Bug 19107

Summary: SquirrelFish: Crash marking array
Product: WebKit Reporter: Oliver Hunt <oliver>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED WORKSFORME    
Severity: Critical CC: ap, ggaren, mjs, oliver, zwarich
Priority: P1    
Version: 528+ (Nightly build)   
Hardware: Mac   
OS: OS X 10.5   
Attachments:
Description Flags
WebArchive of crashing page.
none
Stack trace none

Description Oliver Hunt 2008-05-17 00:43:44 PDT 
Reload the attached webarchive repeatedly and eventually we crash in gc :-/
Comment 1 Oliver Hunt 2008-05-17 00:45:44 PDT 
Created attachment 21211 [details]
WebArchive of crashing page.
Comment 2 Oliver Hunt 2008-05-17 00:46:03 PDT 
(remove autocompleted blocker keyword. again.)
Comment 3 Cameron Zwarich (cpst) 2008-05-17 22:49:59 PDT 
I'll take this one on for the time being.
Comment 4 Geoffrey Garen 2008-05-19 21:27:42 PDT 
Why isn't this a blocker?
Comment 5 Cameron Zwarich (cpst) 2008-05-19 22:02:03 PDT 
Created attachment 21248 [details]
Stack trace

If I set it to collect every allocation, it won't crash on the first load. If I wait to let it finish loading and reload, it will repeatably crash with this stack trace.
Comment 6 Cameron Zwarich (cpst) 2008-06-06 22:26:41 PDT 
This still crashes on reload when set to always GC, but not in JavaScriptCore, so I'm unassigning it.
Comment 7 Alexey Proskuryakov 2008-07-28 03:10:06 PDT 
I cannot reproduce the crash with r35406, even with COLLECT_ON_EVERY_ALLOCATION set to 1. However, I'm getting many errors on the console, some of them not on every reload.

ERROR: called Frame::paint with nil renderer
(/Users/ap/Safari/OpenSource/WebCore/page/Frame.cpp:1369 void WebCore::Frame::paint(WebCore::GraphicsContext*, const WebCore::IntRect&))
http://kona.kontera.com/javascript/lib/KonaLibBaseRM.js?00000000180:1: JS ERROR: TypeError: Result of expression 'E6aPm' [null] is not an object.
http://kona.kontera.com/javascript/lib/KonaLibBaseRM.js?00000000180:1: JS ERROR: TypeError: Result of expression 'E6aPm' [null] is not an object.
http://kona2.kontera.com/KonaGet.js?u=1217239662475&p=16871&k=B.attniIvleshteovteetyeneeeytdsoytlgnhynlecuaoghecitinyqdlvnyooi.sttuvttotuausyt.torrgudletkaMOZILLA&al=1&l=http%3A//www.bspcn.com/2007/10/06/how-to-answer-23-of-the-most-common-interview-questions/&t=How+to+answer+23+of+the+most+common+interview+questions+%7C+The+Best+Article+Every+day&m2=The+Best+Article+Every+day+Bspcn.Com+Home+About+Contact+Archives+Random+Post+Get+Firefox+Download+Pi&rId=16871_1217239662475_032214998826384544&i=14&n=0&dc_aff_id=&cl=0&mp=0&rm=1&mod=451&rt=0&st=1&add=FlashVer_Shockwave%20Flash%209.0%20r124|user_|session_:1: JS ERROR: SyntaxError: Parse error