153281 – TypedArray's .buffer does not return the JSArrayBuffer that was passed to it on creation.

RESOLVED CONFIGURATION CHANGED 153281

TypedArray's .buffer does not return the JSArrayBuffer that was passed to it on creation.

https://bugs.webkit.org/show_bug.cgi?id=153281

Summary TypedArray's .buffer does not return the JSArrayBuffer that was passed to it ...

Keith Miller

Reported 2016-01-20 11:28:05 PST

For example: buffer = new ArrayBuffer(16); array = new Int32Array(buffer); return array.buffer == buffer; will return false.

Attachments
Patch (2.47 KB, patch) 2016-01-20 12:49 PST, Keith Miller	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Keith Miller

Comment 1 2016-01-20 12:49:33 PST

Created attachment 269374 [details] Patch

Geoffrey Garen

Comment 2 2016-01-20 12:54:43 PST

Comment on attachment 269374 [details] Patch r=me

WebKit Commit Bot

Comment 3 2016-01-20 13:49:20 PST

Comment on attachment 269374 [details] Patch Clearing flags on attachment: 269374 Committed r195375: <http://trac.webkit.org/changeset/195375>

WebKit Commit Bot

Comment 4 2016-01-20 13:49:23 PST

All reviewed patches have been landed. Closing bug.

Alexey Proskuryakov

Comment 5 2016-01-20 20:40:27 PST

I think that this has caused many crashes on GuardMalloc bots. The range is pretty large (r195374-195392), but this patch seems most relevant. Will try rolling out. +fast/canvas/webgl/typed-arrays-in-workers.html crash log sample history +fast/workers/worker-terminate-forever.html crash log sample history +http/tests/websocket/tests/hybi/workers/receive-arraybuffer.html crash log sample history +http/tests/websocket/tests/hybi/workers/receive-blob.html crash log sample history +http/tests/websocket/tests/hybi/workers/send-arraybufferview.html crash log sample history +imported/blink/fast/workers/worker-shared-asm-buffer.html crash log sample history +webgl/1.0.2/conformance/typedarrays/typed-arrays-in-workers.html crash log sample history Thread 23 Crashed:: WebCore: Worker 0 com.apple.JavaScriptCore 0x000000011c5d2a17 JSC::weakClearSlowCase(JSC::WeakImpl*&) + 7 1 com.apple.JavaScriptCore 0x000000011cbcca45 WTF::DeferrableRefCounted<JSC::ArrayBuffer>::setIsDeferred(bool) + 53 2 com.apple.JavaScriptCore 0x000000011cbcc9e5 bool JSC::GCIncomingRefCounted<JSC::ArrayBuffer>::filterIncomingReferences<bool (JSC::JSCell*)>(bool (&)(JSC::JSCell*)) + 293 3 com.apple.JavaScriptCore 0x000000011c766d4f JSC::Heap::~Heap() + 1679 4 com.apple.JavaScriptCore 0x000000011c762fbd JSC::VM::~VM() + 7757 5 com.apple.JavaScriptCore 0x000000011c5ccce2 JSC::JSLockHolder::~JSLockHolder() + 66 6 com.apple.WebCore 0x000000011e310ee4 WebCore::WorkerScriptController::~WorkerScriptController() + 148 7 com.apple.WebCore 0x000000011e3133e5 std::__1::__function::__func<WebCore::WorkerThread::stop()::$_0::operator()(WebCore::ScriptExecutionContext&) const::'lambda'(WebCore::ScriptExecutionContext&), std::__1::allocator<WebCore::WorkerThread::stop()::$_0::operator()(WebCore::ScriptExecutionContext&) const::'lambda'(WebCore::ScriptExecutionContext&)>, void (WebCore::ScriptExecutionContext&)>::operator()(WebCore::ScriptExecutionContext&) + 37 8 com.apple.WebCore 0x000000011e30fd6f WebCore::WorkerRunLoop::runCleanupTasks(WebCore::WorkerGlobalScope*) + 207

WebKit Commit Bot

Comment 6 2016-01-20 20:42:51 PST

Re-opened since this is blocked by bug 153300

Anne van Kesteren

Comment 7 2023-05-12 07:50:26 PDT

This can't really be broken at this point.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution CONFIGURATION CHANGED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component JavaScriptCore

Assignee

Keith Miller

Reported

2016-01-20 11:28 PST

Modified

2023-05-12 07:50 PDT History

CC List

6 users Show

URL

Keywords

Depends on

153300

Blocks

Dependencies

tree graph