Bug 129271

Summary: REGRESSION(r164493): DYEBench crash in JSCObject::put
Product: WebKit
Component: JavaScriptCore
Status: RESOLVED WORKSFORME
Severity: Normal
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Reporter: Ryosuke Niwa <rniwa>
Assignee: Ryosuke Niwa <rniwa>
CC: fpizlo, ggaren, mhahnenberg, webkit-bug-importer
Keywords: InRadar
URL: https://trac.webkit.org/export/162218/trunk/PerformanceTests/DoYouEvenBench/Full.html

Ryosuke Niwa
Reported 2014-02-24 13:28:39 PST
Reproduction steps
1. Go to https://trac.webkit.org/export/162218/trunk/PerformanceTests/DoYouEvenBench/InteractiveRunner.html
2. Uncheck "VanillaJS-TodoMVC"
3. Click "Run".

Crash
Radar WebKit Bug Importer
Comment 1 2014-02-24 13:29:18 PST
Mark Hahnenberg
Comment 2 2014-02-24 13:58:32 PST
Is there a symbolicated crash log somewhere to look at?
Mark Hahnenberg
Comment 3 2014-02-24 14:27:45 PST
This still reproduces with JSC_alwaysDoFullCollection=1 which implies it's not caused by the premature deallocation of a live object.
Mark Hahnenberg
Comment 4 2014-02-24 14:32:32 PST
(In reply to comment #3)
> This still reproduces with JSC_alwaysDoFullCollection=1 which implies it's not caused by the premature deallocation of a live object.

I should say, it's not a premature deallocation of a live object due to generational collection. We could still be blowing away a live object during a full collection.
Mark Hahnenberg
Comment 5 2014-03-25 13:09:55 PDT
Throwing back to Ryosuke to verify that this has been fixed.
Ryosuke Niwa
Comment 6 2014-03-25 18:12:04 PDT
No longer seeing the crash.