[Webkit-unassigned] [Bug 68220] REGRESSION: Reproducible crash below SlotVisitor::harvestWeakReferences using Domino's online ordering

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Sep 15 23:41:26 PDT 2011

https://bugs.webkit.org/show_bug.cgi?id=68220

--- Comment #2 from Mark Rowe (bdash) <mrowe at apple.com>  2011-09-15 23:41:26 PST ---
In a debug build I hit an assertion failure when following the same steps:


Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000000bbadbeef
0x000000010429797c in WTF::Vector<JSC::ValueProfile, 8ul>::at (this=0x7f80e834d138, i=0) at Vector.h:537
537                ASSERT(i < size());
(gdb) bt 10
#0  0x000000010429797c in WTF::Vector<JSC::ValueProfile, 8ul>::at (this=0x7f80e834d138, i=0) at Vector.h:537
#1  0x00000001042978bd in WTF::Vector<JSC::ValueProfile, 8ul>::operator[] (this=0x7f80e834d138, i=0) at Vector.h:546
#2  0x000000010429785c in WTF::SegmentedVector<JSC::ValueProfile, 8ul>::at (this=0x7f80e834d130, index=0) at SegmentedVector.h:124
#3  0x000000010429780d in WTF::SegmentedVector<JSC::ValueProfile, 8ul>::operator[] (this=0x7f80e834d130, index=0) at SegmentedVector.h:130
#4  0x000000010428e673 in JSC::CodeBlock::valueProfile (this=0x7f80e834d000, index=0) at CodeBlock.h:455
#5  0x000000010428b928 in JSC::CodeBlock::visitWeakReferences (this=0x7f80e834d000) at JavaScriptCore/bytecode/CodeBlock.cpp:1608
#6  0x00000001044d4f91 in JSC::SlotVisitor::harvestWeakReferences (this=0x7f80e4060ce0) at JavaScriptCore/heap/MarkStack.cpp:146
#7  0x00000001044dbddc in JSC::Heap::harvestWeakReferences (this=0x7f80e40608d8) at JavaScriptCore/heap/Heap.cpp:518
#8  0x00000001044dc38b in JSC::Heap::markRoots (this=0x7f80e40608d8) at JavaScriptCore/heap/Heap.cpp:589
#9  0x00000001044db7d9 in JSC::Heap::collect (this=0x7f80e40608d8, sweepToggle=JSC::Heap::DoSweep) at JavaScriptCore/heap/Heap.cpp:674

A little poking around shows:
(gdb) up
#2  0x000000010429785c in WTF::SegmentedVector<JSC::ValueProfile, 8ul>::at (this=0x7f80e834d130, index=0) at SegmentedVector.h:124
124                    return m_inlineSegment[index];
(gdb) list
119            bool isEmpty() const { return !size(); }
120    
121            T& at(size_t index)
122            {
123                if (index < SegmentSize)
124                    return m_inlineSegment[index];
125                return segmentFor(index)->at(subscriptFor(index));
126            }
127    
128            T& operator[](size_t index)
(gdb) print index
$7 = 0
(gdb) print m_inlineSegment.m_size
$8 = 0
(gdb) print m_segments.m_size
$9 = 0
(gdb) print m_size
$10 = 1

Something is shady about that SegmentedVector!

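Added example, not part of the bug report and not WebKit's own code: a simplified segmented vector modeled on the at() logic in the listing above (the first SegmentSize elements sit in an inline segment, later ones in separately allocated segments of SegmentSize entries). The class name SimpleSegmentedVector and the methods checkedAt, isConsistent and setSizeForDemo are this example's own, and its segment bookkeeping is simpler than WebKit's. It adds the invariant a practitioner would want checked here, that m_size equals the number of elements the segments actually hold, and reproduces the debugger state (m_size = 1, empty inline segment, no overflow segments) with constructed values to show why index 0 has nothing valid behind it.

```cpp
// Added example (not WebKit code): a simplified segmented vector modeled on
// the at() logic shown in the gdb listing, with an invariant check that the
// element count matches the storage that is actually present.
#include <cstddef>
#include <vector>

template <typename T, size_t SegmentSize>
class SimpleSegmentedVector {
public:
    size_t size() const { return m_size; }

    // The first SegmentSize elements live in the inline segment; every later
    // element lives in a separately allocated segment of SegmentSize entries.
    // (WebKit's real bookkeeping differs in detail; this is the simplest
    // layout that matches the at() shown in the listing.)
    void append(const T& value)
    {
        if (m_size < SegmentSize)
            m_inlineSegment.push_back(value);
        else {
            size_t overflowIndex = m_size - SegmentSize;
            if (overflowIndex % SegmentSize == 0)
                m_segments.push_back(std::vector<T>());
            m_segments.back().push_back(value);
        }
        ++m_size;
    }

    // Bounds-checked lookup: returns nullptr instead of reading storage that
    // the logical size claims exists but no segment actually holds.
    T* checkedAt(size_t index)
    {
        if (index >= m_size)
            return nullptr;
        if (index < SegmentSize) {
            if (index >= m_inlineSegment.size())
                return nullptr; // m_size says the element exists; the inline segment disagrees
            return &m_inlineSegment[index];
        }
        size_t segment = (index - SegmentSize) / SegmentSize;
        size_t subscript = (index - SegmentSize) % SegmentSize;
        if (segment >= m_segments.size() || subscript >= m_segments[segment].size())
            return nullptr;
        return &m_segments[segment][subscript];
    }

    // Invariant: m_size must equal the number of elements the segments hold.
    bool isConsistent() const
    {
        size_t stored = m_inlineSegment.size();
        for (const std::vector<T>& segment : m_segments)
            stored += segment.size();
        return stored == m_size;
    }

    // Demo hook only (hypothetical): forces the logical size without touching
    // any segment, reproducing the state printed in the debugger session.
    void setSizeForDemo(size_t bogusSize) { m_size = bogusSize; }

private:
    std::vector<T> m_inlineSegment;
    std::vector<std::vector<T>> m_segments;
    size_t m_size = 0;
};

// Constructed state matching the gdb output: m_size = 1, empty inline
// segment, no overflow segments. The invariant fails and index 0 has no
// backing element, which is what ASSERT(i < size()) caught in the debug build.
bool inconsistentStateIsDetected()
{
    SimpleSegmentedVector<int, 8> v;
    v.setSizeForDemo(1);
    return !v.isConsistent() && v.checkedAt(0) == nullptr;
}

// Sanity check on a properly built vector that spills past the inline segment.
bool consistentVectorIndexesCorrectly()
{
    SimpleSegmentedVector<int, 8> v;
    for (int i = 0; i < 20; ++i)
        v.append(i * 10);
    return v.isConsistent() && v.size() == 20
        && *v.checkedAt(0) == 0 && *v.checkedAt(7) == 70
        && *v.checkedAt(8) == 80 && *v.checkedAt(19) == 190
        && v.checkedAt(20) == nullptr;
}
```

In a release build WTF's ASSERT compiles out, so the same state would hand back a reference to whatever sits at index 0 of the empty inline segment and the GC would keep going on garbage; a checked accessor or an invariant assertion at the point of use (before reading a ValueProfile during weak-reference harvesting) turns that silent bad read into a clean failure that points at the corrupted container rather than at its eventual victim.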