166034 2016-12-19 13:51:20 -0800 Web Inspector: Assertion seen in InspectorDebuggerAgent::refAsyncCallData with Inspector open 2016-12-19 14:45:46 -0800 1 1 1 Unclassified WebKit Web Inspector WebKit Nightly Build All All RESOLVED FIXED InRadar P2 Normal --- 1 joepeck joepeck commit-queue inspector-bugzilla-changes joepeck keith_miller mark.lam msaboff saam oldest_to_newest 1261197 0 joepeck 2016-12-19 13:51:20 -0800 Summary: Assertion seen in InspectorDebuggerAgent::refAsyncCallData with Inspector open Test: <script> interval = setTimeout(() => { clearInterval(interval); setTimeout(() => {}, 0); }, 0); </script> Steps to Reproduce: 1. Inspect test page with Debug build 2. Reload => ASSERT Assert: Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x00000000bbadbeef Exception Note: EXC_CORPSE_NOTIFY Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x0000000106c834c4 WTFCrash + 36 (Assertions.cpp:323) 1 com.apple.JavaScriptCore 0x00000001065e0290 Inspector::InspectorDebuggerAgent::refAsyncCallData(std::__1::pair<int, int> const&) + 192 (InspectorDebuggerAgent.cpp:1145) 2 com.apple.JavaScriptCore 0x00000001065e0057 Inspector::InspectorDebuggerAgent::didScheduleAsyncCall(JSC::ExecState*, int, int, bool) + 391 (InspectorDebuggerAgent.cpp:272) 3 com.apple.WebCore 0x000000010b530a8f WebCore::didScheduleAsyncCall(WebCore::InstrumentingAgents&, WebCore::AsyncCallType, int, WebCore::ScriptExecutionContext&, bool) + 111 (InspectorInstrumentation.cpp:106) 4 com.apple.WebCore 0x000000010b530954 WebCore::InspectorInstrumentation::didInstallTimerImpl(WebCore::InstrumentingAgents&, int, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000l> >, bool, WebCore::ScriptExecutionContext&) + 116 (InspectorInstrumentation.cpp:344) 5 com.apple.WebCore 0x000000010ad20404 WebCore::InspectorInstrumentation::didInstallTimer(WebCore::ScriptExecutionContext&, int, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000l> >, bool) + 116 (InspectorInstrumentation.h:650) 6 com.apple.WebCore 0x000000010ad20314 WebCore::DOMTimer::install(WebCore::ScriptExecutionContext&, std::__1::unique_ptr<WebCore::ScheduledAction, std::__1::default_delete<WebCore::ScheduledAction> >, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000l> >, bool) + 788 (DOMTimer.cpp:224) 7 com.apple.WebCore 0x000000010ad36d1f WebCore::DOMWindow::setTimeout(std::__1::unique_ptr<WebCore::ScheduledAction, std::__1::default_delete<WebCore::ScheduledAction> >, int) + 671 (DOMWindow.cpp:1670) 8 com.apple.WebCore 0x000000010b895e5b WebCore::JSDOMWindow::setTimeout(JSC::ExecState&) + 1131 (JSDOMWindowCustom.cpp:501) 9 com.apple.WebCore 0x000000010b88d4a9 WebCore::jsDOMWindowInstanceFunctionSetTimeoutCaller(JSC::ExecState*, WebCore::JSDOMWindow*, JSC::ThrowScope&) + 105 (JSDOMWindow.cpp:30532) 10 com.apple.WebCore 0x000000010b84fd68 long long WebCore::BindingCaller<WebCore::JSDOMWindow>::callOperation<&(WebCore::jsDOMWindowInstanceFunctionSetTimeoutCaller(JSC::ExecState*, WebCore::JSDOMWindow*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, char const*) + 632 (JSDOMBinding.h:363) 11 com.apple.WebCore 0x000000010b84fadc WebCore::jsDOMWindowInstanceFunctionSetTimeout(JSC::ExecState*) + 28 (JSDOMWindow.cpp:30523) ... Notes: void InspectorDebuggerAgent::refAsyncCallData(const AsyncCallIdentifier& identifier) { auto iterator = m_asyncCallIdentifierToData.find(identifier); ASSERT(iterator != m_asyncCallIdentifierToData.end()); // <--- if (iterator == m_asyncCallIdentifierToData.end()) return; iterator->value.referenceCount++; } 1261198 1 joepeck 2016-12-19 13:51:32 -0800 <rdar://problem/29554366> 1261199 2 297475 joepeck 2016-12-19 13:54:59 -0800 Created attachment 297475 [PATCH] Proposed Fix 1261210 3 297475 bburg 2016-12-19 14:20:15 -0800 Comment on attachment 297475 [PATCH] Proposed Fix View in context: https://bugs.webkit.org/attachment.cgi?id=297475&action=review rs=me > Source/JavaScriptCore/ChangeLog:13 > + no async data was found for the given identifier. It would be nice to add a reduced test case to LayoutTests so that this doesn't regress for some other reason when we change this code. 1261211 4 297475 bburg 2016-12-19 14:20:32 -0800 Comment on attachment 297475 [PATCH] Proposed Fix View in context: https://bugs.webkit.org/attachment.cgi?id=297475&action=review rs=me >> Source/JavaScriptCore/ChangeLog:13 >> + no async data was found for the given identifier. > > It would be nice to add a reduced test case to LayoutTests so that this doesn't regress for some other reason when we change this code. It would be nice to add a reduced test case to LayoutTests so that this doesn't regress for some other reason when we change this code. 1261219 5 297475 commit-queue 2016-12-19 14:45:42 -0800 Comment on attachment 297475 [PATCH] Proposed Fix Clearing flags on attachment: 297475 Committed r209998: <http://trac.webkit.org/changeset/209998> 1261220 6 commit-queue 2016-12-19 14:45:46 -0800 All reviewed patches have been landed. Closing bug. 297475 2016-12-19 13:54:59 -0800 2016-12-19 14:45:42 -0800 [PATCH] Proposed Fix remove-assert-1.patch text/plain 1659 joepeck ZGlmZiAtLWdpdCBhL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cgYi9Tb3VyY2UvSmF2 YVNjcmlwdENvcmUvQ2hhbmdlTG9nCmluZGV4IGVmNTUxOTMuLmVlYTZlODQgMTAwNjQ0Ci0tLSBh L1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKKysrIGIvU291cmNlL0phdmFTY3JpcHRD b3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE3IEBACisyMDE2LTEyLTE5ICBKb3NlcGggUGVjb3Jh cm8gIDxwZWNvcmFyb0BhcHBsZS5jb20+CisKKyAgICAgICAgV2ViIEluc3BlY3RvcjogQXNzZXJ0 aW9uIHNlZW4gaW4gSW5zcGVjdG9yRGVidWdnZXJBZ2VudDo6cmVmQXN5bmNDYWxsRGF0YSB3aXRo IEluc3BlY3RvciBvcGVuCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVn LmNnaT9pZD0xNjYwMzQKKyAgICAgICAgPHJkYXI6Ly9wcm9ibGVtLzI5NTU0MzY2PgorCisgICAg ICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgICogaW5zcGVjdG9yL2Fn ZW50cy9JbnNwZWN0b3JEZWJ1Z2dlckFnZW50LmNwcDoKKyAgICAgICAgKEluc3BlY3Rvcjo6SW5z cGVjdG9yRGVidWdnZXJBZ2VudDo6cmVmQXN5bmNDYWxsRGF0YSk6CisgICAgICAgIFJlbW92ZSBh c3NlcnRpb24uIFRoaXMgYXNzZXJ0IGNhbiBoYXBwZW4gaWYgdGhlIGN1cnJlbnRseSBleGVjdXRp bmcgY2FsbGJhY2sKKyAgICAgICAgd2FzIGp1c3QgZXhwbGljaXRseSBjYW5jZWxsZWQgYnkgc2Ny aXB0LiBFeGlzdGluZyBjb2RlIGFscmVhZHkgaGFuZGxlcyBpZgorICAgICAgICBubyBhc3luYyBk YXRhIHdhcyBmb3VuZCBmb3IgdGhlIGdpdmVuIGlkZW50aWZpZXIuCisKIDIwMTYtMTItMTggIFNh YW0gQmFyYXRpICA8c2JhcmF0aUBhcHBsZS5jb20+CiAKICAgICAgICAgV2ViQXNzZW1ibHk6IElt cGxlbWVudCB0aGUgV2ViQXNzZW1ibHkuY29tcGlsZSBhbmQgV2ViQXNzZW1ibHkudmFsaWRhdGUK ZGlmZiAtLWdpdCBhL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9pbnNwZWN0b3IvYWdlbnRzL0luc3Bl Y3RvckRlYnVnZ2VyQWdlbnQuY3BwIGIvU291cmNlL0phdmFTY3JpcHRDb3JlL2luc3BlY3Rvci9h Z2VudHMvSW5zcGVjdG9yRGVidWdnZXJBZ2VudC5jcHAKaW5kZXggYWNkOTk2NS4uYWJmYjE3NCAx MDA2NDQKLS0tIGEvU291cmNlL0phdmFTY3JpcHRDb3JlL2luc3BlY3Rvci9hZ2VudHMvSW5zcGVj dG9yRGVidWdnZXJBZ2VudC5jcHAKKysrIGIvU291cmNlL0phdmFTY3JpcHRDb3JlL2luc3BlY3Rv ci9hZ2VudHMvSW5zcGVjdG9yRGVidWdnZXJBZ2VudC5jcHAKQEAgLTExNDIsNyArMTE0Miw2IEBA IHZvaWQgSW5zcGVjdG9yRGVidWdnZXJBZ2VudDo6Y2xlYXJBc3luY1N0YWNrVHJhY2VEYXRhKCkK IHZvaWQgSW5zcGVjdG9yRGVidWdnZXJBZ2VudDo6cmVmQXN5bmNDYWxsRGF0YShjb25zdCBBc3lu Y0NhbGxJZGVudGlmaWVyJiBpZGVudGlmaWVyKQogewogICAgIGF1dG8gaXRlcmF0b3IgPSBtX2Fz eW5jQ2FsbElkZW50aWZpZXJUb0RhdGEuZmluZChpZGVudGlmaWVyKTsKLSAgICBBU1NFUlQoaXRl cmF0b3IgIT0gbV9hc3luY0NhbGxJZGVudGlmaWVyVG9EYXRhLmVuZCgpKTsKICAgICBpZiAoaXRl cmF0b3IgPT0gbV9hc3luY0NhbGxJZGVudGlmaWVyVG9EYXRhLmVuZCgpKQogICAgICAgICByZXR1 cm47CiAK