Bug 132021

Summary: WebCore::HTMLMediaElement::ensureMediaControlsInjectedScript() needs to acquire the JSLock before calling into JS
Product: WebKit Reporter: Mark Lam <mark.lam>
Component: JavaScriptCoreAssignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED    
Severity: Normal CC: calvaris, commit-queue, eric.carlson, esprehn+autocc, glenn, gyuyoung.kim, jer.noble, mhahnenberg, msaboff, philipj, sergio, thorton, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
the patch. mhahnenberg: review+

Mark Lam
Reported 2014-04-22 12:49:11 PDT
And because it's not acquiring the lock, we see the following failure: http://build.webkit.org/results/Apple%20Mavericks%20Debug%20WK2%20(Tests)/r167665%20(4123)/media/video-controller-currentTime-crash-log.txt ASSERTION FAILED: vm()->currentThreadIsHoldingAPILock() /Volumes/Data/slave/mavericks-debug/build/Source/JavaScriptCore/heap/Heap.cpp(977) : void JSC::Heap::collect(JSC::HeapOperation) 1 0x1092840a0 WTFCrash 2 0x108e9eabd JSC::Heap::collect(JSC::HeapOperation) 3 0x108b58e67 JSC::Heap::collectIfNecessaryOrDefer() 4 0x108b58d92 JSC::Heap::decrementDeferralDepthAndGCIfNeeded() 5 0x108b58d68 JSC::DeferGC::~DeferGC() 6 0x108b58435 JSC::DeferGC::~DeferGC() 7 0x10920888e JSC::Structure::get(JSC::VM&, JSC::PropertyName, unsigned int&, JSC::JSCell*&) 8 0x108b5b08d JSC::JSObject::inlineGetOwnPropertySlot(JSC::ExecState*, JSC::VM&, JSC::Structure&, JSC::PropertyName, JSC::PropertySlot&) 9 0x108b5479e JSC::JSObject::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) 10 0x108fa9c19 bool JSC::getStaticFunctionSlot<JSC::JSSegmentedVariableObject>(JSC::ExecState*, JSC::HashTable const&, JSC::JSObject*, JSC::PropertyName, JSC::PropertySlot&) 11 0x108f9762c JSC::JSGlobalObject::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) 12 0x10b28f9ed WebCore::JSDOMWindow::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) 13 0x10a89ff74 JSC::JSObject::fastGetOwnPropertySlot(JSC::ExecState*, JSC::VM&, JSC::Structure&, JSC::PropertyName, JSC::PropertySlot&) 14 0x10a89fd1e JSC::JSObject::getPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) 15 0x10a89db95 JSC::JSObject::get(JSC::ExecState*, JSC::PropertyName) const 16 0x10ada8974 WebCore::HTMLMediaElement::ensureMediaControlsInjectedScript() 17 0x10ada8b93 WebCore::HTMLMediaElement::didAddUserAgentShadowRoot(WebCore::ShadowRoot*) 18 0x10aa3f586 WebCore::Element::ensureUserAgentShadowRoot() 19 0x10ad949cb WebCore::HTMLMediaElement::configureMediaControls() 20 0x10ad95414 WebCore::HTMLMediaElement::insertedInto(WebCore::ContainerNode&) 21 0x10a5feff3 WebCore::ChildNodeInsertionNotifier::notifyNodeInsertedIntoDocument(WebCore::Node&) 22 0x10a5f72a3 WebCore::ChildNodeInsertionNotifier::notify(WebCore::Node&) 23 0x10a5f2dc6 WebCore::ContainerNode::parserAppendChild(WTF::PassRefPtr<WebCore::Node>) 24 0x10ad2859a WebCore::insert(WebCore::HTMLConstructionSiteTask&) 25 0x10ad281ee WebCore::executeInsertTask(WebCore::HTMLConstructionSiteTask&) 26 0x10ad24d00 WebCore::executeTask(WebCore::HTMLConstructionSiteTask&) 27 0x10ad24c92 WebCore::HTMLConstructionSite::executeQueuedTasks() 28 0x10ae33245 WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken*) 29 0x10ad35a27 WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLToken&) 30 0x10ad34e32 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) 31 0x10ad34419 WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode)
Attachments
the patch. (1.43 KB, patch)
2014-04-22 12:54 PDT, Mark Lam 		mhahnenberg: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Mark Lam
Comment 1 2014-04-22 12:49:56 PDT
<rdar://problem/16689723>
Mark Lam
Comment 2 2014-04-22 12:54:04 PDT
Created attachment 229908 [details] the patch.
Mark Hahnenberg
Comment 3 2014-04-22 12:55:58 PDT
Comment on attachment 229908 [details] the patch. r=me
Mark Lam
Comment 4 2014-04-22 12:59:26 PDT
Thanks. Landed in r167676: <http://trac.webkit.org/r167676>.
Darin Adler
Comment 5 2014-04-24 16:46:03 PDT
Moving all JavaScriptGlue bugs to JavaScriptCore. The JavaScriptGlue framework itself is long gone. And most of the more recent bugs put in this component were put there by people who thought this was for some other aspect of “JavaScript glue” and have nothing to do with the actual original reason for the existence of this component, which was an OS-X-only framework named JavaScriptGlue.
Note You need to log in before you can comment on or make changes to this bug.