RESOLVED FIXED Bug 25785
Segfault in mark when using JSObjectMakeConstructor
https://bugs.webkit.org/show_bug.cgi?id=25785
Summary Segfault in mark when using JSObjectMakeConstructor
Robert Carr
Reported 2009-05-14 02:46:23 PDT
Making two constructors of a class with JSObjectMakeConstructor, setting them on an object, and then creating/releasing a context, reliably produces a segfault in GC Mark with r43686 on Linux. Not setting either of the constructors on the object, OR passing NULL as the class argument to JSObjectMakeConstructor prevents the segfault from happening. Attached is a test case which triggers the segfault.
Attachments
Test case (2.47 KB, text/plain)
2009-05-14 02:47 PDT, Robert Carr
no flags
Further reduction (260 bytes, application/octet-stream)
2009-05-14 03:06 PDT, Mark Rowe (bdash)
no flags
Patch (3.53 KB, patch)
2009-05-14 03:45 PDT, Mark Rowe (bdash)
oliver: review+
Robert Carr
Comment 1 2009-05-14 02:47:16 PDT
Created attachment 30321 [details] Test case
Mark Rowe (bdash)
Comment 2 2009-05-14 02:50:16 PDT
This also crashes on i386 Mac OS X.
Mark Rowe (bdash)
Comment 3 2009-05-14 03:06:47 PDT
Created attachment 30326 [details] Further reduction

I hit the following assertion in a debug build:

0x000bb760 in JSC::JSObject::putDirect (this=0x4a1260, propertyName=@0x5047e8, value={m_ptr = 0x0}, attributes=14, checkReadOnly=false, slot=@0xbffff6e0) at JSObject.h:389
389 ASSERT(!Heap::heap(value) || Heap::heap(value) == Heap::heap(this));

This attached file is all that is necessary to reproduce the assertion failure, which is likely to be the root cause of this crash during GC.
Mark Rowe (bdash)
Comment 4 2009-05-14 03:45:35 PDT
Mark Rowe (bdash)
Comment 5 2009-05-14 04:15:02 PDT
Fixed in r43692.