RESOLVED FIXED
120099
Assertion failure in JSC::SlotVisitor::copyLater when marking JSDataView
https://bugs.webkit.org/show_bug.cgi?id=120099
Ryosuke Niwa
Reported
2013-08-20 20:19:57 PDT
Saw this crash on fast/canvas/webgl/array-message-passing.html:

Thread 9 Crashed:: JavaScriptCore::Marking
0 com.apple.JavaScriptCore 0x000000010658986a WTFCrash + 42 (Assertions.cpp:342)
1 com.apple.JavaScriptCore 0x00000001061b68f5 JSC::SlotVisitor::copyLater(JSC::JSCell*, JSC::CopyToken, void*, unsigned long) + 85 (SlotVisitorInlines.h:213)
2 com.apple.JavaScriptCore 0x00000001063cb624 JSC::JSObject::visitButterfly(JSC::SlotVisitor&, JSC::Butterfly*, unsigned long) + 356 (JSObject.cpp:193)
3 com.apple.JavaScriptCore 0x00000001063bf6e9 JSC::JSObject::visitChildren(JSC::JSCell*, JSC::SlotVisitor&) + 409 (JSObject.cpp:223)
4 com.apple.JavaScriptCore 0x00000001064fe5a8 JSC::visitChildren(JSC::SlotVisitor&, JSC::JSCell const*) + 264 (SlotVisitor.cpp:96)
5 com.apple.JavaScriptCore 0x00000001064fe40d JSC::SlotVisitor::drain() + 237 (SlotVisitor.cpp:136)
6 com.apple.JavaScriptCore 0x00000001064fea18 JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode) + 1128 (SlotVisitor.cpp:226)
7 com.apple.JavaScriptCore 0x00000001062e568d JSC::GCThread::gcThreadMain() + 189 (GCThread.cpp:109)
8 com.apple.JavaScriptCore 0x00000001062e576d JSC::GCThread::gcThreadStartFunc(void*) + 29 (GCThread.cpp:136)
9 com.apple.JavaScriptCore 0x00000001065cf8b0 WTF::threadEntryPoint(void*) + 144 (Threading.cpp:70)
10 com.apple.JavaScriptCore 0x00000001065d0258 WTF::wtfThreadEntryPoint(void*) + 104 (ThreadingPthreads.cpp:195)
11 libsystem_c.dylib 0x00007fff96a7b7a2 _pthread_start + 327
12 libsystem_c.dylib 0x00007fff96a681e1 thread_start + 13
http://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK2%20(Tests)/r154377%20(11827)/fast/canvas/webgl/array-message-passing-crash-log.txt
Attachments
the patch (21.39 KB, patch), 2013-08-21 13:01 PDT, Filip Pizlo; mhahnenberg: review+; webkit-ews: commit-queue-
Mark Hahnenberg
Comment 1
2013-08-21 08:36:50 PDT
This ASSERT is meant to catch cases where we would have corrupted the state of CopiedSpace, which may or may not have caused a crash later. I'll see if I can track down the particular object that's causing this issue.
Ryosuke Niwa
Comment 2
2013-08-21 08:43:42 PDT
It appears that this particular crash is happening on ML Debug WK2 test builder quite frequently:
http://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK2%20(Tests)/r154383%20(11831)/fast/canvas/webgl/array-message-passing-crash-log.txt
Ryosuke Niwa
Comment 3
2013-08-21 08:49:13 PDT
I haven't seen this particular crash on WK1 bots so maybe it's more or only reproducible on WK2.
Ryosuke Niwa
Comment 4
2013-08-21 08:55:09 PDT
This one is crashing on the main thread:
http://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK2%20(Tests)/r154384%20(11832)/security/crypto-random-values-crash-log.txt
Mark Hahnenberg
Comment 5
2013-08-21 09:29:41 PDT
I can repro very easily with WKTR by running fast/canvas/webgl/array-message-passing.html repeatedly.
Mark Hahnenberg
Comment 6
2013-08-21 09:40:15 PDT
Looks like the offending object is a DataView.
Mark Hahnenberg
Comment 7
2013-08-21 09:41:18 PDT
(In reply to comment #6)
> Looks like the offending object is a DataView.
A JSDataView, to be more precise.
Tim Horton
Comment 8
2013-08-21 12:02:10 PDT
Temporarily marked as a debug crash in
http://trac.webkit.org/changeset/154402
Filip Pizlo
Comment 9
2013-08-21 13:01:10 PDT
Created attachment 209295 [details]: the patch
Mark Hahnenberg
Comment 10
2013-08-21 13:06:54 PDT
Comment on attachment 209295 [details]: the patch
View in context: https://bugs.webkit.org/attachment.cgi?id=209295&action=review
r=me

> Source/JavaScriptCore/runtime/JSArrayBufferView.h:74
> + // A data view. B is unusewd, V points to a vector allocated using who-

unused

> Source/JavaScriptCore/runtime/JSArrayBufferView.h:75
> + // knows-what, and M = DataViewMode. The view does not own the vector

vector.
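As an added illustration of the invariant the assertion in comment 1 protects, and not WebKit's own code: a copying collector may only schedule relocation of memory that lives inside its CopiedSpace, and a view in DataViewMode (per the quoted header comment) does not own its vector, so the marking visitor must not hand that vector to copyLater. Every type and function below is a simplified stand-in, and treating an ownership check in the visit path as the shape of the fix is an assumption.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <vector>

// Simplified model of CopiedSpace: one arena the collector may relocate.
// Memory outside it must never be scheduled for copying.
struct CopiedSpace {
    std::vector<uint8_t> arena = std::vector<uint8_t>(4096);
    bool contains(const void* p) const {
        const uint8_t* b = arena.data();
        const uint8_t* q = static_cast<const uint8_t*>(p);
        return q >= b && q < b + arena.size();
    }
};

// Assumed modes: Owned = vector allocated in CopiedSpace by the view;
// DataView = vector belongs to someone else ("allocated using who-knows-what").
enum class ViewMode { Owned, DataView };

struct ArrayBufferView {
    ViewMode mode;
    void* vector;   // the "V" of the header comment
    size_t bytes;
};

struct SlotVisitor {
    CopiedSpace& space;
    size_t scheduled = 0;
    explicit SlotVisitor(CopiedSpace& s) : space(s) {}
    // Stand-in for copyLater(): returns false where the real one would ASSERT,
    // i.e. when the block is not entirely inside CopiedSpace.
    bool copyLater(void* ptr, size_t bytes) {
        uint8_t* p = static_cast<uint8_t*>(ptr);
        if (!space.contains(p) || !space.contains(p + bytes - 1))
            return false; // bookkeeping for this block would corrupt CopiedSpace
        ++scheduled;
        return true;
    }
};

// Naive visit: schedules every view's vector regardless of who owns it.
bool visitNaive(SlotVisitor& v, const ArrayBufferView& view) {
    return v.copyLater(view.vector, view.bytes);
}

// Ownership-aware visit: a DataView's vector is not ours to move.
bool visitChecked(SlotVisitor& v, const ArrayBufferView& view) {
    if (view.mode == ViewMode::DataView) return true; // nothing to relocate
    return v.copyLater(view.vector, view.bytes);
}
```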
Tim Horton
Comment 11
2013-08-21 13:07:33 PDT
(In reply to comment #8)
> Temporarily marked as a debug crash in http://trac.webkit.org/changeset/154402
Please revert this too, in your patch (or after it).
Early Warning System Bot
Comment 12
2013-08-21 13:11:55 PDT
Comment on attachment 209295 [details]: the patch
Attachment 209295 [details] did not pass qt-wk2-ews (qt-wk2): Output: http://webkit-queues.appspot.com/results/1529149
EFL EWS Bot
Comment 13
2013-08-21 13:23:22 PDT
Comment on attachment 209295 [details]: the patch
Attachment 209295 [details] did not pass efl-wk2-ews (efl-wk2): Output: http://webkit-queues.appspot.com/results/1512963
EFL EWS Bot
Comment 14
2013-08-21 13:35:07 PDT
Comment on attachment 209295 [details]: the patch
Attachment 209295 [details] did not pass efl-ews (efl): Output: http://webkit-queues.appspot.com/results/1516849
Filip Pizlo
Comment 15
2013-08-21 13:53:08 PDT
Landed in http://trac.webkit.org/changeset/154408