Bug 131713 - Crash in RefCountedArray<JSC::UnlinkedInstruction> destructor
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
Reported: 2014-04-15 15:27 PDT by Alexey Proskuryakov
Modified: 2016-03-22 09:31 PDT

Description Alexey Proskuryakov 2014-04-15 15:27:58 PDT
Saw this on regression tests: http://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK2%20(Tests)/r167322%20(17192)/webgl/1.0.2/conformance/ogles/GL/equal/equal_001_to_008-crash-log.txt

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x000000010bbe43d2 WTF::RefCountedArray<JSC::UnlinkedInstruction>::~RefCountedArray() + 50 (RefCountedArray.h:109)
1   com.apple.JavaScriptCore      	0x000000010bbe4395 WTF::RefCountedArray<JSC::UnlinkedInstruction>::~RefCountedArray() + 21 (RefCountedArray.h:113)
2   com.apple.JavaScriptCore      	0x000000010bbe434e JSC::UnlinkedInstructionStream::~UnlinkedInstructionStream() + 46 (UnlinkedInstructionStream.h:35)
3   com.apple.JavaScriptCore      	0x000000010bbe42e5 JSC::UnlinkedInstructionStream::~UnlinkedInstructionStream() + 21 (UnlinkedInstructionStream.h:35)
4   com.apple.JavaScriptCore      	0x000000010c238754 JSC::UnlinkedCodeBlock::~UnlinkedCodeBlock() + 340 (memory:2488)
5   com.apple.JavaScriptCore      	0x000000010c23a1f5 JSC::UnlinkedFunctionCodeBlock::~UnlinkedFunctionCodeBlock() + 21 (UnlinkedCodeBlock.h:698)
6   com.apple.JavaScriptCore      	0x000000010c2392f5 JSC::UnlinkedFunctionCodeBlock::~UnlinkedFunctionCodeBlock() + 21 (UnlinkedCodeBlock.h:698)
7   com.apple.JavaScriptCore      	0x000000010c236a3d JSC::UnlinkedFunctionCodeBlock::destroy(JSC::JSCell*) + 29 (UnlinkedCodeBlock.cpp:437)
8   com.apple.JavaScriptCore      	0x000000010c0c213d JSC::MarkedBlock::callDestructor(JSC::JSCell*) + 61 (MarkedBlock.cpp:64)
9   com.apple.JavaScriptCore      	0x000000010c0c2518 JSC::MarkedBlock::FreeList JSC::MarkedBlock::specializedSweep<(JSC::MarkedBlock::BlockState)3, (JSC::MarkedBlock::SweepMode)0, (JSC::MarkedBlock::DestructorType)1>() + 216 (MarkedBlock.cpp:78)
10  com.apple.JavaScriptCore      	0x000000010c0c0ede JSC::MarkedBlock::FreeList JSC::MarkedBlock::sweepHelper<(JSC::MarkedBlock::DestructorType)1>(JSC::MarkedBlock::SweepMode) + 302 (MarkedBlock.cpp:139)

This doesn't happen often - these WebGL tests are quite flaky, but I couldn't find this specific crash happening before.
Comment 1 Brent Fulgham 2016-03-22 09:31:05 PDT
The test history doesn't seem to show crashes on this test anymore, but it does seem to be slow.