164433 – REGRESSION: Crashes in StringImpl destructor during GC when clearing the HasOwnPropertyCache

RESOLVED FIXED Bug 164433

REGRESSION: Crashes in StringImpl destructor during GC when clearing the HasOwnPropertyCache

https://bugs.webkit.org/show_bug.cgi?id=164433

Summary REGRESSION: Crashes in StringImpl destructor during GC when clearing the HasO...

Jim Oase

Reported 2016-11-04 14:30:02 PDT

Every load results in a error message. The reload appears to work. http://www.video.theblaze.com/video/e187-274027 is the last site to fail

Attachments
Crash log (87.54 KB, text/plain) 2016-11-04 15:54 PDT, Jim Oase	no flags	Details
patch (1.82 KB, patch) 2016-11-07 15:24 PST, Saam Barati	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Jim Oase

Comment 1 2016-11-04 15:54:48 PDT

Created attachment 293945 [details] Crash log

Alexey Proskuryakov

Comment 2 2016-11-05 10:01:02 PDT

I couldn't reproduce this.

Alexey Proskuryakov

Comment 3 2016-11-05 15:15:41 PDT

But, this is seen on bots: https://build.webkit.org/results/Apple%20Sierra%20Release%20WK2%20(Tests)/r208418%20(1259)/imported/w3c/web-platform-tests/html/dom/interfaces-crash-log.txt

Alexey Proskuryakov

Comment 4 2016-11-05 15:22:12 PDT

First occurrence that I see was on 2016-11-02 16:21:01. Filip, could this be caused by threaded GC (r208306)?

Filip Pizlo

Comment 5 2016-11-05 15:30:00 PDT

(In reply to comment #4) > First occurrence that I see was on 2016-11-02 16:21:01. > > Filip, could this be caused by threaded GC (r208306)? Yup, that's the patch at fault. Should be really easy to fix. Basically, we just need to move anything in the GC that touches strings off the GC thread. It's usually easy to do this. Here we see the collector calling some HasOwnPropertyCache thing, which it shouldn't be doing.

Saam Barati

Comment 6 2016-11-07 15:08:34 PST

This looks like the HasOwnPropertyCache at work. It derefs StringImpls from the collector thread.

Saam Barati

Comment 7 2016-11-07 15:24:56 PST

Created attachment 294094 [details] patch

Mark Lam

Comment 8 2016-11-07 15:27:58 PST

Comment on attachment 294094 [details] patch r=me

Saam Barati

Comment 9 2016-11-07 16:49:42 PST

<rdar://problem/29079741>

Ryosuke Niwa

Comment 10 2016-11-08 18:52:38 PST

Landing this patch as a test as a pre-reopening test.

Ryosuke Niwa

Comment 11 2016-11-08 18:53:08 PST

Comment on attachment 294094 [details] patch Clearing flags on attachment: 294094 Committed r208426: <http://trac.webkit.org/changeset/208426>

Ryosuke Niwa

Comment 12 2016-11-08 18:53:14 PST

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P1

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component JavaScriptCore

Assignee

Saam Barati

Reported

2016-11-04 14:30 PDT

Modified

2016-11-08 18:53 PST History

CC List

16 users Show

URL

Keywords InRadar

Depends on

Blocks