73886 2011-12-05 19:15:27 -0800 REGRESSION(r101863-r102042): Assertion hit: m_verifier.isSafeToUse() in RefCountedBase::ref in FunctionCodeBlock 2011-12-09 18:13:24 -0800 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED P1 Normal --- 1 rniwa levin ap fpizlo ggaren levin levin+threading oliver webkit.review.bot oldest_to_newest 515593 0 rniwa 2011-12-05 19:15:27 -0800 I've been browsing on r102042 and I've been repeatedly hitting the following assertion: class RefCountedBase { public: void ref() { #ifndef NDEBUG // Start thread verification as soon as the ref count gets to 2. This // heuristic reflects the fact that items are often created on one thread // and then given to another thread to be used. // FIXME: Make this restriction tigher. Especially as we move to more // common methods for sharing items across threads like CrossThreadCopier.h // We should be able to add a "detachFromThread" method to make this explicit. if (m_refCount == 1) m_verifier.setShared(true); #endif // If this assert fires, it either indicates a thread safety issue or // that the verification needs to change. See ThreadRestrictionVerifier for // the different modes. ASSERT(m_verifier.isSafeToUse()); // < this one! #0 0x1000c940a in WTF::RefCountedBase::ref at RefCounted.h:53 #1 0x1000dd65c in JSC::FunctionCodeBlock::FunctionCodeBlock at CodeBlock.h:1361 #2 0x1000d5a67 in JSC::FunctionExecutable::produceCodeBlockFor at Executable.cpp:475 #3 0x1000d6aea in JSC::FunctionExecutable::compileForCallInternal at Executable.cpp:516 #4 0x1000d6ffd in JSC::FunctionExecutable::compileOptimizedForCall at Executable.cpp:447 #5 0x1000780b3 in JSC::FunctionExecutable::compileOptimizedFor at Executable.h:573 #6 0x1000657cc in JSC::FunctionCodeBlock::compileOptimized at CodeBlock.cpp:2146 #7 0x10011e8b8 in cti_optimize_from_ret at JITStubs.cpp:2059 #8 0x100117386 in ctiOpThrowNotCaught at Instruction.h:81 #9 0x1000f41a0 in JSC::JITCode::execute at JITCode.h:115 #10 0x1000ea0ca in JSC::Interpreter::executeCall at Interpreter.cpp:1075 #11 0x100062787 in JSC::call at CallData.cpp:39 #12 0x10016238e in JSObjectCallAsFunction at JSObjectRef.cpp:443 515594 1 rniwa 2011-12-05 19:16:40 -0800 JSC changes in the regression window: http://trac.webkit.org/log/trunk/Source/JavaScriptCore?action=stop_on_copy&mode=stop_on_copy&rev=102042&stop_rev=101863&limit=100&verbose=on 515596 2 ggaren 2011-12-05 19:22:57 -0800 Can you attach a full set of backtraces for all threads? My guess is that the ASSERT (i.e., the verifier) needs to change, but I'd like to make sure. 515602 3 rniwa 2011-12-05 19:43:49 -0800 (In reply to comment #2) > Can you attach a full set of backtraces for all threads? > > My guess is that the ASSERT (i.e., the verifier) needs to change, but I'd like to make sure. Hm... I'm using WebKit1 so this is the "only" thread. Is there any information you're looking for? 515605 4 rniwa 2011-12-05 19:50:22 -0800 Some stack traces. FYI, it's super easy to reproduce if you go to facebook and spend even like 1-2 minutes click on different places. Safari: SafeBrowsingManager: #0 0x1000c940a in WTF::RefCountedBase::ref at RefCounted.h:53 #1 0x1000dd65c in JSC::FunctionCodeBlock::FunctionCodeBlock at CodeBlock.h:1361 #2 0x1000d5a67 in JSC::FunctionExecutable::produceCodeBlockFor at Executable.cpp:475 #3 0x1000d6aea in JSC::FunctionExecutable::compileForCallInternal at Executable.cpp:516 #4 0x1000d6ffd in JSC::FunctionExecutable::compileOptimizedForCall at Executable.cpp:447 #5 0x1000780b3 in JSC::FunctionExecutable::compileOptimizedFor at Executable.h:573 #6 0x1000657cc in JSC::FunctionCodeBlock::compileOptimized at CodeBlock.cpp:2146 #7 0x10011e8b8 in cti_optimize_from_ret at JITStubs.cpp:2059 #8 0x100117386 in ctiOpThrowNotCaught at Instruction.h:81 #9 0x1000f41a0 in JSC::JITCode::execute at JITCode.h:115 #10 0x1000ea0ca in JSC::Interpreter::executeCall at Interpreter.cpp:1075 #11 0x100062787 in JSC::call at CallData.cpp:39 #12 0x10016238e in JSObjectCallAsFunction at JSObjectRef.cpp:443 JavaScriptCore::Marking #0 0x7fff88483a6a in __semwait_signal #1 0x7fff88487881 in _pthread_cond_wait #2 0x100234f4d in WTF::ThreadCondition::wait at ThreadingPthreads.cpp:372 #3 0x100268245 in JSC::SlotVisitor::drainFromShared at MarkStack.cpp:423 #4 0x1002686cc in JSC::MarkStackThreadSharedData::markingThreadMain at MarkStack.cpp:224 #5 0x100268711 in JSC::MarkStackThreadSharedData::markingThreadStartFunc at MarkStack.cpp:229 #6 0x100234dc2 in WTF::threadEntryPoint at Threading.cpp:67 #7 0x7fff88481fd6 in _pthread_start #8 0x7fff88481e89 in thread_start JavaScriptCore::Marking #0 0x7fff88483a6a in __semwait_signal #1 0x7fff88487881 in _pthread_cond_wait #2 0x100234f4d in WTF::ThreadCondition::wait at ThreadingPthreads.cpp:372 #3 0x100268245 in JSC::SlotVisitor::drainFromShared at MarkStack.cpp:423 #4 0x1002686cc in JSC::MarkStackThreadSharedData::markingThreadMain at MarkStack.cpp:224 #5 0x100268711 in JSC::MarkStackThreadSharedData::markingThreadStartFunc at MarkStack.cpp:229 #6 0x100234dc2 in WTF::threadEntryPoint at Threading.cpp:67 #7 0x7fff88481fd6 in _pthread_start #8 0x7fff88481e89 in thread_start JavaScriptCore::Marking #0 0x7fff88483a6a in __semwait_signal #1 0x7fff88487881 in _pthread_cond_wait #2 0x100234f4d in WTF::ThreadCondition::wait at ThreadingPthreads.cpp:372 #3 0x100268245 in JSC::SlotVisitor::drainFromShared at MarkStack.cpp:423 #4 0x1002686cc in JSC::MarkStackThreadSharedData::markingThreadMain at MarkStack.cpp:224 #5 0x100268711 in JSC::MarkStackThreadSharedData::markingThreadStartFunc at MarkStack.cpp:229 #6 0x100234dc2 in WTF::threadEntryPoint at Threading.cpp:67 #7 0x7fff88481fd6 in _pthread_start #8 0x7fff88481e89 in thread_start JavaScriptCore::BlockFree #0 0x7fff88483a6a in __semwait_signal #1 0x7fff88487881 in _pthread_cond_wait #2 0x100235047 in WTF::ThreadCondition::timedWait at ThreadingPthreads.cpp:393 #3 0x10026f0a3 in JSC::Heap::waitForRelativeTimeWhileHoldingLock at Heap.cpp:391 #4 0x10026f0d9 in JSC::Heap::waitForRelativeTime at Heap.cpp:401 #5 0x10026f106 in JSC::Heap::blockFreeingThreadMain at Heap.cpp:415 #6 0x10026f239 in JSC::Heap::blockFreeingThreadStartFunc at Heap.cpp:406 #7 0x100234dc2 in WTF::threadEntryPoint at Threading.cpp:67 #8 0x7fff88481fd6 in _pthread_start #9 0x7fff88481e89 in thread_start Safari: SnapshotStore #0 0x7fff88483a6a in __semwait_signal #1 0x7fff88487881 in _pthread_cond_wait #2 0x100234f4d in WTF::ThreadCondition::wait at ThreadingPthreads.cpp:372 #3 0x100234fde in WTF::ThreadCondition::timedWait at ThreadingPthreads.cpp:382 #4 0x7fff8729b949 in Safari::MessageQueue<WTF::RefPtr<Safari::SnapshotStore::DiskAccessMessage> >::waitForMessageFilteredWithTimeout<bool ()(WTF::RefPtr<Safari::SnapshotStore::DiskAccessMessage>&)> #5 0x7fff87299d49 in Safari::SnapshotStore::diskAccessThreadBody #6 0x7fff8729a503 in Safari::SnapshotStore::diskAccessThreadCallback #7 0x100234dc2 in WTF::threadEntryPoint at Threading.cpp:67 #8 0x7fff88481fd6 in _pthread_start #9 0x7fff88481e89 in thread_start 515607 5 rniwa 2011-12-05 19:51:36 -0800 com.apple.main-thread: #0 0x1025dbefa in WebCore::JSNode::getOwnPropertySlot at JSNode.h:81 #1 0x1026cb777 in JSC::getStaticValueSlot<WebCore::JSElement, WebCore::JSNode> at Lookup.h:346 #2 0x1026cb8e7 in WebCore::JSElement::getOwnPropertySlot at JSElement.h:69 #3 0x1027254d3 in JSC::getStaticValueSlot<WebCore::JSHTMLElement, WebCore::JSElement> at Lookup.h:346 #4 0x10272485f in WebCore::JSHTMLElement::getOwnPropertySlot at JSHTMLElement.cpp:213 #5 0x10271e7c1 in JSC::getStaticValueSlot<WebCore::JSHTMLDivElement, WebCore::JSHTMLElement> at Lookup.h:346 #6 0x10271dc6d in WebCore::JSHTMLDivElement::getOwnPropertySlot at JSHTMLDivElement.cpp:148 #7 0x1000f46c8 in JSC::JSCell::fastGetOwnPropertySlot at JSObject.h:562 #8 0x1000f4889 in JSC::JSValue::get at JSObject.h:796 #9 0x1000b06e4 in operationGetById at DFGOperations.cpp:338 #10 0x56fc8d9b986a in ?? #11 0x1000f41a0 in JSC::JITCode::execute at JITCode.h:115 #12 0x1000ea0ca in JSC::Interpreter::executeCall at Interpreter.cpp:1075 #13 0x100062787 in JSC::call at CallData.cpp:39 #14 0x1026045dc in WebCore::JSMainThreadExecState::call at JSMainThreadExecState.h:52 #15 0x1026def8d in WebCore::JSEventListener::handleEvent at JSEventListener.cpp:124 #16 0x10231651a in WebCore::EventTarget::fireEventListeners at EventTarget.cpp:228 #17 0x102316a60 in WebCore::EventTarget::fireEventListeners at EventTarget.cpp:197 #18 0x102a44b61 in WebCore::Node::handleLocalEvents at Node.cpp:2842 #19 0x1022f80cc in WebCore::EventContext::handleLocalEvents at EventContext.cpp:48 #20 0x1022f9862 in WebCore::EventDispatcher::dispatchEvent at EventDispatcher.cpp:329 #21 0x102a30729 in WebCore::MouseEventDispatchMediator::dispatchEvent at MouseEvent.cpp:207 #22 0x1022f8b17 in WebCore::EventDispatcher::dispatchEvent at EventDispatcher.cpp:55 #23 0x102a44777 in WebCore::Node::dispatchMouseEvent at Node.cpp:2904 #24 0x102302c7d in WebCore::EventHandler::updateMouseEventTargetNode at EventHandler.cpp:2050 #25 0x102302dc8 in WebCore::EventHandler::dispatchMouseEvent at EventHandler.cpp:2067 #26 0x102305228 in WebCore::EventHandler::handleMouseMoveEvent at EventHandler.cpp:1675 #27 0x1023052de in WebCore::EventHandler::mouseMoved at EventHandler.cpp:1560 #28 0x10230b2fd in WebCore::EventHandler::mouseMoved at EventHandlerMac.mm:595 #29 0x100bfacf2 in -[WebHTMLView(WebPrivate) _updateMouseoverWithEvent:] at WebHTMLView.mm:1621 #30 0x100be3eaf in -[WebHTMLView mouseMovedNotification:] at WebHTMLView.mm:3711 515617 6 ggaren 2011-12-05 20:18:33 -0800 It looks like the SafeBrowsingManager thread backtrace got truncated. Anyway, I think the right solution is to disable verification (deprecatedTurnOffVerifier). Verification is incorrect for all JavaScriptCore objects, since JavaScriptCore objects allow use on multiple threads. 516026 7 levin 2011-12-06 10:43:12 -0800 Agreed with Geoff, just like this: http://trac.webkit.org/changeset/85233/trunk/Source/JavaScriptCore/parser/SourceProvider.h for FunctionCodeBlock 516054 8 rniwa 2011-12-06 11:14:18 -0800 Apparently this assertion hits on r101863 as well. 518547 9 118646 levin 2011-12-09 14:48:31 -0800 Created attachment 118646 Patch 518711 10 118646 webkit.review.bot 2011-12-09 18:13:18 -0800 Comment on attachment 118646 Patch Clearing flags on attachment: 118646 Committed r102508: <http://trac.webkit.org/changeset/102508> 518712 11 webkit.review.bot 2011-12-09 18:13:24 -0800 All reviewed patches have been landed. Closing bug. 118646 2011-12-09 14:48:31 -0800 2011-12-09 18:13:18 -0800 Patch bug-73886-20111209144830.patch text/plain 1730 levin U3VidmVyc2lvbiBSZXZpc2lvbjogMTAyNDczCmRpZmYgLS1naXQgYS9Tb3VyY2UvSmF2YVNjcmlw dENvcmUvQ2hhbmdlTG9nIGIvU291cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwppbmRleCA4 YTA0OWFiYTczNDhhNTRiNTY4YjAyNTg0YzQzODg0ZDA1Y2VhMWJmLi44OTQ5NDhhYzZkZGZlMjE5 ZTBiNmY4ZDU2ZmE1ZTFmMWFkZDAwZjJkIDEwMDY0NAotLS0gYS9Tb3VyY2UvSmF2YVNjcmlwdENv cmUvQ2hhbmdlTG9nCisrKyBiL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKQEAgLTEs NSArMSwxOCBAQAogMjAxMS0xMi0wOSAgRGF2aWQgTGV2aW4gIDxsZXZpbkBjaHJvbWl1bS5vcmc+ CiAKKyAgICAgICAgUkVHUkVTU0lPTihyMTAxODYzLXIxMDIwNDIpOiBBc3NlcnRpb24gaGl0OiBt X3ZlcmlmaWVyLmlzU2FmZVRvVXNlKCkgaW4gUmVmQ291bnRlZEJhc2U6OnJlZiBpbiBGdW5jdGlv bkNvZGVCbG9jaworICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/ aWQ9NzM4ODYKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAg ICAqIHJ1bnRpbWUvU3ltYm9sVGFibGUuaDoKKyAgICAgICAgKEpTQzo6U2hhcmVkU3ltYm9sVGFi bGU6OlNoYXJlZFN5bWJvbFRhYmxlKTogQWRkZWQgZGVwcmVjYXRlZFR1cm5PZmZWZXJpZmllciBm b3IKKyAgICAgICAgYW5vdGhlciBKYXZhU2NyaXB0T2JqZWN0LCBzaW5jZSBKYXZhU2NyaXB0Q29y ZSBvYmplY3RzIGFsbG93IHVzZSBvbiBtdWx0aXBsZSB0aHJlYWRzLgorICAgICAgICBCdWcgNTgw OTEgaXMgYWJvdXQgY2hhbmdpbmcgdGhlc2UgZGVwcmVjYXRlZCBjYWxscyB0byBzb21ldGhpbmcg ZWxzZSBidXQgdGhhdCBzb21ldGhpbmcKKyAgICAgICAgZWxzZSB3aWxsIHN0aWxsIG5lZWQgdG8g YmUgaW4gYWxsIG9mIHRoZXNlIHBsYWNlcy4KKworMjAxMS0xMi0wOSAgRGF2aWQgTGV2aW4gIDxs ZXZpbkBjaHJvbWl1bS5vcmc+CisKICAgICAgICAgUmVncmVzc2lvbihyNTM1OTUpOiBTeW5jIHho ciByZXF1ZXN0cyBpbiB3b3JrZXJzIGFyZW4ndCB0ZXJtaW5hdGVkIG9uIHdvcmtlciBjbG9zZS4K ICAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTcxNjk1CiAK ZGlmZiAtLWdpdCBhL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9ydW50aW1lL1N5bWJvbFRhYmxlLmgg Yi9Tb3VyY2UvSmF2YVNjcmlwdENvcmUvcnVudGltZS9TeW1ib2xUYWJsZS5oCmluZGV4IDgzMTk2 NzcwYmE0NmM4MGI0YWQ5YTAyZWJiZDgzOWQyNzY5NGYwZmUuLjgxNzMxMjIyYmJhMzU1ZGFmMzZi NTY1YThmMDdiNDFmNDcxMDk4MmEgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9y dW50aW1lL1N5bWJvbFRhYmxlLmgKKysrIGIvU291cmNlL0phdmFTY3JpcHRDb3JlL3J1bnRpbWUv U3ltYm9sVGFibGUuaApAQCAtMTI1LDcgKzEyNSw3IEBAIG5hbWVzcGFjZSBKU0MgewogICAgIHB1 YmxpYzoKICAgICAgICAgc3RhdGljIFBhc3NSZWZQdHI8U2hhcmVkU3ltYm9sVGFibGU+IGNyZWF0 ZSgpIHsgcmV0dXJuIGFkb3B0UmVmKG5ldyBTaGFyZWRTeW1ib2xUYWJsZSk7IH0KICAgICBwcml2 YXRlOgotICAgICAgICBTaGFyZWRTeW1ib2xUYWJsZSgpIHsgfQorICAgICAgICBTaGFyZWRTeW1i b2xUYWJsZSgpIHsgZGVwcmVjYXRlZFR1cm5PZmZWZXJpZmllcigpOyB9CiAgICAgfTsKICAgICAK IH0gLy8gbmFtZXNwYWNlIEpTQwo=