Bug 149392 - Regression(r190023): fast/dom/navigation-with-sideeffects-crash.html is crashing
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Bindings
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Chris Dumez
URL:
Keywords:
Depends on:
Blocks: 149376
Reported: 2015-09-20 14:59 PDT by Chris Dumez
Modified: 2015-09-20 16:24 PDT

Attachments
Patch (4.47 KB, patch)
2015-09-20 15:20 PDT, Chris Dumez

Description Chris Dumez 2015-09-20 14:59:24 PDT
fast/dom/navigation-with-sideeffects-crash.html is crashing after r190023:
    #0 0x1108df096 in WebCore::Location::setHref(WebCore::DOMWindow&, WebCore::DOMWindow&, WTF::String const&) (/Volumes/Data/slave/yosemite-asan-production-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x19e7096)
    #1 0x1101e0acb in WebCore::setJSDocumentLocation(JSC::ExecState*, JSC::JSObject*, long long, long long) (/Volumes/Data/slave/yosemite-asan-production-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x12e8acb)
    #2 0x10e0b5ce7 in JSC::putEntry(JSC::ExecState*, JSC::HashTableValue const*, JSC::JSObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Volumes/Data/slave/yosemite-asan-production-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xa86ce7)
    #3 0x10d65401f in JSC::JSObject::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Volumes/Data/slave/yosemite-asan-production-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2501f)
    #4 0x10d8b5215 in llint_slow_path_put_by_id (/Volumes/Data/slave/yosemite-asan-production-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x286215)
Comment 1 Chris Dumez 2015-09-20 15:09:23 PDT
I know that is happening and I have a speculative patch. I just need to confirm it works before uploading it. The good news is that I can reproduce the crash locally.
Comment 2 Chris Dumez 2015-09-20 15:20:36 PDT
Created attachment 261616
Patch
Comment 3 Chris Dumez 2015-09-20 16:24:40 PDT
Comment on attachment 261616
Patch

Clearing flags on attachment: 261616

Committed r190034: <http://trac.webkit.org/changeset/190034>
Comment 4 Chris Dumez 2015-09-20 16:24:45 PDT
All reviewed patches have been landed.  Closing bug.