Bug 149480 - Regression(r190134): Crash in JSDOMTokenListOwner::isReachableFromOpaqueRoots()
Status: RESOLVED INVALID
Alias: None
Product: WebKit
Classification: Unclassified
Component: Bindings
Version: Other
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Chris Dumez
Blocks: 149418
Reported: 2015-09-22 15:53 PDT by Chris Dumez
Modified: 2015-09-22 16:06 PDT
Description Chris Dumez 2015-09-22 15:53:15 PDT
Regression(r190134): Crash in JSDOMTokenListOwner::isReachableFromOpaqueRoots():

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       EXC_I386_GPFLT

Application Specific Information:
CRASHING TEST: fast/dom/HTMLScriptElement/script-set-src.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x000000011044b0c7 WebCore::JSDOMTokenListOwner::isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown>, void*, JSC::SlotVisitor&) + 39
1   com.apple.JavaScriptCore      	0x000000010ee14774 JSC::WeakBlock::visit(JSC::HeapRootVisitor&) + 212 (WeakBlock.cpp:123)
2   com.apple.JavaScriptCore      	0x000000010ecb97cb JSC::VisitWeakSet::ReturnType JSC::MarkedSpace::forEachBlock<JSC::VisitWeakSet>(JSC::VisitWeakSet&) + 651 (MarkedSpace.h:242)
3   com.apple.JavaScriptCore      	0x000000010ecb8b21 JSC::MarkedSpace::visitWeakSets(JSC::HeapRootVisitor&) + 145 (MarkedSpace.cpp:156)
4   com.apple.JavaScriptCore      	0x000000010eacc59a JSC::Heap::visitWeakHandles(JSC::HeapRootVisitor&) + 106 (Heap.cpp:484)
5   com.apple.JavaScriptCore      	0x000000010eacbd5a JSC::Heap::markRoots(double, void*, void*, int (&) [37]) + 1018 (Heap.cpp:563)
6   com.apple.JavaScriptCore      	0x000000010eacdccd JSC::Heap::collectImpl(JSC::HeapOperation, void*, void*, int (&) [37]) + 733 (Heap.cpp:1011)
7   com.apple.JavaScriptCore      	0x000000010eacd9bd JSC::Heap::collect(JSC::HeapOperation) + 237 (Heap.cpp:962)
8   com.apple.JavaScriptCore      	0x000000010e82f89d JSC::GCActivityCallback::doWork() + 125 (GCActivityCallback.cpp:81)
9   com.apple.JavaScriptCore      	0x000000010ead341a JSC::HeapTimer::timerDidFire(__CFRunLoopTimer*, void*) + 186 (HeapTimer.cpp:101)
10  com.apple.CoreFoundation      	0x00007fff87e7c2e4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
11  com.apple.CoreFoundation      	0x00007fff87e7bf73 __CFRunLoopDoTimer + 1059
12  com.apple.CoreFoundation      	0x00007fff87eef53d __CFRunLoopDoTimers + 301
13  com.apple.CoreFoundation      	0x00007fff87e37608 __CFRunLoopRun + 2024
14  com.apple.CoreFoundation      	0x00007fff87e36bd8 CFRunLoopRunSpecific + 296
15  DumpRenderTree                	0x000000010e60846f runTest(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) + 2144 (DumpRenderTree.mm:2031)
16  DumpRenderTree                	0x000000010e6079dc dumpRenderTree(int, char const**) + 3053 (DumpRenderTree.mm:1288)
17  DumpRenderTree                	0x000000010e608f9f DumpRenderTreeMain(int, char const**) + 1400 (DumpRenderTree.mm:1424)
18  libdyld.dylib                 	0x00007fff886f35c9 start + 1
Comment 1 Chris Dumez 2015-09-22 16:06:47 PDT
Patch was rolled out.