Bug 21057

Summary: Crash in RegisterID::deref() running fast/canvas/canvas-putImageData.html
Product: WebKit Reporter: Alexey Proskuryakov <ap>
Component: JavaScriptCoreAssignee: Geoffrey Garen <ggaren>
Status: RESOLVED FIXED    
Severity: Normal CC: ggaren, oliver, zwarich
Priority: P1    
Version: 528+ (Nightly build)   
Hardware: Mac   
OS: OS X 10.5   
Attachments:
Description Flags
patch zwarich: review+

Alexey Proskuryakov
Reported 2008-09-24 06:48:02 PDT
Reliably crashes under GuardMalloc: run-webkit-tests -g fast/canvas/canvas-putImageData.html Thread 0 Crashed: 0 com.apple.JavaScriptCore 0x004569c8 JSC::RegisterID::deref() + 16 (RegisterID.h:91) 1 com.apple.JavaScriptCore 0x00459ad9 WTF::RefPtr<JSC::RegisterID>::~RefPtr() + 31 2 com.apple.JavaScriptCore 0x00490b8e JSC::CodeGenerator::~CodeGenerator() + 194 3 com.apple.JavaScriptCore 0x00446098 JSC::ProgramNode::generateCode(JSC::ScopeChainNode*) + 430 (nodes.cpp:1851) 4 com.apple.JavaScriptCore 0x004ca159 JSC::ProgramNode::byteCode(JSC::ScopeChainNode*) + 43 (nodes.h:2205) 5 com.apple.JavaScriptCore 0x004b7a52 JSC::Machine::execute(JSC::ProgramNode*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*, JSC::JSValue**) + 62 (Machine.cpp:885) 6 com.apple.JavaScriptCore 0x00442927 JSC::Interpreter::evaluate(JSC::ExecState*, JSC::ScopeChain&, JSC::UString const&, int, WTF::PassRefPtr<JSC::SourceProvider>, JSC::JSValue*) + 427 (interpreter.cpp:83)
Attachments
patch (1.41 KB, patch)
2008-09-24 08:38 PDT, Geoffrey Garen 		zwarich: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Cameron Zwarich (cpst)
Comment 1 2008-09-24 07:01:04 PDT
This is likely caused by r36821, since that is where the only RefPtr<RegisterID> instance variable for CodeGenerator was defined: http://trac.webkit.org/changeset/36821
Geoffrey Garen
Comment 2 2008-09-24 07:57:36 PDT
Ah, looks like the RefPtr destructor runs after the SegmentedVector destructor. Should be easy to fix.
Geoffrey Garen
Comment 3 2008-09-24 08:38:17 PDT
Created attachment 23750 [details] patch
Geoffrey Garen
Comment 4 2008-09-24 08:39:20 PDT
I haven't been able to verify this patch with the original test case, because DRT with GuardMalloc crashes in LaunchServices on my machine. However, I did verify that this patch fixes the destructor order.
Cameron Zwarich (cpst)
Comment 5 2008-09-24 09:02:43 PDT
Comment on attachment 23750 [details] patch r=me
Geoffrey Garen
Comment 6 2008-09-24 10:54:19 PDT
Committed revision 36853.
Note You need to log in before you can comment on or make changes to this bug.