Saw this crash on fast/canvas/webgl/array-message-passing.html:

Thread 9 Crashed:: JavaScriptCore::Marking
0 com.apple.JavaScriptCore 0x000000010658986a WTFCrash + 42 (Assertions.cpp:342)
1 com.apple.JavaScriptCore 0x00000001061b68f5 JSC::SlotVisitor::copyLater(JSC::JSCell*, JSC::CopyToken, void*, unsigned long) + 85 (SlotVisitorInlines.h:213)
2 com.apple.JavaScriptCore 0x00000001063cb624 JSC::JSObject::visitButterfly(JSC::SlotVisitor&, JSC::Butterfly*, unsigned long) + 356 (JSObject.cpp:193)
3 com.apple.JavaScriptCore 0x00000001063bf6e9 JSC::JSObject::visitChildren(JSC::JSCell*, JSC::SlotVisitor&) + 409 (JSObject.cpp:223)
4 com.apple.JavaScriptCore 0x00000001064fe5a8 JSC::visitChildren(JSC::SlotVisitor&, JSC::JSCell const*) + 264 (SlotVisitor.cpp:96)
5 com.apple.JavaScriptCore 0x00000001064fe40d JSC::SlotVisitor::drain() + 237 (SlotVisitor.cpp:136)
6 com.apple.JavaScriptCore 0x00000001064fea18 JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode) + 1128 (SlotVisitor.cpp:226)
7 com.apple.JavaScriptCore 0x00000001062e568d JSC::GCThread::gcThreadMain() + 189 (GCThread.cpp:109)
8 com.apple.JavaScriptCore 0x00000001062e576d JSC::GCThread::gcThreadStartFunc(void*) + 29 (GCThread.cpp:136)
9 com.apple.JavaScriptCore 0x00000001065cf8b0 WTF::threadEntryPoint(void*) + 144 (Threading.cpp:70)
10 com.apple.JavaScriptCore 0x00000001065d0258 WTF::wtfThreadEntryPoint(void*) + 104 (ThreadingPthreads.cpp:195)
11 libsystem_c.dylib 0x00007fff96a7b7a2 _pthread_start + 327
12 libsystem_c.dylib 0x00007fff96a681e1 thread_start + 13

http://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK2%20(Tests)/r154377%20(11827)/fast/canvas/webgl/array-message-passing-crash-log.txt
This ASSERT is meant to catch cases where we would have corrupted to the state of CopiedSpace which may or may not have caused a crash later. I'll see if I can track down the particular object that's causing this issue.
It appears that this particular crash is happening on ML Debug WK2 test builder quite frequently: http://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK2%20(Tests)/r154383%20(11831)/fast/canvas/webgl/array-message-passing-crash-log.txt
I haven't seen this particular crash on WK1 bots so maybe it's more or only reproducible on WK2.
This one is crashing on the main thread: http://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK2%20(Tests)/r154384%20(11832)/security/crypto-random-values-crash-log.txt
I can repro very easily with WKTR by running fast/canvas/webgl/array-message-passing.html repeatedly.
Looks like the offending object is a DataView.
(In reply to comment #6)
> Looks like the offending object is a DataView.

A JSDataView, to be more precise.
Temporarily marked as a debug crash in http://trac.webkit.org/changeset/154402
Created attachment 209295: the patch
Comment on attachment 209295: the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=209295&action=review

r=me

> Source/JavaScriptCore/runtime/JSArrayBufferView.h:74
> + // A data view. B is unusewd, V points to a vector allocated using who-

unused

> Source/JavaScriptCore/runtime/JSArrayBufferView.h:75
> + // knows-what, and M = DataViewMode. The view does not own the vector vector.

vector.
(In reply to comment #8)
> Temporarily marked as a debug crash in http://trac.webkit.org/changeset/154402

Please revert this too, in your patch (or after it).
Comment on attachment 209295: the patch

Attachment 209295 did not pass qt-wk2-ews (qt-wk2):
Output: http://webkit-queues.appspot.com/results/1529149
Comment on attachment 209295: the patch

Attachment 209295 did not pass efl-wk2-ews (efl-wk2):
Output: http://webkit-queues.appspot.com/results/1512963
Comment on attachment 209295: the patch

Attachment 209295 did not pass efl-ews (efl):
Output: http://webkit-queues.appspot.com/results/1516849
Landed in http://trac.webkit.org/changeset/154408