21057 – Crash in RegisterID::deref() running fast/canvas/canvas-putImageData.html

Bug 21057 - Crash in RegisterID::deref() running fast/canvas/canvas-putImageData.html

Summary: Crash in RegisterID::deref() running fast/canvas/canvas-putImageData.html

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Mac OS X 10.5

Importance:	P1 Normal
Assignee:	Geoffrey Garen

URL:
Keywords:

Depends on:
Blocks:

Reported:	2008-09-24 06:48 PDT by Alexey Proskuryakov
Modified:	2008-09-24 10:54 PDT (History)
CC List:	3 users (show)

See Also:

Attachments
patch (1.41 KB, patch) 2008-09-24 08:38 PDT, Geoffrey Garen	zwarich: review+	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexey Proskuryakov 2008-09-24 06:48:02 PDT

Reliably crashes under GuardMalloc:

run-webkit-tests -g fast/canvas/canvas-putImageData.html

Thread 0 Crashed:
0   com.apple.JavaScriptCore      	0x004569c8 JSC::RegisterID::deref() + 16 (RegisterID.h:91)
1   com.apple.JavaScriptCore      	0x00459ad9 WTF::RefPtr<JSC::RegisterID>::~RefPtr() + 31
2   com.apple.JavaScriptCore      	0x00490b8e JSC::CodeGenerator::~CodeGenerator() + 194
3   com.apple.JavaScriptCore      	0x00446098 JSC::ProgramNode::generateCode(JSC::ScopeChainNode*) + 430 (nodes.cpp:1851)
4   com.apple.JavaScriptCore      	0x004ca159 JSC::ProgramNode::byteCode(JSC::ScopeChainNode*) + 43 (nodes.h:2205)
5   com.apple.JavaScriptCore      	0x004b7a52 JSC::Machine::execute(JSC::ProgramNode*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*, JSC::JSValue**) + 62 (Machine.cpp:885)
6   com.apple.JavaScriptCore      	0x00442927 JSC::Interpreter::evaluate(JSC::ExecState*, JSC::ScopeChain&, JSC::UString const&, int, WTF::PassRefPtr<JSC::SourceProvider>, JSC::JSValue*) + 427 (interpreter.cpp:83)

Comment 1 Cameron Zwarich (cpst) 2008-09-24 07:01:04 PDT

This is likely caused by r36821, since that is where the only RefPtr<RegisterID> instance variable for CodeGenerator was defined:

http://trac.webkit.org/changeset/36821

Comment 2 Geoffrey Garen 2008-09-24 07:57:36 PDT

Ah, looks like the RefPtr destructor runs after the SegmentedVector destructor. Should be easy to fix.

Comment 3 Geoffrey Garen 2008-09-24 08:38:17 PDT

Created attachment 23750 [details]
patch

Comment 4 Geoffrey Garen 2008-09-24 08:39:20 PDT

I haven't been able to verify this patch with the original test case, because DRT with GuardMalloc crashes in LaunchServices on my machine. However, I did verify that this patch fixes the destructor order.

Comment 5 Cameron Zwarich (cpst) 2008-09-24 09:02:43 PDT

Comment on attachment 23750 [details]
patch

r=me

Comment 6 Geoffrey Garen 2008-09-24 10:54:19 PDT

Committed revision 36853.