Bug 222453

Summary: REGRESSION(r273225) [GLIB] imported/w3c/web-platform-tests/html/semantics/scripting-1/the-script-element/module/evaluation-order-4-tla.html is crashing in release builds
Product: WebKit Reporter: Lauro Moura <lmoura>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED WORKSFORME    
Severity: Normal CC: bugs-noreply, keith_miller, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=202484
https://bugs.webkit.org/show_bug.cgi?id=222531
Attachments:
Description Flags
GTK release local crash log none

Lauro Moura
Reported 2021-02-25 19:54:51 PST
Created attachment 421602 [details] GTK release local crash log imported/w3c/web-platform-tests/html/semantics/scripting-1/the-script-element/module/evaluation-order-4-tla.html Debug builds passing. Trace: Thread 1 (Thread 0x7f9cb2c989c0 (LWP 157)): #0 0x00007f9cb8886558 in JSC::mapProtoFuncSet(JSC::JSGlobalObject*, JSC::CallFrame*) () at /app/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #1 0x00007f9c71fff1d8 in () #2 0x00007ffed90c73a0 in () #3 0x00007f9cb79c2323 in llint_op_call () at /app/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #4 0x0000000000000000 in () Printf'ing, the crash seems to occur in the map->set(..) call inside mapProtoFuncSet. Full trace attached.
Attachments
GTK release local crash log (14.75 KB, text/plain)
2021-02-25 19:54 PST, Lauro Moura 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Keith Miller
Comment 1 2021-02-26 10:25:39 PST
Interesting... this crash doesn't seem to happen on the Mac port. I'm not sure what would be different about the GTK build? Is it possible to figure out what line in mapProtoFuncSet we are crashing on?
Lauro Moura
Comment 2 2021-02-28 20:22:59 PST
(In reply to Keith Miller from comment #1) > Interesting... this crash doesn't seem to happen on the Mac port. I'm not > sure what would be different about the GTK build? Is it possible to figure > out what line in mapProtoFuncSet we are crashing on? I could not get a proper backtrace, but it's consistently crashing accessing the string content in the first iter->key() when rehashing a map right after inserting the key "http://localhost:8800/html/semantics/scripting-1/the-script-element/module/evaluation-order-4.2.mjs". (e.g. asString(iter->key())->length() is enough to crash).
Radar WebKit Bug Importer
Comment 3 2021-03-04 19:55:17 PST
<rdar://problem/75074133>
Lauro Moura
Comment 4 2021-03-22 18:37:34 PDT
Crash is gone after r274239 / bug223039.
Note You need to log in before you can comment on or make changes to this bug.