While running JavaSCriptCore tests on a release build of r218202 I got a crash under JSC::JSObject::visitChildren(). Here is the relevent part of the crashing stack’s backtrace: Thread 8 Crashed:: WTF::AutomaticThread 0 com.apple.JavaScriptCore 0x000000010ade8759 JSC::JSObject::visitChildren(JSC::JSCell*, JSC::SlotVisitor&) + 1641 (MarkedBlock.h:497) 1 com.apple.JavaScriptCore 0x000000010a8c5675 JSC::ClonedArguments::visitChildren(JSC::JSCell*, JSC::SlotVisitor&) + 21 (WriteBarrier.h:91) 2 com.apple.JavaScriptCore 0x000000010b06030e JSC::SlotVisitor::drain(WTF::MonotonicTime)::$_3::operator()(JSC::MarkStackArray&) const + 334 (SlotVisitor.cpp:388) 3 com.apple.JavaScriptCore 0x000000010b05e554 JSC::SlotVisitor::drain(WTF::MonotonicTime) + 164 (SlotVisitorInlines.h:173) 4 com.apple.JavaScriptCore 0x000000010b05ea2d JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode, WTF::MonotonicTime) + 61 (SlotVisitor.cpp:652) 5 com.apple.JavaScriptCore 0x000000010ac7bbf2 WTF::SharedTaskFunctor<void (), JSC::Heap::runBeginPhase(JSC::GCConductor)::$_11>::run() + 594 (SlotVisitor.h:258) 6 com.apple.JavaScriptCore 0x000000010b1c790c WTF::ParallelHelperClient::runTask(WTF::RefPtr<WTF::SharedTask<void ()> >) + 44 (RefPtr.h:80) 7 com.apple.JavaScriptCore 0x000000010b1c8400 WTF::ParallelHelperPool::Thread::work() + 48 (utility:754) … I tried reproducing by running the test 20 times and got 2 crashes.
<rdar://problem/32750435>
Created attachment 313114 [details] Patch
Committed r218414: <http://trac.webkit.org/changeset/218414>
Comment on attachment 313114 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=313114&action=review Can we not make a test for this? > Source/JavaScriptCore/ChangeLog:10 > + bogus values in those slots. Instead, let's use the standard BUtterfly:tryCreate() method BUtterfly