161115 2016-08-23 16:04:27 -0700 js/regress/put-by-id-transition-with-indexing-header.html and svg/carto.net/window.svg fail in debug after r204854 2016-08-24 09:57:50 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build All All RESOLVED FIXED P2 Normal --- 1 fpizlo fpizlo barraclough benjamin commit-queue ggaren keith_miller mark.lam mhahnenb msaboff oliver saam sam oldest_to_newest 1222486 0 fpizlo 2016-08-23 16:04:27 -0700 Patch forthcoming. 1222495 1 286802 fpizlo 2016-08-23 16:16:44 -0700 Created attachment 286802 skipping patch 1222500 2 fpizlo 2016-08-23 16:24:19 -0700 Skipped in http://trac.webkit.org/changeset/204867 1222563 3 fpizlo 2016-08-23 19:27:32 -0700 I'm pretty sure I know what is going on: if we put a new butterfly with more out-of-line capacity (or more pre-capacity) into an object with an old structure (or with m_indexBias reflecting the old pre-capacity) then we won't quite know how to find the base, since that calculation currently relies on the structure and m_indexBias. This is the code that causes this: char* JIT_OPERATION operationReallocateButterflyToGrowPropertyStorage(ExecState* exec, JSObject* object, size_t newSize) { VM& vm = exec->vm(); NativeCallFrameTracer tracer(&vm, exec); DeferGC deferGC(vm.heap); Butterfly* result = object->growOutOfLineStorage(vm, object->structure()->outOfLineCapacity(), newSize); object->setButterflyWithoutChangingStructure(vm, result); return reinterpret_cast<char*>(result); } Intriguingly, the use of DeferGC is one of the causes. It causes GC to run after we have already set the butterfly, rather than in a state where the object still points to the "right" butterfly for its structure. I'm tempted to say that the solution is to simply remove the DeferGC! If we do that then the GC will happen exactly where we want it to: inside growOutOfLineStorage(). That's a fine place to GC, since the object will still be in a sane state in that method. 1222589 4 fpizlo 2016-08-23 21:32:04 -0700 *** Bug 161114 has been marked as a duplicate of this bug. *** 1222590 5 fpizlo 2016-08-23 21:32:41 -0700 I have fixes for these crashes, I'm testing them now. 1222601 6 286835 fpizlo 2016-08-23 23:21:39 -0700 Created attachment 286835 the patch 1222685 7 286835 keith_miller 2016-08-24 09:55:43 -0700 Comment on attachment 286835 the patch r=me. 1222686 8 fpizlo 2016-08-24 09:57:50 -0700 Landed in https://trac.webkit.org/changeset/204901 286802 2016-08-23 16:16:44 -0700 2016-08-23 23:21:39 -0700 skipping patch blah.patch text/plain 1300 fpizlo SW5kZXg6IExheW91dFRlc3RzL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9D aGFuZ2VMb2cJKHJldmlzaW9uIDIwNDg2NCkKKysrIExheW91dFRlc3RzL0NoYW5nZUxvZwkod29y a2luZyBjb3B5KQpAQCAtMSwzICsxLDExIEBACisyMDE2LTA4LTIzICBGaWxpcCBQaXpsbyAgPGZw aXpsb0BhcHBsZS5jb20+CisKKyAgICAgICAgU2tpcCBzb21lIHRlc3RzOgorICAgICAgICBodHRw czovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTYxMTE0IHN2Zy9jYXJ0by5uZXQv d2luZG93LnN2ZyBmYWlscyBpbiBkZWJ1ZyBhZnRlciByMjA0ODU0CisgICAgICAgIGh0dHBzOi8v YnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xNjExMTUganMvcmVncmVzcy9wdXQtYnkt aWQtdHJhbnNpdGlvbi13aXRoLWluZGV4aW5nLWhlYWRlci5odG1sIHNvbWV0aW1lcyBmYWlscyBp biBkZWJ1ZyBhZnRlciByMjA0ODU0CisKKyAgICAgICAgKiBUZXN0RXhwZWN0YXRpb25zOgorCiAy MDE2LTA4LTIzICBaYWxhbiBCdWp0YXMgIDx6YWxhbkBhcHBsZS5jb20+CiAKICAgICAgICAgQVNT RVJUSU9OIEZBSUxFRDogaGFzT3ZlcmZsb3dpbmdDZWxsID09IHRoaXMtPmhhc092ZXJmbG93aW5n Q2VsbCgpIGluIFdlYkNvcmU6OlJlbmRlclRhYmxlU2VjdGlvbjo6Y29tcHV0ZU92ZXJmbG93RnJv bUNlbGxzCkluZGV4OiBMYXlvdXRUZXN0cy9UZXN0RXhwZWN0YXRpb25zCj09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0t IExheW91dFRlc3RzL1Rlc3RFeHBlY3RhdGlvbnMJKHJldmlzaW9uIDIwNDg1NikKKysrIExheW91 dFRlc3RzL1Rlc3RFeHBlY3RhdGlvbnMJKHdvcmtpbmcgY29weSkKQEAgLTEyNDMsMyArMTI0Myw2 IEBAIHdlYmtpdC5vcmcvYi8xNTk3NTUgZmFzdC90ZXh0L2Vtb2ppLWdlbmQKIHdlYmtpdC5vcmcv Yi8xNTk3NTUgZmFzdC90ZXh0L2Vtb2ppLWdlbmRlci5odG1sIFsgSW1hZ2VPbmx5RmFpbHVyZSBd CiAKIHdlYmtpdC5vcmcvYi8xNjAwMTcganMvcmVncmVzcy0xMzk1NDguaHRtbCBbIFNsb3cgXQor CitbRGVidWddIHdlYmtpdC5vcmcvYi8xNjExMTQgc3ZnL2NhcnRvLm5ldC93aW5kb3cuc3ZnIFsg U2tpcCBdCitbRGVidWddIHdlYmtpdC5vcmcvYi8xNjExMTUganMvcmVncmVzcy9wdXQtYnktaWQt dHJhbnNpdGlvbi13aXRoLWluZGV4aW5nLWhlYWRlci5odG1sIFsgU2tpcCBdCg== 286835 2016-08-23 23:21:39 -0700 2016-08-24 09:55:43 -0700 the patch blah.patch text/plain 3852 fpizlo SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMjA0ODg1KQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE2IEBA CisyMDE2LTA4LTIzICBGaWxpcCBQaXpsbyAgPGZwaXpsb0BhcHBsZS5jb20+CisKKyAgICAgICAg anMvcmVncmVzcy9wdXQtYnktaWQtdHJhbnNpdGlvbi13aXRoLWluZGV4aW5nLWhlYWRlci5odG1s IGFuZCBzdmcvY2FydG8ubmV0L3dpbmRvdy5zdmcgZmFpbCBpbiBkZWJ1ZyBhZnRlciByMjA0ODU0 CisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xNjExMTUK KworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKyAgICAgICAgCisgICAgICAg IFRoZXJlIHdlcmUgdHdvIHNtYWxsIGdvb2ZzLgorCisgICAgICAgICogYnl0ZWNvZGUvT2JqZWN0 QWxsb2NhdGlvblByb2ZpbGUuaDoKKyAgICAgICAgKEpTQzo6T2JqZWN0QWxsb2NhdGlvblByb2Zp bGU6OmlzTnVsbCk6IFRoZSBuZXcgcG9saWN5IGlzIHRoYXQgdGhlIGFsbG9jYXRvciBjYW4gYmUg bnVsbC4gU28gbm93IHRoZSB3YXkgeW91IHRlbGwgaWYgdGhlIHByb2ZpbGUgaXMgbnVsbCBpcyBi eSBjaGVja2luZyB0aGUgc3RydWN0dXJlLgorICAgICAgICAqIGppdC9KSVRPcGVyYXRpb25zLmNw cDogVGhpcyB3YXMgdXNpbmcgRGVmZXJHQywgd2hpY2ggaXMgbm93IGRlZmluaXRlbHkgd3Jvbmcu IEl0IGZvcmNlcyB0aGUgR0MgdG8gaGFwcGVuIHdoZW4gdGhlIHN0cnVjdHVyZSBhbmQgYnV0dGVy Zmx5IGFyZSBtaXNtYXRjaGVkLiBJdCdzIGJldHRlciBmb3IgdGhlIEdDIHRvIGhhcHBlbiBiZWZv cmUgd2UgcHV0IHRoZSBidXR0ZXJmbHkgaW4gdGhlIG9iamVjdC4KKwogMjAxNi0wOC0yMyAgU2Fh bSBCYXJhdGkgIDxzYmFyYXRpQGFwcGxlLmNvbT4KIAogICAgICAgICBJdCBzaG91bGQgYmUgZWFz eSB0byBydW4gRVM2U2FtcGxlQmVuY2ggZnJvbSB0aGUganNjIHNoZWxsCkluZGV4OiBTb3VyY2Uv SmF2YVNjcmlwdENvcmUvYnl0ZWNvZGUvT2JqZWN0QWxsb2NhdGlvblByb2ZpbGUuaAo9PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09Ci0tLSBTb3VyY2UvSmF2YVNjcmlwdENvcmUvYnl0ZWNvZGUvT2JqZWN0QWxsb2NhdGlvblBy b2ZpbGUuaAkocmV2aXNpb24gMjA0ODc3KQorKysgU291cmNlL0phdmFTY3JpcHRDb3JlL2J5dGVj b2RlL09iamVjdEFsbG9jYXRpb25Qcm9maWxlLmgJKHdvcmtpbmcgY29weSkKQEAgLTQ1LDcgKzQ1 LDcgQEAgcHVibGljOgogICAgIHsKICAgICB9CiAKLSAgICBib29sIGlzTnVsbCgpIHsgcmV0dXJu ICFtX2FsbG9jYXRvcjsgfQorICAgIGJvb2wgaXNOdWxsKCkgeyByZXR1cm4gIW1fc3RydWN0dXJl OyB9CiAKICAgICB2b2lkIGluaXRpYWxpemUoVk0mIHZtLCBKU0NlbGwqIG93bmVyLCBKU09iamVj dCogcHJvdG90eXBlLCB1bnNpZ25lZCBpbmZlcnJlZElubGluZUNhcGFjaXR5KQogICAgIHsKSW5k ZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9qaXQvSklUT3BlcmF0aW9ucy5jcHAKPT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PQotLS0gU291cmNlL0phdmFTY3JpcHRDb3JlL2ppdC9KSVRPcGVyYXRpb25zLmNwcAkocmV2aXNp b24gMjA0ODc3KQorKysgU291cmNlL0phdmFTY3JpcHRDb3JlL2ppdC9KSVRPcGVyYXRpb25zLmNw cAkod29ya2luZyBjb3B5KQpAQCAtMjExOSw3ICsyMTE5LDYgQEAgY2hhciogSklUX09QRVJBVElP TiBvcGVyYXRpb25SZWFsbG9jYXRlQgogICAgIE5hdGl2ZUNhbGxGcmFtZVRyYWNlciB0cmFjZXIo JnZtLCBleGVjKTsKIAogICAgIEFTU0VSVCghb2JqZWN0LT5zdHJ1Y3R1cmUoKS0+b3V0T2ZMaW5l Q2FwYWNpdHkoKSk7Ci0gICAgRGVmZXJHQyBkZWZlckdDKHZtLmhlYXApOwogICAgIEJ1dHRlcmZs eSogcmVzdWx0ID0gb2JqZWN0LT5ncm93T3V0T2ZMaW5lU3RvcmFnZSh2bSwgMCwgaW5pdGlhbE91 dE9mTGluZUNhcGFjaXR5KTsKICAgICBvYmplY3QtPnNldEJ1dHRlcmZseVdpdGhvdXRDaGFuZ2lu Z1N0cnVjdHVyZSh2bSwgcmVzdWx0KTsKICAgICByZXR1cm4gcmVpbnRlcnByZXRfY2FzdDxjaGFy Kj4ocmVzdWx0KTsKQEAgLTIxMzAsNyArMjEyOSw2IEBAIGNoYXIqIEpJVF9PUEVSQVRJT04gb3Bl cmF0aW9uUmVhbGxvY2F0ZUIKICAgICBWTSYgdm0gPSBleGVjLT52bSgpOwogICAgIE5hdGl2ZUNh bGxGcmFtZVRyYWNlciB0cmFjZXIoJnZtLCBleGVjKTsKIAotICAgIERlZmVyR0MgZGVmZXJHQyh2 bS5oZWFwKTsKICAgICBCdXR0ZXJmbHkqIHJlc3VsdCA9IG9iamVjdC0+Z3Jvd091dE9mTGluZVN0 b3JhZ2Uodm0sIG9iamVjdC0+c3RydWN0dXJlKCktPm91dE9mTGluZUNhcGFjaXR5KCksIG5ld1Np emUpOwogICAgIG9iamVjdC0+c2V0QnV0dGVyZmx5V2l0aG91dENoYW5naW5nU3RydWN0dXJlKHZt LCByZXN1bHQpOwogICAgIHJldHVybiByZWludGVycHJldF9jYXN0PGNoYXIqPihyZXN1bHQpOwpJ bmRleDogTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIExheW91dFRlc3RzL0No YW5nZUxvZwkocmV2aXNpb24gMjA0ODg1KQorKysgTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCSh3b3Jr aW5nIGNvcHkpCkBAIC0xLDMgKzEsMTIgQEAKKzIwMTYtMDgtMjMgIEZpbGlwIFBpemxvICA8ZnBp emxvQGFwcGxlLmNvbT4KKworICAgICAgICBqcy9yZWdyZXNzL3B1dC1ieS1pZC10cmFuc2l0aW9u LXdpdGgtaW5kZXhpbmctaGVhZGVyLmh0bWwgYW5kIHN2Zy9jYXJ0by5uZXQvd2luZG93LnN2ZyBm YWlsIGluIGRlYnVnIGFmdGVyIHIyMDQ4NTQKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5v cmcvc2hvd19idWcuY2dpP2lkPTE2MTExNQorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAo T09QUyEpLgorCisgICAgICAgICogVGVzdEV4cGVjdGF0aW9uczoKKwogMjAxNi0wOC0yMyAgWmFs YW4gQnVqdGFzICA8emFsYW5AYXBwbGUuY29tPgogCiAgICAgICAgIEFTU0VSVElPTiBGQUlMRUQ6 ICF2aWV3KCkubGF5b3V0U3RhdGVFbmFibGVkKCkgfHwgc3R5bGUoKS5zdHlsZVR5cGUoKSA9PSBG SVJTVF9MRVRURVIgaW4gV2ViQ29yZTo6UmVuZGVySW5saW5lOjpjbGlwcGVkT3ZlcmZsb3dSZWN0 Rm9yUmVwYWludApJbmRleDogTGF5b3V0VGVzdHMvVGVzdEV4cGVjdGF0aW9ucwo9PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 Ci0tLSBMYXlvdXRUZXN0cy9UZXN0RXhwZWN0YXRpb25zCShyZXZpc2lvbiAyMDQ4NzcpCisrKyBM YXlvdXRUZXN0cy9UZXN0RXhwZWN0YXRpb25zCSh3b3JraW5nIGNvcHkpCkBAIC0xMjM0LDQgKzEy MzQsMyBAQCB3ZWJraXQub3JnL2IvMTU5NzU1IGZhc3QvdGV4dC9lbW9qaS1nZW5kCiB3ZWJraXQu b3JnL2IvMTU5NzU1IGZhc3QvdGV4dC9lbW9qaS1nZW5kZXItZmUwZi05Lmh0bWwgWyBJbWFnZU9u bHlGYWlsdXJlIF0KIHdlYmtpdC5vcmcvYi8xNTk3NTUgZmFzdC90ZXh0L2Vtb2ppLWdlbmRlci5o dG1sIFsgSW1hZ2VPbmx5RmFpbHVyZSBdCiAKLVtEZWJ1Z10gd2Via2l0Lm9yZy9iLzE2MTExNCBz dmcvY2FydG8ubmV0L3dpbmRvdy5zdmcgWyBTa2lwIF0K