RESOLVED FIXED 127699
CStack Branch: [X86-32] testapi crashes in gatherConservativeRoots()
https://bugs.webkit.org/show_bug.cgi?id=127699
Michael Saboff
Reported 2014-01-27 12:53:28 PST
Release builds of JavaScriptCore on X86-32 fail in testapi in VM::gatherConservativeRoots() due to a null "this".

...
PASS: derivedOnlyDescriptor.configurable should be true and is.
PASS: derivedOnlyDescriptor.enumerable should be false and is.
PASS: undefined instanceof MyObject should be false and is.
Process 93256 stopped
* thread #1: tid = 0x4e408f, 0x0036d3b6 JavaScriptCore`JSC::VM::gatherConservativeRoots(this=0x00000000, conservativeRoots=0xbfc1dfe8) + 38 at VM.cpp:766, queue = 'com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=1, address=0x82444c7)
    frame #0: 0x0036d3b6 JavaScriptCore`JSC::VM::gatherConservativeRoots(this=0x00000000, conservativeRoots=0xbfc1dfe8) + 38 at VM.cpp:766
   763      void VM::gatherConservativeRoots(ConservativeRoots& conservativeRoots)
   764      {
   765          for (size_t i = 0; i < scratchBuffers.size(); i++) {
-> 766              ScratchBuffer* scratchBuffer = scratchBuffers[i];
   767              if (scratchBuffer->activeLength()) {
   768                  void* bufferStart = scratchBuffer->dataBuffer();
   769                  conservativeRoots.add(bufferStart, static_cast<void*>(static_cast<char*>(bufferStart) + scratchBuffer->activeLength()));
(lldb) bt 15
* thread #1: tid = 0x4e408f, 0x0036d3b6 JavaScriptCore`JSC::VM::gatherConservativeRoots(this=0x00000000, conservativeRoots=0xbfc1dfe8) + 38 at VM.cpp:766, queue = 'com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=1, address=0x82444c7)
    frame #0: 0x0036d3b6 JavaScriptCore`JSC::VM::gatherConservativeRoots(this=0x00000000, conservativeRoots=0xbfc1dfe8) + 38 at VM.cpp:766
    frame #1: 0x0018ff82 JavaScriptCore`JSC::Heap::markRoots(this=0x01108000) + 226 at Heap.cpp:480
    frame #2: 0x0019124d JavaScriptCore`JSC::Heap::collect(this=0x0110800c) + 493 at Heap.cpp:854
    frame #3: 0x0002813c JavaScriptCore`JSC::JSString::create(JSC::VM&, WTF::PassRefPtr<WTF::StringImpl>) [inlined] JSC::Heap::reportExtraMemoryCost(unsigned long) + 316 at Heap.h:417
    frame #4: 0x00028115 JavaScriptCore`JSC::JSString::create(JSC::VM&, WTF::PassRefPtr<WTF::StringImpl>) [inlined] JSC::JSString::finishCreation(length=2412439, vm=0x01108000) + 18 at JSString.h:109
    frame #5: 0x00028103 JavaScriptCore`JSC::JSString::create(vm=0x01108000, value=<unavailable>) + 259 at JSString.h:129
    frame #6: 0x00198ba5 JavaScriptCore`JSC::Interpreter::stackTraceAsString(JSC::ExecState*, WTF::Vector<JSC::StackFrame, 0ul, WTF::CrashOnOverflow>) [inlined] WTF::StringBuilder::toString(this=0x0024cf97, vm=0x01108000) + 135 at JSString.h:405
    frame #7: 0x00198b1e JavaScriptCore`JSC::Interpreter::stackTraceAsString(this=0x011023f0, exec=<unavailable>, stackTrace=<unavailable>) + 318 at Interpreter.cpp:584
    frame #8: 0x0036d068 JavaScriptCore`JSC::VM::throwException(this=<unavailable>, exec=<unavailable>, error=JSValue at 0xbfc1e6b8) + 3288 at VM.cpp:711
    frame #9: 0x0036d227 JavaScriptCore`JSC::VM::throwException(this=0x01108000, exec=0xbfc1e768, error=0x006fef60) + 55 at VM.cpp:717
    frame #10: 0x001c9649 JavaScriptCore`operationThrowStackOverflowError(exec=<unavailable>, codeBlock=0x011dd300) + 89 at JITOperations.cpp:84
    frame #11: 0x01203546
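The loop in frame #0 hands only the active prefix of each scratch buffer, [dataBuffer(), dataBuffer() + activeLength()), to the conservative root scanner, and the frames above it show the collection was entered from Heap::reportExtraMemoryCost while stackTraceAsString was building the message for operationThrowStackOverflowError. The following toy, added here as an illustration and not JavaScriptCore's code, models what that scan does: ConservativeRoots::add treats every pointer-aligned word in the range as a candidate pointer and keeps those that match a known live cell, and a gatherConservativeRoots with the same shape as the one in the backtrace feeds it. HeapCell, ToyVM, the live-cell set and the buffer layout in runDemo are assumptions made for the example; the null-`this` crash itself is not reproduced, since with a null VM the first scratchBuffers.size() call already reads through the null object.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <set>
#include <vector>

// Added example, not JavaScriptCore code: a toy model of the scratch-buffer
// conservative root scan shown in frame #0 of the backtrace. HeapCell, ToyVM
// and the live-cell set are assumptions made for the demo.

struct HeapCell { int payload; };

class ConservativeRoots {
public:
    explicit ConservativeRoots(const std::set<const void*>& liveCells) : m_liveCells(liveCells) {}

    // Same [begin, end) interface as the add() call in the backtrace: every
    // pointer-aligned, pointer-sized word in the range is a candidate pointer,
    // and a candidate equal to a live cell's address becomes a root.
    void add(void* begin, void* end) {
        uintptr_t b = reinterpret_cast<uintptr_t>(begin);
        const uintptr_t e = reinterpret_cast<uintptr_t>(end);
        const uintptr_t mask = sizeof(void*) - 1;
        b = (b + mask) & ~mask;                      // round start up to a word boundary
        for (uintptr_t p = b; p + sizeof(void*) <= e; p += sizeof(void*)) {
            uintptr_t word;
            std::memcpy(&word, reinterpret_cast<const void*>(p), sizeof(word));
            const void* candidate = reinterpret_cast<const void*>(word);
            if (m_liveCells.count(candidate))
                m_roots.insert(candidate);
        }
    }
    size_t size() const { return m_roots.size(); }
    bool contains(const void* cell) const { return m_roots.count(cell) != 0; }

private:
    const std::set<const void*>& m_liveCells;
    std::set<const void*> m_roots;
};

// A scratch buffer is raw word storage plus the number of bytes currently in use;
// only that active prefix is ever handed to the root scanner.
class ScratchBuffer {
public:
    explicit ScratchBuffer(size_t capacityWords) : m_words(capacityWords, uintptr_t(0)), m_activeLength(0) {}
    void* dataBuffer() { return m_words.data(); }
    size_t activeLength() const { return m_activeLength; }
    void setActiveLength(size_t bytes) { m_activeLength = bytes; }
    void storePointer(size_t wordIndex, const void* p) { m_words[wordIndex] = reinterpret_cast<uintptr_t>(p); }

private:
    std::vector<uintptr_t> m_words;
    size_t m_activeLength;
};

struct ToyVM {
    std::vector<ScratchBuffer*> scratchBuffers;

    // Same shape as VM::gatherConservativeRoots in the trace. With a null `this`,
    // as in the crash, the very first scratchBuffers.size() call already
    // dereferences the null object; the demo never runs that path.
    void gatherConservativeRoots(ConservativeRoots& conservativeRoots) {
        for (size_t i = 0; i < scratchBuffers.size(); i++) {
            ScratchBuffer* scratchBuffer = scratchBuffers[i];
            if (scratchBuffer->activeLength()) {
                void* bufferStart = scratchBuffer->dataBuffer();
                conservativeRoots.add(bufferStart,
                    static_cast<void*>(static_cast<char*>(bufferStart) + scratchBuffer->activeLength()));
            }
        }
    }
};

struct DemoResult { size_t rootCount; bool liveFound; bool staleFound; };

// Constructed scenario: one cell referenced inside the active prefix, one referenced
// only past activeLength (a stale slot). Only the former may become a root.
DemoResult runDemo() {
    HeapCell live{1}, stale{2};
    std::set<const void*> liveCells = { &live, &stale };

    ScratchBuffer buf(8);
    buf.storePointer(0, &live);           // word 0: inside the active region
    buf.storePointer(3, &stale);          // word 3: beyond activeLength, must be ignored
    buf.setActiveLength(2 * sizeof(void*));

    ToyVM vm;
    vm.scratchBuffers.push_back(&buf);
    ConservativeRoots roots(liveCells);
    vm.gatherConservativeRoots(roots);
    return { roots.size(), roots.contains(&live), roots.contains(&stale) };
}

int main() {
    DemoResult r = runDemo();
    std::cout << "roots=" << r.rootCount << " live=" << r.liveFound << " stale=" << r.staleFound << "\n";
    return 0;
}
```

The point of the activeLength bound is visible in the demo: a pointer left in a slot past the active prefix does not keep its cell alive, so a scanner that ignored the bound would over-retain, while one that mis-sized it would under-retain and free a live cell.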
Attachments
Patch for landing (1.26 KB, patch)
2014-01-27 12:58 PST, Michael Saboff
no flags
Michael Saboff
Comment 1 2014-01-27 12:57:22 PST
Michael Saboff
Comment 2 2014-01-27 12:58:04 PST
Created attachment 222347
Patch for landing

Reviewed in person.
Michael Saboff
Comment 3 2014-01-27 12:58:36 PST