[Webkit-unassigned] [Bug 69599] New: [JSC] JIT buffer refcounting causing assertions in debug WebSocket tests when using proxy PAC

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Oct 6 20:00:29 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=69599

           Summary: [JSC] JIT buffer refcounting causing assertions in
                    debug WebSocket tests when using proxy PAC
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: dominicc at chromium.org
                CC: ggaren at apple.com, levin at chromium.org,
                    yutak at chromium.org
            Blocks: 67329


When I have a proxy PAC on OS X and run-webkit-tests --debug http/tests/websocket, I get a high rate (~8%) of DRT crashes with the below callstack. Removing proxy configuration PAC results in no DRT crashes. I believe JSC is used to interpret the proxy PAC file, and when it does this it reuses code buffers in different threads. We should verify that this reuse is safe, and if so, change the verifier to not squawk at this.

ASSERTION FAILED: m_verifier.isSafeToUse()
./wtf/RefCounted.h(122) : bool WTF::RefCountedBase::derefBase()
2   0x1002288a4 WTF::RefCountedBase::derefBase()
3   0x1003ac931 WTF::RefCounted<WTF::MetaAllocatorHandle>::deref()
4   0x100217303 void WTF::derefIfNotNull<WTF::MetaAllocatorHandle>(WTF::MetaAllocatorHandle*)
5   0x10021731e WTF::RefPtr<WTF::MetaAllocatorHandle>::~RefPtr()
6   0x1003ac96d JSC::MacroAssemblerCodeRef::~MacroAssemblerCodeRef()
7   0x1002175e3 JSC::JITCode::~JITCode()
8   0x100208244 JSC::CodeBlock::~CodeBlock()
9   0x1002179bf JSC::GlobalCodeBlock::~GlobalCodeBlock()
10  0x1002179f7 JSC::ProgramCodeBlock::~ProgramCodeBlock()
11  0x1002649f0 void WTF::deleteOwnedPtr<JSC::ProgramCodeBlock>(JSC::ProgramCodeBlock*)
12  0x100264a51 WTF::OwnPtr<JSC::ProgramCodeBlock>::clear()
13  0x100261770 JSC::ProgramExecutable::clearCodeVirtual()
14  0x100260262 JSC::ExecutableBase::clearCode(JSC::JSCell*)
15  0x1003bcbde JSC::Heap::FinalizerOwner::finalize(JSC::Handle<JSC::Unknown>, void*)
16  0x10026d1ec JSC::HandleHeap::finalizeWeakHandles()
17  0x1003be777 JSC::Heap::collect(JSC::Heap::SweepToggle)
18  0x1003d0042 JSC::AllocationSpace::allocateSlowCase(JSC::MarkedSpace::SizeClass&)
19  0x1001ca832 JSC::AllocationSpace::allocate(JSC::MarkedSpace::SizeClass&)
20  0x1002021b6 JSC::AllocationSpace::allocate(unsigned long)
21  0x100202223 JSC::Heap::allocate(unsigned long)
22  0x10024c692 void* JSC::allocateCell<JSC::JSFinalObject>(JSC::Heap&)
23  0x10024c6c4 JSC::JSFinalObject::create(JSC::ExecState*, JSC::Structure*)
24  0x1002ac281 JSC::constructEmptyObject(JSC::ExecState*, JSC::Structure*)
25  0x10024c72f JSC::constructEmptyObject(JSC::ExecState*, JSC::JSGlobalObject*)
26  0x1003333e1 JSC::constructEmptyObject(JSC::ExecState*)
27  0x10029bfaa cti_op_new_object
28  0x10029b301 jscGeneratedNativeCode
29  0x1002797f4 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*)
30  0x100273aaf JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
31  0x100205021 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
32  0x1002e6303 JSObjectCallAsFunction
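To show what the failing `m_verifier.isSafeToUse()` check in RefCounted.h is guarding against, here is an added, simplified illustration (my own, not WTF's RefCounted or ThreadRestrictionVerifier code): a non-thread-safe refcount that binds itself to the first thread that refs it and flags a later ref/deref from any other thread, which is the shape of a code-buffer handle being released by a finalizer on a thread other than the one that acquired it. `CodeHandle`, `noteFirstUse` and the violation counter are assumptions for the illustration.

```cpp
#include <atomic>
#include <thread>

// Simplified stand-in for a debug-only thread restriction verifier (assumption: not
// WebKit's code). The first ref() binds the object to the calling thread; any later
// ref()/deref() from another thread is unsafe. WTF asserts there; we count instead.
class ThreadRestrictionVerifier {
public:
    void noteFirstUse() {
        if (!m_bound) { m_owner = std::this_thread::get_id(); m_bound = true; }
    }
    bool isSafeToUse() const { return !m_bound || m_owner == std::this_thread::get_id(); }
private:
    std::thread::id m_owner;
    bool m_bound = false;
};

// Number of cross-thread refcount operations observed (reset by each scenario).
static std::atomic<int> g_violations{0};

// Non-thread-safe refcount (the WTF::RefCounted flavour, not ThreadSafeRefCounted).
class RefCounted {
public:
    RefCounted() : m_refCount(1) {}        // creator holds the first reference
    virtual ~RefCounted() {}
    void ref() { m_verifier.noteFirstUse(); check(); ++m_refCount; }
    void deref() { check(); if (--m_refCount == 0) delete this; }
private:
    void check() { if (!m_verifier.isSafeToUse()) ++g_violations; }
    int m_refCount;
    ThreadRestrictionVerifier m_verifier;
};

struct CodeHandle : RefCounted {};       // hypothetical stand-in for a JIT code buffer handle

// Scenario 1: every ref/deref stays on the thread that first ref'd the handle.
int violationsSameThread() {
    g_violations = 0;
    CodeHandle* h = new CodeHandle;
    h->ref(); h->deref(); h->deref();      // last deref frees it; no violation
    return g_violations;
}

// Scenario 2: handle bound on one thread, a reference dropped on another thread,
// as when a GC finalizer releases a buffer that a different thread acquired.
int violationsCrossThread() {
    g_violations = 0;
    CodeHandle* h = new CodeHandle;
    h->ref();                              // binds h to the calling thread
    std::thread t([h] { h->deref(); });    // deref from another thread: flagged
    t.join();
    h->deref();                            // final deref on the owning thread frees it
    return g_violations;
}
```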
