[Webkit-unassigned] [Bug 71045] Crash in JSC::Structure::materializePropertyMap when viewing Garden-O-Matic

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Oct 27 13:40:32 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=71045





--- Comment #4 from Filip Pizlo <fpizlo at apple.com>  2011-10-27 13:40:32 PST ---
This looks like continued sloppiness in JSC::Structure's management of the property table.  It sometimes creates structures marked pinned (meaning that they have a property table) but then never creates the property table.

I don't see a good testing strategy to repro this particular case, because the garden-o-matic code seems to only trigger the bug by happening to run code in such an order, and with such frequency, that tiered compilation ends up accidentally poking and prodding JSC::Structure at just the right times to get this to appear.

On the other hand, if I add a simple assertion in a few places that says "if you're pinned you must have a property table", then I can get JavaScriptCore to crash while allocating a JSDOMWindowShell.  I'm slowly prodding along now, making sure that all of the places that pin structures also force an allocation of the property table...  Thereafter, so long as nobody removes my assertions, any regressions should be detectable when you try to run any script.

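The invariant the comment describes ("pinned implies a property table exists") and the two-part fix (assert it everywhere the state is touched, and make the pin operation itself allocate the table) can be illustrated with a small constructed model. The following C++ is an added example, not WebKit's code and not JSC::Structure's real interface; the names Structure, PropertyTable, pinWithoutTable, pin, materializePropertyTable and invariantHolds are all hypothetical.

```cpp
#include <cassert>
#include <map>
#include <memory>
#include <string>

// Constructed stand-in for a property table: property name -> slot offset.
struct PropertyTable {
    std::map<std::string, unsigned> offsets;
};

// Constructed model of a structure with an optional property table and a
// "pinned" flag. Invariant under discussion: pinned => table is non-null.
class Structure {
public:
    bool isPinned() const { return m_pinned; }
    bool hasPropertyTable() const { return m_table != nullptr; }

    // Buggy pattern: set the flag and never allocate the table.
    // Any later consumer that trusts the flag dereferences a null table.
    void pinWithoutTable() { m_pinned = true; }

    // Fixed pattern: pinning forces the table into existence first,
    // then re-checks the invariant before returning.
    void pin() {
        materializePropertyTable();
        m_pinned = true;
        checkInvariant();
    }

    // Allocate the table if it does not exist yet; idempotent.
    void materializePropertyTable() {
        if (!m_table)
            m_table = std::make_unique<PropertyTable>();
    }

    // Adding a property needs a real table, so it materializes one.
    void addProperty(const std::string& name) {
        materializePropertyTable();
        m_table->offsets.emplace(name, static_cast<unsigned>(m_table->offsets.size()));
        checkInvariant();
    }

    // Consumer that used to crash when pinned with a missing table.
    // Written defensively: it never dereferences a null table.
    std::size_t propertyCount() const {
        return m_table ? m_table->offsets.size() : 0;
    }

    // The cheap check the comment proposes sprinkling wherever the flag or
    // the table is modified: false means a regression has been introduced.
    bool invariantHolds() const { return !m_pinned || m_table != nullptr; }

    // Debug-build assertion wrapper around the same check.
    void checkInvariant() const { assert(invariantHolds()); }

private:
    bool m_pinned = false;
    std::unique_ptr<PropertyTable> m_table;
};

// Builds one structure each way and reports whether the buggy path
// violates the invariant while the fixed path preserves it.
bool fixedPathPreservesInvariant() {
    Structure buggy;
    buggy.pinWithoutTable();          // flag set, table still null

    Structure fixed;
    fixed.pin();                      // table allocated before flag is set
    fixed.addProperty("x");

    return !buggy.invariantHolds() && fixed.invariantHolds()
        && fixed.hasPropertyTable() && fixed.propertyCount() == 1;
}
```

The point of separating invariantHolds() from checkInvariant() is that the predicate can be evaluated in tests (and in release builds, if desired) without aborting, while the assertion form gives the "crash early at the first violating site" behaviour the comment relies on to catch regressions on any script run.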