| Summary: | Crash inside garbage collector with simple code | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Cameron McCormack (:heycam) <heycam> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED WORKSFORME | | |
| Severity: | Normal | CC: | barraclough, mrowe |
| Priority: | P2 | Keywords: | InRadar |
| Version: | 528+ (Nightly build) | | |
| Hardware: | PC | | |
| OS: | Windows Vista | | |
Description
Cameron McCormack (:heycam) 2008-01-17 22:36:47 PST
Backtrace from bdash:

```
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000b0812fd0
Crashed Thread: 0
Thread 0 Crashed:
0 com.apple.JavaScriptCore 0x002d7df3 KJS::JSCallbackObject<KJS::JSGlobalObject>::~JSCallbackObject() + 57 (JSCallbackObjectFunctions.h:86)
1 com.apple.JavaScriptCore 0x002d7e63 KJS::JSCallbackObject<KJS::JSGlobalObject>::~JSCallbackObject() + 17 (JSCallbackObjectFunctions.h:90)
2 com.apple.JavaScriptCore 0x002a6f70 unsigned long KJS::Collector::sweep<(KJS::Collector::HeapType)0>(bool) + 760 (collector.cpp:883)
3 com.apple.JavaScriptCore 0x00277dee KJS::Collector::collect() + 382 (collector.cpp:963)
4 com.apple.JavaScriptCore 0x002d17b8 JSGarbageCollect + 34 (JSBase.cpp:83)
5 test 0x00001fba doIt + 192
6 test 0x00001fe2 main + 20
7 test 0x00001ece start + 54
```
And one from me, on Windows:

```
> myapp.exe!KJS::JSCallbackObject<KJS::JSGlobalObject>::~JSCallbackObject<KJS::JSGlobalObject>() Line 105 + 0x7 bytes C++
  myapp.exe!KJS::JSCallbackObject<KJS::JSGlobalObject>::`scalar deleting destructor'() + 0xf bytes C++
  myapp.exe!KJS::Collector::sweep<0>(bool currentThreadIsMainThread=false) Line 883 C++
  myapp.exe!KJS::Collector::collect() Line 963 + 0x9 bytes C++
  myapp.exe!JSGarbageCollect(const OpaqueJSContext * __formal=0x00000000) Line 87 C++
  myapp.exe!myfunction(void * pUserData=0x020d734c, void * pDocument=0x020cfdf8, void * * ppDocumentUserData=0x020d16e4) Line 271 + 0x7 bytes C
```
A workaround is to do an additional JSGarbageCollect() just before the JSGlobalContextRelease() call.

I wonder whether making OpaqueJSClass retain its parentClass would solve the problem.

Works for me in ToT, looks like this has been fixed. Please reopen if you can still repro the problem. cheers, G.