Bug 21057

Summary: Crash in RegisterID::deref() running fast/canvas/canvas-putImageData.html
Product: WebKit
Reporter: Alexey Proskuryakov <ap>
Component: JavaScriptCore
Assignee: Geoffrey Garen <ggaren>
Status: RESOLVED FIXED
Severity: Normal
CC: ggaren, oliver, zwarich
Priority: P1
Version: 528+ (Nightly build)
Hardware: Mac
OS: OS X 10.5
Attachments:
patch (flags: zwarich: review+)

Description Alexey Proskuryakov 2008-09-24 06:48:02 PDT
Reliably crashes under GuardMalloc:

run-webkit-tests -g fast/canvas/canvas-putImageData.html

Thread 0 Crashed:
0   com.apple.JavaScriptCore      	0x004569c8 JSC::RegisterID::deref() + 16 (RegisterID.h:91)
1   com.apple.JavaScriptCore      	0x00459ad9 WTF::RefPtr<JSC::RegisterID>::~RefPtr() + 31
2   com.apple.JavaScriptCore      	0x00490b8e JSC::CodeGenerator::~CodeGenerator() + 194
3   com.apple.JavaScriptCore      	0x00446098 JSC::ProgramNode::generateCode(JSC::ScopeChainNode*) + 430 (nodes.cpp:1851)
4   com.apple.JavaScriptCore      	0x004ca159 JSC::ProgramNode::byteCode(JSC::ScopeChainNode*) + 43 (nodes.h:2205)
5   com.apple.JavaScriptCore      	0x004b7a52 JSC::Machine::execute(JSC::ProgramNode*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*, JSC::JSValue**) + 62 (Machine.cpp:885)
6   com.apple.JavaScriptCore      	0x00442927 JSC::Interpreter::evaluate(JSC::ExecState*, JSC::ScopeChain&, JSC::UString const&, int, WTF::PassRefPtr<JSC::SourceProvider>, JSC::JSValue*) + 427 (interpreter.cpp:83)
Comment 1 Cameron Zwarich (cpst) 2008-09-24 07:01:04 PDT
This is likely caused by r36821, since that is where the only RefPtr<RegisterID> instance variable for CodeGenerator was defined:

http://trac.webkit.org/changeset/36821
Comment 2 Geoffrey Garen 2008-09-24 07:57:36 PDT
Ah, looks like the RefPtr destructor runs after the SegmentedVector destructor. Should be easy to fix.
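As an added illustration of the destructor-order problem described in this comment, not code from the WebKit patch: a constructed mock in which a RefPtr-style member declared before the register vector is destroyed after it, so its final deref targets storage that is already gone, beside the corrected declaration order. MockRefPtr, MockRegisterVector and the event log are stand-ins assumed for this demo, not JavaScriptCore types.

```cpp
#include <string>
#include <vector>

// Constructed stand-ins for JSC::RegisterID in CodeGenerator's SegmentedVector
// and for WTF::RefPtr; names and bookkeeping are assumptions for this demo.
struct MockRegisterID { int refCount = 0; };

// Destructor log plus a "storage still alive" flag, so the bad deref is
// recorded instead of actually being performed on freed memory.
static std::vector<std::string> g_events;
static bool g_storageAlive = false;

struct MockRegisterVector {
    std::vector<MockRegisterID> slots = std::vector<MockRegisterID>(1);
    MockRegisterVector() { g_storageAlive = true; }
    ~MockRegisterVector() { g_storageAlive = false; g_events.push_back("storage destroyed"); }
};

struct MockRefPtr {
    MockRegisterID* ptr = nullptr;
    ~MockRefPtr() {
        if (!ptr) return;
        if (!g_storageAlive) {            // the real RefPtr would read freed memory here
            g_events.push_back("deref after storage destroyed (UAF)");
            return;
        }
        --ptr->refCount;
        g_events.push_back("deref ok");
    }
};

// Layout behind the crash: the RefPtr member is declared BEFORE the vector.
// C++ destroys members in reverse declaration order, so the vector goes first
// and the RefPtr's deref then targets a destroyed element.
struct BuggyGenerator {
    MockRefPtr thisRegister;
    MockRegisterVector registers;
    BuggyGenerator() { thisRegister.ptr = &registers.slots[0]; ++thisRegister.ptr->refCount; }
};

// Fixed layout: declare the RefPtr AFTER the vector so it is destroyed first.
struct FixedGenerator {
    MockRegisterVector registers;
    MockRefPtr thisRegister;
    FixedGenerator() { thisRegister.ptr = &registers.slots[0]; ++thisRegister.ptr->refCount; }
};

// Destroys one generator of the given layout and returns the destructor log.
template <typename Generator>
std::vector<std::string> destructionEvents() {
    g_events.clear();
    { Generator g; }   // scope exit runs the member destructors
    return g_events;
}
```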
Comment 3 Geoffrey Garen 2008-09-24 08:38:17 PDT
Created attachment 23750 [details]
patch
Comment 4 Geoffrey Garen 2008-09-24 08:39:20 PDT
I haven't been able to verify this patch with the original test case, because DRT with GuardMalloc crashes in LaunchServices on my machine. However, I did verify that this patch fixes the destructor order.
Comment 5 Cameron Zwarich (cpst) 2008-09-24 09:02:43 PDT
Comment on attachment 23750 [details]
patch

r=me
Comment 6 Geoffrey Garen 2008-09-24 10:54:19 PDT
Committed revision 36853.