Bug 151495

Summary:

REGRESSION(r192536): Null pointer dereference in JSPropertyNameEnumerator::visitChildren().

Product:

WebKit

Reporter:

Andreas Kling <kling>

Component:

JavaScriptCore

Assignee:

Andreas Kling <kling>

Status:

REOPENED

Severity:

Normal

CC:

commit-queue, ddkilzer, keith_miller, kling, mark.lam, msaboff, ossy, saam

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Bug Depends on:

151561, 151593

Bug Blocks:

Attachments:

Description	Flags
Patch	none
Patch	mark.lam: review+, buildbot: commit-queue-
Archive of layout-test-results from ews116 for mac-yosemite	none
Patch for landing	none
Patch	none

Andreas Kling

Reported 2015-11-20 09:24:12 PST

There's a bug in https://trac.webkit.org/changeset/192536 If the call to tryAllocateStorage() in JSPropertyNameEnumerator::finishCreation() ends up having to do a GC, the JSPropertyNameEnumerator will not be in a good-enough state to handle a visitChildren() callback.

Attachments
Patch (4.10 KB, patch) 2015-11-20 09:34 PST, Andreas Kling	no flags	Details Formatted Diff Diff
Patch (4.66 KB, patch) 2015-11-20 09:36 PST, Andreas Kling	mark.lam: review+ buildbot: commit-queue-	Details Formatted Diff Diff
Archive of layout-test-results from ews116 for mac-yosemite (766.97 KB, application/zip) 2015-11-20 10:28 PST, Build Bot	no flags	Details
Patch for landing (4.69 KB, patch) 2015-11-20 20:33 PST, Andreas Kling	no flags	Details Formatted Diff Diff
Patch (1.78 KB, patch) 2015-11-21 15:41 PST, Andreas Kling	no flags	Details Formatted Diff Diff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.

Andreas Kling

Comment 1 2015-11-20 09:34:18 PST

Created attachment 265959 [details] Patch

Andreas Kling

Comment 2 2015-11-20 09:36:06 PST

Created attachment 265961 [details] Patch

Mark Lam

Comment 3 2015-11-20 09:39:29 PST

Comment on attachment 265961 [details] Patch r=me

Andreas Kling

Comment 4 2015-11-20 10:09:19 PST

From mac-debug bot: Regressions: Unexpected timeouts (1) js/property-name-enumerator-gc-151495.html [ Timeout ] I wonder if this test is too slow for debug. I'll check locally.

Build Bot

Comment 5 2015-11-20 10:28:20 PST

Comment on attachment 265961 [details] Patch Attachment 265961 [details] did not pass mac-debug-ews (mac): Output: http://webkit-queues.webkit.org/results/455095 New failing tests: js/property-name-enumerator-gc-151495.html

Build Bot

Comment 6 2015-11-20 10:28:23 PST

Created attachment 265969 [details] Archive of layout-test-results from ews116 for mac-yosemite The attached test failures were seen while running run-webkit-tests on the mac-debug-ews. Bot: ews116 Port: mac-yosemite Platform: Mac OS X 10.10.5

Andreas Kling

Comment 7 2015-11-20 20:33:53 PST

Created attachment 266027 [details] Patch for landing Take the number of test iterations down to 2000 (from 10000) so it won't timeout on debug. It's still enough to trip the bug, and finishes in a fraction of the time.

WebKit Commit Bot

Comment 8 2015-11-20 22:07:46 PST

Comment on attachment 266027 [details] Patch for landing Clearing flags on attachment: 266027 Committed r192722: <http://trac.webkit.org/changeset/192722>

WebKit Commit Bot

Comment 9 2015-11-20 22:07:51 PST

All reviewed patches have been landed. Closing bug.

David Kilzer (:ddkilzer)

Comment 10 2015-11-21 02:20:58 PST

<rdar://problem/23626411>

Andreas Kling

Comment 11 2015-11-21 15:41:59 PST

Created attachment 266033 [details] Patch 32-bit testers caught another issue; jsString() can trigger GC, so m_propertyNames must remain null until after all the property names have been stringified.

Mark Lam

Comment 12 2015-11-21 16:44:51 PST

Comment on attachment 266033 [details] Patch r=me

Csaba Osztrogonác

Comment 13 2015-11-23 03:48:25 PST

reopen to let the CQ land the followup fix.

Csaba Osztrogonác

Comment 14 2015-11-23 03:49:11 PST

(In reply to comment #13) > reopen to let the CQ land the followup fix. Next time please file new bug report for followup patches.

WebKit Commit Bot

Comment 15 2015-11-23 04:44:32 PST

Comment on attachment 266033 [details] Patch Clearing flags on attachment: 266033 Committed r192743: <http://trac.webkit.org/changeset/192743>

WebKit Commit Bot

Comment 16 2015-11-23 04:44:35 PST

All reviewed patches have been landed. Closing bug.

WebKit Commit Bot

Comment 17 2015-11-24 13:35:18 PST

Re-opened since this is blocked by bug 151593

Note You need to log in before you can comment on or make changes to this bug.