Bug 153281

Summary: TypedArray's .buffer does not return the JSArrayBuffer that was passed to it on creation.
Product: WebKit Reporter: Keith Miller <keith_miller>
Component: JavaScriptCoreAssignee: Keith Miller <keith_miller>
Status: RESOLVED CONFIGURATION CHANGED    
Severity: Normal CC: annevk, commit-queue, ddkilzer, mark.lam, msaboff, saam
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on: 153300    
Bug Blocks:    
Attachments:
Description Flags
Patch none

Keith Miller
Reported 2016-01-20 11:28:05 PST
For example: buffer = new ArrayBuffer(16); array = new Int32Array(buffer); return array.buffer == buffer; will return false.
Attachments
Patch (2.47 KB, patch)
2016-01-20 12:49 PST, Keith Miller 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Keith Miller
Comment 1 2016-01-20 12:49:33 PST
Created attachment 269374 [details] Patch
Geoffrey Garen
Comment 2 2016-01-20 12:54:43 PST
Comment on attachment 269374 [details] Patch r=me
WebKit Commit Bot
Comment 3 2016-01-20 13:49:20 PST
Comment on attachment 269374 [details] Patch Clearing flags on attachment: 269374 Committed r195375: <http://trac.webkit.org/changeset/195375>
WebKit Commit Bot
Comment 4 2016-01-20 13:49:23 PST
All reviewed patches have been landed. Closing bug.
Alexey Proskuryakov
Comment 5 2016-01-20 20:40:27 PST
I think that this has caused many crashes on GuardMalloc bots. The range is pretty large (r195374-195392), but this patch seems most relevant. Will try rolling out. +fast/canvas/webgl/typed-arrays-in-workers.html crash log sample history +fast/workers/worker-terminate-forever.html crash log sample history +http/tests/websocket/tests/hybi/workers/receive-arraybuffer.html crash log sample history +http/tests/websocket/tests/hybi/workers/receive-blob.html crash log sample history +http/tests/websocket/tests/hybi/workers/send-arraybufferview.html crash log sample history +imported/blink/fast/workers/worker-shared-asm-buffer.html crash log sample history +webgl/1.0.2/conformance/typedarrays/typed-arrays-in-workers.html crash log sample history Thread 23 Crashed:: WebCore: Worker 0 com.apple.JavaScriptCore 0x000000011c5d2a17 JSC::weakClearSlowCase(JSC::WeakImpl*&) + 7 1 com.apple.JavaScriptCore 0x000000011cbcca45 WTF::DeferrableRefCounted<JSC::ArrayBuffer>::setIsDeferred(bool) + 53 2 com.apple.JavaScriptCore 0x000000011cbcc9e5 bool JSC::GCIncomingRefCounted<JSC::ArrayBuffer>::filterIncomingReferences<bool (JSC::JSCell*)>(bool (&)(JSC::JSCell*)) + 293 3 com.apple.JavaScriptCore 0x000000011c766d4f JSC::Heap::~Heap() + 1679 4 com.apple.JavaScriptCore 0x000000011c762fbd JSC::VM::~VM() + 7757 5 com.apple.JavaScriptCore 0x000000011c5ccce2 JSC::JSLockHolder::~JSLockHolder() + 66 6 com.apple.WebCore 0x000000011e310ee4 WebCore::WorkerScriptController::~WorkerScriptController() + 148 7 com.apple.WebCore 0x000000011e3133e5 std::__1::__function::__func<WebCore::WorkerThread::stop()::$_0::operator()(WebCore::ScriptExecutionContext&) const::'lambda'(WebCore::ScriptExecutionContext&), std::__1::allocator<WebCore::WorkerThread::stop()::$_0::operator()(WebCore::ScriptExecutionContext&) const::'lambda'(WebCore::ScriptExecutionContext&)>, void (WebCore::ScriptExecutionContext&)>::operator()(WebCore::ScriptExecutionContext&) + 37 8 com.apple.WebCore 0x000000011e30fd6f WebCore::WorkerRunLoop::runCleanupTasks(WebCore::WorkerGlobalScope*) + 207
WebKit Commit Bot
Comment 6 2016-01-20 20:42:51 PST
Re-opened since this is blocked by bug 153300
Anne van Kesteren
Comment 7 2023-05-12 07:50:26 PDT
This can't really be broken at this point.
Note You need to log in before you can comment on or make changes to this bug.