Bug 19107

Summary: SquirrelFish: Crash marking array
Product: WebKit Reporter: Oliver Hunt <oliver>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED WORKSFORME    
Severity: Critical CC: ap, ggaren, mjs, oliver, zwarich
Priority: P1    
Version: 528+ (Nightly build)   
Hardware: Mac   
OS: OS X 10.5   
Attachments:
Description Flags
WebArchive of crashing page.
none
Stack trace none

Oliver Hunt
Reported 2008-05-17 00:43:44 PDT
Reload the attached webarchive repeatedly and eventually we crash in gc :-/
Attachments
WebArchive of crashing page. (877.83 KB, application/octet-stream)
2008-05-17 00:45 PDT, Oliver Hunt 		no flags
Details
Stack trace (14.89 KB, text/plain)
2008-05-19 22:02 PDT, Cameron Zwarich (cpst) 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Oliver Hunt
Comment 1 2008-05-17 00:45:44 PDT
Created attachment 21211 [details] WebArchive of crashing page.
Oliver Hunt
Comment 2 2008-05-17 00:46:03 PDT
(remove autocompleted blocker keyword. again.)
Cameron Zwarich (cpst)
Comment 3 2008-05-17 22:49:59 PDT
I'll take this one on for the time being.
Geoffrey Garen
Comment 4 2008-05-19 21:27:42 PDT
Why isn't this a blocker?
Cameron Zwarich (cpst)
Comment 5 2008-05-19 22:02:03 PDT
Created attachment 21248 [details] Stack trace If I set it to collect every allocation, it won't crash on the first load. If I wait to let it finish loading and reload, it will repeatably crash with this stack trace.
Cameron Zwarich (cpst)
Comment 6 2008-06-06 22:26:41 PDT
This still crashes on reload when set to always GC, but not in JavaScriptCore, so I'm unassigning it.
Alexey Proskuryakov
Comment 7 2008-07-28 03:10:06 PDT
I cannot reproduce the crash with r35406, even with COLLECT_ON_EVERY_ALLOCATION set to 1. However, I'm getting many errors on the console, some of them not on every reload. ERROR: called Frame::paint with nil renderer (/Users/ap/Safari/OpenSource/WebCore/page/Frame.cpp:1369 void WebCore::Frame::paint(WebCore::GraphicsContext*, const WebCore::IntRect&)) http://kona.kontera.com/javascript/lib/KonaLibBaseRM.js?00000000180:1: JS ERROR: TypeError: Result of expression 'E6aPm' [null] is not an object. http://kona.kontera.com/javascript/lib/KonaLibBaseRM.js?00000000180:1: JS ERROR: TypeError: Result of expression 'E6aPm' [null] is not an object. http://kona2.kontera.com/KonaGet.js?u=1217239662475&p=16871&k=B.attniIvleshteovteetyeneeeytdsoytlgnhynlecuaoghecitinyqdlvnyooi.sttuvttotuausyt.torrgudletkaMOZILLA&al=1&l=http%3A//www.bspcn.com/2007/10/06/how-to-answer-23-of-the-most-common-interview-questions/&t=How+to+answer+23+of+the+most+common+interview+questions+%7C+The+Best+Article+Every+day&m2=The+Best+Article+Every+day+Bspcn.Com+Home+About+Contact+Archives+Random+Post+Get+Firefox+Download+Pi&rId=16871_1217239662475_032214998826384544&i=14&n=0&dc_aff_id=&cl=0&mp=0&rm=1&mod=451&rt=0&st=1&add=FlashVer_Shockwave%20Flash%209.0%20r124|user_|session_:1: JS ERROR: SyntaxError: Parse error
Note You need to log in before you can comment on or make changes to this bug.