Bug 153281

Summary: TypedArray's .buffer does not return the JSArrayBuffer that was passed to it on creation.
Product: WebKit
Reporter: Keith Miller <keith_miller>
Component: JavaScriptCore
Assignee: Keith Miller <keith_miller>
Status: RESOLVED CONFIGURATION CHANGED
Severity: Normal
CC: annevk, commit-queue, ddkilzer, mark.lam, msaboff, saam
Priority: P2
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Bug Depends on: 153300
Bug Blocks:
Attachments: Patch (flags: none)

Description Keith Miller 2016-01-20 11:28:05 PST
For example:

function bufferIsPreserved() {
    const buffer = new ArrayBuffer(16);
    const array = new Int32Array(buffer);
    // Should be true: a view must hand back the buffer it was created over.
    return array.buffer == buffer;
}

will return false.
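The identity contract the report describes, as an added example that is not part of the bug report or of WebKit's own code: every view created over an ArrayBuffer (with or without an offset and length, and including DataView and subarray() views) must return that same object from .buffer, while slice() deliberately copies. The second function shows why the contract matters in practice: two views whose .buffer is the same object alias the same bytes, which is what code that tracks ownership of a backing store (for instance before transferring it with postMessage) relies on. Function names here are the example's own.

```javascript
// Added example (not from the bug report or WebKit). Checks that every kind
// of view over one ArrayBuffer reports that same buffer object from .buffer.
function bufferIdentityReport() {
  const buffer = new ArrayBuffer(16);
  const views = {
    int32: new Int32Array(buffer),
    uint8: new Uint8Array(buffer),
    // A view with an explicit byteOffset/length still wraps the original buffer.
    float32Tail: new Float32Array(buffer, 8, 2),
    dataView: new DataView(buffer),
  };
  const report = {};
  for (const [name, view] of Object.entries(views)) {
    report[name] = view.buffer === buffer;
  }
  // subarray() creates a new view object over the same buffer ...
  report.subarray = views.uint8.subarray(4, 8).buffer === buffer;
  // ... whereas slice() copies, so its buffer is a distinct object.
  report.sliceIsCopy = views.uint8.slice(4, 8).buffer !== buffer;
  return report;
}

// Two views that share a buffer alias the same memory: a write through the
// 32-bit view is visible byte by byte through the 8-bit view (in whichever
// byte order the platform uses). If .buffer returned a different object for
// each view, callers could not tell that this aliasing exists.
function aliasingCheck() {
  const buffer = new ArrayBuffer(8);
  const bytes = new Uint8Array(buffer);
  const words = new Uint32Array(buffer);
  words[0] = 0x04030201;
  const littleEndian = bytes[0] === 0x01 && bytes[3] === 0x04;
  const bigEndian = bytes[0] === 0x04 && bytes[3] === 0x01;
  return {
    aliased: littleEndian || bigEndian,
    littleEndian,
    bufferShared: bytes.buffer === words.buffer,
  };
}
```

On an engine with the bug described above, bufferIdentityReport() would report false for the plain views even though aliasingCheck() still shows the memory is shared, which is exactly the mismatch between observable behaviour and the .buffer property that the report is about.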
Comment 1 Keith Miller 2016-01-20 12:49:33 PST
Created attachment 269374 [details]
Patch
Comment 2 Geoffrey Garen 2016-01-20 12:54:43 PST
Comment on attachment 269374 [details]
Patch

r=me
Comment 3 WebKit Commit Bot 2016-01-20 13:49:20 PST
Comment on attachment 269374 [details]
Patch

Clearing flags on attachment: 269374

Committed r195375: <http://trac.webkit.org/changeset/195375>
Comment 4 WebKit Commit Bot 2016-01-20 13:49:23 PST
All reviewed patches have been landed.  Closing bug.
Comment 5 Alexey Proskuryakov 2016-01-20 20:40:27 PST
I think that this has caused many crashes on GuardMalloc bots. The range is pretty large (r195374-195392), but this patch seems most relevant. Will try rolling out.

+fast/canvas/webgl/typed-arrays-in-workers.html	crash log sample	history
+fast/workers/worker-terminate-forever.html	crash log sample	history
+http/tests/websocket/tests/hybi/workers/receive-arraybuffer.html	crash log sample	history
+http/tests/websocket/tests/hybi/workers/receive-blob.html	crash log sample	history
+http/tests/websocket/tests/hybi/workers/send-arraybufferview.html	crash log sample	history
+imported/blink/fast/workers/worker-shared-asm-buffer.html	crash log sample	history
+webgl/1.0.2/conformance/typedarrays/typed-arrays-in-workers.html	crash log sample	history

Thread 23 Crashed:: WebCore: Worker
0   com.apple.JavaScriptCore      	0x000000011c5d2a17 JSC::weakClearSlowCase(JSC::WeakImpl*&) + 7
1   com.apple.JavaScriptCore      	0x000000011cbcca45 WTF::DeferrableRefCounted<JSC::ArrayBuffer>::setIsDeferred(bool) + 53
2   com.apple.JavaScriptCore      	0x000000011cbcc9e5 bool JSC::GCIncomingRefCounted<JSC::ArrayBuffer>::filterIncomingReferences<bool (JSC::JSCell*)>(bool (&)(JSC::JSCell*)) + 293
3   com.apple.JavaScriptCore      	0x000000011c766d4f JSC::Heap::~Heap() + 1679
4   com.apple.JavaScriptCore      	0x000000011c762fbd JSC::VM::~VM() + 7757
5   com.apple.JavaScriptCore      	0x000000011c5ccce2 JSC::JSLockHolder::~JSLockHolder() + 66
6   com.apple.WebCore             	0x000000011e310ee4 WebCore::WorkerScriptController::~WorkerScriptController() + 148
7   com.apple.WebCore             	0x000000011e3133e5 std::__1::__function::__func<WebCore::WorkerThread::stop()::$_0::operator()(WebCore::ScriptExecutionContext&) const::'lambda'(WebCore::ScriptExecutionContext&), std::__1::allocator<WebCore::WorkerThread::stop()::$_0::operator()(WebCore::ScriptExecutionContext&) const::'lambda'(WebCore::ScriptExecutionContext&)>, void (WebCore::ScriptExecutionContext&)>::operator()(WebCore::ScriptExecutionContext&) + 37
8   com.apple.WebCore             	0x000000011e30fd6f WebCore::WorkerRunLoop::runCleanupTasks(WebCore::WorkerGlobalScope*) + 207
Comment 6 WebKit Commit Bot 2016-01-20 20:42:51 PST
Re-opened since this is blocked by bug 153300
Comment 7 Anne van Kesteren 2023-05-12 07:50:26 PDT
This can't really be broken at this point.