Bug 120099 - Assertion failure in JSC::SlotVisitor::copyLater when marking JSDataView
Summary: Assertion failure in JSC::SlotVisitor::copyLater when marking JSDataView
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P1 Normal
Assignee: Filip Pizlo
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-08-20 20:19 PDT by Ryosuke Niwa
Modified: 2013-08-21 13:53 PDT
CC: 8 users

See Also:


Attachments
the patch (21.39 KB, patch)
2013-08-21 13:01 PDT, Filip Pizlo
mhahnenberg: review+
webkit-ews: commit-queue-

Description Ryosuke Niwa 2013-08-20 20:19:57 PDT
Saw this crash on fast/canvas/webgl/array-message-passing.html:

Thread 9 Crashed:: JavaScriptCore::Marking
0   com.apple.JavaScriptCore      	0x000000010658986a WTFCrash + 42 (Assertions.cpp:342)
1   com.apple.JavaScriptCore      	0x00000001061b68f5 JSC::SlotVisitor::copyLater(JSC::JSCell*, JSC::CopyToken, void*, unsigned long) + 85 (SlotVisitorInlines.h:213)
2   com.apple.JavaScriptCore      	0x00000001063cb624 JSC::JSObject::visitButterfly(JSC::SlotVisitor&, JSC::Butterfly*, unsigned long) + 356 (JSObject.cpp:193)
3   com.apple.JavaScriptCore      	0x00000001063bf6e9 JSC::JSObject::visitChildren(JSC::JSCell*, JSC::SlotVisitor&) + 409 (JSObject.cpp:223)
4   com.apple.JavaScriptCore      	0x00000001064fe5a8 JSC::visitChildren(JSC::SlotVisitor&, JSC::JSCell const*) + 264 (SlotVisitor.cpp:96)
5   com.apple.JavaScriptCore      	0x00000001064fe40d JSC::SlotVisitor::drain() + 237 (SlotVisitor.cpp:136)
6   com.apple.JavaScriptCore      	0x00000001064fea18 JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode) + 1128 (SlotVisitor.cpp:226)
7   com.apple.JavaScriptCore      	0x00000001062e568d JSC::GCThread::gcThreadMain() + 189 (GCThread.cpp:109)
8   com.apple.JavaScriptCore      	0x00000001062e576d JSC::GCThread::gcThreadStartFunc(void*) + 29 (GCThread.cpp:136)
9   com.apple.JavaScriptCore      	0x00000001065cf8b0 WTF::threadEntryPoint(void*) + 144 (Threading.cpp:70)
10  com.apple.JavaScriptCore      	0x00000001065d0258 WTF::wtfThreadEntryPoint(void*) + 104 (ThreadingPthreads.cpp:195)
11  libsystem_c.dylib             	0x00007fff96a7b7a2 _pthread_start + 327
12  libsystem_c.dylib             	0x00007fff96a681e1 thread_start + 13

http://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK2%20(Tests)/r154377%20(11827)/fast/canvas/webgl/array-message-passing-crash-log.txt
Comment 1 Mark Hahnenberg 2013-08-21 08:36:50 PDT
This ASSERT is meant to catch cases where we would have corrupted the state of CopiedSpace, which may or may not have caused a crash later. I'll see if I can track down the particular object that's causing this issue.
Comment 3 Ryosuke Niwa 2013-08-21 08:49:13 PDT
I haven't seen this particular crash on WK1 bots so maybe it's more or only reproducible on WK2.
Comment 5 Mark Hahnenberg 2013-08-21 09:29:41 PDT
I can repro very easily with WKTR by running fast/canvas/webgl/array-message-passing.html repeatedly.
Comment 6 Mark Hahnenberg 2013-08-21 09:40:15 PDT
Looks like the offending object is a DataView.
Comment 7 Mark Hahnenberg 2013-08-21 09:41:18 PDT
(In reply to comment #6)
> Looks like the offending object is a DataView.

A JSDataView, to be more precise.
Comment 8 Tim Horton 2013-08-21 12:02:10 PDT
Temporarily marked as a debug crash in http://trac.webkit.org/changeset/154402
Comment 9 Filip Pizlo 2013-08-21 13:01:10 PDT
Created attachment 209295 [details]
the patch
Comment 10 Mark Hahnenberg 2013-08-21 13:06:54 PDT
Comment on attachment 209295 [details]
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=209295&action=review

r=me

> Source/JavaScriptCore/runtime/JSArrayBufferView.h:74
> +    // A data view. B is unusewd, V points to a vector allocated using who-

unused

> Source/JavaScriptCore/runtime/JSArrayBufferView.h:75
> +    // knows-what, and M = DataViewMode. The view does not own the vector

vector.
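As an added illustration of the class of check Comment 1 describes (an ASSERT that keeps foreign storage from being recorded in CopiedSpace) and of the "who-knows-what" vector that the quoted patch comment says a data view does not own, here is a toy copied space whose copyLater() accepts only storage it allocated itself. This is example code written for this page, not JavaScriptCore's code: the names CopiedSpace, SlotVisitor, Block and runScenario are hypothetical and only loosely borrowed from the crash trace, and the real implementation's layout and checks are not known from this bug.

```cpp
// Added illustration (not JavaScriptCore code). All names are hypothetical.
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <vector>

// A bump allocator over fixed-size blocks, standing in for a GC-owned
// "copied space" whose contents may later be compacted.
class CopiedSpace {
public:
    static constexpr size_t blockSize = 4096;

    ~CopiedSpace() {
        for (Block& b : blocks_)
            std::free(b.base);
    }

    // Bump-allocate from the current block; open a new block when full.
    void* allocate(size_t bytes) {
        if (blocks_.empty() || blocks_.back().used + bytes > blockSize) {
            Block b;
            b.base = static_cast<char*>(std::malloc(blockSize));
            b.used = 0;
            blocks_.push_back(b);
        }
        Block& b = blocks_.back();
        void* p = b.base + b.used;
        b.used += bytes;
        return p;
    }

    // True iff ptr lies inside a block this space allocated.
    bool contains(const void* ptr) const {
        uintptr_t p = reinterpret_cast<uintptr_t>(ptr);
        for (const Block& b : blocks_) {
            uintptr_t base = reinterpret_cast<uintptr_t>(b.base);
            if (p >= base && p < base + blockSize)
                return true;
        }
        return false;
    }

private:
    struct Block { char* base; size_t used; };
    std::vector<Block> blocks_;
};

// Deferred-copy work list, as a marking visitor might keep.
struct SlotVisitor {
    CopiedSpace& space;
    std::vector<void*> pending;

    // Register ptr to be copied after marking finishes. Instead of
    // ASSERTing (which would abort, as in the crash log above), report
    // whether the pointer was accepted so the check can be exercised.
    bool copyLater(void* ptr) {
        if (!space.contains(ptr))
            return false; // foreign storage: must not be compacted by us
        pending.push_back(ptr);
        return true;
    }
};

struct Outcome { bool ownedAccepted; bool foreignAccepted; };

// Constructed scenario: one object whose storage lives in the copied
// space, and a DataView-like object whose vector was allocated elsewhere
// (plain malloc here) and which the view does not own.
Outcome runScenario() {
    CopiedSpace space;
    SlotVisitor visitor{space, {}};
    void* butterfly = space.allocate(64);
    void* foreignVector = std::malloc(64);
    Outcome o;
    o.ownedAccepted = visitor.copyLater(butterfly);     // true
    o.foreignAccepted = visitor.copyLater(foreignVector); // false
    std::free(foreignVector);
    return o;
}
```

The point of the ownership test is that compacting a pointer the space did not hand out would either copy from memory it does not control or write a stale pointer back into the owning object; refusing (or asserting, in a debug build) at registration time surfaces the bug at the visitor that registered the pointer rather than as an unrelated crash later.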
Comment 11 Tim Horton 2013-08-21 13:07:33 PDT
(In reply to comment #8)
> Temporarily marked as a debug crash in http://trac.webkit.org/changeset/154402

Please revert this too, in your patch (or after it).
Comment 12 Early Warning System Bot 2013-08-21 13:11:55 PDT
Comment on attachment 209295 [details]
the patch

Attachment 209295 [details] did not pass qt-wk2-ews (qt-wk2):
Output: http://webkit-queues.appspot.com/results/1529149
Comment 13 EFL EWS Bot 2013-08-21 13:23:22 PDT
Comment on attachment 209295 [details]
the patch

Attachment 209295 [details] did not pass efl-wk2-ews (efl-wk2):
Output: http://webkit-queues.appspot.com/results/1512963
Comment 14 EFL EWS Bot 2013-08-21 13:35:07 PDT
Comment on attachment 209295 [details]
the patch

Attachment 209295 [details] did not pass efl-ews (efl):
Output: http://webkit-queues.appspot.com/results/1516849
Comment 15 Filip Pizlo 2013-08-21 13:53:08 PDT
Landed in http://trac.webkit.org/changeset/154408