Bug 151495 - REGRESSION(r192536): Null pointer dereference in JSPropertyNameEnumerator::visitChildren().
Summary: REGRESSION(r192536): Null pointer dereference in JSPropertyNameEnumerator::visitChildren().
Status: REOPENED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Andreas Kling
URL:
Keywords: InRadar
Depends on: 151561 151593
Blocks:
Reported: 2015-11-20 09:24 PST by Andreas Kling
Modified: 2015-11-24 13:35 PST
CC: 8 users

See Also:


Attachments
Patch (4.10 KB, patch), 2015-11-20 09:34 PST, Andreas Kling, no flags
Patch (4.66 KB, patch), 2015-11-20 09:36 PST, Andreas Kling, mark.lam: review+, buildbot: commit-queue-
Archive of layout-test-results from ews116 for mac-yosemite (766.97 KB, application/zip), 2015-11-20 10:28 PST, Build Bot, no flags
Patch for landing (4.69 KB, patch), 2015-11-20 20:33 PST, Andreas Kling, no flags
Patch (1.78 KB, patch), 2015-11-21 15:41 PST, Andreas Kling, no flags

Description Andreas Kling 2015-11-20 09:24:12 PST
There's a bug in https://trac.webkit.org/changeset/192536
If the call to tryAllocateStorage() in JSPropertyNameEnumerator::finishCreation() ends up having to do a GC, the JSPropertyNameEnumerator will not be in a good-enough state to handle a visitChildren() callback.
Comment 1 Andreas Kling 2015-11-20 09:34:18 PST
Created attachment 265959
Patch
Comment 2 Andreas Kling 2015-11-20 09:36:06 PST
Created attachment 265961
Patch
Comment 3 Mark Lam 2015-11-20 09:39:29 PST
Comment on attachment 265961
Patch

r=me
Comment 4 Andreas Kling 2015-11-20 10:09:19 PST
From mac-debug bot:

Regressions: Unexpected timeouts (1)
  js/property-name-enumerator-gc-151495.html [ Timeout ]

I wonder if this test is too slow for debug. I'll check locally.
Comment 5 Build Bot 2015-11-20 10:28:20 PST
Comment on attachment 265961
Patch

Attachment 265961 did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/455095

New failing tests:
js/property-name-enumerator-gc-151495.html
Comment 6 Build Bot 2015-11-20 10:28:23 PST
Created attachment 265969
Archive of layout-test-results from ews116 for mac-yosemite

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews116  Port: mac-yosemite  Platform: Mac OS X 10.10.5
Comment 7 Andreas Kling 2015-11-20 20:33:53 PST
Created attachment 266027
Patch for landing

Take the number of test iterations down to 2000 (from 10000) so it won't timeout on debug.
It's still enough to trip the bug, and finishes in a fraction of the time.
Comment 8 WebKit Commit Bot 2015-11-20 22:07:46 PST
Comment on attachment 266027
Patch for landing

Clearing flags on attachment: 266027

Committed r192722: <http://trac.webkit.org/changeset/192722>
Comment 9 WebKit Commit Bot 2015-11-20 22:07:51 PST
All reviewed patches have been landed.  Closing bug.
Comment 10 David Kilzer (:ddkilzer) 2015-11-21 02:20:58 PST
<rdar://problem/23626411>
Comment 11 Andreas Kling 2015-11-21 15:41:59 PST
Created attachment 266033
Patch

32-bit testers caught another issue; jsString() can trigger GC, so m_propertyNames must remain null until after all the property names have been stringified.
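The ordering hazard described in comment 0 (tryAllocateStorage() can GC before the enumerator is ready for visitChildren()) and in comment 11 (jsString() can GC, so m_propertyNames must stay null until stringification is done), as an added C++ model. This is not WebKit's code and not either patch: the Heap, Visitor, Storage, PropertyNameEnumerator, finishCreationUnsafe/finishCreationSafe and runConstruction names, the collect-every-second-allocation policy and the sample property names are assumptions made for the illustration, and the real SlotVisitor and JSPropertyNameEnumerator differ. It shows that with a collection landing inside tryAllocateStorage() and inside jsString(), the buggy ordering lets the collector observe null storage and unfilled slots, while publishing m_propertyNames last keeps every collection's view consistent.

```cpp
// Toy model of the hazard in this bug: a GC that runs inside an allocation made during
// finishCreation() calls visitChildren() on a half-built object. Not JavaScriptCore code.
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

struct Cell;
struct Visitor {                    // stand-in for SlotVisitor
    std::vector<const Cell*> marked;
    size_t nullStorageSeen = 0;     // visitChildren() ran while m_propertyNames was still null
    size_t emptySlotSeen = 0;       // visitChildren() ran while a published slot was still unfilled
};
struct Cell { virtual ~Cell() = default; virtual void visitChildren(Visitor&) {} };
struct StringCell : Cell { std::string value; explicit StringCell(std::string v) : value(std::move(v)) {} };
struct Storage { std::vector<Cell*> slots; explicit Storage(size_t n) : slots(n, nullptr) {} }; // tryAllocateStorage() result

struct Heap {
    std::vector<Cell*> cells;       // a cell is visible to the collector from the moment it is allocated
    std::vector<Storage*> storages;
    size_t allocationsSinceGC = 0;
    const size_t gcEvery = 2;       // tiny budget (assumed) so collections land in the middle of construction
    size_t collections = 0, nullStorageHazards = 0, emptySlotHazards = 0;
    Heap() = default; Heap(const Heap&) = delete; Heap& operator=(const Heap&) = delete;
    ~Heap() { for (auto* c : cells) delete c; for (auto* s : storages) delete s; }

    void collectIfNeeded() {
        if (++allocationsSinceGC < gcEvery) return;
        allocationsSinceGC = 0;
        ++collections;
        Visitor v;
        for (auto* c : cells) c->visitChildren(v);   // includes cells whose finishCreation() is still running
        nullStorageHazards += v.nullStorageSeen;
        emptySlotHazards += v.emptySlotSeen;
    }
    template <typename T, typename... Args> T* allocateCell(Args&&... args) {
        T* c = new T(std::forward<Args>(args)...);
        cells.push_back(c);
        collectIfNeeded();
        return c;
    }
    Storage* tryAllocateStorage(size_t n) {     // comment 0: this allocation can trigger a GC
        auto* s = new Storage(n);
        storages.push_back(s);
        collectIfNeeded();
        return s;
    }
    StringCell* jsString(const std::string& s) { return allocateCell<StringCell>(s); } // comment 11: so can this
};

struct PropertyNameEnumerator : Cell {
    Storage* m_propertyNames = nullptr;   // must stay null until every slot is filled
    size_t m_count = 0;

    void visitChildren(Visitor& v) override {
        if (!m_propertyNames) {               // nothing to mark yet; a marker that trusted m_count and
            if (m_count) ++v.nullStorageSeen; // indexed the storage here is the null dereference in the title
            return;
        }
        for (size_t i = 0; i < m_count; ++i) {
            Cell* child = m_propertyNames->slots[i];
            if (!child) { ++v.emptySlotSeen; continue; }   // slot was published before it was filled
            v.marked.push_back(child);
        }
    }

    // Ordering as the bug reports describe it (modelled, not the real diff): state is published
    // before it is complete, so every collection during construction sees a half-built object.
    void finishCreationUnsafe(Heap& heap, const std::vector<std::string>& names) {
        m_count = names.size();
        m_propertyNames = heap.tryAllocateStorage(m_count);   // a GC here sees m_count > 0 and null storage
        for (size_t i = 0; i < m_count; ++i) {
            StringCell* s = heap.jsString(names[i]);          // a GC here sees unfilled slots
            m_propertyNames->slots[i] = s;
        }
    }

    // Fixed ordering: stringify first, fill the storage off to the side, publish last. The locals survive
    // only because this toy heap never frees; a real engine relies on stack scanning or handles for that.
    void finishCreationSafe(Heap& heap, const std::vector<std::string>& names) {
        std::vector<Cell*> strings;
        for (const auto& n : names) strings.push_back(heap.jsString(n));
        Storage* storage = heap.tryAllocateStorage(names.size());
        for (size_t i = 0; i < names.size(); ++i) storage->slots[i] = strings[i];
        m_count = names.size();
        m_propertyNames = storage;
    }
};

struct Outcome { size_t collections, nullStorageHazards, emptySlotHazards; };

// Builds one enumerator over constructed sample names with the chosen ordering and reports how many
// collections ran during construction and how many of them observed inconsistent state.
Outcome runConstruction(bool safeOrdering) {
    Heap heap;
    const std::vector<std::string> names = {"a", "b", "c", "d"};   // constructed sample input
    auto* e = heap.allocateCell<PropertyNameEnumerator>();
    if (safeOrdering) e->finishCreationSafe(heap, names); else e->finishCreationUnsafe(heap, names);
    return {heap.collections, heap.nullStorageHazards, heap.emptySlotHazards};
}
```

The hazard counters stand in for the crash: in a real marker the null-storage case dereferences null and the unfilled-slot case marks whatever the slot holds. Both orderings see the same number of collections during construction; only the unsafe one lets a collection observe inconsistent state. The fix pattern generalizes to any GC-managed object: everything visitChildren() reads must be either null-safe or fully populated at every point in finishCreation() where an allocation can happen.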
Comment 12 Mark Lam 2015-11-21 16:44:51 PST
Comment on attachment 266033
Patch

r=me
Comment 13 Csaba Osztrogonác 2015-11-23 03:48:25 PST
reopen to let the CQ land the followup fix.
Comment 14 Csaba Osztrogonác 2015-11-23 03:49:11 PST
(In reply to comment #13)
> reopen to let the CQ land the followup fix.

Next time please file new bug report for followup patches.
Comment 15 WebKit Commit Bot 2015-11-23 04:44:32 PST
Comment on attachment 266033
Patch

Clearing flags on attachment: 266033

Committed r192743: <http://trac.webkit.org/changeset/192743>
Comment 16 WebKit Commit Bot 2015-11-23 04:44:35 PST
All reviewed patches have been landed.  Closing bug.
Comment 17 WebKit Commit Bot 2015-11-24 13:35:18 PST
Re-opened since this is blocked by bug 151593