RESOLVED WORKSFORME 129271
REGRESSION(r164493): DYEBench crash in JSCObject::put 
https://bugs.webkit.org/show_bug.cgi?id=129271
Summary REGRESSION(r164493): DYEBench crash in JSCObject::put
Ryosuke Niwa
Reported 2014-02-24 13:28:39 PST
Reproduction steps 1. Go to https://trac.webkit.org/export/162218/trunk/PerformanceTests/DoYouEvenBench/InteractiveRunner.html 2. Uncheck "VanillaJS-TodoMVC" 3. Click "Run". Crash
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2014-02-24 13:29:18 PST
<rdar://problem/16151521>
Mark Hahnenberg
Comment 2 2014-02-24 13:58:32 PST
Is there a symbolicated crash log somewhere to look at?
Mark Hahnenberg
Comment 3 2014-02-24 14:27:45 PST
This still reproduces with JSC_alwaysDoFullCollection=1 which implies it's not caused by the premature deallocation of a live object.
Mark Hahnenberg
Comment 4 2014-02-24 14:32:32 PST
(In reply to comment #3) > This still reproduces with JSC_alwaysDoFullCollection=1 which implies it's not caused by the premature deallocation of a live object. I should say, it's not a premature deallocation of a live object due to generational collection. We could still be blowing away a live object during a full collection.
Mark Hahnenberg
Comment 5 2014-03-25 13:09:55 PDT
Throwing back to Ryosuke to verify that this has been fixed.
Ryosuke Niwa
Comment 6 2014-03-25 18:12:04 PDT
No longer seeing the crash.
Note You need to log in before you can comment on or make changes to this bug.