Bug 222453

Summary: REGRESSION(r273225) [GLIB] imported/w3c/web-platform-tests/html/semantics/scripting-1/the-script-element/module/evaluation-order-4-tla.html is crashing in release builds
Product: WebKit
Reporter: Lauro Moura <lmoura>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED WORKSFORME
Severity: Normal
CC: bugs-noreply, keith_miller, webkit-bug-importer, ysuzuki
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=202484
https://bugs.webkit.org/show_bug.cgi?id=222531
Attachments:
GTK release local crash log (Flags: none)

Description Lauro Moura 2021-02-25 19:54:51 PST
Created attachment 421602 [details]
GTK release local crash log

imported/w3c/web-platform-tests/html/semantics/scripting-1/the-script-element/module/evaluation-order-4-tla.html

Debug builds passing.

Trace:

Thread 1 (Thread 0x7f9cb2c989c0 (LWP 157)):
#0  0x00007f9cb8886558 in JSC::mapProtoFuncSet(JSC::JSGlobalObject*, JSC::CallFrame*) () at /app/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#1  0x00007f9c71fff1d8 in  ()
#2  0x00007ffed90c73a0 in  ()
#3  0x00007f9cb79c2323 in llint_op_call () at /app/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#4  0x0000000000000000 in  ()

Printf'ing, the crash seems to occur in the map->set(..) call inside mapProtoFuncSet.

Full trace attached.
Comment 1 Keith Miller 2021-02-26 10:25:39 PST
Interesting... this crash doesn't seem to happen on the Mac port. I'm not sure what would be different about the GTK build? Is it possible to figure out what line in mapProtoFuncSet we are crashing on?
Comment 2 Lauro Moura 2021-02-28 20:22:59 PST
(In reply to Keith Miller from comment #1)
> Interesting... this crash doesn't seem to happen on the Mac port. I'm not
> sure what would be different about the GTK build? Is it possible to figure
> out what line in mapProtoFuncSet we are crashing on?

I could not get a proper backtrace, but it's consistently crashing accessing the string content in the first iter->key() when rehashing a map right after inserting the key "http://localhost:8800/html/semantics/scripting-1/the-script-element/module/evaluation-order-4.2.mjs". (e.g. asString(iter->key())->length() is enough to crash).
Comment 3 Radar WebKit Bug Importer 2021-03-04 19:55:17 PST
<rdar://problem/75074133>
Comment 4 Lauro Moura 2021-03-22 18:37:34 PDT
Crash is gone after r274239 / bug223039.