[Webkit-unassigned] [Bug 87723] New: CRASH() in Heap::markRoots

Tue May 29 03:48:30 PDT 2012

https://bugs.webkit.org/show_bug.cgi?id=87723

           Summary: CRASH() in Heap::markRoots
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: luxtella at company100.net

This bug maybe arose between r116279 and r118267.

Heap::markRoots can call indirectly Heap::markRoots again.
It is why CRASH() can be fired in Heap::markRoots's following code.

    if (m_operationInProgress != NoOperation)
        CRASH();

I attached an example callstack.
JSC::Heap::markRoots() at Heap.cpp:428 0x7ffff5a2fe79    
JSC::Heap::collect() at Heap.cpp:683 0x7ffff5a307b5    
JSC::CopiedSpace::getFreshBlock() at CopiedSpace.cpp:240 0x7ffff5a25944    
JSC::CopiedSpace::addNewBlock() at CopiedSpaceInlineMethods.h:107 0x7ffff5a26859    
JSC::CopiedSpace::doneCopying() at CopiedSpace.cpp:226 0x7ffff5a257ed    
JSC::Heap::markRoots() at Heap.cpp:588 0x7ffff5a303ae    
JSC::Heap::collect() at Heap.cpp:683 0x7ffff5a307b5    
JSC::Heap::reportExtraMemoryCostSlowCase() at Heap.cpp:305 0x7ffff5a2f5f6    
JSC::Heap::reportExtraMemoryCost() at Heap.h:322 0x7ffff463ffb3    
WebCore::HTMLImageLoader::notifyFinished() at HTMLImageLoader.cpp:86 0x7ffff4afa6bd    

I tested " http://www.dorothybrowser.com/test/webkitTest/imgdecode/bgimage-png/test.html " using WebKitQt.
If you go into the site and push a back button and push a go button, you can encounter CRASH().

I don't know JSC' GC, so I want for JSC experts to fix it.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.