Bug 98175 - REGRESSION(r128400): ASSERT (crash in release) @ app.asana.com
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Filip Pizlo
Keywords: InRadar
Depends on:
Reported: 2012-10-02 10:49 PDT by Eric Seidel (no email)
Modified: 2012-10-02 16:28 PDT

the patch (1.48 KB, patch)
2012-10-02 16:16 PDT, Filip Pizlo
oliver: review+
Description Eric Seidel (no email) 2012-10-02 10:49:12 PDT
Reproduces every time, when clicking between projects in my task list.

I'm currently using r130184.

/Users/eseidel/Projects/WebKit/Source/JavaScriptCore/runtime/PropertySlot.h(110) : void JSC::PropertySlot::setValue(JSC::JSValue, JSC::JSValue, PropertyOffset)
1   0x1022d4057 JSC::PropertySlot::setValue(JSC::JSValue, JSC::JSValue, int)
2   0x1022d3e2d JSC::JSObject::inlineGetOwnPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)
3   0x1022d5225 JSC::JSCell::fastGetOwnPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)
4   0x1022d5020 JSC::JSObject::getPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)
5   0x1025224c5 JSC::JSObject::hasProperty(JSC::ExecState*, JSC::PropertyName) const
6   0x1024cb7de cti_has_property
7   0x1024cdf70 jscGeneratedNativeCode
8   0x102494564 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*)
9   0x10249273c JSC::Interpreter::execute(JSC::CallFrameClosure&)
10  0x1022e0983 JSC::CachedCall::call()
11  0x1022dc696 JSC::arrayProtoFuncForEach(JSC::ExecState*)
12  0x3e09b4601265
13  0x102494564 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*)
14  0x10249273c JSC::Interpreter::execute(JSC::CallFrameClosure&)
15  0x1022e0983 JSC::CachedCall::call()
16  0x1022dc696 JSC::arrayProtoFuncForEach(JSC::ExecState*)
17  0x3e09b4601265
18  0x102494564 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*)
19  0x10249273c JSC::Interpreter::execute(JSC::CallFrameClosure&)
20  0x1022e0983 JSC::CachedCall::call()
21  0x1022dc696 JSC::arrayProtoFuncForEach(JSC::ExecState*)
22  0x3e09b4601265
23  0x102494564 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*)
24  0x10249273c JSC::Interpreter::execute(JSC::CallFrameClosure&)
25  0x1022e0983 JSC::CachedCall::call()
26  0x1022dc696 JSC::arrayProtoFuncForEach(JSC::ExecState*)
27  0x3e09b4601265
28  0x102494564 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*)
29  0x1024912f2 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
30  0x10233ca22 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
31  0x103bd1462 WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
LEAK: 2 WebPageProxy
LEAK: 2 WebContext
Comment 1 Eric Seidel (no email) 2012-10-02 10:51:04 PDT
I've sent you all asana invites in case those are still needed.
Comment 2 Geoffrey Garen 2012-10-02 10:55:13 PDT
I can reproduce this with r130184.
Comment 3 Geoffrey Garen 2012-10-02 11:10:44 PDT
Regressed in <http://trac.webkit.org/changeset/128400> (property butterflies).
Comment 4 Geoffrey Garen 2012-10-02 11:11:06 PDT
Comment 5 Eric Seidel (no email) 2012-10-02 11:21:48 PDT
Thanks Geoff.
Comment 6 Filip Pizlo 2012-10-02 16:16:24 PDT
Created attachment 166771
the patch
Comment 7 Filip Pizlo 2012-10-02 16:19:22 PDT
Structure::nonPropertyTransition was forgetting to set m_offset.  In other regards, what it's doing is right - it doesn't need to pin the property table since the property table is rematerializable; but in case someone steals our property table then a bunch of methods (including GC methods) need to be able to use the m_offset to get the property size.  Since they had a bogus m_offset, properties weren't being copied by GC, and hence the crash.
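The failure mode described in comment 7, as an added example that is not part of the original thread and is not WebKit code: a simplified C++ model in which a transition that changes no properties omits the last-offset copy, so a copying collector sizes the object's storage as zero once the rematerializable table has been stolen. Every name here (Shape, lastOffset, addProperty, gcCopy, slotsSurvivingGc) is hypothetical and the stored values are constructed.

```cpp
#include <algorithm>
#include <memory>
#include <utility>
#include <vector>

// Simplified model of the failure in comment 7. Not WebKit code; all names are hypothetical.
constexpr int kInvalidOffset = -1;

struct Shape {                                // plays the role of a Structure
    int lastOffset = kInvalidOffset;          // plays the role of m_offset
    std::unique_ptr<std::vector<int>> table;  // rematerializable cache, so it may be stolen
    // Must stay correct after the table is gone, so the fallback relies on lastOffset.
    std::size_t slotCount() const {
        if (table) return table->size();
        return lastOffset == kInvalidOffset ? 0 : static_cast<std::size_t>(lastOffset) + 1;
    }
};

// Property-adding transition: the successor steals the predecessor's table.
Shape addProperty(Shape& from) {
    Shape to;
    to.lastOffset = static_cast<int>(from.slotCount());  // offset of the new slot
    to.table = std::move(from.table);                    // from.table is now null
    if (!to.table) to.table = std::make_unique<std::vector<int>>(to.lastOffset);
    to.table->push_back(to.lastOffset);
    return to;
}

// Transition that changes no properties. copyOffset=false models the omission.
Shape nonPropertyTransition(const Shape& from, bool copyOffset) {
    Shape to;
    if (copyOffset) to.lastOffset = from.lastOffset;
    if (from.table) to.table = std::make_unique<std::vector<int>>(*from.table);
    return to;
}

// Copying collector: sizes the new backing store from the shape alone.
std::vector<int> gcCopy(const Shape& shape, const std::vector<int>& storage) {
    std::size_t n = std::min(shape.slotCount(), storage.size());
    return std::vector<int>(storage.begin(), storage.begin() + n);
}

// How many of an object's 3 property values survive a collection.
std::size_t slotsSurvivingGc(bool copyOffset, bool stealTable) {
    Shape empty, a = addProperty(empty), b = addProperty(a), c = addProperty(b);
    Shape d = nonPropertyTransition(c, copyOffset);
    std::vector<int> storage = {10, 20, 30};  // constructed values of an object with shape d
    if (stealTable) addProperty(d);           // another object moves on and takes d's table
    return gcCopy(d, storage).size();
}
```

In this model the omission stays latent while the shape still holds its table, which is why the third case in the test keeps all three slots.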
Comment 8 Filip Pizlo 2012-10-02 16:28:05 PDT
Landed in http://trac.webkit.org/changeset/130228