Bug 162986 - [mac-wk1 debug] ASSERTION FAILED: thisObject->m_propertyTableUnsafe
Summary: [mac-wk1 debug] ASSERTION FAILED: thisObject->m_propertyTableUnsafe
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Filip Pizlo
URL:
Keywords: InRadar
: 141253 (view as bug list)
Depends on:
Blocks:
 
Reported: 2016-10-05 14:24 PDT by Ryan Haddad
Modified: 2016-11-15 15:32 PST (History)
10 users (show)

See Also:

Attachments
the patch (3.01 KB, patch)
2016-11-15 12:25 PST, Filip Pizlo 		saam: review+
Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ryan Haddad 2016-10-05 14:24:44 PDT 
LayoutTest inspector/formatting/formatting-javascript.html is a flaky crash

https://build.webkit.org/builders/Apple%20Sierra%20Debug%20WK1%20(Tests)/builds/314

https://webkit-test-results.webkit.org/dashboards/flakiness_dashboard.html#showAllRuns=true&tests=inspector%2Fformatting%2Fformatting-javascript.html

ASSERTION FAILED: thisObject->m_propertyTableUnsafe
/Volumes/Data/slave/sierra-debug/build/Source/JavaScriptCore/runtime/Structure.cpp(1127) : static void JSC::Structure::visitChildren(JSC::JSCell *, JSC::SlotVisitor &)
1   0x10ef71acd WTFCrash
2   0x10eda6bb2 JSC::Structure::visitChildren(JSC::JSCell*, JSC::SlotVisitor&)
3   0x10ed84496 JSC::SlotVisitor::visitChildren(JSC::JSCell const*)
4   0x10ed84280 JSC::SlotVisitor::drain()
5   0x10ed85172 JSC::SlotVisitor::donateAndDrain()
6   0x10e7dfc8a JSC::Heap::visitConservativeRoots(JSC::ConservativeRoots&)
7   0x10e7df5be JSC::Heap::markRoots(double, void*, void*, int (&) [37])
8   0x10e7e32fc JSC::Heap::collectImpl(JSC::HeapOperation, void*, void*, int (&) [37])
9   0x10e7e2bdd JSC::Heap::collectWithoutAnySweep(JSC::HeapOperation)
10  0x10e7e2d50 JSC::Heap::collect(JSC::HeapOperation)
11  0x10dfcb637 JSC::Heap::collectIfNecessaryOrDefer(JSC::GCDeferralContext*)
12  0x10dfcb4af JSC::Heap::decrementDeferralDepthAndGCIfNeeded()
13  0x10dfcb458 JSC::DeferGC::~DeferGC()
14  0x10dfcafc5 JSC::DeferGC::~DeferGC()
15  0x10eda9471 JSC::Structure::takePropertyTableOrCloneIfPinned(JSC::VM&)
16  0x10eda8e7a JSC::Structure::addNewPropertyTransition(JSC::VM&, JSC::Structure*, JSC::PropertyName, unsigned int, int&, JSC::PutPropertySlot::Context, JSC::DeferredStructureTransitionWatchpointFire*)
17  0x10e1f882b bool JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)0>(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot&)
18  0x10e1f7a95 JSC::JSObject::putInline(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
19  0x10e1f2ff4 JSC::JSValue::putInline(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
20  0x10e949dc3 operationPutByIdStrict
21  0x452ccf0481cf
22  0x452ccf0a8242
23  0x452ccf096126
24  0x452ccf047e73
25  0x452ccf0963dd
26  0x452ccf047e73
27  0x452ccf09ad93
28  0x452ccf047e73
29  0x452ccf096699
30  0x452ccf047e73
31  0x452ccf0a8242
Comment 1 Ryan Haddad 2016-10-05 14:25:18 PDT 
<rdar://problem/28514822>
Comment 2 Ryan Haddad 2016-10-05 16:23:12 PDT 
Marked test as flaky on mac-wk1 in http://trac.webkit.org/projects/webkit/changeset/206835
Comment 3 Filip Pizlo 2016-11-15 12:03:28 PST 
Same problem as https://bugs.webkit.org/show_bug.cgi?id=164775.
Comment 4 Filip Pizlo 2016-11-15 12:04:35 PST 
(In reply to comment #3)
> Same problem as https://bugs.webkit.org/show_bug.cgi?id=164775.

Wait, no it's not.
Comment 5 Filip Pizlo 2016-11-15 12:25:27 PST 
Created attachment 294863 [details]
the patch
Comment 6 Alexey Proskuryakov 2016-11-15 12:30:40 PST 
*** Bug 141253 has been marked as a duplicate of this bug. ***
Comment 7 Filip Pizlo 2016-11-15 15:32:57 PST 
Landed in https://trac.webkit.org/changeset/208762