111059 2013-02-28 02:18:57 -0800 Crash in JSC::MarkedBlock::FreeList JSC::MarkedBlock::sweepHelper 2019-05-02 16:18:09 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED P2 Normal --- 1 rniwa oliver arkr17997 benjamin cmarcelo fpizlo ggaren msaboff ojan.autocc oliver webkit.review.bot oldest_to_newest 843909 0 rniwa 2013-02-28 02:18:57 -0800 CRASHING TEST: fast/js/regress/int-or-other-add-then-get-by-val.html Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x000000010422be86 WTF::TCMalloc_ThreadCache_FreeList::Validate(WTF::HardenedSLL, unsigned long) + 70 (FastMalloc.cpp:2626) 1 com.apple.JavaScriptCore 0x000000010422bd11 WTF::TCMalloc_ThreadCache::Deallocate(WTF::HardenedSLL, unsigned long) + 209 (FastMalloc.cpp:3247) 2 com.apple.JavaScriptCore 0x0000000104147345 JSC::MarkedBlock::FreeList JSC::MarkedBlock::sweepHelper<(JSC::MarkedBlock::DestructorType)2>(JSC::MarkedBlock::SweepMode) + 309 (JSCell.h:117) 3 com.apple.JavaScriptCore 0x0000000104146f57 JSC::MarkedBlock::sweep(JSC::MarkedBlock::SweepMode) + 71 (MarkedBlock.cpp:118) 4 com.apple.JavaScriptCore 0x000000010406864c JSC::IncrementalSweeper::doSweep(double) + 108 (IncrementalSweeper.cpp:130) 5 com.apple.JavaScriptCore 0x0000000104066c03 JSC::HeapTimer::timerDidFire(__CFRunLoopTimer*, void*) + 179 (TimeoutChecker.h:57) 6 com.apple.CoreFoundation 0x00007fff92ac7da4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20 7 com.apple.CoreFoundation 0x00007fff92ac78bd __CFRunLoopDoTimer + 557 8 com.apple.CoreFoundation 0x00007fff92aad099 __CFRunLoopRun + 1513 9 com.apple.CoreFoundation 0x00007fff92aac6b2 CFRunLoopRunSpecific + 290 10 com.apple.Foundation 0x00007fff87a8089e -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 268 11 DumpRenderTree 0x0000000103e33e12 runTest(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) + 1639 (DumpRenderTree.mm:1375) 12 DumpRenderTree 0x0000000103e335a6 dumpRenderTree(int, char const**) + 1727 (DumpRenderTree.mm:832) 13 DumpRenderTree 0x0000000103e3417b main + 86 (DumpRenderTree.mm:925) 14 libdyld.dylib 0x00007fff895837e1 start + 1 e.g. http://build.webkit.org/results/Apple%20MountainLion%20Release%20WK1%20(Tests)/r144275%20(7359)/results.html 844315 1 oliver 2013-02-28 11:54:36 -0800 So with some fiddling i can make this die fairly easily, implying a validation logic bug. Can't work out of course, and lldb is trying hard to beat gdb for the prize of "least good at debugging optimized code" so seeing if i can make it repro in a debug build 844334 2 190776 oliver 2013-02-28 12:10:31 -0800 Created attachment 190776 Patch 844337 3 fpizlo 2013-02-28 12:13:22 -0800 r=me too 844339 4 oliver 2013-02-28 12:15:06 -0800 Committed r144346: <http://trac.webkit.org/changeset/144346> 844346 5 benjamin 2013-02-28 12:20:27 -0800 Was it doing implicit conversion to bool prior to the operator? 844349 6 rniwa 2013-02-28 12:21:24 -0800 (In reply to comment #5) > Was it doing implicit conversion to bool prior to the operator? Yup :( 190776 2013-02-28 12:10:31 -0800 2013-02-28 12:12:37 -0800 Patch bug-111059-20130228120644.patch text/plain 1484 oliver U3VidmVyc2lvbiBSZXZpc2lvbjogMTQ0MzMzCmRpZmYgLS1naXQgYS9Tb3VyY2UvV1RGL0NoYW5n ZUxvZyBiL1NvdXJjZS9XVEYvQ2hhbmdlTG9nCmluZGV4IGViM2RjNjc0ZjAxYzFlZjFiNDdiMGY4 MzFjNTEzZjhkMDFjOWQ5NWQuLjJhY2RhNjhlNmNlMzI3N2IxYjUyNzI2MjkwZTUzYWFhYzBmNzU3 MGQgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XVEYvQ2hhbmdlTG9nCisrKyBiL1NvdXJjZS9XVEYvQ2hh bmdlTG9nCkBAIC0xLDMgKzEsMTggQEAKKzIwMTMtMDItMjggIE9saXZlciBIdW50ICA8b2xpdmVy QGFwcGxlLmNvbT4KKworICAgICAgICBDcmFzaCBpbiBKU0M6Ok1hcmtlZEJsb2NrOjpGcmVlTGlz dCBKU0M6Ok1hcmtlZEJsb2NrOjpzd2VlcEhlbHBlcgorICAgICAgICBodHRwczovL2J1Z3Mud2Vi a2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTExMDU5CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9C T0RZIChPT1BTISkuCisKKyAgICAgICAgU29tZXRpbWVzIEMrKydzIGltcGxpY2l0IG9wZXJhdG9y IGNvbnZlcnNpb24gcnVsZXMgc3Vjay4KKyAgICAgICAgQWRkIGV4cGxpY2l0IG9wZXJhdG9yPT0g YW5kICE9LgorCisgICAgICAgICogd3RmL0Zhc3RNYWxsb2MuY3BwOgorICAgICAgICAoV1RGOjpI YXJkZW5lZFNMTDo6b3BlcmF0b3IhPSk6CisgICAgICAgIChXVEY6OkhhcmRlbmVkU0xMOjpvcGVy YXRvcj09KToKKyAgICAgICAgKEhhcmRlbmVkU0xMKToKKwogMjAxMy0wMi0yNyAgQmFsYXpzIEtp bHZhZHkgIDxraWx2YWR5YkBob21lamlubmkuY29tPgogCiAgICAgICAgIEJ1ZyBpbiBhdG9taWNJ bmNyZW1lbnQgaW1wbGVtZW50YXRpb24gZm9yIE1JUFMgR0NDCmRpZmYgLS1naXQgYS9Tb3VyY2Uv V1RGL3d0Zi9GYXN0TWFsbG9jLmNwcCBiL1NvdXJjZS9XVEYvd3RmL0Zhc3RNYWxsb2MuY3BwCmlu ZGV4IGRjOTI0NGZiYmJjZjU4NjFhODFlMzdlZGM1MmEyOWM5MmY0MGM1ZWEuLjJhMTE1ZjM0YzVj MmIxNDFmYTYyZTA0MzY4ODhmZmFhYmEzMmU2MzYgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XVEYvd3Rm L0Zhc3RNYWxsb2MuY3BwCisrKyBiL1NvdXJjZS9XVEYvd3RmL0Zhc3RNYWxsb2MuY3BwCkBAIC03 NzQsNiArNzc0LDkgQEAgcHVibGljOgogICAgIHR5cGVkZWYgdm9pZCogKEhhcmRlbmVkU0xMOjoq VW5zcGVjaWZpZWRCb29sVHlwZSk7CiAgICAgQUxXQVlTX0lOTElORSBvcGVyYXRvciBVbnNwZWNp ZmllZEJvb2xUeXBlKCkgY29uc3QgeyByZXR1cm4gbV92YWx1ZSA/ICZIYXJkZW5lZFNMTDo6bV92 YWx1ZSA6IDA7IH0KIAorICAgIGJvb2wgb3BlcmF0b3IhPShjb25zdCBIYXJkZW5lZFNMTCYgb3Ro ZXIpIGNvbnN0IHsgcmV0dXJuIG1fdmFsdWUgIT0gb3RoZXIubV92YWx1ZTsgfQorICAgIGJvb2wg b3BlcmF0b3I9PShjb25zdCBIYXJkZW5lZFNMTCYgb3RoZXIpIGNvbnN0IHsgcmV0dXJuIG1fdmFs dWUgPT0gb3RoZXIubV92YWx1ZTsgfQorCiBwcml2YXRlOgogICAgIHZvaWQqIG1fdmFsdWU7CiB9 Owo=