Bug 151495

Summary: REGRESSION(r192536): Null pointer dereference in JSPropertyNameEnumerator::visitChildren().
Product: WebKit    Reporter: Andreas Kling <kling>
Component: JavaScriptCore    Assignee: Andreas Kling <kling>
Status: REOPENED
Severity: Normal    CC: commit-queue, ddkilzer, keith_miller, kling, mark.lam, msaboff, ossy, sbarati
Priority: P2    Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Bug Depends on: 151561, 151593
Bug Blocks:
Attachments (description: flags):
  Patch: none
  Patch: mark.lam: review+, buildbot: commit-queue-
  Archive of layout-test-results from ews116 for mac-yosemite: none
  Patch for landing: none
  Patch: none

Description Andreas Kling 2015-11-20 09:24:12 PST
There's a bug in https://trac.webkit.org/changeset/192536
If the call to tryAllocateStorage() in JSPropertyNameEnumerator::finishCreation() ends up having to do a GC, the JSPropertyNameEnumerator will not be in a good-enough state to handle a visitChildren() callback.
Comment 1 Andreas Kling 2015-11-20 09:34:18 PST
Created attachment 265959
Patch
Comment 2 Andreas Kling 2015-11-20 09:36:06 PST
Created attachment 265961
Patch
Comment 3 Mark Lam 2015-11-20 09:39:29 PST
Comment on attachment 265961
Patch

r=me
Comment 4 Andreas Kling 2015-11-20 10:09:19 PST
From mac-debug bot:

Regressions: Unexpected timeouts (1)
  js/property-name-enumerator-gc-151495.html [ Timeout ]

I wonder if this test is too slow for debug. I'll check locally.
Comment 5 Build Bot 2015-11-20 10:28:20 PST
Comment on attachment 265961
Patch

Attachment 265961 did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/455095

New failing tests:
js/property-name-enumerator-gc-151495.html
Comment 6 Build Bot 2015-11-20 10:28:23 PST
Created attachment 265969
Archive of layout-test-results from ews116 for mac-yosemite

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews116  Port: mac-yosemite  Platform: Mac OS X 10.10.5
Comment 7 Andreas Kling 2015-11-20 20:33:53 PST
Created attachment 266027
Patch for landing

Take the number of test iterations down to 2000 (from 10000) so it won't timeout on debug.
It's still enough to trip the bug, and finishes in a fraction of the time.
Comment 8 WebKit Commit Bot 2015-11-20 22:07:46 PST
Comment on attachment 266027
Patch for landing

Clearing flags on attachment: 266027

Committed r192722: <http://trac.webkit.org/changeset/192722>
Comment 9 WebKit Commit Bot 2015-11-20 22:07:51 PST
All reviewed patches have been landed.  Closing bug.
Comment 10 David Kilzer (:ddkilzer) 2015-11-21 02:20:58 PST
<rdar://problem/23626411>
Comment 11 Andreas Kling 2015-11-21 15:41:59 PST
Created attachment 266033
Patch

32-bit testers caught another issue; jsString() can trigger GC, so m_propertyNames must remain null until after all the property names have been stringified.
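A toy C++ model of the two hazards this bug describes, the description's GC during tryAllocateStorage() and comment 11's GC during jsString(), both of which can call visitChildren() on a half-built enumerator. This is an added example, not WebKit code: ToyHeap, ToyCell, ToyString, NameEnumerator, runScenario and the "collect every second allocation" trigger are all constructed assumptions. The publishEarly=true path makes m_propertyNames visible before every name string exists, the ordering comment 11 says must be avoided; the false path publishes it last, and visitChildren() treats a null pointer as "nothing to visit yet".

```cpp
// Added example (not WebKit code): a toy tracing heap whose allocation slow path
// runs a collection, so a cell can be visited while still under construction.
#include <cstddef>
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

struct ToyHeap;

struct ToyCell {                         // every heap cell reports its children to the GC
    bool marked = false;
    virtual ~ToyCell() = default;
    virtual void visitChildren(ToyHeap&) {}
};

struct ToyString : ToyCell {             // stands in for a JSString created by jsString()
    std::string value;
    explicit ToyString(std::string v) : value(std::move(v)) {}
};

struct ToyHeap {
    std::vector<std::unique_ptr<ToyCell>> cells;
    std::vector<ToyCell*> roots;
    std::size_t gcEvery;                 // constructed trigger: collect every N allocations
    std::size_t allocations = 0;
    std::size_t collections = 0;
    std::size_t nullChildVisits = 0;     // each one would be a null dereference in a real GC

    explicit ToyHeap(std::size_t trigger) : gcEvery(trigger) {}

    template <typename T, typename... Args>
    T* allocate(Args&&... args) {
        if (++allocations % gcEvery == 0)
            collect();                   // allocation slow path: a full collection
        cells.push_back(std::make_unique<T>(std::forward<Args>(args)...));
        return static_cast<T*>(cells.back().get());
    }

    void markChild(ToyCell* child) {
        if (!child) { ++nullChildVisits; return; }   // recorded instead of crashing
        if (child->marked) return;
        child->marked = true;
        child->visitChildren(*this);
    }

    void collect() {
        ++collections;
        for (auto& c : cells) c->marked = false;
        for (ToyCell* r : roots) markChild(r);
    }
};

// Hypothetical stand-in for the enumerator. The cell is already on the heap when
// finishCreation() runs, so every GC below calls its visitChildren().
struct NameEnumerator : ToyCell {
    ToyString** m_propertyNames = nullptr;   // stays null until the array is complete
    std::size_t m_count = 0;
    std::vector<ToyString*> m_storage;

    void finishCreation(ToyHeap& heap, const std::vector<std::string>& names, bool publishEarly) {
        m_storage.assign(names.size(), nullptr);   // stands in for tryAllocateStorage()...
        heap.allocate<ToyCell>();                  // ...whose slow path may collect
        if (publishEarly) { m_propertyNames = m_storage.data(); m_count = m_storage.size(); }
        for (std::size_t i = 0; i < names.size(); ++i)   // each stringification may collect
            m_storage[i] = heap.allocate<ToyString>(names[i]);
        if (!publishEarly) { m_propertyNames = m_storage.data(); m_count = m_storage.size(); }
    }

    void visitChildren(ToyHeap& heap) override {
        if (!m_propertyNames) return;              // half-built: nothing to visit yet
        for (std::size_t i = 0; i < m_count; ++i)
            heap.markChild(m_propertyNames[i]);
    }
};

struct Outcome {
    std::size_t collectionsDuringCreation;
    std::size_t nullChildVisits;
    std::size_t namesMarkedAfterFinalGc;
};

// Builds one enumerator under GC pressure and reports what the collector saw.
Outcome runScenario(bool publishEarly) {
    ToyHeap heap(2);                                           // constructed: GC every 2nd allocation
    std::vector<std::string> names = {"a", "b", "c", "d", "e"};   // constructed sample names
    NameEnumerator* e = heap.allocate<NameEnumerator>();
    heap.roots.push_back(e);
    e->finishCreation(heap, names, publishEarly);
    Outcome out{heap.collections, heap.nullChildVisits, 0};
    heap.collect();                                            // fully built: all names reachable
    for (std::size_t i = 0; i < e->m_count; ++i)
        if (e->m_propertyNames[i]->marked) ++out.namesMarkedAfterFinalGc;
    return out;
}

int main() {
    Outcome fixed = runScenario(false), regressed = runScenario(true);
    std::printf("collections during construction: %zu\n", fixed.collectionsDuringCreation);
    std::printf("null children visited: regressed=%zu fixed=%zu\n",
                regressed.nullChildVisits, fixed.nullChildVisits);
    return 0;
}
```

Three collections land inside finishCreation() in both modes; with early publication the collector walks null slots six times, with late publication it walks none, and either way the final collection marks all five names. The toy only marks and never sweeps, so it does not model how the strings built before publication stay alive in a real collector; what it isolates is the ordering rule from comment 11 and the null check that makes a visit of a half-built cell harmless.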
Comment 12 Mark Lam 2015-11-21 16:44:51 PST
Comment on attachment 266033
Patch

r=me
Comment 13 Csaba Osztrogonác 2015-11-23 03:48:25 PST
reopen to let the CQ land the followup fix.
Comment 14 Csaba Osztrogonác 2015-11-23 03:49:11 PST
(In reply to comment #13)
> reopen to let the CQ land the followup fix.

Next time please file a new bug report for followup patches.
Comment 15 WebKit Commit Bot 2015-11-23 04:44:32 PST
Comment on attachment 266033
Patch

Clearing flags on attachment: 266033

Committed r192743: <http://trac.webkit.org/changeset/192743>
Comment 16 WebKit Commit Bot 2015-11-23 04:44:35 PST
All reviewed patches have been landed.  Closing bug.
Comment 17 WebKit Commit Bot 2015-11-24 13:35:18 PST
Re-opened since this is blocked by bug 151593