15846 2007-11-05 08:48:14 -0800 REGRESSION (r27387): Memory corruption when running fast/js/kde/delete.html 2007-11-06 13:40:46 -0800 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Mac OS X 10.4 RESOLVED FIXED Regression P1 Major --- 1 ap darin darin ggaren mjs mrowe oldest_to_newest 60292 0 ap 2007-11-05 08:48:14 -0800 run-webkit-tests fast/js/kde/delete.html fast/js/kde/delete.html fast/js/kde/delete.html fast/js/kde/delete.html fast/js/kde/delete.html fast/js/kde/delete.html fast/js/kde/delete.html fast/js/kde/delete.html fast/js/kde/delete.html fast/js/kde/delete.html This crashes for me reliably, although with different crash logs. When running tests normally, I see many random crashes that presumably have the same cause. Given that buildbot is happy, I suppose that this is easier to reproduce on debug builds. 60305 1 ap 2007-11-05 10:03:08 -0800 Regressed in <http://trac.webkit.org/projects/webkit/changeset/27387> (change property map data structure for less memory use, better speed). 60320 2 mrowe 2007-11-05 11:21:57 -0800 Running the test twice in a row in gdb under GuardMalloc reliably triggers a crash. You can do so as follows: $ gdb --args ./WebKitBuild/Debug/DumpRenderTree LayoutTests/fast/js/kde/delete.html LayoutTests/fast/js/kde/delete.html (gdb) set env DYLD_INSERT_LIBRARIES=/usr/lib/libgmalloc.dylib (gdb) r This consistently gives me the following crash and backtrace: Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_INVALID_ADDRESS at address: 0xd5925fd8 0x00280bd1 in KJS::UString::Rep::deref (this=0xd5925fd0) at ustring.h:158 158 ALWAYS_INLINE void deref() { ASSERT(JSLock::lockCount() > 0); if (--rc == 0) destroy(); } (gdb) bt #0 0x00280bd1 in KJS::UString::Rep::deref (this=0xd5925fd0) at ustring.h:158 #1 0x00232a91 in KJS::PropertyMap::~PropertyMap (this=0x16da0da4) at property_map.cpp:160 #2 0x00232acb in KJS::PropertyMap::~PropertyMap (this=0x16da0da4) at property_map.cpp:163 #3 0x01eaac67 in KJS::JSObject::~JSObject (this=0x16da0da0) at object.h:99 #4 0x022807aa in KJS::JSGlobalObject::~JSGlobalObject (this=0x16da0da0) at JSGlobalObject.h:29 #5 0x02277b19 in KJS::Window::~Window (this=0x16da0da0) at WebCore/bindings/js/kjs_window.cpp:248 #6 0x01ed0e08 in WebCore::JSDOMWindow::~JSDOMWindow (this=0x16da0da0) at JSDOMWindow.h:31 #7 0x01ed0e39 in WebCore::JSDOMWindow::~JSDOMWindow (this=0x16da0da0) at JSDOMWindow.h:31 #8 0x00269407 in KJS::Collector::sweep<(KJS::Collector::HeapType)0> (currentThreadIsMainThread=true) at collector.cpp:870 #9 0x0023b619 in KJS::Collector::collect () at collector.cpp:960 #10 0x01fbf931 in collect () at WebCore/bridge/JavaScriptStatistics.cpp:44 #11 0x01fbfa0c in WebCore::JavaScriptStatistics::garbageCollect () at WebCore/bridge/JavaScriptStatistics.cpp:75 #12 0x00457d7f in +[WebCoreStatistics garbageCollectJavaScriptObjects] (self=0x540fe0, _cmd=0x14c24) at WebKit/Misc/WebCoreStatistics.mm:78 #13 0x00007512 in main (argc=3, argv=0xbffff610) at WebKitTools/DumpRenderTree/mac/DumpRenderTree.mm:593 (gdb) 60363 3 darin 2007-11-05 18:55:55 -0800 I can probably fix this fast if I turn on hash table consistency checks. 60365 4 17054 darin 2007-11-05 20:35:34 -0800 Created attachment 17054 patch 60429 5 17054 mjs 2007-11-06 11:53:24 -0800 Comment on attachment 17054 patch r=me 60438 6 darin 2007-11-06 13:40:46 -0800 Committed revision 27487. 17054 2007-11-05 20:35:34 -0800 2007-11-06 11:53:24 -0800 patch PropMapDeletePatch.txt text/plain 2670 darin SW5kZXg6IEphdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBKYXZhU2NyaXB0 Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDI3NDYxKQorKysgSmF2YVNjcmlwdENvcmUvQ2hhbmdl TG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMjEgQEAKKzIwMDctMTEtMDUgIERhcmluIEFk bGVyICA8ZGFyaW5AYXBwbGUuY29tPgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09Q UyEpLgorCisgICAgICAgIC0gaHR0cDovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9 MTU4NDYKKyAgICAgICAgICBSRUdSRVNTSU9OKHIyNzM4Nyk6IE1lbW9yeSBjb3JydXB0aW9uIHdo ZW4gcnVubmluZyBmYXN0L2pzL2tkZS9kZWxldGUuaHRtbAorCisgICAgICAgIFRoZXJlIHdhcyBh IG1pc3Rha2UgaW4gdGhlIGFsZ29yaXRobSB1c2VkIHRvIGZpbmQgYW4gZW1wdHkgc2xvdCBpbiB0 aGUgcHJvcGVydHkKKyAgICAgICAgbWFwIGVudHJpZXMgdmVjdG9yOyB3aGVuIHdlIHdlcmUgcHV0 dGluZyBpbiBhIG5ldyBwcm9wZXJ0eSB2YWx1ZSBhbmQgbm90IG92ZXJ3cml0aW5nCisgICAgICAg IGFuIGV4aXN0aW5nIGRlbGV0ZWQgc2VudGluZWwsIHdlIHdvdWxkIGVubGFyZ2UgdGhlIGVudHJp ZXMgdmVjdG9yLCBidXQgd291bGQgbm90CisgICAgICAgIG92ZXJ3cml0ZSB0aGUgc3RhbGUgZGF0 YSB0aGF0J3MgaW4gdGhlIG5ldyBwYXJ0LiBJdCB3YXMgZWFzeSB0byBwaW4gdGhpcyBkb3duIGJ5 CisgICAgICAgIHR1cm5pbmcgb24gcHJvcGVydHkgbWFwIGNvbnNpc3RlbmN5IGNoZWNrcyAtLSBJ IG5ldmVyIHdvdWxkIGhhdmUgbGFuZGVkIHdpdGggdGhpcworICAgICAgICBidWcgaWYgSSBoYWQg cnVuIHRoZSByZWdyZXNzaW9uIHRlc3RzIG9uY2Ugd2l0aCBjb25zaXN0ZW5jeSBjaGVja3Mgb24h CisKKyAgICAgICAgKiBranMvcHJvcGVydHlfbWFwLmNwcDogKEtKUzo6UHJvcGVydHlNYXA6OnB1 dCk6IENoYW5nZWQgbG9naWMgZm9yIHRoZSBjYXNlIHdoZXJlCisgICAgICAgIGZvdW5kRGVsZXRl ZEVsZW1lbnQgaXMgZmFsc2UgdG8gYWx3YXlzIHVzZSB0aGUgaXRlbSBhdCB0aGUgZW5kIG9mIHRo ZSBlbnRyaWVzIHZlY3Rvci4KKyAgICAgICAgQWxzbyBhbGxvd2VkIG1lIHRvIG1lcmdlIHdpdGgg dGhlIGxvZ2ljIGZvciB0aGUgIm5vIGRlbGV0ZWQgc2VudGluZWxzIGF0IGFsbCIgY2FzZS4KKwog MjAwNy0xMS0wNSAgTWFyayBSb3dlICA8bXJvd2VAYXBwbGUuY29tPgogCiAgICAgICAgIEd0ayBi dWlsZCBmaXguCkluZGV4OiBKYXZhU2NyaXB0Q29yZS9ranMvcHJvcGVydHlfbWFwLmNwcAo9PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09Ci0tLSBKYXZhU2NyaXB0Q29yZS9ranMvcHJvcGVydHlfbWFwLmNwcAkocmV2aXNpb24g Mjc0MzApCisrKyBKYXZhU2NyaXB0Q29yZS9ranMvcHJvcGVydHlfbWFwLmNwcAkod29ya2luZyBj b3B5KQpAQCAtNDEzLDE2ICs0MTMsMTYgQEAgdm9pZCBQcm9wZXJ0eU1hcDo6cHV0KGNvbnN0IElk ZW50aWZpZXImIAogICAgIH0KIAogICAgIC8vIEZpZ3VyZSBvdXQgd2hpY2ggZW50cnkgdG8gdXNl LgotICAgIHVuc2lnbmVkIGVudHJ5SW5kZXg7Ci0gICAgaWYgKCFtX3UudGFibGUtPmRlbGV0ZWRT ZW50aW5lbENvdW50KQotICAgICAgICBlbnRyeUluZGV4ID0gbV91LnRhYmxlLT5rZXlDb3VudCAr IDI7Ci0gICAgZWxzZSB7Ci0gICAgICAgIGlmIChmb3VuZERlbGV0ZWRFbGVtZW50KSB7Ci0gICAg ICAgICAgICBpID0gZGVsZXRlZEVsZW1lbnRJbmRleDsKLSAgICAgICAgICAgIC0tbV91LnRhYmxl LT5kZWxldGVkU2VudGluZWxDb3VudDsKLSAgICAgICAgfQotICAgICAgICBmb3IgKGVudHJ5SW5k ZXggPSBtX3UudGFibGUtPmtleUNvdW50ICsgbV91LnRhYmxlLT5kZWxldGVkU2VudGluZWxDb3Vu dCArIDI7Ci0gICAgICAgICAgICAgICAgbV91LnRhYmxlLT5lbnRyaWVzKClbZW50cnlJbmRleCAt IDFdLmtleTsgLS1lbnRyeUluZGV4KQorICAgIHVuc2lnbmVkIGVudHJ5SW5kZXggPSBtX3UudGFi bGUtPmtleUNvdW50ICsgbV91LnRhYmxlLT5kZWxldGVkU2VudGluZWxDb3VudCArIDI7CisgICAg aWYgKGZvdW5kRGVsZXRlZEVsZW1lbnQpIHsKKyAgICAgICAgaSA9IGRlbGV0ZWRFbGVtZW50SW5k ZXg7CisgICAgICAgIC0tbV91LnRhYmxlLT5kZWxldGVkU2VudGluZWxDb3VudDsKKworICAgICAg ICAvLyBTaW5jZSB3ZSdyZSBub3QgbWFraW5nIHRoZSB0YWJsZSBiaWdnZXIsIHdlIGNhbid0IHVz ZSB0aGUgZW50cnkgb25lIHBhc3QKKyAgICAgICAgLy8gdGhlIGVuZCB0aGF0IHdlIHdlcmUgcGxh bm5pbmcgb24gdXNpbmcsIHNvIHNlYXJjaCBiYWNrd2FyZHMgZm9yIHRoZSBlbXB0eQorICAgICAg ICAvLyBzbG90IHRoYXQgd2UgY2FuIHVzZS4gV2Uga25vdyBpdCB3aWxsIGJlIHRoZXJlIGJlY2F1 c2Ugd2UgZGlkIGF0IGxlYXN0IG9uZQorICAgICAgICAvLyBkZWxldGlvbiBpbiB0aGUgcGFzdCB0 aGF0IGxlZnQgYW4gZW50cnkgZW1wdHkuCisgICAgICAgIHdoaWxlIChtX3UudGFibGUtPmVudHJp ZXMoKVstLWVudHJ5SW5kZXhdLmtleSkKICAgICAgICAgICAgIDsKICAgICB9CiAK