Mon Sep 28 12:00:37 PDT 2015

When we are reifying the inlined frames looking for the jump target, we incorrectly have the call type from _restoreFromCookie#AsCLr2 to cookie#C5Hkj7 as InlineCallFrame::TailCall and try to find the CallLinkInfo for bc#52, but there isn't one. Instead this call should be processed as an InlineCallFrame::GetterCall.

Date: Fri, 30 Oct 2015 18:25:53 -0700

<html>
    <head>
      <base href="https://bugs.webkit.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link bz_status_NEW" title="NEW - WebInspector crashed while viewing Timeline when refreshing cnn.com while it was already loading" href="https://bugs.webkit.org/show_bug.cgi?id=150745">150745</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>WebInspector crashed while viewing Timeline when refreshing cnn.com while it was already loading
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>WebKit
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>WebKit Nightly Build
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P2
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>JavaScriptCore
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>webkit-unassigned&#64;lists.webkit.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>msaboff&#64;apple.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>* STEPS TO REPRODUCE
1. Inspect cnn.com
2. Show Timeline tab
3. Reload
4. Repeat

We get a crash like this:
    frame #0: 0x000000010c25767e JavaScriptCore`::WTFCrash() + 62 at Assertions.cpp:321
    frame #1: 0x000000010bd50e8a JavaScriptCore`JSC::DFG::reifyInlinedCallFrames(jit=&lt;unavailable&gt;, exit=&lt;unavailable&gt;) + 1546 at DFGOSRExitCompilerCommon.cpp:193
    frame #2: 0x000000010bd4ee0b JavaScriptCore`JSC::DFG::OSRExitCompiler::compileExit(this=0x00007fff5b42b410, exit=0x0000000143288380, operands=&lt;unavailable&gt;, recovery=&lt;unavailable&gt;) + 4667 at DFGOSRExitCompiler64.cpp:387
    frame #3: 0x000000010bd4cc95 JavaScriptCore`::compileOSRExit(exec=&lt;unavailable&gt;) + 1493 at DFGOSRExitCompiler.cpp:162
    frame #4: 0x000036bd736098a1 prepareToShow#DyZ1GU [DFG](Cell[Object ID: 18687]: 0x14000ea80, True)
    frame #5: 0x000036bd7406e4df _showEntry#Dp5saP [Baseline](Cell[Object ID: 15664]: 0x1435c9900, Cell[Object ID: 18687]: 0x14000ea80, True)
    frame #6: 0x000036bd741638d2 showBackForwardEntryForIndex#ETQFoG [Baseline](Cell[Object ID: 15664]: 0x1435c9900, 0)
    frame #7: 0x000036bd73f00045 showContentView#BhrqjJ [Baseline](Cell[Object ID: 15664]: 0x1435c9900, Cell[Object ID: 18505]: 0x1435c97c0)
...

Looks like we don't have correct location information for an OSR exit.

We are OSR exiting from prepareToShow#DyZ1GU-&gt;_restoreFromCookie#AsCLr2-&gt;cookie#C5Hkj7-&gt;value#ApQL0d.
</pre>
        </div>
      </p>
    </body>
</html>