167322 2017-01-23 13:51:24 -0800 ObjCCallbackFunction::destroy() should not use jsCast(). 2017-05-16 16:51:06 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Local Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 mark.lam mark.lam ap fpizlo ggaren jfbastien keith_miller msaboff ryanhaddad saam oldest_to_newest 1269176 0 mark.lam 2017-01-23 13:51:24 -0800 testapi is failing on this assertion (with a debug build, of course) on every run for me, and on almost every run on the bots. The assertion was added recently by Fil on Jan 17, 2017 for r210829. The assertion stack trace: 2017-01-23 13:45:03.013196-0800 testapi[93369:25981002] /Volumes/Data/ws3/OpenSource/Source/JavaScriptCore/runtime/JSCellInlines.h(287) : const JSC::ClassInfo *JSC::JSCell::classInfo() const /Volumes/Data/ws3/OpenSource/Source/JavaScriptCore/runtime/JSCellInlines.h(287) : const JSC::ClassInfo *JSC::JSCell::classInfo() const 2017-01-23 13:45:03.014399-0800 testapi[93369:25981002] 1 0x1014d93bd WTFCrash 1 0x1014d93bd WTFCrash 2017-01-23 13:45:03.015235-0800 testapi[93369:25981002] 2 0x100100936 JSC::JSCell::classInfo() const 2 0x100100936 JSC::JSCell::classInfo() const 2017-01-23 13:45:03.015992-0800 testapi[93369:25981002] 3 0x1000f7a09 JSC::JSCell::inherits(JSC::ClassInfo const*) const 3 0x1000f7a09 JSC::JSCell::inherits(JSC::ClassInfo const*) const 2017-01-23 13:45:03.016879-0800 testapi[93369:25981002] 4 0x101127c30 JSC::ObjCCallbackFunction* JSC::jsCast<JSC::ObjCCallbackFunction*, JSC::JSCell>(JSC::JSCell*) 4 0x101127c30 JSC::ObjCCallbackFunction* JSC::jsCast<JSC::ObjCCallbackFunction*, JSC::JSCell>(JSC::JSCell*) 2017-01-23 13:45:03.017770-0800 testapi[93369:25981002] 5 0x101126d15 JSC::ObjCCallbackFunction::destroy(JSC::JSCell*) 5 0x101126d15 JSC::ObjCCallbackFunction::destroy(JSC::JSCell*) 2017-01-23 13:45:03.018760-0800 testapi[93369:25981002] 6 0x100bc3f0a JSC::(anonymous namespace)::DestroyFunc::operator()(JSC::VM&, JSC::JSCell*) const 6 0x100bc3f0a JSC::(anonymous namespace)::DestroyFunc::operator()(JSC::VM&, JSC::JSCell*) const 2017-01-23 13:45:03.019615-0800 testapi[93369:25981002] 7 0x100bc5a25 JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<false, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)0, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)0, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&)::'lambda'(unsigned long)::operator()(unsigned long) const 7 0x100bc5a25 JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<false, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)0, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)0, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&)::'lambda'(unsigned long)::operator()(unsigned long) const 2017-01-23 13:45:03.020479-0800 testapi[93369:25981002] 8 0x100bc4515 JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<false, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)0, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)0, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&) 8 0x100bc4515 JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<false, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)0, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)0, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&) 2017-01-23 13:45:03.021301-0800 testapi[93369:25981002] 9 0x100bc3e8f JSC::FreeList JSC::MarkedBlock::Handle::finishSweepKnowingSubspace<JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::SweepMode, JSC::(anonymous namespace)::DestroyFunc const&) 9 0x100bc3e8f JSC::FreeList JSC::MarkedBlock::Handle::finishSweepKnowingSubspace<JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::SweepMode, JSC::(anonymous namespace)::DestroyFunc const&) 2017-01-23 13:45:03.022104-0800 testapi[93369:25981002] 10 0x100bc3d0d JSC::JSDestructibleObjectSubspace::finishSweep(JSC::MarkedBlock::Handle&, JSC::MarkedBlock::Handle::SweepMode) 10 0x100bc3d0d JSC::JSDestructibleObjectSubspace::finishSweep(JSC::MarkedBlock::Handle&, JSC::MarkedBlock::Handle::SweepMode) 2017-01-23 13:45:03.022961-0800 testapi[93369:25981002] 11 0x1010d6863 JSC::MarkedBlock::Handle::sweep(JSC::MarkedBlock::Handle::SweepMode) 11 0x1010d6863 JSC::MarkedBlock::Handle::sweep(JSC::MarkedBlock::Handle::SweepMode) 2017-01-23 13:45:03.023811-0800 testapi[93369:25981002] 12 0x1010d6592 JSC::MarkedBlock::Handle::lastChanceToFinalize() 12 0x1010d6592 JSC::MarkedBlock::Handle::lastChanceToFinalize() 2017-01-23 13:45:03.024680-0800 testapi[93369:25981002] 13 0x1010d5049 JSC::MarkedAllocator::lastChanceToFinalize()::$_4::operator()(JSC::MarkedBlock::Handle*) const 13 0x1010d5049 JSC::MarkedAllocator::lastChanceToFinalize()::$_4::operator()(JSC::MarkedBlock::Handle*) const 2017-01-23 13:45:03.025525-0800 testapi[93369:25981002] 14 0x1010d501b void JSC::MarkedAllocator::forEachBlock<JSC::MarkedAllocator::lastChanceToFinalize()::$_4>(JSC::MarkedAllocator::lastChanceToFinalize()::$_4 const&)::'lambda'(unsigned long)::operator()(unsigned long) const 14 0x1010d501b void JSC::MarkedAllocator::forEachBlock<JSC::MarkedAllocator::lastChanceToFinalize()::$_4>(JSC::MarkedAllocator::lastChanceToFinalize()::$_4 const&)::'lambda'(unsigned long)::operator()(unsigned long) const 2017-01-23 13:45:03.026398-0800 testapi[93369:25981002] 15 0x1010d4f9c void WTF::FastBitVectorImpl<WTF::FastBitVectorWordOwner>::forEachSetBit<void JSC::MarkedAllocator::forEachBlock<JSC::MarkedAllocator::lastChanceToFinalize()::$_4>(JSC::MarkedAllocator::lastChanceToFinalize()::$_4 const&)::'lambda'(unsigned long)>(JSC::MarkedAllocator::lastChanceToFinalize()::$_4 const&) const 15 0x1010d4f9c void WTF::FastBitVectorImpl<WTF::FastBitVectorWordOwner>::forEachSetBit<void JSC::MarkedAllocator::forEachBlock<JSC::MarkedAllocator::lastChanceToFinalize()::$_4>(JSC::MarkedAllocator::lastChanceToFinalize()::$_4 const&)::'lambda'(unsigned long)>(JSC::MarkedAllocator::lastChanceToFinalize()::$_4 const&) const 2017-01-23 13:45:03.027271-0800 testapi[93369:25981002] 16 0x1010d32c3 void JSC::MarkedAllocator::forEachBlock<JSC::MarkedAllocator::lastChanceToFinalize()::$_4>(JSC::MarkedAllocator::lastChanceToFinalize()::$_4 const&) 16 0x1010d32c3 void JSC::MarkedAllocator::forEachBlock<JSC::MarkedAllocator::lastChanceToFinalize()::$_4>(JSC::MarkedAllocator::lastChanceToFinalize()::$_4 const&) 2017-01-23 13:45:03.028136-0800 testapi[93369:25981002] 17 0x1010d3289 JSC::MarkedAllocator::lastChanceToFinalize() 17 0x1010d3289 JSC::MarkedAllocator::lastChanceToFinalize() 2017-01-23 13:45:03.029007-0800 testapi[93369:25981002] 18 0x1010e1389 JSC::MarkedSpace::lastChanceToFinalize()::$_2::operator()(JSC::MarkedAllocator&) const 18 0x1010e1389 JSC::MarkedSpace::lastChanceToFinalize()::$_2::operator()(JSC::MarkedAllocator&) const 2017-01-23 13:45:03.029892-0800 testapi[93369:25981002] 19 0x1010dba67 void JSC::MarkedSpace::forEachAllocator<JSC::MarkedSpace::lastChanceToFinalize()::$_2>(JSC::MarkedSpace::lastChanceToFinalize()::$_2 const&) 19 0x1010dba67 void JSC::MarkedSpace::forEachAllocator<JSC::MarkedSpace::lastChanceToFinalize()::$_2>(JSC::MarkedSpace::lastChanceToFinalize()::$_2 const&) 2017-01-23 13:45:03.030768-0800 testapi[93369:25981002] 20 0x1010db9cd JSC::MarkedSpace::lastChanceToFinalize() 20 0x1010db9cd JSC::MarkedSpace::lastChanceToFinalize() 2017-01-23 13:45:03.031612-0800 testapi[93369:25981002] 21 0x100d6b278 JSC::Heap::lastChanceToFinalize() 21 0x100d6b278 JSC::Heap::lastChanceToFinalize() 2017-01-23 13:45:03.032489-0800 testapi[93369:25981002] 22 0x1013b0d52 JSC::VM::~VM() 22 0x1013b0d52 JSC::VM::~VM() 2017-01-23 13:45:03.033342-0800 testapi[93369:25981002] 23 0x1013b2a65 JSC::VM::~VM() 23 0x1013b2a65 JSC::VM::~VM() 2017-01-23 13:45:03.034215-0800 testapi[93369:25981002] 24 0x100da5fd7 WTF::ThreadSafeRefCounted<JSC::VM>::deref() const 24 0x100da5fd7 WTF::ThreadSafeRefCounted<JSC::VM>::deref() const 2017-01-23 13:45:03.035012-0800 testapi[93369:25981002] 25 0x100da5f81 void WTF::derefIfNotNull<JSC::VM>(JSC::VM*) 25 0x100da5f81 void WTF::derefIfNotNull<JSC::VM>(JSC::VM*) 2017-01-23 13:45:03.035845-0800 testapi[93369:25981002] 26 0x100fa145b WTF::RefPtr<JSC::VM>::operator=(std::nullptr_t) 26 0x100fa145b WTF::RefPtr<JSC::VM>::operator=(std::nullptr_t) 2017-01-23 13:45:03.036692-0800 testapi[93369:25981002] 27 0x100fb1d5a JSC::JSLockHolder::~JSLockHolder() 27 0x100fb1d5a JSC::JSLockHolder::~JSLockHolder() 2017-01-23 13:45:03.037527-0800 testapi[93369:25981002] 28 0x100fb1dd5 JSC::JSLockHolder::~JSLockHolder() 28 0x100fb1dd5 JSC::JSLockHolder::~JSLockHolder() 2017-01-23 13:45:03.038356-0800 testapi[93369:25981002] 29 0x100f43d2b JSContextGroupRelease 29 0x100f43d2b JSContextGroupRelease 2017-01-23 13:45:03.039223-0800 testapi[93369:25981002] 30 0x101056584 -[JSVirtualMachine dealloc] 30 0x101056584 -[JSVirtualMachine dealloc] 2017-01-23 13:45:03.040088-0800 testapi[93369:25981002] 31 0x100f42456 -[JSContext dealloc] 31 0x100f42456 -[JSContext dealloc] 1269177 1 fpizlo 2017-01-23 13:59:01 -0800 Looks like another jsCast that should be a static_cast. 1269191 2 299541 mark.lam 2017-01-23 14:44:14 -0800 Created attachment 299541 proposed patch. 1269196 3 mark.lam 2017-01-23 14:51:26 -0800 Thanks for the review. Landed in r211063: <http://trac.webkit.org/r211063>. 1309383 4 mark.lam 2017-05-16 16:51:06 -0700 <rdar://problem/32228083> 299541 2017-01-23 14:44:14 -0800 2017-01-23 14:48:26 -0800 proposed patch. bug-167322.patch text/plain 1450 mark.lam SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMjExMDYyKQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE2IEBA CisyMDE3LTAxLTIzICBNYXJrIExhbSAgPG1hcmsubGFtQGFwcGxlLmNvbT4KKworICAgICAgICBP YmpDQ2FsbGJhY2tGdW5jdGlvbjo6ZGVzdHJveSgpIHNob3VsZCBub3QgdXNlIGpzQ2FzdCgpLgor ICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTY3MzIyCisK KyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgU2luY2UgcjIx MDgyOSwgaXQgaXMgbm8gbG9uZ2VyIGNvcnJlY3QgZm9yIG9iamVjdCBkZXN0cnVjdG9ycyB0byB1 c2UganNDYXN0KCkuCisgICAgICAgIEZpeGVkIE9iakNDYWxsYmFja0Z1bmN0aW9uOjpkZXN0cm95 KCkgdG8gdXNlIGEgc3RhdGljX2Nhc3QgaW5zdGVhZC4KKworICAgICAgICAqIEFQSS9PYmpDQ2Fs bGJhY2tGdW5jdGlvbi5tbToKKyAgICAgICAgKEpTQzo6T2JqQ0NhbGxiYWNrRnVuY3Rpb246OmRl c3Ryb3kpOgorCiAyMDE3LTAxLTIzICBNaWNoYWVsIFNhYm9mZiAgPG1zYWJvZmZAYXBwbGUuY29t PgogCiAgICAgICAgIEludGxPYmplY3QgdXNlcyBKU0FycmF5Ojp0cnlDcmVhdGVVbmluaXRpYWxp emVkIGluIGFuIHVuc2FmZSB3YXkKSW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9BUEkvT2Jq Q0NhbGxiYWNrRnVuY3Rpb24ubW0KPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291cmNlL0phdmFTY3JpcHRDb3Jl L0FQSS9PYmpDQ2FsbGJhY2tGdW5jdGlvbi5tbQkocmV2aXNpb24gMjExMDU5KQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0FQSS9PYmpDQ2FsbGJhY2tGdW5jdGlvbi5tbQkod29ya2luZyBjb3B5 KQpAQCAtNTIzLDcgKzUyMyw3IEBAIE9iakNDYWxsYmFja0Z1bmN0aW9uKiBPYmpDQ2FsbGJhY2tG dW5jdGkKIAogdm9pZCBPYmpDQ2FsbGJhY2tGdW5jdGlvbjo6ZGVzdHJveShKU0NlbGwqIGNlbGwp CiB7Ci0gICAgT2JqQ0NhbGxiYWNrRnVuY3Rpb24mIGZ1bmN0aW9uID0gKmpzQ2FzdDxPYmpDQ2Fs bGJhY2tGdW5jdGlvbio+KGNlbGwpOworICAgIE9iakNDYWxsYmFja0Z1bmN0aW9uJiBmdW5jdGlv biA9ICpzdGF0aWNfY2FzdDxPYmpDQ2FsbGJhY2tGdW5jdGlvbio+KGNlbGwpOwogICAgIGZ1bmN0 aW9uLmltcGwoKS0+ZGVzdHJveSgqSGVhcDo6aGVhcChjZWxsKSk7CiAgICAgZnVuY3Rpb24ufk9i akNDYWxsYmFja0Z1bmN0aW9uKCk7CiB9Cg==