P2
</td>
</tr>
<tr>
<th>Component</th>
<td>JavaScriptCore
</td>
</tr>
<tr>
<th>Assignee</th>
<td>webkit-unassigned@lists.webkit.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>msaboff@apple.com
</td>
</tr></table>
<p>
<div>
<pre>* STEPS TO REPRODUCE
1. Inspect cnn.com
2. Show Timeline tab
3. Reload
4. Repeat
We get a crash like this:
frame #0: 0x000000010c25767e JavaScriptCore`::WTFCrash() + 62 at Assertions.cpp:321
frame #1: 0x000000010bd50e8a JavaScriptCore`JSC::DFG::reifyInlinedCallFrames(jit=<unavailable>, exit=<unavailable>) + 1546 at DFGOSRExitCompilerCommon.cpp:193
frame #2: 0x000000010bd4ee0b JavaScriptCore`JSC::DFG::OSRExitCompiler::compileExit(this=0x00007fff5b42b410, exit=0x0000000143288380, operands=<unavailable>, recovery=<unavailable>) + 4667 at DFGOSRExitCompiler64.cpp:387
frame #3: 0x000000010bd4cc95 JavaScriptCore`::compileOSRExit(exec=<unavailable>) + 1493 at DFGOSRExitCompiler.cpp:162
frame #4: 0x000036bd736098a1 prepareToShow#DyZ1GU [DFG](Cell[Object ID: 18687]: 0x14000ea80, True)
frame #5: 0x000036bd7406e4df _showEntry#Dp5saP [Baseline](Cell[Object ID: 15664]: 0x1435c9900, Cell[Object ID: 18687]: 0x14000ea80, True)
frame #6: 0x000036bd741638d2 showBackForwardEntryForIndex#ETQFoG [Baseline](Cell[Object ID: 15664]: 0x1435c9900, 0)
frame #7: 0x000036bd73f00045 showContentView#BhrqjJ [Baseline](Cell[Object ID: 15664]: 0x1435c9900, Cell[Object ID: 18505]: 0x1435c97c0)
...
Looks like we don't have correct location information for an OSR exit.
We are OSR exiting from prepareToShow#DyZ1GU->_restoreFromCookie#AsCLr2->cookie#C5Hkj7->value#ApQL0d.