Under the newly refactored heap object creation scheme, only one heap object can have its C++ constructor in flight at a time. This ensures that a GC cannot be fired while some object has yet to have its initial state (i.e. vtable) set. However, the ErrorInstance::create(ExecState*, Structure*, JSValue) constructor violates this constraint by calling toString() in the argument list to a placement new call.
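As an added illustration of the invariant described above (constructed for this page; not WebKit code, and `Heap`, `Value`, `ErrorInstance`, `createUnsafe` and `createSafe` are toy stand-ins for the real classes), the following sketch models a heap that records any collection triggered while a cell has been allocated but not yet constructed. The unsafe variant writes the placement-new expression out step by step so the ordering is explicit: in a single `new (allocateCell(...)) T(arg.toString())` expression the allocation function is invoked before the new-initializer is evaluated (guaranteed since C++17, unspecified before), which is exactly the window in which a GC triggered by `toString()` sees a cell with no vtable.

```cpp
#include <cstddef>
#include <new>
#include <string>
#include <utility>

// Toy model of the invariant in the bug report: between allocateCell() and the
// end of the C++ constructor a cell has no vtable, so a collection must not run
// in that window.
struct Heap {
    bool constructorInFlight = false;  // a cell exists but is not yet constructed
    int violations = 0;                // collections that ran inside that window

    void* allocateCell(std::size_t size) {
        constructorInFlight = true;
        return ::operator new(size);
    }
    void finishedConstruction() { constructorInFlight = false; }
    // A real collector would walk the heap and read each cell's vtable; this one
    // only records whether it was asked to run while a cell was unconstructed.
    void collect() {
        if (constructorInFlight)
            ++violations;
    }
};

// Stand-in for a JSValue whose toString() may allocate and so trigger a GC.
struct Value {
    std::string text;
    std::string toString(Heap& heap) const {
        heap.collect();  // assume the conversion allocated and a GC fired
        return text;
    }
};

struct ErrorInstance {
    ErrorInstance(Heap& heap, std::string message) : m_message(std::move(message)) {
        heap.finishedConstruction();  // vtable and fields are valid from here on
    }
    virtual ~ErrorInstance() = default;
    std::string m_message;
};

// The pattern the bug describes, with the evaluation order spelled out: the
// cell is allocated before the constructor argument runs, so the GC that
// toString() triggers observes an unconstructed cell.
ErrorInstance* createUnsafe(Heap& heap, const Value& message) {
    void* cell = heap.allocateCell(sizeof(ErrorInstance));
    std::string text = message.toString(heap);  // GC fires with the cell in flight
    return new (cell) ErrorInstance(heap, std::move(text));
}

// The fix: finish every GC-capable computation before the cell exists.
ErrorInstance* createSafe(Heap& heap, const Value& message) {
    std::string text = message.toString(heap);  // any GC happens with no cell in flight
    void* cell = heap.allocateCell(sizeof(ErrorInstance));
    return new (cell) ErrorInstance(heap, std::move(text));
}

static void destroy(ErrorInstance* object) {
    object->~ErrorInstance();
    ::operator delete(object);
}

// Number of collections that ran inside the constructor window for each variant.
int violationsUnsafe() {
    Heap heap;
    destroy(createUnsafe(heap, Value{"boom"}));
    return heap.violations;  // 1
}

int violationsSafe() {
    Heap heap;
    destroy(createSafe(heap, Value{"boom"}));
    return heap.violations;  // 0
}
```

The same reordering is what a fix for this class of bug has to do in general: hoist every call that can allocate (and therefore collect) out of the argument list of the placement new and into a local computed before the cell is allocated.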
Created attachment 104974: the patch
Comment on attachment 104974: the patch

Tests pass, ready to commit if others concur. Interestingly, this failure is already covered by our run-javascriptcore-tests, but not in LayoutTests. Should we port the relevant test into LayoutTests, or maybe we should have run-webkit-tests trigger run-javascriptcore-tests automatically?
(In reply to comment #2)
> maybe we should have run-webkit-tests trigger run-javascriptcore-tests automatically?

This is the right long-term direction. But ideally we want this to run tests and show failures the same way run-webkit-tests does, not an entirely different way. The internal machinery doesn't have to be identical, but the format of results should be.
Comment on attachment 104974: the patch

Clearing flags on attachment: 104974

Committed r93710: <http://trac.webkit.org/changeset/93710>
All reviewed patches have been landed. Closing bug.