Bug 159075

Summary: Web Inspector: CRASH in backend at Inspector::HeapFrontendDispatcher::garbageCollected + 552 when closing frontend/inspected page
Product: WebKit Reporter: Blaze Burg <bburg>
Component: Web InspectorAssignee: Blaze Burg <bburg>
Status: RESOLVED FIXED    
Severity: Normal CC: bburg, commit-queue, joepeck, keith_miller, mark.lam, mattbaker, msaboff, nvasilyev, saam, timothy, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: All   
OS: All   
Bug Depends on: 159105    
Bug Blocks:    
Attachments:
Description Flags
Proposed Fix
none
Proposed Fix
none
Proposed Fix v3
none
Followup fix fpizlo: review+

Blaze Burg
Reported 2016-06-23 16:06:02 PDT
Very persistent-but-infrequent crashes ever since this was added. which makes sense.
Attachments
Proposed Fix (1.68 KB, patch)
2016-06-23 16:12 PDT, Blaze Burg 		no flags
DetailsFormatted DiffDiff
Proposed Fix (6.96 KB, patch)
2016-06-24 11:06 PDT, Blaze Burg 		no flags
DetailsFormatted DiffDiff
Proposed Fix v3 (7.56 KB, patch)
2016-06-24 16:57 PDT, Blaze Burg 		no flags
DetailsFormatted DiffDiff
Followup fix (1.81 KB, patch)
2016-06-27 13:46 PDT, Blaze Burg 		fpizlo: review+
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Blaze Burg
Comment 1 2016-06-23 16:06:16 PDT
<rdar://problem/26094341>
Blaze Burg
Comment 2 2016-06-23 16:12:09 PDT
Created attachment 281938 [details] Proposed Fix
Joseph Pecoraro
Comment 3 2016-06-23 19:27:25 PDT
Comment on attachment 281938 [details] Proposed Fix View in context: https://bugs.webkit.org/attachment.cgi?id=281938&action=review > Source/JavaScriptCore/inspector/agents/InspectorHeapAgent.cpp:297 > + // The frontend could have gone away after the activity was scheduled. > + if (m_frontendDispatcher) Is `this` valid? Could it be stale?
Blaze Burg
Comment 4 2016-06-24 10:43:53 PDT
Comment on attachment 281938 [details] Proposed Fix Yeah, you are right. I guess it needs to go the direction of CSSAgent's ChangeRegionOversetTask... blah.
Blaze Burg
Comment 5 2016-06-24 11:06:16 PDT
Created attachment 282001 [details] Proposed Fix
Joseph Pecoraro
Comment 6 2016-06-24 13:05:56 PDT
Comment on attachment 282001 [details] Proposed Fix View in context: https://bugs.webkit.org/attachment.cgi?id=282001&action=review r=me! > Source/JavaScriptCore/inspector/agents/InspectorHeapAgent.cpp:52 > + RunLoop::Timer<SendGarbageCollectionEventsTask> m_timer; I did not know there was a RunLoop::Timer! This is excellent.
WebKit Commit Bot
Comment 7 2016-06-24 13:30:19 PDT
Comment on attachment 282001 [details] Proposed Fix Clearing flags on attachment: 282001 Committed r202443: <http://trac.webkit.org/changeset/202443>
WebKit Commit Bot
Comment 8 2016-06-24 13:30:23 PDT
All reviewed patches have been landed. Closing bug.
Alexey Proskuryakov
Comment 9 2016-06-24 15:44:19 PDT
This has introduced a number of memory corruption crashes, rolling out. Will follow up with details in e-mail.
WebKit Commit Bot
Comment 10 2016-06-24 15:46:59 PDT
Re-opened since this is blocked by bug 159105
Blaze Burg
Comment 11 2016-06-24 16:57:43 PDT
Created attachment 282033 [details] Proposed Fix v3
Blaze Burg
Comment 12 2016-06-27 10:47:25 PDT
Comment on attachment 282033 [details] Proposed Fix v3 Let's give this another try.
WebKit Commit Bot
Comment 13 2016-06-27 10:50:36 PDT
Comment on attachment 282033 [details] Proposed Fix v3 Clearing flags on attachment: 282033 Committed r202492: <http://trac.webkit.org/changeset/202492>
WebKit Commit Bot
Comment 14 2016-06-27 10:50:40 PDT
All reviewed patches have been landed. Closing bug.
Blaze Burg
Comment 15 2016-06-27 13:43:15 PDT
Causing JSC stress tests to fail due to an (apparently not harmless) change introduced in the last patch. Will post a fix.
Blaze Burg
Comment 16 2016-06-27 13:46:52 PDT
Reopening to attach new patch.
Blaze Burg
Comment 17 2016-06-27 13:46:54 PDT
Created attachment 282165 [details] Followup fix
Blaze Burg
Comment 18 2016-06-27 14:52:26 PDT
Landed followup in <https://trac.webkit.org/r202515>.
Joseph Pecoraro
Comment 19 2016-06-27 17:18:09 PDT
Comment on attachment 282033 [details] Proposed Fix v3 View in context: https://bugs.webkit.org/attachment.cgi?id=282033&action=review > Source/JavaScriptCore/inspector/agents/InspectorHeapAgent.cpp:71 > + std::lock_guard<Lock> lock(m_mutex); Maybe we should use LockHolder instead of std::lock_guard.
Note You need to log in before you can comment on or make changes to this bug.