Bug 127582

Summary: ASSERT(!m_markedSpace.m_currentDelayedReleaseScope) reloading page in inspector
Product: WebKit
Reporter: Joseph Pecoraro <joepeck>
Component: JavaScriptCore
Assignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED
Severity: Normal
CC: fpizlo, ggaren, mark.lam, mhahnenberg, msaboff, oliver
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified

Attachments:
the patch. (7.50 KB, patch), 2014-01-24 15:14 PST, Mark Lam; flags: mhahnenberg: review+

Joseph Pecoraro
Reported 2014-01-24 13:38:53 PST
Seeing an ASSERT reloading a page with the inspector.

* STEPS TO REPRODUCE
1. Inspect <http://bogojoker.com/shell/>
2. Set some breakpoints in easySlider.min.js that should trigger on load
3. Reload the page
=> ASSERT

(lldb) f
frame #0: 0x000000010830685a JavaScriptCore`WTFCrash + 42 at Assertions.cpp:333
   330             globalHook();
   331
   332         WTFReportBacktrace();
-> 333         *(int *)(uintptr_t)0xbbadbeef = 0;
   334         // More reliable, but doesn't say BBADBEEF.
   335     #if COMPILER(CLANG)
   336         __builtin_trap();
(lldb) up
frame #1: 0x0000000107f97a4a JavaScriptCore`JSC::DelayedReleaseScope::DelayedReleaseScope(this=0x00007fff5efe4290, markedSpace=0x00007fc39c82bad8) + 106 at DelayedReleaseScope.h:41
   38          DelayedReleaseScope(MarkedSpace& markedSpace)
   39              : m_markedSpace(markedSpace)
   40          {
-> 41              ASSERT(!m_markedSpace.m_currentDelayedReleaseScope);
   42              m_markedSpace.m_currentDelayedReleaseScope = this;
   43          }
   44
(lldb) p *m_markedSpace.m_currentDelayedReleaseScope
(JSC::DelayedReleaseScope) $1 = {
  m_markedSpace = 0x00007fc39c82bad8
  m_delayedReleaseObjects = { size = 0, capacity = 0 } {
    m_size = 0
    m_capacity = 0
    m_buffer = 0x0000000000000000
  }
}
(lldb) bt
* thread #1: tid = 0x1b8a01, 0x000000010830685a JavaScriptCore`WTFCrash + 42 at Assertions.cpp:333, queue = 'com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef)
    frame #0: 0x000000010830685a JavaScriptCore`WTFCrash + 42 at Assertions.cpp:333
    frame #1: 0x0000000107f97a4a JavaScriptCore`JSC::DelayedReleaseScope::DelayedReleaseScope(this=0x00007fff5efe4290, markedSpace=0x00007fc39c82bad8) + 106 at DelayedReleaseScope.h:41
    frame #2: 0x0000000107f8cf3d JavaScriptCore`JSC::DelayedReleaseScope::DelayedReleaseScope(this=0x00007fff5efe4290, markedSpace=0x00007fc39c82bad8) + 29 at DelayedReleaseScope.h:43
    frame #3: 0x0000000108135427 JavaScriptCore`JSC::MarkedSpace::resumeAllocating(this=0x00007fc39c82bad8) + 87 at MarkedSpace.cpp:216
    frame #4: 0x0000000108135ba3 JavaScriptCore`JSC::MarkedSpace::didFinishIterating(this=0x00007fc39c82bad8) + 83 at MarkedSpace.cpp:349
    frame #5: 0x0000000107f88ecc JavaScriptCore`JSC::Heap::didFinishIterating(this=0x00007fc39c82b818) + 28 at Heap.cpp:427
    frame #6: 0x0000000107d63618 JavaScriptCore`JSC::HeapIterationScope::~HeapIterationScope(this=0x00007fff5efe4358) + 24 at HeapIterationScope.h:52
    frame #7: 0x0000000107d52345 JavaScriptCore`JSC::HeapIterationScope::~HeapIterationScope(this=0x00007fff5efe4358) + 21 at HeapIterationScope.h:51
    frame #8: 0x0000000107d4fbfb JavaScriptCore`JSC::Debugger::clearDebuggerRequests(this=0x00007fc398f264e0, globalObject=0x000000011283c470) + 155 at Debugger.cpp:525
    frame #9: 0x0000000107d4fac6 JavaScriptCore`JSC::Debugger::detach(this=0x00007fc398f264e0, globalObject=0x000000011283c470) + 198 at Debugger.cpp:193
    frame #10: 0x000000010802ff0f JavaScriptCore`JSC::JSGlobalObject::~JSGlobalObject(this=0x000000011283c470) + 63 at JSGlobalObject.cpp:167
    frame #11: 0x000000010a06db05 WebCore`WebCore::JSDOMGlobalObject::~JSDOMGlobalObject(this=0x000000011283c470) + 85 at JSDOMGlobalObject.h:44
    frame #12: 0x000000010a0f1661 WebCore`WebCore::JSDOMWindowBase::~JSDOMWindowBase(this=0x000000011283c470) + 49 at JSDOMWindowBase.h:37
    frame #13: 0x000000010a0ee095 WebCore`WebCore::JSDOMWindowBase::~JSDOMWindowBase(this=0x000000011283c470) + 21 at JSDOMWindowBase.h:37
    frame #14: 0x000000010a0ed335 WebCore`WebCore::JSDOMWindowBase::destroy(cell=0x000000011283c470) + 21 at JSDOMWindowBase.cpp:84
    frame #15: 0x0000000107f8ae16 JavaScriptCore`JSC::Heap::FinalizerOwner::finalize(this=0x00007fc39c835bb0, handle=Handle<JSC::Unknown> at 0x00007fff5efe44f0, context=0x000000010a0ed320) + 70 at Heap.cpp:1024
    frame #16: 0x00000001082b2a3d JavaScriptCore`JSC::WeakBlock::finalize(this=0x00000001047bd000, weakImpl=0x00000001047bdf60) + 189 at WeakSetInlines.h:52
    frame #17: 0x00000001082b23fe JavaScriptCore`JSC::WeakBlock::sweep(this=0x00000001047bd000) + 158 at WeakBlock.cpp:76
    frame #18: 0x00000001082b9b00 JavaScriptCore`JSC::WeakSet::sweep(this=0x0000000112830448) + 64 at WeakSet.cpp:47
    frame #19: 0x0000000108132f4d JavaScriptCore`JSC::MarkedBlock::sweep(this=0x0000000112830000, sweepMode=SweepOnly) + 109 at MarkedBlock.cpp:109
    frame #20: 0x0000000107f9e489 JavaScriptCore`JSC::IncrementalSweeper::sweepNextBlock(this=0x00007fc39ab477f0) + 137 at IncrementalSweeper.cpp:100
    frame #21: 0x0000000107f9e37a JavaScriptCore`JSC::IncrementalSweeper::doSweep(this=0x00007fc39ab477f0, sweepBeginTime=85259.169231679) + 106 at IncrementalSweeper.cpp:78
    frame #22: 0x0000000107f9e302 JavaScriptCore`JSC::IncrementalSweeper::doWork(this=0x00007fc39ab477f0) + 34 at IncrementalSweeper.cpp:71
    frame #23: 0x0000000107f9a472 JavaScriptCore`JSC::HeapTimer::timerDidFire(timer=0x00007fc39ab47890, context=0x00007fc39ab46280) + 338 at HeapTimer.cpp:97
    frame #24: 0x00007fff95ff8564 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
    frame #25: 0x00007fff95ff809f CoreFoundation`__CFRunLoopDoTimer + 1151
    frame #26: 0x00007fff960695aa CoreFoundation`__CFRunLoopDoTimers + 298
    frame #27: 0x00007fff95fb38e5 CoreFoundation`__CFRunLoopRun + 1525
    frame #28: 0x00007fff95fb30b5 CoreFoundation`CFRunLoopRunSpecific + 309
    frame #29: 0x00007fff8c2c7a0d HIToolbox`RunCurrentEventLoopInMode + 226
    frame #30: 0x00007fff8c2c77b7 HIToolbox`ReceiveNextEventCommon + 479
    frame #31: 0x00007fff8c2c75bc HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 65
    frame #32: 0x00007fff926ad6de AppKit`_DPSNextEvent + 1434
    frame #33: 0x00007fff926acd2b AppKit`-[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 122
    frame #34: 0x00007fff926a0e2c AppKit`-[NSApplication run] + 553
    frame #35: 0x00007fff9268bbf3 AppKit`NSApplicationMain + 940
    frame #36: 0x00007fff8dd1fc0f XPCService`_xpc_main + 385
    frame #37: 0x00007fff93840bde libxpc.dylib`xpc_main + 399
    frame #38: 0x0000000100c19365 com.apple.WebKit.WebContent.Development`main(argc=1, argv=0x00007fff5efe7130) + 37 at XPCServiceMain.Development.mm:166
    frame #39: 0x00007fff8bdae5fd libdyld.dylib`start + 1
Mark Lam
Comment 1 2014-01-24 15:14:18 PST
Created attachment 222160 [details] the patch.
Mark Lam
Comment 2 2014-01-24 15:16:48 PST
The assertion failure is because we had entered a HeapIterationScope while the JSGlobalObject is destructing, which in turn means that a GC is in progress. It's not legal to iterate the heap while a GC is in progress. To fix this:

1. We should not enter a HeapIterationScope when we iterate the CodeBlocks. Apparently, iterating the CodeBlocks does not count as heap iteration.
2. If we're detaching the debugger due to the JSGlobalObject destructing, then we don't need to clear the debugger requests in the associated CodeBlocks. The JSGlobalObject destructing would mean that those CodeBlocks would be destructing too, and it may not be safe to access them anyway at this point.
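Added C++ model of the scope-nesting invariant behind this assertion; it is not WebKit's code and not the attached patch. From the backtrace it takes that resumeAllocating() enters its own DelayedReleaseScope (frame #3), and it assumes that block sweeping already holds one (the live, empty scope in the lldb dump); on those assumptions it reproduces the nested scope and shows how skipping the debugger-request cleanup for a destructing JSGlobalObject (fix 2 above) avoids it.

```cpp
// Constructed model (not WebKit's code) of the invariant behind
// ASSERT(!m_markedSpace.m_currentDelayedReleaseScope): only one
// DelayedReleaseScope may be active on a MarkedSpace at a time.
struct MarkedSpace;

struct DelayedReleaseScope {
    MarkedSpace& space;
    DelayedReleaseScope* previous;
    explicit DelayedReleaseScope(MarkedSpace& s);
    ~DelayedReleaseScope();
};

struct MarkedSpace {
    DelayedReleaseScope* current = nullptr;
    int nestingViolations = 0;  // what the real ASSERT would trip on
    // Mirrors frame #3 of the report: resumeAllocating() enters its own scope.
    void resumeAllocating() { DelayedReleaseScope scope(*this); }
};

DelayedReleaseScope::DelayedReleaseScope(MarkedSpace& s)
    : space(s), previous(s.current) {
    if (previous) ++space.nestingViolations;  // the ASSERT in the report
    space.current = this;
}
DelayedReleaseScope::~DelayedReleaseScope() { space.current = previous; }

// HeapIterationScope: its destructor (frames #6/#7) resumes allocating.
struct HeapIterationScope {
    MarkedSpace& space;
    explicit HeapIterationScope(MarkedSpace& s) : space(s) {}
    ~HeapIterationScope() { space.resumeAllocating(); }
};

// Debugger::detach as reached from ~JSGlobalObject. Unfixed, it clears debugger
// requests under a HeapIterationScope; fix 2 skips that work while destructing.
void detachDebugger(MarkedSpace& space, bool globalObjectDestructing, bool fixed) {
    if (fixed && globalObjectDestructing) return;
    HeapIterationScope iteration(space);  // iterate CodeBlocks, clear requests
}

// Assumed: sweeping already holds a DelayedReleaseScope (the live, empty scope
// in the lldb dump); finalizing the dying global object then detaches.
int sweepViolations(bool fixed) {
    MarkedSpace space;
    DelayedReleaseScope sweepScope(space);
    detachDebugger(space, /*globalObjectDestructing=*/true, fixed);
    return space.nestingViolations;  // 1 unfixed, 0 fixed
}
```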
Mark Hahnenberg
Comment 3 2014-01-24 15:19:48 PST
Comment on attachment 222160 [details] the patch.
View in context: https://bugs.webkit.org/attachment.cgi?id=222160&action=review

r=me

> Source/JavaScriptCore/ChangeLog:19
> + while the JSGlobalObject is destructing, which in turn means that a GC
> + is progress. It's not legal to iterate the heap while a GC is in

Not true. We were in the middle of sweeping, not collecting.
Mark Lam
Comment 4 2014-01-24 15:41:38 PST
Thanks. The comment has been fixed. Landed in r162735: <http://trac.webkit.org/r162735>.