222453 – REGRESSION(r273225) [GLIB] imported/w3c/web-platform-tests/html/semantics/scripting-1/the-script-element/module/evaluation-order-4-tla.html is crashing in release builds

RESOLVED WORKSFORME222453

REGRESSION(r273225) [GLIB] imported/w3c/web-platform-tests/html/semantics/scripting-1/the-script-element/module/evaluation-order-4-tla.html is crashing in release builds

https://bugs.webkit.org/show_bug.cgi?id=222453

Summary REGRESSION(r273225) [GLIB] imported/w3c/web-platform-tests/html/semantics/scr...

Lauro Moura

Reported 2021-02-25 19:54:51 PST

Created attachment 421602 [details] GTK release local crash log imported/w3c/web-platform-tests/html/semantics/scripting-1/the-script-element/module/evaluation-order-4-tla.html Debug builds passing. Trace: Thread 1 (Thread 0x7f9cb2c989c0 (LWP 157)): #0 0x00007f9cb8886558 in JSC::mapProtoFuncSet(JSC::JSGlobalObject*, JSC::CallFrame*) () at /app/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #1 0x00007f9c71fff1d8 in () #2 0x00007ffed90c73a0 in () #3 0x00007f9cb79c2323 in llint_op_call () at /app/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #4 0x0000000000000000 in () Printf'ing, the crash seems to occur in the map->set(..) call inside mapProtoFuncSet. Full trace attached.

Attachments
GTK release local crash log (14.75 KB, text/plain) 2021-02-25 19:54 PST, Lauro Moura	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Keith Miller

Comment 1 2021-02-26 10:25:39 PST

Interesting... this crash doesn't seem to happen on the Mac port. I'm not sure what would be different about the GTK build? Is it possible to figure out what line in mapProtoFuncSet we are crashing on?

Lauro Moura

Comment 2 2021-02-28 20:22:59 PST

(In reply to Keith Miller from comment #1) > Interesting... this crash doesn't seem to happen on the Mac port. I'm not > sure what would be different about the GTK build? Is it possible to figure > out what line in mapProtoFuncSet we are crashing on? I could not get a proper backtrace, but it's consistently crashing accessing the string content in the first iter->key() when rehashing a map right after inserting the key "http://localhost:8800/html/semantics/scripting-1/the-script-element/module/evaluation-order-4.2.mjs". (e.g. asString(iter->key())->length() is enough to crash).

Radar WebKit Bug Importer

Comment 3 2021-03-04 19:55:17 PST

<rdar://problem/75074133>

Lauro Moura

Comment 4 2021-03-22 18:37:34 PDT

Crash is gone after r274239 / bug223039.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution WORKSFORME

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component JavaScriptCore

Assignee

Nobody

Reported

2021-02-25 19:54 PST

Modified

2021-03-22 18:37 PDT History

CC List

4 users Show

URL

Keywords InRadar

Depends on

Blocks