Bug 140688

Summary: REGRESSION(178696): Sporadic crashes while garbage collecting
Product: WebKit
Reporter: Michael Saboff <msaboff>
Component: JavaScriptCore
Assignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED    
Severity: Normal    
Priority: P2    
Version: 312.x   
Hardware: All   
OS: All   
Attachments:
Description Flags
Patch ggaren: review+

Michael Saboff
Reported 2015-01-20 11:23:00 PST
After r178696 several build bots are crashing running WebKit tests. As an example:

ASSERTION FAILED: heap()->m_storageSpace.contains(block)
/Volumes/Data/slave/mavericks-debug/build/Source/JavaScriptCore/heap/SlotVisitorInlines.h(246) : void JSC::SlotVisitor::copyLater(JSC::JSCell *, JSC::CopyToken, void *, size_t)
1 0x109fc0860 WTFCrash
2 0x109675541 JSC::SlotVisitor::copyLater(JSC::JSCell*, JSC::CopyToken, void*, unsigned long)
3 0x109cdd65d JSC::JSObject::visitButterfly(JSC::SlotVisitor&, JSC::Butterfly*, unsigned long)
4 0x109cd015f JSC::JSObject::visitChildren(JSC::JSCell*, JSC::SlotVisitor&)
5 0x109ef46d8 JSC::visitChildren(JSC::SlotVisitor&, JSC::JSCell const*)
6 0x109ef4539 JSC::SlotVisitor::drain()
7 0x109ef4c1d JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode)
8 0x109b3bc95 JSC::GCThread::gcThreadMain()
9 0x109b3bd6d JSC::GCThread::gcThreadStartFunc(void*)
10 0x10a0157b9 WTF::createThread(void (*)(void*), void*, char const*)::$_0::operator()() const
11 0x10a01578c std::__1::__function::__func<WTF::createThread(void (*)(void*), void*, char const*)::$_0, std::__1::allocator<WTF::createThread(void (*)(void*), void*, char const*)::$_0>, void ()>::operator()()
12 0x109f6ce4a std::__1::function<void ()>::operator()() const
13 0x10a01473e WTF::threadEntryPoint(void*)
14 0x10a0160d8 WTF::wtfThreadEntryPoint(void*)
15 0x7fff8e6e7899 _pthread_body
16 0x7fff8e6e772a _pthread_struct_init
17 0x7fff8e6ebfc9 thread_start

and

CRASHING TEST: imported/w3c/canvas/2d.composite.transparent.destination-out.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.JavaScriptCore 0x000000010fedd90a WTFCrash + 42
1 com.apple.JavaScriptCore 0x000000010fe9207b JSC::WeakBlock::reap() + 235
2 com.apple.JavaScriptCore 0x000000010fcba017 JSC::WeakSet::reap() + 55
3 com.apple.JavaScriptCore 0x000000010fcb6eac JSC::MarkedBlock::reapWeakSet() + 28
4 com.apple.JavaScriptCore 0x000000010fcb8b19 JSC::ReapWeakSet::operator()(JSC::MarkedBlock*) + 25
5 com.apple.JavaScriptCore 0x000000010fcb8a96 void JSC::MarkedAllocator::forEachBlock<JSC::ReapWeakSet>(JSC::ReapWeakSet&) + 86
6 com.apple.JavaScriptCore 0x000000010fcb897a JSC::ReapWeakSet::ReturnType JSC::MarkedSpace::forEachBlock<JSC::ReapWeakSet>(JSC::ReapWeakSet&) + 586
7 com.apple.JavaScriptCore 0x000000010fcb6ed9 JSC::ReapWeakSet::ReturnType JSC::MarkedSpace::forEachBlock<JSC::ReapWeakSet>() + 25
Attachments
Patch (1.30 KB, patch)
2015-01-20 11:25 PST, Michael Saboff
ggaren: review+
Michael Saboff
Comment 1 2015-01-20 11:25:13 PST
Geoffrey Garen
Comment 2 2015-01-20 11:33:50 PST
Comment on attachment 245004
Patch

r=me
Michael Saboff
Comment 3 2015-01-20 11:35:26 PST