Bug 127582

Summary: ASSERT(!m_markedSpace.m_currentDelayedReleaseScope) reloading page in inspector
Product: WebKit Reporter: Joseph Pecoraro <joepeck>
Component: JavaScriptCore    Assignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED    
Severity: Normal CC: fpizlo, ggaren, mark.lam, mhahnenberg, msaboff, oliver
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description: the patch.    Flags: mhahnenberg: review+

Description Joseph Pecoraro 2014-01-24 13:38:53 PST
Seeing an ASSERT reloading a page with the inspector.

* STEPS TO REPRODUCE
1. Inspect <http://bogojoker.com/shell/>
2. Set some breakpoints in easySlider.min.js that should trigger on load
3. Reload the page
  => ASSERT


(lldb) f
frame #0: 0x000000010830685a JavaScriptCore`WTFCrash + 42 at Assertions.cpp:333
   330 	        globalHook();
   331 	
   332 	    WTFReportBacktrace();
-> 333 	    *(int *)(uintptr_t)0xbbadbeef = 0;
   334 	    // More reliable, but doesn't say BBADBEEF.
   335 	#if COMPILER(CLANG)
   336 	    __builtin_trap();

(lldb) up
frame #1: 0x0000000107f97a4a JavaScriptCore`JSC::DelayedReleaseScope::DelayedReleaseScope(this=0x00007fff5efe4290, markedSpace=0x00007fc39c82bad8) + 106 at DelayedReleaseScope.h:41
   38  	    DelayedReleaseScope(MarkedSpace& markedSpace)
   39  	        : m_markedSpace(markedSpace)
   40  	    {
-> 41  	        ASSERT(!m_markedSpace.m_currentDelayedReleaseScope);
   42  	        m_markedSpace.m_currentDelayedReleaseScope = this;
   43  	    }
   44  	

(lldb) p *m_markedSpace.m_currentDelayedReleaseScope
(JSC::DelayedReleaseScope) $1 = {
  m_markedSpace = 0x00007fc39c82bad8
  m_delayedReleaseObjects = { size = 0, capacity = 0 } {
    m_size = 0
    m_capacity = 0
    m_buffer = 0x0000000000000000
  }
}

(lldb) bt
* thread #1: tid = 0x1b8a01, 0x000000010830685a JavaScriptCore`WTFCrash + 42 at Assertions.cpp:333, queue = 'com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef)
    frame #0: 0x000000010830685a JavaScriptCore`WTFCrash + 42 at Assertions.cpp:333
    frame #1: 0x0000000107f97a4a JavaScriptCore`JSC::DelayedReleaseScope::DelayedReleaseScope(this=0x00007fff5efe4290, markedSpace=0x00007fc39c82bad8) + 106 at DelayedReleaseScope.h:41
    frame #2: 0x0000000107f8cf3d JavaScriptCore`JSC::DelayedReleaseScope::DelayedReleaseScope(this=0x00007fff5efe4290, markedSpace=0x00007fc39c82bad8) + 29 at DelayedReleaseScope.h:43
    frame #3: 0x0000000108135427 JavaScriptCore`JSC::MarkedSpace::resumeAllocating(this=0x00007fc39c82bad8) + 87 at MarkedSpace.cpp:216
    frame #4: 0x0000000108135ba3 JavaScriptCore`JSC::MarkedSpace::didFinishIterating(this=0x00007fc39c82bad8) + 83 at MarkedSpace.cpp:349
    frame #5: 0x0000000107f88ecc JavaScriptCore`JSC::Heap::didFinishIterating(this=0x00007fc39c82b818) + 28 at Heap.cpp:427
    frame #6: 0x0000000107d63618 JavaScriptCore`JSC::HeapIterationScope::~HeapIterationScope(this=0x00007fff5efe4358) + 24 at HeapIterationScope.h:52
    frame #7: 0x0000000107d52345 JavaScriptCore`JSC::HeapIterationScope::~HeapIterationScope(this=0x00007fff5efe4358) + 21 at HeapIterationScope.h:51
    frame #8: 0x0000000107d4fbfb JavaScriptCore`JSC::Debugger::clearDebuggerRequests(this=0x00007fc398f264e0, globalObject=0x000000011283c470) + 155 at Debugger.cpp:525
    frame #9: 0x0000000107d4fac6 JavaScriptCore`JSC::Debugger::detach(this=0x00007fc398f264e0, globalObject=0x000000011283c470) + 198 at Debugger.cpp:193
    frame #10: 0x000000010802ff0f JavaScriptCore`JSC::JSGlobalObject::~JSGlobalObject(this=0x000000011283c470) + 63 at JSGlobalObject.cpp:167
    frame #11: 0x000000010a06db05 WebCore`WebCore::JSDOMGlobalObject::~JSDOMGlobalObject(this=0x000000011283c470) + 85 at JSDOMGlobalObject.h:44
    frame #12: 0x000000010a0f1661 WebCore`WebCore::JSDOMWindowBase::~JSDOMWindowBase(this=0x000000011283c470) + 49 at JSDOMWindowBase.h:37
    frame #13: 0x000000010a0ee095 WebCore`WebCore::JSDOMWindowBase::~JSDOMWindowBase(this=0x000000011283c470) + 21 at JSDOMWindowBase.h:37
    frame #14: 0x000000010a0ed335 WebCore`WebCore::JSDOMWindowBase::destroy(cell=0x000000011283c470) + 21 at JSDOMWindowBase.cpp:84
    frame #15: 0x0000000107f8ae16 JavaScriptCore`JSC::Heap::FinalizerOwner::finalize(this=0x00007fc39c835bb0, handle=Handle<JSC::Unknown> at 0x00007fff5efe44f0, context=0x000000010a0ed320) + 70 at Heap.cpp:1024
    frame #16: 0x00000001082b2a3d JavaScriptCore`JSC::WeakBlock::finalize(this=0x00000001047bd000, weakImpl=0x00000001047bdf60) + 189 at WeakSetInlines.h:52
    frame #17: 0x00000001082b23fe JavaScriptCore`JSC::WeakBlock::sweep(this=0x00000001047bd000) + 158 at WeakBlock.cpp:76
    frame #18: 0x00000001082b9b00 JavaScriptCore`JSC::WeakSet::sweep(this=0x0000000112830448) + 64 at WeakSet.cpp:47
    frame #19: 0x0000000108132f4d JavaScriptCore`JSC::MarkedBlock::sweep(this=0x0000000112830000, sweepMode=SweepOnly) + 109 at MarkedBlock.cpp:109
    frame #20: 0x0000000107f9e489 JavaScriptCore`JSC::IncrementalSweeper::sweepNextBlock(this=0x00007fc39ab477f0) + 137 at IncrementalSweeper.cpp:100
    frame #21: 0x0000000107f9e37a JavaScriptCore`JSC::IncrementalSweeper::doSweep(this=0x00007fc39ab477f0, sweepBeginTime=85259.169231679) + 106 at IncrementalSweeper.cpp:78
    frame #22: 0x0000000107f9e302 JavaScriptCore`JSC::IncrementalSweeper::doWork(this=0x00007fc39ab477f0) + 34 at IncrementalSweeper.cpp:71
    frame #23: 0x0000000107f9a472 JavaScriptCore`JSC::HeapTimer::timerDidFire(timer=0x00007fc39ab47890, context=0x00007fc39ab46280) + 338 at HeapTimer.cpp:97
    frame #24: 0x00007fff95ff8564 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
    frame #25: 0x00007fff95ff809f CoreFoundation`__CFRunLoopDoTimer + 1151
    frame #26: 0x00007fff960695aa CoreFoundation`__CFRunLoopDoTimers + 298
    frame #27: 0x00007fff95fb38e5 CoreFoundation`__CFRunLoopRun + 1525
    frame #28: 0x00007fff95fb30b5 CoreFoundation`CFRunLoopRunSpecific + 309
    frame #29: 0x00007fff8c2c7a0d HIToolbox`RunCurrentEventLoopInMode + 226
    frame #30: 0x00007fff8c2c77b7 HIToolbox`ReceiveNextEventCommon + 479
    frame #31: 0x00007fff8c2c75bc HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 65
    frame #32: 0x00007fff926ad6de AppKit`_DPSNextEvent + 1434
    frame #33: 0x00007fff926acd2b AppKit`-[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 122
    frame #34: 0x00007fff926a0e2c AppKit`-[NSApplication run] + 553
    frame #35: 0x00007fff9268bbf3 AppKit`NSApplicationMain + 940
    frame #36: 0x00007fff8dd1fc0f XPCService`_xpc_main + 385
    frame #37: 0x00007fff93840bde libxpc.dylib`xpc_main + 399
    frame #38: 0x0000000100c19365 com.apple.WebKit.WebContent.Development`main(argc=1, argv=0x00007fff5efe7130) + 37 at XPCServiceMain.Development.mm:166
    frame #39: 0x00007fff8bdae5fd libdyld.dylib`start + 1
Comment 1 Mark Lam 2014-01-24 15:14:18 PST
Created attachment 222160 [details]
the patch.
Comment 2 Mark Lam 2014-01-24 15:16:48 PST
The assertion failure is because we had entered a HeapIterationScope while the JSGlobalObject is destructing, which in turn means that a GC is in progress. It's not legal to iterate the heap while a GC is in progress.

To fix this:
1. We should not enter a HeapIterationScope when we iterate the CodeBlocks.  Apparently, iterating the CodeBlocks does not count as heap iteration.

2. If we're detaching the debugger due to the JSGlobalObject destructing, then we don't need to clear the debugger requests in the associated CodeBlocks. The JSGlobalObject destructing would mean that those CodeBlocks would be destructing too, and it may not be safe to access them anyway at this point.
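The following is a constructed, stand-alone model of the invariant this bug violates and of the two-part fix described above. It is an added illustration, not code from WebKit: the class names mirror the frames in the backtrace (DelayedReleaseScope, HeapIterationScope, Debugger::detach), but their bodies are simplified, and the ReasonForDetach enum is an assumed shape of the "are we detaching because the global object is dying" distinction, not necessarily the landed API. Instead of crashing on a nested scope the way the real ASSERT does, the model counts violations so the buggy and fixed paths can be compared in one run.

```cpp
#include <cstdio>
#include <functional>
#include <vector>

// Constructed model of the scope-nesting invariant behind bug 127582.
// Names mirror the JavaScriptCore classes seen in the backtrace, but every
// body here is a simplification added for illustration, not WebKit's code.

struct DelayedReleaseScope;

struct MarkedSpace {
    DelayedReleaseScope* currentDelayedReleaseScope = nullptr;
    int nestedScopeViolations = 0;   // stands in for the ASSERT firing
};

// RAII guard: exactly one DelayedReleaseScope may be active per MarkedSpace.
struct DelayedReleaseScope {
    explicit DelayedReleaseScope(MarkedSpace& space) : m_space(space) {
        // The real code does ASSERT(!m_markedSpace.m_currentDelayedReleaseScope) here.
        if (m_space.currentDelayedReleaseScope) {
            ++m_space.nestedScopeViolations;
            m_owned = false;          // do not clobber the outer scope's registration
            return;
        }
        m_space.currentDelayedReleaseScope = this;
    }
    ~DelayedReleaseScope() {
        if (m_owned) m_space.currentDelayedReleaseScope = nullptr;
    }
    MarkedSpace& m_space;
    bool m_owned = true;
};

// Leaving a HeapIterationScope resumes allocation, which opens a fresh
// DelayedReleaseScope (frames #3 to #6 of the backtrace). If a sweep already
// holds one, the nesting invariant breaks.
struct HeapIterationScope {
    explicit HeapIterationScope(MarkedSpace& space) : m_space(space) {}
    ~HeapIterationScope() { DelayedReleaseScope resume(m_space); }
    MarkedSpace& m_space;
};

// Assumed shape of the distinction the fix introduces; not necessarily WebKit's enum.
enum class ReasonForDetach { TerminatingDebuggingSession, GlobalObjectIsDestructing };

struct Debugger {
    MarkedSpace& space;
    bool fixed;   // true: apply both parts of the fix described in comment 2

    void clearDebuggerRequests() {
        if (fixed) {
            // Fix part 1: walking CodeBlocks is not heap iteration, so no
            // HeapIterationScope is entered here.
            return;
        }
        HeapIterationScope iteration(space);   // buggy path: iterate while sweeping
    }

    void detach(ReasonForDetach reason) {
        // Fix part 2: a destructing global object's CodeBlocks are dying too;
        // there is nothing safe or useful to clear.
        if (fixed && reason == ReasonForDetach::GlobalObjectIsDestructing) return;
        clearDebuggerRequests();
    }
};

// The sweeper holds a DelayedReleaseScope while running weak finalizers; one
// finalizer tears down a global object, which detaches its debugger
// (frames #8 to #20). Returns the number of nesting violations observed.
int simulateSweep(bool applyFix) {
    MarkedSpace space;
    Debugger debugger{space, applyFix};
    std::vector<std::function<void()>> finalizers;
    finalizers.push_back([&] {   // ~JSGlobalObject -> Debugger::detach
        debugger.detach(ReasonForDetach::GlobalObjectIsDestructing);
    });
    {
        DelayedReleaseScope sweepScope(space);   // held for the whole sweep step
        for (auto& finalize : finalizers) finalize();
    }
    return space.nestedScopeViolations;
}

// Detaching outside a sweep never nests scopes, with or without the fix.
int simulateDetachOutsideSweep(bool applyFix) {
    MarkedSpace space;
    Debugger debugger{space, applyFix};
    debugger.detach(ReasonForDetach::TerminatingDebuggingSession);
    return space.nestedScopeViolations;
}

int main() {
    std::printf("violations during sweep, unfixed: %d\n", simulateSweep(false));
    std::printf("violations during sweep, fixed:   %d\n", simulateSweep(true));
    std::printf("violations outside sweep:         %d\n", simulateDetachOutsideSweep(false));
    return 0;
}
```

The point of the model is the ordering: the nested scope is not opened by the debugger directly but by the destructor of the HeapIterationScope it entered, so the violation only shows up when detach runs from inside a finalizer that the sweeper invokes while its own DelayedReleaseScope is still live. Either half of the fix alone is enough to avoid this particular path; the landed change applies both.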
Comment 3 Mark Hahnenberg 2014-01-24 15:19:48 PST
Comment on attachment 222160 [details]
the patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=222160&action=review

r=me

> Source/JavaScriptCore/ChangeLog:19
> +        while the JSGlobalObject is destructing, which in turn means that a GC
> +        is progress. It's not legal to iterate the heap while a GC is in
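Review bot: the quoted ChangeLog sentence is missing a word: "which in turn means that a GC is progress" should read "a GC is in progress". Since the backtrace in the description goes through IncrementalSweeper::sweepNextBlock and MarkedBlock::sweep rather than a collection, consider also stating the heap state precisely (sweeping) in the ChangeLog explanation.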

Not true. We were in the middle of sweeping, not collecting.
Comment 4 Mark Lam 2014-01-24 15:41:38 PST
Thanks.  The comment has been fixed.  Landed in r162735: <http://trac.webkit.org/r162735>.