Bug 140688

Summary: REGRESSION(178696): Sporadic crashes while garbage collecting
Product: WebKit Reporter: Michael Saboff <msaboff>
Component: JavaScriptCoreAssignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED    
Severity: Normal    
Priority: P2    
Version: 312.x   
Hardware: All   
OS: All   
Attachments:
Description Flags
Patch ggaren: review+

Description Michael Saboff 2015-01-20 11:23:00 PST 
After r178696 several build bots are crashing running WebKit tests.  As an example:

ASSERTION FAILED: heap()->m_storageSpace.contains(block)
/Volumes/Data/slave/mavericks-debug/build/Source/JavaScriptCore/heap/SlotVisitorInlines.h(246) : void JSC::SlotVisitor::copyLater(JSC::JSCell *, JSC::CopyToken, void *, size_t)
 1   0x109fc0860 WTFCrash
 2   0x109675541 JSC::SlotVisitor::copyLater(JSC::JSCell*, JSC::CopyToken, void*, unsigned long)
 3   0x109cdd65d JSC::JSObject::visitButterfly(JSC::SlotVisitor&, JSC::Butterfly*, unsigned long)
 4   0x109cd015f JSC::JSObject::visitChildren(JSC::JSCell*, JSC::SlotVisitor&)
 5   0x109ef46d8 JSC::visitChildren(JSC::SlotVisitor&, JSC::JSCell const*)
 6   0x109ef4539 JSC::SlotVisitor::drain()
 7   0x109ef4c1d JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode)
 8   0x109b3bc95 JSC::GCThread::gcThreadMain()
 9   0x109b3bd6d JSC::GCThread::gcThreadStartFunc(void*)
 10  0x10a0157b9 WTF::createThread(void (*)(void*), void*, char const*)::$_0::operator()() const
 11  0x10a01578c std::__1::__function::__func<WTF::createThread(void (*)(void*), void*, char const*)::$_0, std::__1::allocator<WTF::createThread(void (*)(void*), void*, char const*)::$_0>, void ()>::operator()()
 12  0x109f6ce4a std::__1::function<void ()>::operator()() const
 13  0x10a01473e WTF::threadEntryPoint(void*)
 14  0x10a0160d8 WTF::wtfThreadEntryPoint(void*)
 15  0x7fff8e6e7899 _pthread_body
 16  0x7fff8e6e772a _pthread_struct_init
 17  0x7fff8e6ebfc9 thread_start

and

CRASHING TEST: imported/w3c/canvas/2d.composite.transparent.destination-out.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x000000010fedd90a WTFCrash + 42
1   com.apple.JavaScriptCore      	0x000000010fe9207b JSC::WeakBlock::reap() + 235
2   com.apple.JavaScriptCore      	0x000000010fcba017 JSC::WeakSet::reap() + 55
3   com.apple.JavaScriptCore      	0x000000010fcb6eac JSC::MarkedBlock::reapWeakSet() + 28
4   com.apple.JavaScriptCore      	0x000000010fcb8b19 JSC::ReapWeakSet::operator()(JSC::MarkedBlock*) + 25
5   com.apple.JavaScriptCore      	0x000000010fcb8a96 void JSC::MarkedAllocator::forEachBlock<JSC::ReapWeakSet>(JSC::ReapWeakSet&) + 86
6   com.apple.JavaScriptCore      	0x000000010fcb897a JSC::ReapWeakSet::ReturnType JSC::MarkedSpace::forEachBlock<JSC::ReapWeakSet>(JSC::ReapWeakSet&) + 586
7   com.apple.JavaScriptCore      	0x000000010fcb6ed9 JSC::ReapWeakSet::ReturnType JSC::MarkedSpace::forEachBlock<JSC::ReapWeakSet>() + 25
Comment 1 Michael Saboff 2015-01-20 11:25:13 PST 
Created attachment 245004 [details]
Patch
Comment 2 Geoffrey Garen 2015-01-20 11:33:50 PST 
Comment on attachment 245004 [details]
Patch

r=me
Comment 3 Michael Saboff 2015-01-20 11:35:26 PST 
Committed r178728: <http://trac.webkit.org/changeset/178728>