Summary: | REGRESSION(r128400): ASSERT (crash in release) @ app.asana.com | ||||||
---|---|---|---|---|---|---|---|
Product: | WebKit | Reporter: | Eric Seidel (no email) <eric> | ||||
Component: | JavaScriptCore | Assignee: | Filip Pizlo <fpizlo> | ||||
Status: | RESOLVED FIXED | ||||||
Severity: | Normal | CC: | barraclough, fpizlo, ggaren, oliver, sam | ||||
Priority: | P2 | Keywords: | InRadar | ||||
Version: | 528+ (Nightly build) | ||||||
Hardware: | Unspecified | ||||||
OS: | Unspecified | ||||||
Attachments: |
|
Description
Eric Seidel (no email)
2012-10-02 10:49:12 PDT
I've sent you all asana invites in case those are still needed. Regressed in <http://trac.webkit.org/changeset/128400> (property butterflies). Thanks Geoff. Created attachment 166771 [details]
the patch
Structure::nonPropertyTransition was forgetting to set m_offset. In other regards, what it's doing is right - it doesn't need to pin the property table since the property table is rematerializable; but in case someone steals our property table then a bunch of methods (including GC methods) need to be able to use the m_offset to get the property size. Since they had a bogus m_offset, properties weren't being copied by GC, and hence the crash. Landed in http://trac.webkit.org/changeset/130228 |