WebKit Bugzilla
Bug 98612 (RESOLVED FIXED): REGRESSION (r130584): Crashes in JSC::MarkedAllocator::allocateSlowCase, failing fast/dom/gc-dom-tree-lifetime.html
https://bugs.webkit.org/show_bug.cgi?id=98612
Zan Dobersek, reported 2012-10-07 01:37:43 PDT
The following tests started to crash after r130584 (http://trac.webkit.org/changeset/130584):

fast/events/drag-link.html
fast/events/crash-on-mutate-during-drop.html
fast/lists/drag-into-marker.html
editing/pasteboard/drag-drop-list.html
editing/pasteboard/drop-link.html
editing/pasteboard/smart-drag-drop.html
editing/pasteboard/subframe-dragndrop-1.html
editing/selection/4895428-1.html
editing/selection/4895428-4.html
editing/selection/contains-boundaries.html
svg/custom/use-animation-in-fill.html
svg/custom/use-multiple-on-nested-disallowed-font.html

The list may not be complete. The tests are mostly crashing on the GTK 64-bit debug builder, but there are crashes on Apple's Lion and MountainLion WK2 Debug builders as well. Here's the long link to the flakiness dashboard for all these tests:
http://test-results.appspot.com/dashboards/flakiness_dashboard.html#group=%40ToT%20-%20webkit.org&tests=fast%2Fevents%2Fdrag-link.html%20fast%2Fevents%2Fcrash-on-mutate-during-drop.html%20fast%2Flists%2Fdrag-into-marker.html%20editing%2Fpasteboard%2Fdrag-drop-list.html%20editing%2Fpasteboard%2Fdrop-link.html%20editing%2Fpasteboard%2Fsmart-drag-drop.html%20editing%2Fpasteboard%2Fsubframe-dragndrop-1.html%20editing%2Fselection%2F4895428-1.html%20editing%2Fselection%2F4895428-4.html%20editing%2Fselection%2Fcontains-boundaries.html%20svg%2Fcustom%2Fuse-animation-in-fill.html%20svg%2Fcustom%2Fuse-multiple-on-nested-disallowed-font.html
Here's a sample crash log from
http://build.webkit.org/results/GTK%20Linux%2064-bit%20Debug/r130593%20(37369)/results.html
Crash log for DumpRenderTree (pid 7407):
...
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Debug/Programs/DumpR'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007fc8b85527a9 in JSC::MarkedAllocator::allocateSlowCase (this=0xd14978, bytes=32) at ../../Source/JavaScriptCore/heap/MarkedAllocator.cpp:73
73	    ASSERT(m_heap->globalData()->apiLock().currentThreadIsHoldingLock());
...
Thread 1 (Thread 0x7fc8aa0bd900 (LWP 7407)):
#0  0x00007fc8b85527a9 in JSC::MarkedAllocator::allocateSlowCase (this=0xd14978, bytes=32) at ../../Source/JavaScriptCore/heap/MarkedAllocator.cpp:73
#1  0x00007fc8b46d84aa in JSC::MarkedAllocator::allocate (this=0xd14978, bytes=32) at ../../Source/JavaScriptCore/heap/MarkedAllocator.h:78
#2  0x00007fc8b46d869c in JSC::MarkedSpace::allocateWithNormalDestructor (this=0xd14978, bytes=32) at ../../Source/JavaScriptCore/heap/MarkedSpace.h:224
#3  0x00007fc8b46d871d in JSC::Heap::allocateWithNormalDestructor (this=0xd148b8, bytes=32) at ../../Source/JavaScriptCore/heap/Heap.h:373
#4  0x00007fc8b57708fd in JSC::allocateCell<WebCore::JSHTMLAnchorElement> (heap=..., size=32) at ../../Source/JavaScriptCore/runtime/JSCell.h:328
#5  0x00007fc8b576a78e in JSC::allocateCell<WebCore::JSHTMLAnchorElement> (heap=...) at ../../Source/JavaScriptCore/runtime/JSCell.h:338
#6  0x00007fc8b576670e in WebCore::JSHTMLAnchorElement::create (structure=0x7fc8682934e0, globalObject=0x7fc86823e1a0, impl=...) at DerivedSources/WebCore/JSHTMLAnchorElement.h:36
#7  0x00007fc8b576b9bd in WebCore::createWrapper<WebCore::JSHTMLAnchorElement, WebCore::HTMLAnchorElement> (exec=0x7fc86823e3a8, globalObject=0x7fc86823e1a0, node=0xfa6400) at ../../Source/WebCore/bindings/js/JSDOMBinding.h:164
#8  0x00007fc8b5762166 in WebCore::createHTMLAnchorElementWrapper (exec=0x7fc86823e3a8, globalObject=0x7fc86823e1a0, element=...) at DerivedSources/WebCore/JSHTMLElementWrapperFactory.cpp:227
#9  0x00007fc8b57665d0 in WebCore::createJSHTMLWrapper (exec=0x7fc86823e3a8, globalObject=0x7fc86823e1a0, element=...) at DerivedSources/WebCore/JSHTMLElementWrapperFactory.cpp:822
#10 0x00007fc8b473795a in WebCore::createWrapperInline (exec=0x7fc86823e3a8, globalObject=0x7fc86823e1a0, node=0xfa6400) at ../../Source/WebCore/bindings/js/JSNodeCustom.cpp:218
#11 0x00007fc8b4737b8d in WebCore::createWrapper (exec=0x7fc86823e3a8, globalObject=0x7fc86823e1a0, node=0xfa6400) at ../../Source/WebCore/bindings/js/JSNodeCustom.cpp:268
#12 0x00007fc8b4704012 in WebCore::toJS (exec=0x7fc86823e3a8, globalObject=0x7fc86823e1a0, node=0xfa6400) at ../../Source/WebCore/bindings/js/JSNodeCustom.h:69
#13 0x00007fc8b49a0c57 in WebCore::willCreatePossiblyOrphanedTreeByRemoval (root=0xfa6400) at ../../Source/WebCore/bindings/js/JSNodeCustom.h:88
#14 0x00007fc8b499f8f1 in WebCore::dispatchChildRemovalEvents (child=0xfa6400) at ../../Source/WebCore/dom/ContainerNode.cpp:985
#15 0x00007fc8b499d202 in WebCore::willRemoveChild (child=0xfa6400) at ../../Source/WebCore/dom/ContainerNode.cpp:350
#16 0x00007fc8b499d597 in WebCore::ContainerNode::removeChild (this=0xf7aa10, oldChild=0xfa6400, ec=@0x7fffa1aa1fd4: 0) at ../../Source/WebCore/dom/ContainerNode.cpp:427
#17 0x00007fc8b4b3f9d4 in WebCore::ReplacementFragment::removeNode (this=0x7fffa1aa2240, node=...) at ../../Source/WebCore/editing/ReplaceSelectionCommand.cpp:237
#18 0x00007fc8b4b43a30 in WebCore::ReplaceSelectionCommand::doApply (this=0xf4b5d0) at ../../Source/WebCore/editing/ReplaceSelectionCommand.cpp:962
#19 0x00007fc8b4ad3ae0 in WebCore::CompositeEditCommand::apply (this=0xf4b5d0) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:204
#20 0x00007fc8b4ad37e0 in WebCore::applyCommand (command=...) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:161
#21 0x00007fc8b4f0da89 in WebCore::DragController::concludeEditDrag (this=0x679700, dragData=0x1162600) at ../../Source/WebCore/page/DragController.cpp:513
#22 0x00007fc8b4f0bf23 in WebCore::DragController::performDrag (this=0x679700, dragData=0x1162600) at ../../Source/WebCore/page/DragController.cpp:228
#23 0x00007fc8b45d7301 in webkit_web_view_drag_drop (widget=0x658030, context=0x5f9d10, x=400, y=35, time=0) at ../../Source/WebKit/gtk/webkit/webkitwebview.cpp:1570
#24 0x00007fc8b3c63347 in _gtk_marshal_BOOLEAN__OBJECT_INT_INT_UINT () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgtk-3.so.0
#25 0x00007fc8b3476a7d in g_type_class_meta_marshal () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgobject-2.0.so.0
#26 0x00007fc8b347642d in g_closure_invoke () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgobject-2.0.so.0
#27 0x00007fc8b3493ca0 in signal_emit_unlocked_R () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgobject-2.0.so.0
#28 0x00007fc8b3492e3a in g_signal_emit_valist () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgobject-2.0.so.0
#29 0x00007fc8b349344a in g_signal_emit_by_name () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgobject-2.0.so.0
#30 0x00007fc8b3e1f9c3 in gtk_drag_dest_drop () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgtk-3.so.0
#31 0x00007fc8b3e1ec6d in gtk_drag_find_widget () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgtk-3.so.0
#32 0x00007fc8b3e1e4ca in _gtk_drag_dest_handle_event () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgtk-3.so.0
#33 0x00007fc8b3c60a5a in gtk_main_do_event () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgtk-3.so.0
#34 0x00007fc8b8d070aa in _gdk_event_emit () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgdk-3.so.0
#35 0x00007fc8b8d3b15c in gdk_event_source_dispatch () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgdk-3.so.0
#36 0x00007fc8b336fc91 in g_main_dispatch () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#37 0x00007fc8b3370956 in g_main_context_dispatch () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#38 0x00007fc8b3370b39 in g_main_context_iterate () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#39 0x00007fc8b3370bfd in g_main_context_iteration () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#40 0x00007fc8b3c5ff02 in gtk_main_iteration () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgtk-3.so.0
#41 0x0000000000481992 in dispatchEvent (event=0xdfac50) at ../../Tools/DumpRenderTree/gtk/EventSender.cpp:648
#42 0x0000000000481a3d in replaySavedEvents () at ../../Tools/DumpRenderTree/gtk/EventSender.cpp:663
#43 0x0000000000481812 in sendOrQueueEvent (event=0xdfac50, shouldReplaySavedEvents=true) at ../../Tools/DumpRenderTree/gtk/EventSender.cpp:600
#44 0x00000000004809b2 in mouseUpCallback (context=0x7fc8682a4130, function=0x7fc8681ffae0, thisObject=0x7fc8681ff440, argumentCount=0, arguments=0x7fffa1aa3b38, exception=0x7fffa1aa3bd8) at ../../Tools/DumpRenderTree/gtk/EventSender.cpp:386
#45 0x00007fc8b83a82c4 in JSC::JSCallbackFunction::call (exec=0x7fc8682a4130) at ../../Source/JavaScriptCore/API/JSCallbackFunction.cpp:73
#46 0x00007fc8b85b84bf in JSC::LLInt::handleHostCall (execCallee=0x7fc8682a4130, pc=0x1192890, callee=..., kind=JSC::CodeForCall) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1315
#47 0x00007fc8b85bb2d3 in JSC::LLInt::setUpCall (execCallee=0x7fc8682a4130, pc=0x1192890, kind=JSC::CodeForCall, calleeAsValue=..., callLinkInfo=0x118def8) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1359
#48 0x00007fc8b85bb842 in JSC::LLInt::genericCall (exec=0x7fc8682a40d0, pc=0x1192890, kind=JSC::CodeForCall) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1415
#49 0x00007fc8b85b8a2c in JSC::LLInt::llint_slow_path_call (exec=0x7fc8682a40d0, pc=0x1192890) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1421
#50 0x00007fc8b85bf774 in llint_op_call () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0
#51 0x00007fffa1aa3f90 in ?? ()
#52 0x00007fffa1aa3fc0 in ?? ()
#53 0x0000000000000000 in ?? ()

Another regression of this commit is the failing fast/dom/gc-dom-tree-lifetime.html test on GTK and Chromium platforms:
http://test-results.appspot.com/dashboards/flakiness_dashboard.html#group=%40ToT%20-%20webkit.org&tests=fast%2Fdom%2Fgc-dom-tree-lifetime.html
The diff shows 6 of these failure messages (the complete diff is too big to paste):

+FAIL <div> objects in a DOM tree are not destructed.

(Taken from http://build.webkit.org/results/GTK%20Linux%2064-bit%20Release/r130591%20(29477)/results.html)
Attachments
Patch (2.88 KB, patch), 2012-10-07 14:55 PDT, Geoffrey Garen; darin: review+
Geoffrey Garen, Comment 1, 2012-10-07 12:30:21 PDT
Thanks for filing this, Zan. The crash at <http://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK2%20(Tests)/r130593%20(1942)/svg/custom/use-animation-in-fill-crash-log.txt> is caused by a missing JSLock in WebCore. I'll start with that. I'm not sure whether the other issues you've mentioned are related.
Geoffrey Garen, Comment 2, 2012-10-07 14:55:38 PDT
Created attachment 167490 [details]: Patch
Geoffrey Garen, Comment 3, 2012-10-07 14:58:13 PDT
dom-modify.html does not object:

NOPATCH Time: avg 3995.7266272339084 runs/s median 0 runs/s stdev 61.311309422082424 runs/s min 3856.1373046215685 runs/s max 4091.4790332559633 runs/s
PATCH   Time: avg 3999.5760388693543 runs/s median 0 runs/s stdev 71.86646160261233 runs/s min 3876.1227097396336 runs/s max 4120.732978044795 runs/s

Instruments shows that the slow path is only 0.3% of this benchmark, which is otherwise dominated by .innerHTML, and that the JS lock is only about 2% of the slow path, which is otherwise dominated by running destructors for dead paragraph elements.
Darin Adler, Comment 4, 2012-10-07 15:10:32 PDT
Comment on attachment 167490 [details]: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=167490&action=review
> Source/WebCore/bindings/js/JSNodeCustom.h:77 > +void willCreatePossiblyOrphanedTreeByRemovalSlowCase(Node* root); > inline void willCreatePossiblyOrphanedTreeByRemoval(Node* root)
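Review bot: the forward declaration of willCreatePossiblyOrphanedTreeByRemovalSlowCase sits directly against the inline fast-path function with nothing separating the two, which is what makes the block hard to read at a glance. A blank line between the declaration and the inline definition, plus a one-line comment on the slow case stating that it is the path that must hold the JSLock (comment 1 names the missing lock as the cause of the crash, and comment 3 measures the lock inside the slow path), would make the fast/slow split self-explanatory to the next reader.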
The formatting here is a little confusing. Not sure how to make it more readable.
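As an added illustration, not WebKit's code or the patch attached to this bug, the single-threaded C++ model below shows the invariant that the assertion at MarkedAllocator.cpp:73 enforces and the shape of the fix comment 1 describes: allocation into the GC heap checks that the API lock is held, and the DOM-side slow case that needs a JS wrapper takes the lock with an RAII holder before allocating. ApiLock, LockHolder, Heap and the two removeSubtree functions are assumed names for this model.

```cpp
#include <cstddef>

// Single-threaded stand-in for JSC's apiLock(): a depth counter is enough to
// answer "does the current thread hold the lock?" in this model (assumption).
class ApiLock {
public:
    void lock() { ++m_depth; }
    void unlock() { --m_depth; }
    bool currentThreadIsHoldingLock() const { return m_depth > 0; }
private:
    int m_depth = 0;
};

// Scope-bound holder in the shape of a JSLockHolder: released on every exit
// path, so an early return or an exception cannot leave the lock held.
class LockHolder {
public:
    explicit LockHolder(ApiLock& lock) : m_lock(lock) { m_lock.lock(); }
    ~LockHolder() { m_lock.unlock(); }
private:
    ApiLock& m_lock;
};

// Model of the allocator entry point: every cell allocation first checks the
// lock invariant. It returns false where debug WebKit would hit the ASSERT.
struct Heap {
    ApiLock apiLock;
    std::size_t cellsAllocated = 0;
    bool allocateCell() {
        if (!apiLock.currentThreadIsHoldingLock())
            return false;
        ++cellsAllocated;
        return true;
    }
};

// Removing a subtree needs a JS wrapper for its root (the toJS call in frame
// #12 of the report). Buggy shape: the DOM-side caller, reached from a
// drag-drop edit command rather than from running script, holds no lock.
bool removeSubtreeWithoutLock(Heap& heap) {
    return heap.allocateCell();
}

// Fixed shape: the slow case takes the API lock before touching the heap.
bool removeSubtreeWithLock(Heap& heap) {
    LockHolder holder(heap.apiLock);
    return heap.allocateCell();
}
```

The release build of the same code would have allocated without complaint either way; the assertion is what turns a silent heap-invariant violation into a reproducible debug crash.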
Geoffrey Garen, Comment 5, 2012-10-07 15:56:33 PDT
Committed r130611: <http://trac.webkit.org/changeset/130611>
Zan Dobersek, Comment 6, 2012-10-08 06:37:59 PDT
(In reply to comment #0)
> Another regression of this commit is the failing fast/dom/gc-dom-tree-lifetime.html test on GTK and Chromium platforms
> http://test-results.appspot.com/dashboards/flakiness_dashboard.html#group=%40ToT%20-%20webkit.org&tests=fast%2Fdom%2Fgc-dom-tree-lifetime.html
>
> The diff shows 6 of these failure messages (the complete diff is too big to paste):
> +FAIL <div> objects in a DOM tree are not destructed.
>
> (Taken from http://build.webkit.org/results/GTK%20Linux%2064-bit%20Release/r130591%20(29477)/results.html)
This is still failing. Will it be handled in another bug?