Bug 129271

Summary: REGRESSION(r164493): DYEBench crash in JSCObject::put
Product: WebKit
Reporter: Ryosuke Niwa <rniwa>
Component: JavaScriptCore
Assignee: Ryosuke Niwa <rniwa>
Status: RESOLVED WORKSFORME
Severity: Normal
CC: fpizlo, ggaren, mhahnenberg, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
URL: https://trac.webkit.org/export/162218/trunk/PerformanceTests/DoYouEvenBench/Full.html

Description Ryosuke Niwa 2014-02-24 13:28:39 PST
Reproduction steps
1. Go to https://trac.webkit.org/export/162218/trunk/PerformanceTests/DoYouEvenBench/InteractiveRunner.html
2. Uncheck "VanillaJS-TodoMVC"
3. Click "Run".

Crash
Comment 1 Radar WebKit Bug Importer 2014-02-24 13:29:18 PST
<rdar://problem/16151521>
Comment 2 Mark Hahnenberg 2014-02-24 13:58:32 PST
Is there a symbolicated crash log somewhere to look at?
Comment 3 Mark Hahnenberg 2014-02-24 14:27:45 PST
This still reproduces with JSC_alwaysDoFullCollection=1 which implies it's not caused by the premature deallocation of a live object.
Comment 4 Mark Hahnenberg 2014-02-24 14:32:32 PST
(In reply to comment #3)
> This still reproduces with JSC_alwaysDoFullCollection=1 which implies it's not caused by the premature deallocation of a live object.

I should say, it's not a premature deallocation of a live object due to generational collection. We could still be blowing away a live object during a full collection.
Comment 5 Mark Hahnenberg 2014-03-25 13:09:55 PDT
Throwing back to Ryosuke to verify that this has been fixed.
Comment 6 Ryosuke Niwa 2014-03-25 18:12:04 PDT
No longer seeing the crash.