RESOLVED FIXED 132146
Crash in platform/mac/accessibility/table-visible-rows.html 
https://bugs.webkit.org/show_bug.cgi?id=132146
Summary Crash in platform/mac/accessibility/table-visible-rows.html
Mark Lam
Reported 2014-04-24 15:03:30 PDT
Build a debug build of ToT (any revision after r167772), and run the following: $ JSC_slowPathAllocsBetweenGCs=1 DumpRenderTree LayoutTests/platform/mac/accessibility/table-visible-rows.html You will see the following crash: (lldb) r LayoutTests/platform/mac/accessibility/table-visible-rows.html Process 60125 launched: '/Volumes/Data/ws4/OpenSource/WebKitBuild/Debug/DumpRenderTree' (x86_64) Process 60125 stopped * thread #1: tid = 0xe97def, 0x000000010033c81c JavaScriptCore`JSC::JSCell::structure(this=0x0000000000000000, vm=0x000000010b842c00) const + 44 at JSCellInlines.h:104, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0) frame #0: 0x000000010033c81c JavaScriptCore`JSC::JSCell::structure(this=0x0000000000000000, vm=0x000000010b842c00) const + 44 at JSCellInlines.h:104 101 102 inline Structure* JSCell::structure(VM& vm) const 103 { -> 104 return vm.heap.structureIDTable().get(m_structureID); 105 } 106 107 inline void JSCell::visitChildren(JSCell* cell, SlotVisitor& visitor) (lldb) bt * thread #1: tid = 0xe97def, 0x000000010033c81c JavaScriptCore`JSC::JSCell::structure(this=0x0000000000000000, vm=0x000000010b842c00) const + 44 at JSCellInlines.h:104, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0) * frame #0: 0x000000010033c81c JavaScriptCore`JSC::JSCell::structure(this=0x0000000000000000, vm=0x000000010b842c00) const + 44 at JSCellInlines.h:104 frame #1: 0x0000000100359f76 JavaScriptCore`JSC::JSCell::methodTable(this=0x000000011951f8b0) const + 70 at JSCellInlines.h:192 frame #2: 0x000000010073bdde JavaScriptCore`toJS(exec=0x00007fff5fbfb920, v=0x000000011951f8b0) + 158 at APICast.h:81 frame #3: 0x00000001007cfc2d JavaScriptCore`JSObjectMakeArray(ctx=0x00007fff5fbfb920, argumentCount=3, arguments=0x0000000114814b60, exception=0x00007fff5fbfb4d0) + 189 at JSObjectRef.cpp:177 frame #4: 0x000000010000a1a6 DumpRenderTree`convertElementsToObjectArray(context=0x00007fff5fbfb920, elements=0x00007fff5fbfb3e0, exception=0x00007fff5fbfb4d0) + 566 at AccessibilityUIElement.cpp:526 frame #5: 0x0000000100007f6e DumpRenderTree`uiElementArrayAttributeValueCallback(context=0x00007fff5fbfb920, function=0x000000011951f930, thisObject=0x000000011951f990, argumentCount=1, arguments=0x00007fff5fbfb500, exception=0x00007fff5fbfb4d0) + 190 at AccessibilityUIElement.cpp:552 frame #6: 0x000000010075acb7 JavaScriptCore`long long JSC::APICallbackFunction::call<JSC::JSCallbackFunction>(exec=0x00007fff5fbfb920) + 455 at APICallbackFunction.h:61 frame #7: 0x000000010086dd62 JavaScriptCore`JSC::LLInt::handleHostCall(execCallee=0x00007fff5fbfb920, pc=0x000000010f8064f8, callee=JSValue at 0x00007fff5fbfb718, kind=CodeForCall) + 306 at LLIntSlowPaths.cpp:1035 frame #8: 0x000000010086ebdc JavaScriptCore`JSC::LLInt::setUpCall(execCallee=0x00007fff5fbfb920, pc=0x000000010f8064f8, kind=CodeForCall, calleeAsValue=JSValue at 0x00007fff5fbfb840, callLinkInfo=0x0000000110612fa0) + 92 at LLIntSlowPaths.cpp:1079 frame #9: 0x000000010086eb6c JavaScriptCore`JSC::LLInt::genericCall(exec=0x00007fff5fbfb980, pc=0x000000010f8064f8, kind=CodeForCall) + 236 at LLIntSlowPaths.cpp:1145 frame #10: 0x000000010086b26c JavaScriptCore`llint_slow_path_call(exec=0x00007fff5fbfb980, pc=0x000000010f8064f8) + 60 at LLIntSlowPaths.cpp:1151 frame #11: 0x00000001008784d9 JavaScriptCore`llint_entry + 26147 frame #12: 0x0000000100871c44 JavaScriptCore`callToJavaScript + 356 frame #13: 0x00007fff70a2e850 Foundation`__block_descriptor_tmp234 + 32 (lldb) up frame #1: 0x0000000100359f76 JavaScriptCore`JSC::JSCell::methodTable(this=0x000000011951f8b0) const + 70 at JSCellInlines.h:192 189 { 190 VM& vm = *Heap::heap(this)->vm(); 191 Structure* structure = this->structure(vm); -> 192 if (Structure* rootStructure = structure->structure(vm)) 193 RELEASE_ASSERT(rootStructure == rootStructure->structure(vm)); 194 195 return &structure->classInfo()->methodTable;
Attachments
Patch (4.41 KB, patch)
2014-04-25 13:00 PDT, Michael Saboff 		mark.lam: review+
DetailsFormatted DiffDiff
Updated patch with speculative Windows fix (7.22 KB, patch)
2014-04-28 16:44 PDT, Michael Saboff 		fpizlo: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2014-04-24 15:05:06 PDT
<rdar://problem/16718045>
Michael Saboff
Comment 2 2014-04-25 13:00:11 PDT
Created attachment 230192 [details] Patch
Mark Lam
Comment 3 2014-04-25 13:16:20 PDT
Comment on attachment 230192 [details] Patch r=me. But can you do a quick grep for JSObjectMakeArray to see if anyone in our system is doing the wrong thing, but happens to be uncaught by tests?
Michael Saboff
Comment 4 2014-04-25 13:17:16 PDT
(In reply to comment #3) > (From update of attachment 230192 [details]) > r=me. But can you do a quick grep for JSObjectMakeArray to see if anyone in our system is doing the wrong thing, but happens to be uncaught by tests? I already did and the patch contains the other instances.
Michael Saboff
Comment 5 2014-04-25 13:35:20 PDT
Committed r167819: <http://trac.webkit.org/changeset/167819>
Csaba Osztrogonác
Comment 6 2014-04-27 03:26:51 PDT
Comment on attachment 230192 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=230192&action=review > Tools/DumpRenderTree/AccessibilityUIElement.cpp:522 > - auto valueElements = std::make_unique<JSValueRef[]>(elementCount); > + JSValueRef valueElements[elementCount]; It broke the Apple Windows build: 1>..\..\AccessibilityUIElement.cpp(522): error C2057: expected constant expression 1>..\..\AccessibilityUIElement.cpp(522): error C2466: cannot allocate an array of constant size 0 1>..\..\AccessibilityUIElement.cpp(522): error C2133: 'valueElements' : unknown size Unfortunately you weren't able to catch this build failure, because others broke the Windows build previously and didn't care about the buildfix at all.
Brent Fulgham
Comment 7 2014-04-28 14:38:43 PDT
Unfortunately, Visual Studio isn't smart about this logic: size_t elementCount = elements.size(); JSValueRef valueElements[elementCount]; ... giving the following errors: AccessibilityUIElement.cpp TestRunner.cpp 1>..\..\AccessibilityUIElement.cpp(522): error C2057: expected constant expression 1>..\..\AccessibilityUIElement.cpp(522): error C2466: cannot allocate an array of constant size 0 1>..\..\AccessibilityUIElement.cpp(522): error C2133: 'valueElements' : unknown size 1>Done Building Project "C:\cygwin\home\buildbot\slave\win-debug\build\Tools\DumpRenderTree\DumpRenderTree.vcxproj\DumpRenderTree\DumpRenderTree.vcxproj" (Build target(s)) -- FAILED.
Michael Saboff
Comment 8 2014-04-28 16:28:25 PDT
Will post an updated fix that should work for windows.
Michael Saboff
Comment 9 2014-04-28 16:44:07 PDT
Created attachment 230336 [details] Updated patch with speculative Windows fix
Michael Saboff
Comment 10 2014-04-28 17:32:17 PDT
Committed r167913: <http://trac.webkit.org/changeset/167913>
Note You need to log in before you can comment on or make changes to this bug.