Crash in array instance

I ran into this while trying to make Safari run out of GDI objects. :) See test case.

Process: Safari [18170]
Path: /Applications/Safari.app/Contents/MacOS/Safari
Identifier: com.apple.Safari
Version: 3.1 (5525.13)
Build Info: WebBrowser-55251300~1
Code Type: X86 (Native)
Parent Process: launchd [341]

Date/Time: 2008-04-01 16:54:35.691 -0700
OS Version: Mac OS X 10.5.2 (9C31)
Report Version: 6

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_PROTECTION_FAILURE at 0x00000000bf7ffffc
Crashed Thread: 0

Thread 0 Crashed:
0 com.apple.JavaScriptCore 0x00340cb2 KJS::ArrayInstance::mark() + 114
1 com.apple.JavaScriptCore 0x0033fd6d KJS::PropertyMap::mark() const + 221
2 com.apple.JavaScriptCore 0x0033fd6d KJS::PropertyMap::mark() const + 221
3 com.apple.JavaScriptCore 0x0033fd6d KJS::PropertyMap::mark() const + 221
4 com.apple.JavaScriptCore 0x0033fd6d KJS::PropertyMap::mark() const + 221
5 com.apple.JavaScriptCore 0x0033fd6d KJS::PropertyMap::mark() const + 221
6 com.apple.JavaScriptCore 0x0033fd6d KJS::PropertyMap::mark() const + 221
...
Created attachment 20277: test case (crashes Safari)
I don't think this is a JSC bug any more - I don't see a crash in ToT. Looks like this test takes an unreasonably long time to run, so might still be worth looking at the performance at some point.
Is that worth tracking as a bug? Two million spans is a large amount.
Hey Alexey, Sam suggested that this test may be exposing some n^2 behaviour in adding sibling spans, so could be worth profiling. It may be worth noting that this also thrashes on font rendering, since the contents of no two spans are the same. I'll bow out of the conversation to leave the decision to someone more expert in the field - if you don't think this is a useful test then please do close. G.