Bug 129364

Summary: ASSERTION FAILED: m_heap->vm()->currentThreadIsHoldingAPILock() in inspector-protocol/*
Product: WebKit
Reporter: Alexey Proskuryakov <ap>
Component: Web Inspector
Assignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED
Severity: Normal
CC: commit-queue, graouts, joepeck, mark.lam, timothy, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments:
  Description                  Flags
  the patch.                   none
  patch 2: added a comment.    none

Description Alexey Proskuryakov 2014-02-25 22:49:53 PST
http://build.webkit.org/results/Apple%20Mavericks%20Debug%20WK2%20(Tests)/r164696%20(2899)/inspector-protocol/page/deny-X-FrameOption-crash-log.txt

ASSERTION FAILED: m_heap->vm()->currentThreadIsHoldingAPILock()
/Volumes/Data/slave/mavericks-debug/build/Source/JavaScriptCore/heap/MarkedAllocator.cpp(149) : void *JSC::MarkedAllocator::allocateSlowCase(size_t)
1   0x1106508d0 WTFCrash
2   0x110474955 JSC::MarkedAllocator::allocateSlowCase(unsigned long)
3   0x11189f7af JSC::MarkedAllocator::allocate(unsigned long)
4   0x11189f649 JSC::MarkedSpace::allocateWithImmortalStructureDestructor(unsigned long)
5   0x11189f5b6 JSC::Heap::allocateWithImmortalStructureDestructor(unsigned long)
6   0x11189f487 void* JSC::allocateCell<JSC::Structure>(JSC::Heap&, unsigned long)
7   0x11189f05f void* JSC::allocateCell<JSC::Structure>(JSC::Heap&)
8   0x11189eddf JSC::Structure::create(JSC::VM&, JSC::JSGlobalObject*, JSC::JSValue, JSC::TypeInfo const&, JSC::ClassInfo const*, unsigned char, unsigned int)
9   0x1124cc810 WebCore::JSCommandLineAPIHostPrototype::createStructure(JSC::VM&, JSC::JSGlobalObject*, JSC::JSValue)
10  0x1124cb769 WebCore::JSCommandLineAPIHost::createPrototype(JSC::VM&, JSC::JSGlobalObject*)
...
Comment 1 Radar WebKit Bug Importer 2014-02-25 22:50:56 PST
<rdar://problem/16170264>
Comment 2 Alexey Proskuryakov 2014-02-25 22:53:52 PST
Actually, there are lots of inspector tests failing with this assertion, probably should file a bug about each one.

Also:

inspector-protocol/debugger/nested-inspectors.html
inspector-protocol/dom-debugger/node-removed.html
Comment 3 Mark Lam 2014-02-25 22:54:49 PST
(In reply to comment #2)
> Actually, there are lots of inspector tests failing with this assertion, probably should file a bug about each one.
> 
> Also:
> 
> inspector-protocol/debugger/nested-inspectors.html
> inspector-protocol/dom-debugger/node-removed.html

They are probably due to the same root cause though.  I'm investigating.
Comment 4 Mark Lam 2014-02-26 00:32:25 PST
*** Bug 129360 has been marked as a duplicate of this bug. ***
Comment 5 Mark Lam 2014-02-26 00:38:42 PST
The test failure is intermittent because it depends on a GC / allocation activity happening at exactly the right moment.  That is why I don't see the failures when I run it on my machine.  However, there is an easy way to get an equivalent reproduction case, i.e. by adding the following assertion to JSC::Structure::create():

    ASSERT(vm.currentThreadIsHoldingAPILock());

With that I can get the inspector-protocol tests to fail all the time.

The failure is because InjectedScriptModule::ensureInjected() isn't using an APIEntryShim before it started calling functions that enter the VM.  The fix is to use the shim here.  Patch coming soon.
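Added illustration (not WebKit code, and not part of the patch on this bug): a small C++ mock of the API-lock precondition behind the assertion in the crash log. MockVM, MockAPIEntryShim, MockAllocator and runEnsureInjected are hypothetical stand-ins for JSC::VM, APIEntryShim, MarkedAllocator and InjectedScriptModule::ensureInjected(). It shows why the real failure is intermittent (the check lives on the allocator's slow path, which only runs when the current block is exhausted), why the extra assertion at the Structure::create entry point from comment 5 makes it deterministic, and how an RAII entry shim that takes the lock for the whole scope removes the violation.

```cpp
#include <atomic>
#include <cstdio>
#include <memory>
#include <mutex>
#include <thread>

// Hypothetical stand-in for JSC::VM (added example, not WebKit code). The API
// lock is a recursive mutex plus a record of the owning thread, so
// currentThreadIsHoldingAPILock() can be answered without blocking.
class MockVM {
public:
    void lockAPI() {
        m_mutex.lock();
        if (m_depth++ == 0)
            m_owner.store(std::this_thread::get_id());
    }
    void unlockAPI() {
        if (--m_depth == 0)
            m_owner.store(std::thread::id());
        m_mutex.unlock();
    }
    bool currentThreadIsHoldingAPILock() const {
        return m_owner.load() == std::this_thread::get_id();
    }

private:
    std::recursive_mutex m_mutex;
    int m_depth = 0;  // only touched while m_mutex is held
    std::atomic<std::thread::id> m_owner{std::thread::id()};
};

// Hypothetical stand-in for APIEntryShim: a scope guard that takes the API lock
// on construction and releases it on destruction, so every VM entry further
// down the call stack sees the lock held.
class MockAPIEntryShim {
public:
    explicit MockAPIEntryShim(MockVM& vm) : m_vm(vm) { m_vm.lockAPI(); }
    ~MockAPIEntryShim() { m_vm.unlockAPI(); }
    MockAPIEntryShim(const MockAPIEntryShim&) = delete;
    MockAPIEntryShim& operator=(const MockAPIEntryShim&) = delete;

private:
    MockVM& m_vm;
};

// Stand-in for MarkedAllocator. The lock check sits only on the slow path
// (current block exhausted), which is why the real failure depends on the
// allocation state at the moment the inspector code runs. Violations are
// counted instead of crashing so the outcome can be inspected.
struct MockAllocator {
    static constexpr int kCellsPerBlock = 4;
    int freeCellsInBlock = 0;
    int violations = 0;

    bool allocate(const MockVM& vm) {
        if (freeCellsInBlock > 0) {  // fast path: bump-allocate, no check at all
            --freeCellsInBlock;
            return true;
        }
        return allocateSlowCase(vm);
    }

    bool allocateSlowCase(const MockVM& vm) {
        if (!vm.currentThreadIsHoldingAPILock()) {  // the ASSERTION from the report
            ++violations;
            return false;
        }
        freeCellsInBlock = kCellsPerBlock - 1;  // refill the block, hand out one cell
        return true;
    }
};

struct Outcome {
    int slowPathViolations;    // caught by the allocator's slow-path check
    int entryPointViolations;  // caught by the always-on check at Structure::create
};

// Stand-in for InjectedScriptModule::ensureInjected() creating prototypes and
// their Structures. useShim selects the fixed shape (lock held for the scope);
// checkAtEntry adds the assertion from comment 5 at the Structure::create entry
// point; freeCellsBefore models how much GC / allocation activity preceded the call.
Outcome runEnsureInjected(bool useShim, bool checkAtEntry, int freeCellsBefore, int structuresToCreate) {
    MockVM vm;
    MockAllocator allocator;
    allocator.freeCellsInBlock = freeCellsBefore;
    int entryPointViolations = 0;

    std::unique_ptr<MockAPIEntryShim> shim;  // declared after vm, so destroyed (unlocked) first
    if (useShim)
        shim.reset(new MockAPIEntryShim(vm));

    for (int i = 0; i < structuresToCreate; ++i) {
        if (checkAtEntry && !vm.currentThreadIsHoldingAPILock()) {
            ++entryPointViolations;  // a real ASSERT would crash the debug build right here
            continue;
        }
        allocator.allocate(vm);  // createPrototype -> Structure::create -> allocateCell
    }
    return { allocator.violations, entryPointViolations };
}

int main() {
    Outcome lucky = runEnsureInjected(false, false, 3, 2);  // fast path only: bug goes unnoticed
    Outcome slow = runEnsureInjected(false, false, 0, 2);   // block exhausted: slow-path check fires
    Outcome entry = runEnsureInjected(false, true, 3, 2);   // always-on check: fires on every call
    Outcome fixed = runEnsureInjected(true, true, 0, 5);    // shim held: no violations at all
    std::printf("no shim, room in block: slow=%d entry=%d\n", lucky.slowPathViolations, lucky.entryPointViolations);
    std::printf("no shim, block full:    slow=%d entry=%d\n", slow.slowPathViolations, slow.entryPointViolations);
    std::printf("no shim, entry check:   slow=%d entry=%d\n", entry.slowPathViolations, entry.entryPointViolations);
    std::printf("with shim:              slow=%d entry=%d\n", fixed.slowPathViolations, fixed.entryPointViolations);
    return 0;
}
```

The violation counters stand in for the ASSERT; a debug build of the real engine aborts at the first one, which is what the crash log at the top of this bug shows. The first run passes only because the mock block still had free cells, which is the "right moment" dependency described in comment 5; the entry-point check removes that dependency, and the shim removes the violation.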
Comment 6 Mark Lam 2014-02-26 00:47:59 PST
Created attachment 225235 [details]
the patch.
Comment 7 Mark Lam 2014-02-26 00:52:00 PST
Created attachment 225237 [details]
patch 2: added a comment.
Comment 8 WebKit Commit Bot 2014-02-26 08:36:37 PST
Comment on attachment 225237 [details]
patch 2: added a comment.

Clearing flags on attachment: 225237

Committed r164717: <http://trac.webkit.org/changeset/164717>
Comment 9 WebKit Commit Bot 2014-02-26 08:36:40 PST
All reviewed patches have been landed.  Closing bug.