Bug 98175

Summary: REGRESSION(r128400): ASSERT (crash in release) @ app.asana.com
Product: WebKit Reporter: Eric Seidel (no email) <eric>
Component: JavaScriptCoreAssignee: Filip Pizlo <fpizlo>
Status: RESOLVED FIXED    
Severity: Normal CC: barraclough, fpizlo, ggaren, oliver, sam
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
the patch oliver: review+

Eric Seidel (no email)
Reported 2012-10-02 10:49:12 PDT
Reproduces every time, when clicking between projects in my task list. I'm currently using r130184. ASSERTION FAILED: value /Users/eseidel/Projects/WebKit/Source/JavaScriptCore/runtime/PropertySlot.h(110) : void JSC::PropertySlot::setValue(JSC::JSValue, JSC::JSValue, PropertyOffset) 1 0x1022d4057 JSC::PropertySlot::setValue(JSC::JSValue, JSC::JSValue, int) 2 0x1022d3e2d JSC::JSObject::inlineGetOwnPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) 3 0x1022d5225 JSC::JSCell::fastGetOwnPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) 4 0x1022d5020 JSC::JSObject::getPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) 5 0x1025224c5 JSC::JSObject::hasProperty(JSC::ExecState*, JSC::PropertyName) const 6 0x1024cb7de cti_has_property 7 0x1024cdf70 jscGeneratedNativeCode 8 0x102494564 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*) 9 0x10249273c JSC::Interpreter::execute(JSC::CallFrameClosure&) 10 0x1022e0983 JSC::CachedCall::call() 11 0x1022dc696 JSC::arrayProtoFuncForEach(JSC::ExecState*) 12 0x3e09b4601265 13 0x102494564 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*) 14 0x10249273c JSC::Interpreter::execute(JSC::CallFrameClosure&) 15 0x1022e0983 JSC::CachedCall::call() 16 0x1022dc696 JSC::arrayProtoFuncForEach(JSC::ExecState*) 17 0x3e09b4601265 18 0x102494564 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*) 19 0x10249273c JSC::Interpreter::execute(JSC::CallFrameClosure&) 20 0x1022e0983 JSC::CachedCall::call() 21 0x1022dc696 JSC::arrayProtoFuncForEach(JSC::ExecState*) 22 0x3e09b4601265 23 0x102494564 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*) 24 0x10249273c JSC::Interpreter::execute(JSC::CallFrameClosure&) 25 0x1022e0983 JSC::CachedCall::call() 26 0x1022dc696 JSC::arrayProtoFuncForEach(JSC::ExecState*) 27 0x3e09b4601265 28 0x102494564 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*) 29 0x1024912f2 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) 30 0x10233ca22 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) 31 0x103bd1462 WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) LEAK: 2 WebPageProxy LEAK: 2 WebContext
Attachments
the patch (1.48 KB, patch)
2012-10-02 16:16 PDT, Filip Pizlo 		oliver: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Eric Seidel (no email)
Comment 1 2012-10-02 10:51:04 PDT
I've sent you all asana invites in case those are still needed.
Geoffrey Garen
Comment 2 2012-10-02 10:55:13 PDT
I can reproduce this with r130184.
Geoffrey Garen
Comment 3 2012-10-02 11:10:44 PDT
Regressed in <http://trac.webkit.org/changeset/128400> (property butterflies).
Geoffrey Garen
Comment 4 2012-10-02 11:11:06 PDT
<rdar://problem/12414251>
Eric Seidel (no email)
Comment 5 2012-10-02 11:21:48 PDT
Thanks Geoff.
Filip Pizlo
Comment 6 2012-10-02 16:16:24 PDT
Created attachment 166771 [details] the patch
Filip Pizlo
Comment 7 2012-10-02 16:19:22 PDT
Structure::nonPropertyTransition was forgetting to set m_offset. In other regards, what it's doing is right - it doesn't need to pin the property table since the property table is rematerializable; but in case someone steals our property table then a bunch of methods (including GC methods) need to be able to use the m_offset to get the property size. Since they had a bogus m_offset, properties weren't being copied by GC, and hence the crash.
Filip Pizlo
Comment 8 2012-10-02 16:28:05 PDT
Landed in http://trac.webkit.org/changeset/130228
Note You need to log in before you can comment on or make changes to this bug.