149480 – Regression(r190134): Crash in JSDOMTokenListOwner::isReachableFromOpaqueRoots()

RESOLVED INVALID 149480

Regression(r190134): Crash in JSDOMTokenListOwner::isReachableFromOpaqueRoots()

https://bugs.webkit.org/show_bug.cgi?id=149480

Summary Regression(r190134): Crash in JSDOMTokenListOwner::isReachableFromOpaqueRoots()

Chris Dumez

Reported 2015-09-22 15:53:15 PDT

Regression(r190134): Crash in JSDOMTokenListOwner::isReachableFromOpaqueRoots(): Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: EXC_I386_GPFLT Application Specific Information: CRASHING TEST: fast/dom/HTMLScriptElement/script-set-src.html Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x000000011044b0c7 WebCore::JSDOMTokenListOwner::isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown>, void*, JSC::SlotVisitor&) + 39 1 com.apple.JavaScriptCore 0x000000010ee14774 JSC::WeakBlock::visit(JSC::HeapRootVisitor&) + 212 (WeakBlock.cpp:123) 2 com.apple.JavaScriptCore 0x000000010ecb97cb JSC::VisitWeakSet::ReturnType JSC::MarkedSpace::forEachBlock<JSC::VisitWeakSet>(JSC::VisitWeakSet&) + 651 (MarkedSpace.h:242) 3 com.apple.JavaScriptCore 0x000000010ecb8b21 JSC::MarkedSpace::visitWeakSets(JSC::HeapRootVisitor&) + 145 (MarkedSpace.cpp:156) 4 com.apple.JavaScriptCore 0x000000010eacc59a JSC::Heap::visitWeakHandles(JSC::HeapRootVisitor&) + 106 (Heap.cpp:484) 5 com.apple.JavaScriptCore 0x000000010eacbd5a JSC::Heap::markRoots(double, void*, void*, int (&) [37]) + 1018 (Heap.cpp:563) 6 com.apple.JavaScriptCore 0x000000010eacdccd JSC::Heap::collectImpl(JSC::HeapOperation, void*, void*, int (&) [37]) + 733 (Heap.cpp:1011) 7 com.apple.JavaScriptCore 0x000000010eacd9bd JSC::Heap::collect(JSC::HeapOperation) + 237 (Heap.cpp:962) 8 com.apple.JavaScriptCore 0x000000010e82f89d JSC::GCActivityCallback::doWork() + 125 (GCActivityCallback.cpp:81) 9 com.apple.JavaScriptCore 0x000000010ead341a JSC::HeapTimer::timerDidFire(__CFRunLoopTimer*, void*) + 186 (HeapTimer.cpp:101) 10 com.apple.CoreFoundation 0x00007fff87e7c2e4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20 11 com.apple.CoreFoundation 0x00007fff87e7bf73 __CFRunLoopDoTimer + 1059 12 com.apple.CoreFoundation 0x00007fff87eef53d __CFRunLoopDoTimers + 301 13 com.apple.CoreFoundation 0x00007fff87e37608 __CFRunLoopRun + 2024 14 com.apple.CoreFoundation 0x00007fff87e36bd8 CFRunLoopRunSpecific + 296 15 DumpRenderTree 0x000000010e60846f runTest(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) + 2144 (DumpRenderTree.mm:2031) 16 DumpRenderTree 0x000000010e6079dc dumpRenderTree(int, char const**) + 3053 (DumpRenderTree.mm:1288) 17 DumpRenderTree 0x000000010e608f9f DumpRenderTreeMain(int, char const**) + 1400 (DumpRenderTree.mm:1424) 18 libdyld.dylib 0x00007fff886f35c9 start + 1

Attachments
Add attachment proposed patch, testcase, etc.

Chris Dumez

Comment 1 2015-09-22 16:06:47 PDT

Patch was rolled out.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution INVALID

Priority P2

Severity Normal

Classification Unclassified

Version Other

Hardware Unspecified

OS Unspecified

Product WebKit

Component Bindings

Assignee

Chris Dumez

Reported

2015-09-22 15:53 PDT

Modified

2015-09-22 16:06 PDT History

CC List

3 users Show

URL

Keywords

Depends on

Blocks

149418

Dependencies

tree graph