Bug 111059

Summary: Crash in JSC::MarkedBlock::FreeList JSC::MarkedBlock::sweepHelper
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: JavaScriptCore Assignee: Oliver Hunt <oliver>
Status: RESOLVED FIXED    
Severity: Normal CC: arkr17997, benjamin, cmarcelo, fpizlo, ggaren, msaboff, ojan.autocc, oliver, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch rniwa: review+

Ryosuke Niwa
Reported 2013-02-28 02:18:57 PST
CRASHING TEST: fast/js/regress/int-or-other-add-then-get-by-val.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.JavaScriptCore 0x000000010422be86 WTF::TCMalloc_ThreadCache_FreeList::Validate(WTF::HardenedSLL, unsigned long) + 70 (FastMalloc.cpp:2626)
1 com.apple.JavaScriptCore 0x000000010422bd11 WTF::TCMalloc_ThreadCache::Deallocate(WTF::HardenedSLL, unsigned long) + 209 (FastMalloc.cpp:3247)
2 com.apple.JavaScriptCore 0x0000000104147345 JSC::MarkedBlock::FreeList JSC::MarkedBlock::sweepHelper<(JSC::MarkedBlock::DestructorType)2>(JSC::MarkedBlock::SweepMode) + 309 (JSCell.h:117)
3 com.apple.JavaScriptCore 0x0000000104146f57 JSC::MarkedBlock::sweep(JSC::MarkedBlock::SweepMode) + 71 (MarkedBlock.cpp:118)
4 com.apple.JavaScriptCore 0x000000010406864c JSC::IncrementalSweeper::doSweep(double) + 108 (IncrementalSweeper.cpp:130)
5 com.apple.JavaScriptCore 0x0000000104066c03 JSC::HeapTimer::timerDidFire(__CFRunLoopTimer*, void*) + 179 (TimeoutChecker.h:57)
6 com.apple.CoreFoundation 0x00007fff92ac7da4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
7 com.apple.CoreFoundation 0x00007fff92ac78bd __CFRunLoopDoTimer + 557
8 com.apple.CoreFoundation 0x00007fff92aad099 __CFRunLoopRun + 1513
9 com.apple.CoreFoundation 0x00007fff92aac6b2 CFRunLoopRunSpecific + 290
10 com.apple.Foundation 0x00007fff87a8089e -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 268
11 DumpRenderTree 0x0000000103e33e12 runTest(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) + 1639 (DumpRenderTree.mm:1375)
12 DumpRenderTree 0x0000000103e335a6 dumpRenderTree(int, char const**) + 1727 (DumpRenderTree.mm:832)
13 DumpRenderTree 0x0000000103e3417b main + 86 (DumpRenderTree.mm:925)
14 libdyld.dylib 0x00007fff895837e1 start + 1

e.g. http://build.webkit.org/results/Apple%20MountainLion%20Release%20WK1%20(Tests)/r144275%20(7359)/results.html
Attachments
Patch (1.45 KB, patch)
2013-02-28 12:10 PST, Oliver Hunt
rniwa: review+
Oliver Hunt
Comment 1 2013-02-28 11:54:36 PST
So with some fiddling I can make this die fairly easily, implying a validation logic bug. Can't work out why, of course, and lldb is trying hard to beat gdb for the prize of "least good at debugging optimized code", so seeing if I can make it repro in a debug build.
Oliver Hunt
Comment 2 2013-02-28 12:10:31 PST
Filip Pizlo
Comment 3 2013-02-28 12:13:22 PST
r=me too
Oliver Hunt
Comment 4 2013-02-28 12:15:06 PST
Benjamin Poulain
Comment 5 2013-02-28 12:20:27 PST
Was it doing implicit conversion to bool prior to the operator?
Ryosuke Niwa
Comment 6 2013-02-28 12:21:24 PST
(In reply to comment #5)
> Was it doing implicit conversion to bool prior to the operator?

Yup :(
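The pitfall comments 5 and 6 point at, as an added illustration that is not WebKit's code: a constructed masked free-list link type whose implicit bool conversion makes `a != b` silently compare truthiness instead of identity, so a validator accepts two different nodes, beside the form with an explicit conversion and a real comparison operator. `Link`, `linksMatch`, and the mask value are assumptions made here, not names from FastMalloc.

```cpp
#include <cstdint>

// Constructed stand-in, not WebKit's HardenedSLL: a free-list link that stores
// its pointer XOR-masked so a corrupted node is unlikely to decode to a valid
// address. The validator wants to compare two links by identity.
namespace buggy {
constexpr uintptr_t kMask = 0x5A5A5A5A5A5A5A5AULL;

struct Link {
    uintptr_t masked;
    static Link wrap(const void* p) { return Link{reinterpret_cast<uintptr_t>(p) ^ kMask}; }
    // Implicit conversion: with no operator!= of its own, `a != b` below is
    // resolved as bool(a) != bool(b), so any two non-null links compare equal.
    operator bool() const { return masked != kMask; }
};

// Intended meaning: "does the node we reached match the node we expected?"
inline bool linksMatch(Link a, Link b) { return !(a != b); }
}  // namespace buggy

namespace fixed {
constexpr uintptr_t kMask = 0x5A5A5A5A5A5A5A5AULL;

struct Link {
    uintptr_t masked;
    static Link wrap(const void* p) { return Link{reinterpret_cast<uintptr_t>(p) ^ kMask}; }
    // explicit: the compiler no longer narrows a link to a bool on its own,
    // and the comparison operators compare the stored (masked) values.
    explicit operator bool() const { return masked != kMask; }
    bool operator==(Link o) const { return masked == o.masked; }
    bool operator!=(Link o) const { return !(*this == o); }
};

inline bool linksMatch(Link a, Link b) { return !(a != b); }
}  // namespace fixed

// Two distinct objects standing in for two distinct heap nodes (constructed input).
static int gNodeA = 0;
static int gNodeB = 0;

// True when the buggy validator wrongly treats two different nodes as the same.
inline bool buggyValidatorIsFooled() {
    return buggy::linksMatch(buggy::Link::wrap(&gNodeA), buggy::Link::wrap(&gNodeB));
}

// True when the fixed validator correctly tells the two nodes apart.
inline bool fixedValidatorRejects() {
    return !fixed::linksMatch(fixed::Link::wrap(&gNodeA), fixed::Link::wrap(&gNodeB));
}
```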