Bug 129271 - REGRESSION(r164493): DYEBench crash in JSCObject::put
Status: RESOLVED WORKSFORME
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Ryosuke Niwa
URL: https://trac.webkit.org/export/162218...
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2014-02-24 13:28 PST by Ryosuke Niwa
Modified: 2014-03-25 18:12 PDT

Description Ryosuke Niwa 2014-02-24 13:28:39 PST
Reproduction steps
1. Go to https://trac.webkit.org/export/162218/trunk/PerformanceTests/DoYouEvenBench/InteractiveRunner.html
2. Uncheck "VanillaJS-TodoMVC"
3. Click "Run".

Crash
Comment 1 Radar WebKit Bug Importer 2014-02-24 13:29:18 PST
<rdar://problem/16151521>
Comment 2 Mark Hahnenberg 2014-02-24 13:58:32 PST
Is there a symbolicated crash log somewhere to look at?
Comment 3 Mark Hahnenberg 2014-02-24 14:27:45 PST
This still reproduces with JSC_alwaysDoFullCollection=1 which implies it's not caused by the premature deallocation of a live object.
Comment 4 Mark Hahnenberg 2014-02-24 14:32:32 PST
(In reply to comment #3)
> This still reproduces with JSC_alwaysDoFullCollection=1 which implies it's not caused by the premature deallocation of a live object.

I should say, it's not a premature deallocation of a live object due to generational collection. We could still be blowing away a live object during a full collection.
Comment 5 Mark Hahnenberg 2014-03-25 13:09:55 PDT
Throwing back to Ryosuke to verify that this has been fixed.
Comment 6 Ryosuke Niwa 2014-03-25 18:12:04 PDT
No longer seeing the crash.