With some simple use of the JSCore API, I get a crash when calling JSGarbageCollect(). Reduced test case by bdash:

// Put me in test.c
// gcc -o test test.c -framework JavaScriptCore
// Run me against a debug build of JavaScriptCore like so:
// DYLD_FRAMEWORK_PATH=WebKitBuild/Debug DYLD_INSERT_LIBRARIES=/usr/lib/libgmalloc.dylib ./test

#include <JavaScriptCore/JavaScriptCore.h>
#include <stdio.h>

void doIt()
{
    JSClassDefinition definition = kJSClassDefinitionEmpty;
    JSClassRef a, b;
    JSGlobalContextRef global;

    // Class A, then class B whose parentClass is A.
    definition.className = "A";
    a = JSClassCreate(&definition);

    definition = kJSClassDefinitionEmpty;
    definition.className = "B";
    definition.parentClass = a;
    b = JSClassCreate(&definition);

    // The global object is created from B; both classes are released
    // before the collector sweeps that global object.
    global = JSGlobalContextCreate(b);
    JSGlobalContextRelease(global);
    JSClassRelease(b);
    JSClassRelease(a);
    JSGarbageCollect(NULL);
    printf("Done\n");
}

int main(int argc, char **argv)
{
    int i;
    for (i = 0; i < 1000; i++)
        doIt();
    return 0;
}
Backtrace from bdash:

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000b0812fd0
Crashed Thread:  0

Thread 0 Crashed:
0   com.apple.JavaScriptCore   0x002d7df3 KJS::JSCallbackObject<KJS::JSGlobalObject>::~JSCallbackObject() + 57 (JSCallbackObjectFunctions.h:86)
1   com.apple.JavaScriptCore   0x002d7e63 KJS::JSCallbackObject<KJS::JSGlobalObject>::~JSCallbackObject() + 17 (JSCallbackObjectFunctions.h:90)
2   com.apple.JavaScriptCore   0x002a6f70 unsigned long KJS::Collector::sweep<(KJS::Collector::HeapType)0>(bool) + 760 (collector.cpp:883)
3   com.apple.JavaScriptCore   0x00277dee KJS::Collector::collect() + 382 (collector.cpp:963)
4   com.apple.JavaScriptCore   0x002d17b8 JSGarbageCollect + 34 (JSBase.cpp:83)
5   test                       0x00001fba doIt + 192
6   test                       0x00001fe2 main + 20
7   test                       0x00001ece start + 54

And one from me, on Windows:

>	myapp.exe!KJS::JSCallbackObject<KJS::JSGlobalObject>::~JSCallbackObject<KJS::JSGlobalObject>()  Line 105 + 0x7 bytes	C++
 	myapp.exe!KJS::JSCallbackObject<KJS::JSGlobalObject>::`scalar deleting destructor'()  + 0xf bytes	C++
 	myapp.exe!KJS::Collector::sweep<0>(bool currentThreadIsMainThread=false)  Line 883	C++
 	myapp.exe!KJS::Collector::collect()  Line 963 + 0x9 bytes	C++
 	myapp.exe!JSGarbageCollect(const OpaqueJSContext * __formal=0x00000000)  Line 87	C++
 	myapp.exe!myfunction(void * pUserData=0x020d734c, void * pDocument=0x020cfdf8, void * * ppDocumentUserData=0x020d16e4)  Line 271 + 0x7 bytes	C
<rdar://problem/5694270>
A workaround is to do an additional JSGarbageCollect() just before the JSGlobalContextRelease() call. I wonder whether making OpaqueJSClass retain its parentClass would solve the problem.
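To illustrate the ownership idea in the comment above (the class record retaining its parentClass, and the callback object retaining its class), here is an added, simplified refcount model; it is not JavaScriptCore's code, and ModelClass, modelClassCreate/Retain/Release and finalizeAfterReleaseIsSafe are hypothetical names standing in for OpaqueJSClass and the JSClass* API.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an OpaqueJSClass-like record. */
typedef struct ModelClass {
    const char *name;
    int refcount;
    struct ModelClass *parentClass; /* retained, so it outlives every child */
    int *freedCounter;              /* bumped when this record is destroyed */
} ModelClass;

static ModelClass *modelClassRetain(ModelClass *c) { if (c) c->refcount++; return c; }

static void modelClassRelease(ModelClass *c) {
    if (!c || --c->refcount > 0)
        return;
    modelClassRelease(c->parentClass); /* drop the parent only when the child dies */
    (*c->freedCounter)++;
    free(c);
}

static ModelClass *modelClassCreate(const char *name, ModelClass *parent, int *freedCounter) {
    ModelClass *c = calloc(1, sizeof *c);
    if (!c) abort();
    c->name = name;
    c->refcount = 1;
    c->freedCounter = freedCounter;
    c->parentClass = modelClassRetain(parent); /* child keeps its parent alive */
    return c;
}

/* Mirrors the test case's order: create A, create B with parentClass A, release
 * both classes, and only afterwards "sweep" an object that still holds B.
 * Returns 1 if A was still valid through B at sweep time and both records
 * were freed exactly once after the sweep. */
int finalizeAfterReleaseIsSafe(void) {
    int freed = 0;
    ModelClass *a = modelClassCreate("A", NULL, &freed);
    ModelClass *b = modelClassCreate("B", a, &freed);
    ModelClass *objectClass = modelClassRetain(b); /* the callback object's hold on B */

    modelClassRelease(b); /* user releases, as in the test case */
    modelClassRelease(a);

    int parentAlive = freed == 0 && objectClass->parentClass == a && strcmp(a->name, "A") == 0;
    modelClassRelease(objectClass); /* the sweep: now B, then A, actually go away */
    return parentAlive && freed == 2;
}
```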
Works for me in ToT, looks like this has been fixed. Please reopen if you can still repro the problem. cheers, G.