[Webkit-unassigned] [Bug 16868] New: Gmail crash
bugzilla-daemon at webkit.org
Sun Jan 13 20:02:08 PST 2008
http://bugs.webkit.org/show_bug.cgi?id=16868
Summary: Gmail crash
Product: WebKit
Version: 525+ (Nightly build)
Platform: Macintosh
OS/Version: Mac OS X 10.5
Status: UNCONFIRMED
Severity: Major
Priority: P1
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: cwzwarich at uwaterloo.ca
If you modify the heapAllocate() method of the JS garbage collector so that it
always calls collect(), then logging into Gmail will crash in
ActivationImp::markChildren(). This does not happen in r29414, so it was almost
surely introduced by r29425, the ActivationImp tear-off patch. As far as I can
tell via printf debugging, the crash occurs in this section of code:
    // loop in ActivationImp::markChildren() where the crash occurs
    for (size_t i = 0; i < size; ++i) {
        JSValue* value = localStorage[i].value;
        if (!value->marked())
            value->mark();
    }
According to Maciej, the debug build fails some assertions prior to this
code, so we can't use it to get the exact place where the code fails without
commenting out those assertions. I did some more printf debugging instead. If I
make another copy of this loop that doesn't actually mark anything, it
succeeds, so the problem is probably that value is an invalid pointer.
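The report finds the bug by making heapAllocate() collect on every allocation, so that any slot the marking code forgets to visit is swept at the very next allocation instead of surviving until some later collection. The toy mark-sweep heap below is an added example of that stress technique; it is not JavaScriptCore code and does not model the tear-off patch itself. The names Heap, Cell, valueSurvives and the tracesLocalStorage flag are assumptions: the flag stands in for whether an object's markChildren() covers every slot it holds, which in the real engine is per-class code rather than a switch.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Hypothetical heap cell: the mark bit plus the slots the object holds.
// `tracesLocalStorage` stands in for whether markChildren() visits localStorage.
struct Cell {
    unsigned id;
    bool marked = false;
    bool tracesLocalStorage = true;
    std::vector<Cell*> localStorage;
    explicit Cell(unsigned i) : id(i) {}
};

// Hypothetical mark-sweep heap with an optional "collect on every allocation" mode.
class Heap {
public:
    explicit Heap(bool collectOnEveryAllocation) : stress_(collectOnEveryAllocation) {}
    ~Heap() { for (Cell* c : cells_) delete c; }

    Cell* allocate() {
        if (stress_) collect();   // the report's experiment: allocation always collects first
        Cell* c = new Cell(nextId_++);
        cells_.push_back(c);
        return c;
    }
    void addRoot(Cell* c) { roots_.push_back(c); }

    // Liveness is checked by id, not by pointer, so a swept cell is never touched again.
    bool isLive(unsigned id) const {
        for (const Cell* c : cells_) if (c->id == id) return true;
        return false;
    }
    std::size_t liveCount() const { return cells_.size(); }

    void collect() {
        for (Cell* c : cells_) c->marked = false;
        for (Cell* r : roots_) mark(r);
        std::vector<Cell*> survivors;
        for (Cell* c : cells_) {
            if (c->marked) survivors.push_back(c);
            else delete c;        // unmarked cells are freed; any pointer still held to them dangles
        }
        cells_.swap(survivors);
    }

private:
    static void mark(Cell* c) {
        if (c->marked) return;
        c->marked = true;
        if (c->tracesLocalStorage)          // a correct markChildren() marks every slot
            for (Cell* v : c->localStorage) mark(v);
    }
    bool stress_;
    unsigned nextId_ = 0;
    std::vector<Cell*> cells_;
    std::vector<Cell*> roots_;
};

// Builds a rooted "activation" holding one value in its local storage, then performs
// one unrelated allocation. Returns whether the value is still live afterwards.
bool valueSurvives(bool collectOnEveryAllocation, bool markChildrenCoversLocalStorage) {
    Heap heap(collectOnEveryAllocation);
    Cell* activation = heap.allocate();
    heap.addRoot(activation);
    activation->tracesLocalStorage = markChildrenCoversLocalStorage;
    Cell* value = heap.allocate();
    unsigned valueId = value->id;
    activation->localStorage.push_back(value);   // the reference JS code can still observe
    heap.allocate();                             // under stress this runs a full collection
    return heap.isLive(valueId);
}

int main() {
    std::printf("normal GC, missing mark: survives=%d\n", valueSurvives(false, false));
    std::printf("normal GC, correct mark: survives=%d\n", valueSurvives(false, true));
    std::printf("stress GC, correct mark: survives=%d\n", valueSurvives(true, true));
    std::printf("stress GC, missing mark: survives=%d\n", valueSurvives(true, false));
    return 0;
}
```

With normal collection the missing mark goes unnoticed because no collection happens between creating the value and using it; with collection on every allocation the value is swept immediately and the activation is left holding exactly the kind of invalid pointer the report describes. The same stress mode is worth keeping as a debug-only switch in any collector, since it turns an intermittent crash into one that reproduces on the first use.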