21057 2008-09-24 06:48:02 -0700 Crash in RegisterID::deref() running fast/canvas/canvas-putImageData.html 2008-09-24 10:54:19 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Mac OS X 10.5 RESOLVED FIXED P1 Normal --- 1 ap ggaren ggaren oliver zwarich oldest_to_newest 92512 0 ap 2008-09-24 06:48:02 -0700 Reliably crashes under GuardMalloc: run-webkit-tests -g fast/canvas/canvas-putImageData.html Thread 0 Crashed: 0 com.apple.JavaScriptCore 0x004569c8 JSC::RegisterID::deref() + 16 (RegisterID.h:91) 1 com.apple.JavaScriptCore 0x00459ad9 WTF::RefPtr<JSC::RegisterID>::~RefPtr() + 31 2 com.apple.JavaScriptCore 0x00490b8e JSC::CodeGenerator::~CodeGenerator() + 194 3 com.apple.JavaScriptCore 0x00446098 JSC::ProgramNode::generateCode(JSC::ScopeChainNode*) + 430 (nodes.cpp:1851) 4 com.apple.JavaScriptCore 0x004ca159 JSC::ProgramNode::byteCode(JSC::ScopeChainNode*) + 43 (nodes.h:2205) 5 com.apple.JavaScriptCore 0x004b7a52 JSC::Machine::execute(JSC::ProgramNode*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*, JSC::JSValue**) + 62 (Machine.cpp:885) 6 com.apple.JavaScriptCore 0x00442927 JSC::Interpreter::evaluate(JSC::ExecState*, JSC::ScopeChain&, JSC::UString const&, int, WTF::PassRefPtr<JSC::SourceProvider>, JSC::JSValue*) + 427 (interpreter.cpp:83) 92514 1 zwarich 2008-09-24 07:01:04 -0700 This is likely caused by r36821, since that is where the only RefPtr<RegisterID> instance variable for CodeGenerator was defined: http://trac.webkit.org/changeset/36821 92518 2 ggaren 2008-09-24 07:57:36 -0700 Ah, looks like the RefPtr destructor runs after the SegmentedVector destructor. Should be easy to fix. 92528 3 23750 ggaren 2008-09-24 08:38:17 -0700 Created attachment 23750 patch 92529 4 ggaren 2008-09-24 08:39:20 -0700 I haven't been able to verify this patch with the original test case, because DRT with GuardMalloc crashes in LaunchServices on my machine. However, I did verify that this patch fixes the destructor order. 92532 5 23750 zwarich 2008-09-24 09:02:43 -0700 Comment on attachment 23750 patch r=me 92553 6 ggaren 2008-09-24 10:54:19 -0700 Committed revision 36853. 23750 2008-09-24 08:38:17 -0700 2008-09-24 09:02:43 -0700 patch ro.txt text/plain 1440 ggaren SW5kZXg6IENoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBDaGFuZ2VMb2cJKHJldmlzaW9uIDM2ODQ4 KQorKysgQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTQgQEAKKzIwMDgtMDkt MjQgIEdlb2ZmcmV5IEdhcmVuICA8Z2dhcmVuQGFwcGxlLmNvbT4KKworICAgICAgICBSZXZpZXdl ZCBieSBOT0JPRFkgKE9PUFMhKS4KKyAgICAgICAgCisgICAgICAgIEZpeGVkIGh0dHBzOi8vYnVn cy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0yMTA1NworICAgICAgICBDcmFzaCBpbiBSZWdp c3RlcklEOjpkZXJlZigpIHJ1bm5pbmcgZmFzdC9jYW52YXMvY2FudmFzLXB1dEltYWdlRGF0YS5o dG1sCisKKyAgICAgICAgKiBWTS9Db2RlR2VuZXJhdG9yLmg6IENoYW5nZWQgZGVjbGFyYXRpb24g b3JkZXIgdG8gZW5zdXJlIHRoZQorICAgICAgICBtX2xhc3RDb25zdGFudCwgd2hpY2ggaXMgYSBS ZWZQdHIgdGhhdCBwb2ludHMgaW50byBtX2NhbGxlZVJlZ2lzdGVycywKKyAgICAgICAgaGFzIGl0 cyBkZXN0cnVjdG9yIGNhbGxlZCBiZWZvcmUgdGhlIGRlc3RydWN0b3IgZm9yIG1fY2FsbGVlUmVn aXN0ZXJzLgorCiAyMDA4LTA5LTI0ICBNYWNpZWogU3RhY2hvd2lhayAgPG1qc0BhcHBsZS5jb20+ CiAKICAgICAgICAgUmV2aWV3ZWQgYnkgT2xpdmVyIEh1bnQuCkluZGV4OiBWTS9Db2RlR2VuZXJh dG9yLmgKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PQotLS0gVk0vQ29kZUdlbmVyYXRvci5oCShyZXZpc2lvbiAzNjg0MikK KysrIFZNL0NvZGVHZW5lcmF0b3IuaAkod29ya2luZyBjb3B5KQpAQCAtNDE2LDExICs0MTYsMTEg QEAgbmFtZXNwYWNlIEpTQyB7CiAKICAgICAgICAgSGFzaFNldDxSZWZQdHI8VVN0cmluZzo6UmVw PiwgSWRlbnRpZmllclJlcEhhc2g+IG1fZnVuY3Rpb25zOwogICAgICAgICBSZWdpc3RlcklEIG1f dGhpc1JlZ2lzdGVyOwotICAgICAgICBSZWZQdHI8UmVnaXN0ZXJJRD4gbV9sYXN0Q29uc3RhbnQ7 CiAgICAgICAgIFNlZ21lbnRlZFZlY3RvcjxSZWdpc3RlcklELCA1MTI+IG1fY2FsbGVlUmVnaXN0 ZXJzOwogICAgICAgICBTZWdtZW50ZWRWZWN0b3I8UmVnaXN0ZXJJRCwgNTEyPiBtX3BhcmFtZXRl cnM7CiAgICAgICAgIFNlZ21lbnRlZFZlY3RvcjxSZWdpc3RlcklELCA1MTI+IG1fZ2xvYmFsczsK ICAgICAgICAgU2VnbWVudGVkVmVjdG9yPExhYmVsSUQsIDUxMj4gbV9sYWJlbHM7CisgICAgICAg IFJlZlB0cjxSZWdpc3RlcklEPiBtX2xhc3RDb25zdGFudDsKICAgICAgICAgaW50IG1fZmluYWxs eURlcHRoOwogICAgICAgICBpbnQgbV9keW5hbWljU2NvcGVEZXB0aDsKICAgICAgICAgQ29kZVR5 cGUgbV9jb2RlVHlwZTsK