RESOLVED FIXED 173488
Intermittent crash running Internal/Tests/InternalJSTests/Regress/radar-24300617.js 
https://bugs.webkit.org/show_bug.cgi?id=173488
Summary Intermittent crash running Internal/Tests/InternalJSTests/Regress/radar-24300...
Michael Saboff
Reported 2017-06-16 12:38:39 PDT
While running JavaSCriptCore tests on a release build of r218202 I got a crash under JSC::JSObject::visitChildren(). Here is the relevent part of the crashing stack’s backtrace: Thread 8 Crashed:: WTF::AutomaticThread 0 com.apple.JavaScriptCore 0x000000010ade8759 JSC::JSObject::visitChildren(JSC::JSCell*, JSC::SlotVisitor&) + 1641 (MarkedBlock.h:497) 1 com.apple.JavaScriptCore 0x000000010a8c5675 JSC::ClonedArguments::visitChildren(JSC::JSCell*, JSC::SlotVisitor&) + 21 (WriteBarrier.h:91) 2 com.apple.JavaScriptCore 0x000000010b06030e JSC::SlotVisitor::drain(WTF::MonotonicTime)::$_3::operator()(JSC::MarkStackArray&) const + 334 (SlotVisitor.cpp:388) 3 com.apple.JavaScriptCore 0x000000010b05e554 JSC::SlotVisitor::drain(WTF::MonotonicTime) + 164 (SlotVisitorInlines.h:173) 4 com.apple.JavaScriptCore 0x000000010b05ea2d JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode, WTF::MonotonicTime) + 61 (SlotVisitor.cpp:652) 5 com.apple.JavaScriptCore 0x000000010ac7bbf2 WTF::SharedTaskFunctor<void (), JSC::Heap::runBeginPhase(JSC::GCConductor)::$_11>::run() + 594 (SlotVisitor.h:258) 6 com.apple.JavaScriptCore 0x000000010b1c790c WTF::ParallelHelperClient::runTask(WTF::RefPtr<WTF::SharedTask<void ()> >) + 44 (RefPtr.h:80) 7 com.apple.JavaScriptCore 0x000000010b1c8400 WTF::ParallelHelperPool::Thread::work() + 48 (utility:754) … I tried reproducing by running the test 20 times and got 2 crashes.
Attachments
Patch (2.20 KB, patch)
2017-06-16 12:51 PDT, Michael Saboff 		fpizlo: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Michael Saboff
Comment 1 2017-06-16 12:39:04 PDT
<rdar://problem/32750435>
Michael Saboff
Comment 2 2017-06-16 12:51:52 PDT
Created attachment 313114 [details] Patch
Michael Saboff
Comment 3 2017-06-16 14:12:17 PDT
Committed r218414: <http://trac.webkit.org/changeset/218414>
Simon Fraser (smfr)
Comment 4 2017-06-19 13:15:11 PDT
Comment on attachment 313114 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=313114&action=review Can we not make a test for this? > Source/JavaScriptCore/ChangeLog:10 > + bogus values in those slots. Instead, let's use the standard BUtterfly:tryCreate() method BUtterfly
Note You need to log in before you can comment on or make changes to this bug.