[Webkit-unassigned] [Bug 69599] New: [JSC] JIT buffer refcounting causing assertions in debug WebSocket tests when using proxy PAC
bugzilla-daemon at webkit.org
Thu Oct 6 20:00:29 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=69599
Summary: [JSC] JIT buffer refcounting causing assertions in
debug WebSocket tests when using proxy PAC
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
OS/Version: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: dominicc at chromium.org
CC: ggaren at apple.com, levin at chromium.org,
yutak at chromium.org
Blocks: 67329
When I have a proxy PAC on OS X and run-webkit-tests --debug http/tests/websocket, I get a high rate (~8%) of DRT crashes with the call stack below. Removing the proxy PAC configuration results in no DRT crashes. I believe JSC is used to interpret the proxy PAC file, and when it does this it reuses code buffers in different threads. We should verify that this reuse is safe, and if so, change the verifier to not squawk at this.
ASSERTION FAILED: m_verifier.isSafeToUse()
./wtf/RefCounted.h(122) : bool WTF::RefCountedBase::derefBase()
2 0x1002288a4 WTF::RefCountedBase::derefBase()
3 0x1003ac931 WTF::RefCounted<WTF::MetaAllocatorHandle>::deref()
4 0x100217303 void WTF::derefIfNotNull<WTF::MetaAllocatorHandle>(WTF::MetaAllocatorHandle*)
5 0x10021731e WTF::RefPtr<WTF::MetaAllocatorHandle>::~RefPtr()
6 0x1003ac96d JSC::MacroAssemblerCodeRef::~MacroAssemblerCodeRef()
7 0x1002175e3 JSC::JITCode::~JITCode()
8 0x100208244 JSC::CodeBlock::~CodeBlock()
9 0x1002179bf JSC::GlobalCodeBlock::~GlobalCodeBlock()
10 0x1002179f7 JSC::ProgramCodeBlock::~ProgramCodeBlock()
11 0x1002649f0 void WTF::deleteOwnedPtr<JSC::ProgramCodeBlock>(JSC::ProgramCodeBlock*)
12 0x100264a51 WTF::OwnPtr<JSC::ProgramCodeBlock>::clear()
13 0x100261770 JSC::ProgramExecutable::clearCodeVirtual()
14 0x100260262 JSC::ExecutableBase::clearCode(JSC::JSCell*)
15 0x1003bcbde JSC::Heap::FinalizerOwner::finalize(JSC::Handle<JSC::Unknown>, void*)
16 0x10026d1ec JSC::HandleHeap::finalizeWeakHandles()
17 0x1003be777 JSC::Heap::collect(JSC::Heap::SweepToggle)
18 0x1003d0042 JSC::AllocationSpace::allocateSlowCase(JSC::MarkedSpace::SizeClass&)
19 0x1001ca832 JSC::AllocationSpace::allocate(JSC::MarkedSpace::SizeClass&)
20 0x1002021b6 JSC::AllocationSpace::allocate(unsigned long)
21 0x100202223 JSC::Heap::allocate(unsigned long)
22 0x10024c692 void* JSC::allocateCell<JSC::JSFinalObject>(JSC::Heap&)
23 0x10024c6c4 JSC::JSFinalObject::create(JSC::ExecState*, JSC::Structure*)
24 0x1002ac281 JSC::constructEmptyObject(JSC::ExecState*, JSC::Structure*)
25 0x10024c72f JSC::constructEmptyObject(JSC::ExecState*, JSC::JSGlobalObject*)
26 0x1003333e1 JSC::constructEmptyObject(JSC::ExecState*)
27 0x10029bfaa cti_op_new_object
28 0x10029b301 jscGeneratedNativeCode
29 0x1002797f4 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*)
30 0x100273aaf JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
31 0x100205021 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
32 0x1002e6303 JSObjectCallAsFunction