[Webkit-unassigned] [Bug 98612] New: REGRESSION (r130584): Crashes in JSC::MarkedAllocator::allocateSlowCase, failing fast/dom/gc-dom-tree-lifetime.html

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Oct 7 01:37:11 PDT 2012


https://bugs.webkit.org/show_bug.cgi?id=98612

           Summary: REGRESSION (r130584): Crashes in
                    JSC::MarkedAllocator::allocateSlowCase, failing
                    fast/dom/gc-dom-tree-lifetime.html
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Tools / Tests
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: zandobersek at gmail.com
                CC: ggaren at apple.com, barraclough at apple.com


The following tests started to crash after r130584:
http://trac.webkit.org/changeset/130584

fast/events/drag-link.html
fast/events/crash-on-mutate-during-drop.html
fast/lists/drag-into-marker.html
editing/pasteboard/drag-drop-list.html
editing/pasteboard/drop-link.html
editing/pasteboard/smart-drag-drop.html
editing/pasteboard/subframe-dragndrop-1.html
editing/selection/4895428-1.html
editing/selection/4895428-4.html
editing/selection/contains-boundaries.html
svg/custom/use-animation-in-fill.html
svg/custom/use-multiple-on-nested-disallowed-font.html

The list may not be complete. The tests are mostly crashing on the GTK 64-bit debug builder, but there are crashes on Apple's Lion and MountainLion WK2 Debug builders as well.
Here's the long link to the flakiness dashboard for all these tests:
http://test-results.appspot.com/dashboards/flakiness_dashboard.html#group=%40ToT%20-%20webkit.org&tests=fast%2Fevents%2Fdrag-link.html%20fast%2Fevents%2Fcrash-on-mutate-during-drop.html%20fast%2Flists%2Fdrag-into-marker.html%20editing%2Fpasteboard%2Fdrag-drop-list.html%20editing%2Fpasteboard%2Fdrop-link.html%20editing%2Fpasteboard%2Fsmart-drag-drop.html%20editing%2Fpasteboard%2Fsubframe-dragndrop-1.html%20editing%2Fselection%2F4895428-1.html%20editing%2Fselection%2F4895428-4.html%20editing%2Fselection%2Fcontains-boundaries.html%20svg%2Fcustom%2Fuse-animation-in-fill.html%20svg%2Fcustom%2Fuse-multiple-on-nested-disallowed-font.html

Here's a sample crash log from http://build.webkit.org/results/GTK%20Linux%2064-bit%20Debug/r130593%20(37369)/results.html
Crash log for DumpRenderTree (pid 7407):

...
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Debug/Programs/DumpR'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007fc8b85527a9 in JSC::MarkedAllocator::allocateSlowCase (this=0xd14978, bytes=32) at ../../Source/JavaScriptCore/heap/MarkedAllocator.cpp:73
73        ASSERT(m_heap->globalData()->apiLock().currentThreadIsHoldingLock());

...

Thread 1 (Thread 0x7fc8aa0bd900 (LWP 7407)):
#0  0x00007fc8b85527a9 in JSC::MarkedAllocator::allocateSlowCase (this=0xd14978, bytes=32) at ../../Source/JavaScriptCore/heap/MarkedAllocator.cpp:73
#1  0x00007fc8b46d84aa in JSC::MarkedAllocator::allocate (this=0xd14978, bytes=32) at ../../Source/JavaScriptCore/heap/MarkedAllocator.h:78
#2  0x00007fc8b46d869c in JSC::MarkedSpace::allocateWithNormalDestructor (this=0xd14978, bytes=32) at ../../Source/JavaScriptCore/heap/MarkedSpace.h:224
#3  0x00007fc8b46d871d in JSC::Heap::allocateWithNormalDestructor (this=0xd148b8, bytes=32) at ../../Source/JavaScriptCore/heap/Heap.h:373
#4  0x00007fc8b57708fd in JSC::allocateCell<WebCore::JSHTMLAnchorElement> (heap=..., size=32) at ../../Source/JavaScriptCore/runtime/JSCell.h:328
#5  0x00007fc8b576a78e in JSC::allocateCell<WebCore::JSHTMLAnchorElement> (heap=...) at ../../Source/JavaScriptCore/runtime/JSCell.h:338
#6  0x00007fc8b576670e in WebCore::JSHTMLAnchorElement::create (structure=0x7fc8682934e0, globalObject=0x7fc86823e1a0, impl=...) at DerivedSources/WebCore/JSHTMLAnchorElement.h:36
#7  0x00007fc8b576b9bd in WebCore::createWrapper<WebCore::JSHTMLAnchorElement, WebCore::HTMLAnchorElement> (exec=0x7fc86823e3a8, globalObject=0x7fc86823e1a0, node=0xfa6400) at ../../Source/WebCore/bindings/js/JSDOMBinding.h:164
#8  0x00007fc8b5762166 in WebCore::createHTMLAnchorElementWrapper (exec=0x7fc86823e3a8, globalObject=0x7fc86823e1a0, element=...) at DerivedSources/WebCore/JSHTMLElementWrapperFactory.cpp:227
#9  0x00007fc8b57665d0 in WebCore::createJSHTMLWrapper (exec=0x7fc86823e3a8, globalObject=0x7fc86823e1a0, element=...) at DerivedSources/WebCore/JSHTMLElementWrapperFactory.cpp:822
#10 0x00007fc8b473795a in WebCore::createWrapperInline (exec=0x7fc86823e3a8, globalObject=0x7fc86823e1a0, node=0xfa6400) at ../../Source/WebCore/bindings/js/JSNodeCustom.cpp:218
#11 0x00007fc8b4737b8d in WebCore::createWrapper (exec=0x7fc86823e3a8, globalObject=0x7fc86823e1a0, node=0xfa6400) at ../../Source/WebCore/bindings/js/JSNodeCustom.cpp:268
#12 0x00007fc8b4704012 in WebCore::toJS (exec=0x7fc86823e3a8, globalObject=0x7fc86823e1a0, node=0xfa6400) at ../../Source/WebCore/bindings/js/JSNodeCustom.h:69
#13 0x00007fc8b49a0c57 in WebCore::willCreatePossiblyOrphanedTreeByRemoval (root=0xfa6400) at ../../Source/WebCore/bindings/js/JSNodeCustom.h:88
#14 0x00007fc8b499f8f1 in WebCore::dispatchChildRemovalEvents (child=0xfa6400) at ../../Source/WebCore/dom/ContainerNode.cpp:985
#15 0x00007fc8b499d202 in WebCore::willRemoveChild (child=0xfa6400) at ../../Source/WebCore/dom/ContainerNode.cpp:350
#16 0x00007fc8b499d597 in WebCore::ContainerNode::removeChild (this=0xf7aa10, oldChild=0xfa6400, ec=@0x7fffa1aa1fd4: 0) at ../../Source/WebCore/dom/ContainerNode.cpp:427
#17 0x00007fc8b4b3f9d4 in WebCore::ReplacementFragment::removeNode (this=0x7fffa1aa2240, node=...) at ../../Source/WebCore/editing/ReplaceSelectionCommand.cpp:237
#18 0x00007fc8b4b43a30 in WebCore::ReplaceSelectionCommand::doApply (this=0xf4b5d0) at ../../Source/WebCore/editing/ReplaceSelectionCommand.cpp:962
#19 0x00007fc8b4ad3ae0 in WebCore::CompositeEditCommand::apply (this=0xf4b5d0) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:204
#20 0x00007fc8b4ad37e0 in WebCore::applyCommand (command=...) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:161
#21 0x00007fc8b4f0da89 in WebCore::DragController::concludeEditDrag (this=0x679700, dragData=0x1162600) at ../../Source/WebCore/page/DragController.cpp:513
#22 0x00007fc8b4f0bf23 in WebCore::DragController::performDrag (this=0x679700, dragData=0x1162600) at ../../Source/WebCore/page/DragController.cpp:228
#23 0x00007fc8b45d7301 in webkit_web_view_drag_drop (widget=0x658030, context=0x5f9d10, x=400, y=35, time=0) at ../../Source/WebKit/gtk/webkit/webkitwebview.cpp:1570
#24 0x00007fc8b3c63347 in _gtk_marshal_BOOLEAN__OBJECT_INT_INT_UINT () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgtk-3.so.0
#25 0x00007fc8b3476a7d in g_type_class_meta_marshal () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgobject-2.0.so.0
#26 0x00007fc8b347642d in g_closure_invoke () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgobject-2.0.so.0
#27 0x00007fc8b3493ca0 in signal_emit_unlocked_R () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgobject-2.0.so.0
#28 0x00007fc8b3492e3a in g_signal_emit_valist () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgobject-2.0.so.0
#29 0x00007fc8b349344a in g_signal_emit_by_name () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgobject-2.0.so.0
#30 0x00007fc8b3e1f9c3 in gtk_drag_dest_drop () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgtk-3.so.0
#31 0x00007fc8b3e1ec6d in gtk_drag_find_widget () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgtk-3.so.0
#32 0x00007fc8b3e1e4ca in _gtk_drag_dest_handle_event () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgtk-3.so.0
#33 0x00007fc8b3c60a5a in gtk_main_do_event () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgtk-3.so.0
#34 0x00007fc8b8d070aa in _gdk_event_emit () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgdk-3.so.0
#35 0x00007fc8b8d3b15c in gdk_event_source_dispatch () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgdk-3.so.0
#36 0x00007fc8b336fc91 in g_main_dispatch () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#37 0x00007fc8b3370956 in g_main_context_dispatch () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#38 0x00007fc8b3370b39 in g_main_context_iterate () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#39 0x00007fc8b3370bfd in g_main_context_iteration () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#40 0x00007fc8b3c5ff02 in gtk_main_iteration () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgtk-3.so.0
#41 0x0000000000481992 in dispatchEvent (event=0xdfac50) at ../../Tools/DumpRenderTree/gtk/EventSender.cpp:648
#42 0x0000000000481a3d in replaySavedEvents () at ../../Tools/DumpRenderTree/gtk/EventSender.cpp:663
#43 0x0000000000481812 in sendOrQueueEvent (event=0xdfac50, shouldReplaySavedEvents=true) at ../../Tools/DumpRenderTree/gtk/EventSender.cpp:600
#44 0x00000000004809b2 in mouseUpCallback (context=0x7fc8682a4130, function=0x7fc8681ffae0, thisObject=0x7fc8681ff440, argumentCount=0, arguments=0x7fffa1aa3b38, exception=0x7fffa1aa3bd8) at ../../Tools/DumpRenderTree/gtk/EventSender.cpp:386
#45 0x00007fc8b83a82c4 in JSC::JSCallbackFunction::call (exec=0x7fc8682a4130) at ../../Source/JavaScriptCore/API/JSCallbackFunction.cpp:73
#46 0x00007fc8b85b84bf in JSC::LLInt::handleHostCall (execCallee=0x7fc8682a4130, pc=0x1192890, callee=..., kind=JSC::CodeForCall) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1315
#47 0x00007fc8b85bb2d3 in JSC::LLInt::setUpCall (execCallee=0x7fc8682a4130, pc=0x1192890, kind=JSC::CodeForCall, calleeAsValue=..., callLinkInfo=0x118def8) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1359
#48 0x00007fc8b85bb842 in JSC::LLInt::genericCall (exec=0x7fc8682a40d0, pc=0x1192890, kind=JSC::CodeForCall) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1415
#49 0x00007fc8b85b8a2c in JSC::LLInt::llint_slow_path_call (exec=0x7fc8682a40d0, pc=0x1192890) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1421
#50 0x00007fc8b85bf774 in llint_op_call () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0
#51 0x00007fffa1aa3f90 in ?? ()
#52 0x00007fffa1aa3fc0 in ?? ()
#53 0x0000000000000000 in ?? ()


Another regression of this commit is the failing fast/dom/gc-dom-tree-lifetime.html test on the GTK and Chromium platforms:
http://test-results.appspot.com/dashboards/flakiness_dashboard.html#group=%40ToT%20-%20webkit.org&tests=fast%2Fdom%2Fgc-dom-tree-lifetime.html

The diff shows 6 of these failure messages (the complete diff is too big to paste):
+FAIL <div> objects in a DOM tree are not destructed.

(Taken from http://build.webkit.org/results/GTK%20Linux%2064-bit%20Release/r130591%20(29477)/results.html)
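The assertion at frame #0 of the crash log, `ASSERT(m_heap->globalData()->apiLock().currentThreadIsHoldingLock())`, is a debug-only ownership check: a GC cell may only be allocated by the thread that currently holds the JSC API lock. The backtrace shows that invariant being violated far from the allocator itself: a GTK drop event reaches `ContainerNode::removeChild`, which (via `willCreatePossiblyOrphanedTreeByRemoval` and `toJS`) creates a `JSHTMLAnchorElement` wrapper, and nothing on that path has taken the lock. The following C++ is an added, self-contained model of that check and of the lock-at-the-entry-point pattern that satisfies it; it is not WebKit or JavaScriptCore code, and every name in it (`ApiLock`, `Heap`, `Node`, `dropWithoutLock`, `dropWithLock`) is hypothetical. Where the debug build crashes, the model throws so the outcome can be observed.

```cpp
// Added illustration, not WebKit code. Models the "allocation requires the
// API lock" invariant asserted in JSC::MarkedAllocator::allocateSlowCase.
#include <algorithm>
#include <atomic>
#include <cstddef>
#include <memory>
#include <mutex>
#include <stdexcept>
#include <thread>
#include <vector>

// Recursive lock that remembers which thread owns it, so callers can ask
// "does the current thread hold this?" (the shape of JSC's apiLock check).
class ApiLock {
public:
    void lock() {
        m_mutex.lock();
        if (m_depth++ == 0)               // first acquisition by this thread
            m_owner = std::this_thread::get_id();
    }
    void unlock() {
        if (--m_depth == 0)               // last release: no owner any more
            m_owner = std::thread::id();
        m_mutex.unlock();
    }
    bool currentThreadIsHoldingLock() const {
        return m_owner.load() == std::this_thread::get_id();
    }
private:
    std::recursive_mutex m_mutex;
    std::atomic<std::thread::id> m_owner{std::thread::id()};
    int m_depth = 0;                      // only touched while m_mutex is held
};

// Hypothetical heap: every cell allocation re-checks the lock invariant,
// mirroring the ASSERT at MarkedAllocator.cpp:73 in the crash log.
struct Heap {
    ApiLock apiLock;
    std::vector<std::unique_ptr<unsigned char[]>> cells;

    void* allocate(std::size_t bytes) {
        if (!apiLock.currentThreadIsHoldingLock())
            throw std::logic_error("GC cell allocated without holding the API lock");
        cells.emplace_back(new unsigned char[bytes]());
        return cells.back().get();
    }
};

// Hypothetical DOM node with a lazily created JS wrapper (as toJS(node) does).
struct Node {
    void* jsWrapper = nullptr;
    std::vector<Node*> children;
};

// Model of willCreatePossiblyOrphanedTreeByRemoval -> toJS -> createWrapper:
// detaching a subtree forces a wrapper for its root, which is a GC allocation.
void willRemoveChild(Heap& heap, Node& child) {
    if (!child.jsWrapper)
        child.jsWrapper = heap.allocate(32);  // 32 bytes, as in the crash log
}

void removeChild(Heap& heap, Node& parent, Node& child) {
    willRemoveChild(heap, child);             // allocates before the tree changes
    auto& kids = parent.children;
    kids.erase(std::remove(kids.begin(), kids.end(), &child), kids.end());
}

// The failing shape from the backtrace: a platform drop handler mutates the
// DOM without anyone on the call path having taken the API lock.
bool dropWithoutLock(Heap& heap, Node& parent, Node& child) {
    try { removeChild(heap, parent, child); return true; }
    catch (const std::logic_error&) { return false; }   // the ASSERT would fire here
}

// The pattern that satisfies the invariant: take the lock once, at the entry
// point that may touch the JS heap, so every nested allocation sees it held.
bool dropWithLock(Heap& heap, Node& parent, Node& child) {
    std::lock_guard<ApiLock> holder(heap.apiLock);      // RAII, released on any exit
    try { removeChild(heap, parent, child); return true; }
    catch (const std::logic_error&) { return false; }
}

int main() {
    Heap heap;
    Node parent, child;
    parent.children.push_back(&child);
    bool unlockedOk = dropWithoutLock(heap, parent, child);  // false: check trips
    bool lockedOk = dropWithLock(heap, parent, child);       // true: wrapper created
    return (unlockedOk || !lockedOk) ? 1 : 0;
}
```

The point of placing the check inside the allocator rather than at the DOM entry points is coverage: any new caller that reaches the heap without the lock, as the drag-and-drop path did after r130584, is caught on the first allocation instead of surfacing later as memory corruption from two threads mutating the heap.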
