Bug 56115

Summary: REGRESSION (r80598?): Assertion failure in MarkStack::internalAppend when running various regression tests
Product: WebKit
Component: JavaScriptCore
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All
Reporter: Adam Roben (:aroben) <aroben>
Assignee: Nobody <webkit-unassigned>
CC: barraclough, ggaren, oliver
Keywords: InRadar, LayoutTestFailure, MakingBotsRed

Description Adam Roben (:aroben) 2011-03-10 09:55:03 PST
The Windows XP Debug (Tests) bots have been seeing an assertion failure in MarkStack::internalAppend when running various tests since about r80598. Here are some crash logs:

http://build.webkit.org/results/Windows%20XP%20Debug%20(Tests)/r80712%20(26179)/inspector/cookie-parser-crash-log.txt
http://build.webkit.org/results/Windows%20XP%20Debug%20(Tests)/r80652%20(26150)/http/tests/inspector-enabled/console-log-before-frame-navigation-crash-log.txt
Comment 1 Adam Roben (:aroben) 2011-03-10 09:58:12 PST
Looks like this is happening on Mac, too:

http://build.webkit.org/results/SnowLeopard%20Intel%20Leaks/r80712%20(15465)/inspector/debugger/source-frame-crash-log.txt
Comment 2 Jessie Berlin 2011-03-10 09:59:00 PST
<rdar://problem/9115252>
Comment 3 Adam Roben (:aroben) 2011-03-10 09:59:54 PST
This will crash in Release builds.
Comment 4 Adam Roben (:aroben) 2011-03-10 10:02:28 PST
I wonder if this Release crash is related:

http://build.webkit.org/results/SnowLeopard%20Intel%20Release%20(Tests)/r80729%20(26572)/jquery/effects-crash-log.txt
Comment 5 Adam Roben (:aroben) 2011-03-10 10:03:47 PST
Here's the failing code from the Windows crash logs:

FAULTING_SOURCE_CODE:  
   343: 
   344:     ALWAYS_INLINE void MarkStack::internalAppend(JSCell* cell)
   345:     {
   346:         ASSERT(!m_isCheckingForDefaultMarkViolation);
>  347:         ASSERT(cell);
   348:         if (Heap::testAndSetMarked(cell))
   349:             return;
   350:         if (cell->structure()->typeInfo().type() >= CompoundType)
   351:             m_values.append(cell);
   352:     }
Comment 6 Adam Roben (:aroben) 2011-03-10 13:19:16 PST
Oliver thinks r80738 will probably have fixed this.
Comment 7 Adam Roben (:aroben) 2011-03-11 06:45:56 PST
Looks like Oliver was right!