REOPENED 151495
REGRESSION(r192536): Null pointer dereference in JSPropertyNameEnumerator::visitChildren().
https://bugs.webkit.org/show_bug.cgi?id=151495
Andreas Kling
Reported 2015-11-20 09:24:12 PST
There's a bug in https://trac.webkit.org/changeset/192536. If the call to tryAllocateStorage() in JSPropertyNameEnumerator::finishCreation() ends up having to do a GC, the JSPropertyNameEnumerator will not be in a good-enough state to handle a visitChildren() callback.
Attachments
Patch (4.10 KB, patch)
2015-11-20 09:34 PST, Andreas Kling
no flags
Patch (4.66 KB, patch)
2015-11-20 09:36 PST, Andreas Kling
mark.lam: review+
buildbot: commit-queue-
Archive of layout-test-results from ews116 for mac-yosemite (766.97 KB, application/zip)
2015-11-20 10:28 PST, Build Bot
no flags
Patch for landing (4.69 KB, patch)
2015-11-20 20:33 PST, Andreas Kling
no flags
Patch (1.78 KB, patch)
2015-11-21 15:41 PST, Andreas Kling
no flags
Andreas Kling
Comment 1 2015-11-20 09:34:18 PST
Andreas Kling
Comment 2 2015-11-20 09:36:06 PST
Mark Lam
Comment 3 2015-11-20 09:39:29 PST
Comment on attachment 265961 Patch
r=me
Andreas Kling
Comment 4 2015-11-20 10:09:19 PST
From mac-debug bot:
Regressions: Unexpected timeouts (1)
js/property-name-enumerator-gc-151495.html [ Timeout ]
I wonder if this test is too slow for debug. I'll check locally.
Build Bot
Comment 5 2015-11-20 10:28:20 PST
Comment on attachment 265961 Patch
Attachment 265961 did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/455095
New failing tests:
js/property-name-enumerator-gc-151495.html
Build Bot
Comment 6 2015-11-20 10:28:23 PST
Created attachment 265969 Archive of layout-test-results from ews116 for mac-yosemite
The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews116 Port: mac-yosemite Platform: Mac OS X 10.10.5
Andreas Kling
Comment 7 2015-11-20 20:33:53 PST
Created attachment 266027 Patch for landing
Take the number of test iterations down to 2000 (from 10000) so it won't time out on debug. It's still enough to trip the bug, and finishes in a fraction of the time.
WebKit Commit Bot
Comment 8 2015-11-20 22:07:46 PST
Comment on attachment 266027 Patch for landing
Clearing flags on attachment: 266027
Committed r192722: <http://trac.webkit.org/changeset/192722>
WebKit Commit Bot
Comment 9 2015-11-20 22:07:51 PST
All reviewed patches have been landed. Closing bug.
David Kilzer (:ddkilzer)
Comment 10 2015-11-21 02:20:58 PST
Andreas Kling
Comment 11 2015-11-21 15:41:59 PST
Created attachment 266033 Patch
32-bit testers caught another issue; jsString() can trigger GC, so m_propertyNames must remain null until after all the property names have been stringified.
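A constructed C++ model of the initialisation-order hazard described in comment 0 and comment 11, added here and not WebKit code: a heap that collects on every allocation marks a half-built enumerator, and the two build orders show why the store pointer must be set only after every name exists. Heap, Storage, buildBuggy and buildFixed are invented names, and the model assumes (as the first patch implied) that visitChildren() tolerates a still-null m_propertyNames.

```cpp
#include <cstddef>
#include <vector>
// Constructed analogue of the hazard in this bug (not WebKit code): a tracing GC may run
// on any allocation, and marking calls visitChildren() on every live cell, even a half-built one.
struct Heap;
struct Cell { virtual ~Cell() = default; virtual bool visitChildren(Heap&) = 0; };
struct Heap {
    std::vector<Cell*> cells;
    int badVisits = 0;                     // visits that would have dereferenced null
    template <class T> T* allocate() {     // worst case: collect on every allocation
        collect();
        T* c = new T();
        cells.push_back(c);
        return c;
    }
    void collect() { for (Cell* c : cells) if (!c->visitChildren(*this)) ++badVisits; }
    ~Heap() { for (Cell* c : cells) delete c; }
};
struct Str : Cell { bool visitChildren(Heap&) override { return true; } };
// Backing store for the property names; each slot stays null until its name exists.
struct Storage : Cell { std::vector<Str*> slots; bool visitChildren(Heap&) override { return true; } };
struct Enumerator : Cell {
    Storage* m_propertyNames = nullptr;
    bool visitChildren(Heap&) override {
        if (!m_propertyNames) return true;  // assumed: a still-null store is tolerated
        for (Str* s : m_propertyNames->slots)
            if (!s) return false;           // null entry: the dereference in the report
        return true;
    }
};
// Buggy order: m_propertyNames is published before the names exist, so a GC
// triggered while creating a name (the jsString() analogue) walks null entries.
int buildBuggy(std::size_t n) {
    Heap h;
    Enumerator* e = h.allocate<Enumerator>();
    e->m_propertyNames = h.allocate<Storage>();
    e->m_propertyNames->slots.assign(n, nullptr);
    for (std::size_t i = 0; i < n; ++i) e->m_propertyNames->slots[i] = h.allocate<Str>();
    return h.badVisits;                    // > 0: marking saw the half-built object
}
// Fixed order (comment 11): create every name first, set m_propertyNames last.
int buildFixed(std::size_t n) {
    Heap h;
    Enumerator* e = h.allocate<Enumerator>();
    Storage* storage = h.allocate<Storage>();
    storage->slots.assign(n, nullptr);
    for (std::size_t i = 0; i < n; ++i) storage->slots[i] = h.allocate<Str>();
    e->m_propertyNames = storage;
    return h.badVisits;                    // 0: the field was null throughout
}
```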
Mark Lam
Comment 12 2015-11-21 16:44:51 PST
Comment on attachment 266033 Patch
r=me
Csaba Osztrogonác
Comment 13 2015-11-23 03:48:25 PST
reopen to let the CQ land the followup fix.
Csaba Osztrogonác
Comment 14 2015-11-23 03:49:11 PST
(In reply to comment #13)
> reopen to let the CQ land the followup fix.
Next time please file a new bug report for followup patches.
WebKit Commit Bot
Comment 15 2015-11-23 04:44:32 PST
Comment on attachment 266033 Patch
Clearing flags on attachment: 266033
Committed r192743: <http://trac.webkit.org/changeset/192743>
WebKit Commit Bot
Comment 16 2015-11-23 04:44:35 PST
All reviewed patches have been landed. Closing bug.
WebKit Commit Bot
Comment 17 2015-11-24 13:35:18 PST
Re-opened since this is blocked by bug 151593