Bug 167322

Summary: ObjCCallbackFunction::destroy() should not use jsCast().
Product: WebKit    Reporter: Mark Lam <mark.lam>
Component: JavaScriptCore    Assignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED
Severity: Normal    CC: ap, fpizlo, ggaren, jfbastien, keith_miller, msaboff, ryanhaddad, saam
Priority: P2    Keywords: InRadar
Version: WebKit Local Build
Hardware: Unspecified
OS: Unspecified
Attachments:
  Description: proposed patch.    Flags: fpizlo: review+

Description Mark Lam 2017-01-23 13:51:24 PST
testapi is failing on this assertion (with a debug build, of course) on every run for me, and on almost every run on the bots.  The assertion was added recently by Fil on Jan 17, 2017 for r210829.  The assertion stack trace:

2017-01-23 13:45:03.013196-0800 testapi[93369:25981002] /Volumes/Data/ws3/OpenSource/Source/JavaScriptCore/runtime/JSCellInlines.h(287) : const JSC::ClassInfo *JSC::JSCell::classInfo() const
2017-01-23 13:45:03.014399-0800 testapi[93369:25981002] 1   0x1014d93bd WTFCrash
2017-01-23 13:45:03.015235-0800 testapi[93369:25981002] 2   0x100100936 JSC::JSCell::classInfo() const
2017-01-23 13:45:03.015992-0800 testapi[93369:25981002] 3   0x1000f7a09 JSC::JSCell::inherits(JSC::ClassInfo const*) const
2017-01-23 13:45:03.016879-0800 testapi[93369:25981002] 4   0x101127c30 JSC::ObjCCallbackFunction* JSC::jsCast<JSC::ObjCCallbackFunction*, JSC::JSCell>(JSC::JSCell*)
2017-01-23 13:45:03.017770-0800 testapi[93369:25981002] 5   0x101126d15 JSC::ObjCCallbackFunction::destroy(JSC::JSCell*)
2017-01-23 13:45:03.018760-0800 testapi[93369:25981002] 6   0x100bc3f0a JSC::(anonymous namespace)::DestroyFunc::operator()(JSC::VM&, JSC::JSCell*) const
2017-01-23 13:45:03.019615-0800 testapi[93369:25981002] 7   0x100bc5a25 JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<false, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)0, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)0, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&)::'lambda'(unsigned long)::operator()(unsigned long) const
2017-01-23 13:45:03.020479-0800 testapi[93369:25981002] 8   0x100bc4515 JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<false, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)0, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)0, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&)
2017-01-23 13:45:03.021301-0800 testapi[93369:25981002] 9   0x100bc3e8f JSC::FreeList JSC::MarkedBlock::Handle::finishSweepKnowingSubspace<JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::SweepMode, JSC::(anonymous namespace)::DestroyFunc const&)
2017-01-23 13:45:03.022104-0800 testapi[93369:25981002] 10  0x100bc3d0d JSC::JSDestructibleObjectSubspace::finishSweep(JSC::MarkedBlock::Handle&, JSC::MarkedBlock::Handle::SweepMode)
2017-01-23 13:45:03.022961-0800 testapi[93369:25981002] 11  0x1010d6863 JSC::MarkedBlock::Handle::sweep(JSC::MarkedBlock::Handle::SweepMode)
2017-01-23 13:45:03.023811-0800 testapi[93369:25981002] 12  0x1010d6592 JSC::MarkedBlock::Handle::lastChanceToFinalize()
2017-01-23 13:45:03.024680-0800 testapi[93369:25981002] 13  0x1010d5049 JSC::MarkedAllocator::lastChanceToFinalize()::$_4::operator()(JSC::MarkedBlock::Handle*) const
2017-01-23 13:45:03.025525-0800 testapi[93369:25981002] 14  0x1010d501b void JSC::MarkedAllocator::forEachBlock<JSC::MarkedAllocator::lastChanceToFinalize()::$_4>(JSC::MarkedAllocator::lastChanceToFinalize()::$_4 const&)::'lambda'(unsigned long)::operator()(unsigned long) const
2017-01-23 13:45:03.026398-0800 testapi[93369:25981002] 15  0x1010d4f9c void WTF::FastBitVectorImpl<WTF::FastBitVectorWordOwner>::forEachSetBit<void JSC::MarkedAllocator::forEachBlock<JSC::MarkedAllocator::lastChanceToFinalize()::$_4>(JSC::MarkedAllocator::lastChanceToFinalize()::$_4 const&)::'lambda'(unsigned long)>(JSC::MarkedAllocator::lastChanceToFinalize()::$_4 const&) const
2017-01-23 13:45:03.027271-0800 testapi[93369:25981002] 16  0x1010d32c3 void JSC::MarkedAllocator::forEachBlock<JSC::MarkedAllocator::lastChanceToFinalize()::$_4>(JSC::MarkedAllocator::lastChanceToFinalize()::$_4 const&)
2017-01-23 13:45:03.028136-0800 testapi[93369:25981002] 17  0x1010d3289 JSC::MarkedAllocator::lastChanceToFinalize()
2017-01-23 13:45:03.029007-0800 testapi[93369:25981002] 18  0x1010e1389 JSC::MarkedSpace::lastChanceToFinalize()::$_2::operator()(JSC::MarkedAllocator&) const
2017-01-23 13:45:03.029892-0800 testapi[93369:25981002] 19  0x1010dba67 void JSC::MarkedSpace::forEachAllocator<JSC::MarkedSpace::lastChanceToFinalize()::$_2>(JSC::MarkedSpace::lastChanceToFinalize()::$_2 const&)
2017-01-23 13:45:03.030768-0800 testapi[93369:25981002] 20  0x1010db9cd JSC::MarkedSpace::lastChanceToFinalize()
2017-01-23 13:45:03.031612-0800 testapi[93369:25981002] 21  0x100d6b278 JSC::Heap::lastChanceToFinalize()
2017-01-23 13:45:03.032489-0800 testapi[93369:25981002] 22  0x1013b0d52 JSC::VM::~VM()
2017-01-23 13:45:03.033342-0800 testapi[93369:25981002] 23  0x1013b2a65 JSC::VM::~VM()
2017-01-23 13:45:03.034215-0800 testapi[93369:25981002] 24  0x100da5fd7 WTF::ThreadSafeRefCounted<JSC::VM>::deref() const
2017-01-23 13:45:03.035012-0800 testapi[93369:25981002] 25  0x100da5f81 void WTF::derefIfNotNull<JSC::VM>(JSC::VM*)
2017-01-23 13:45:03.035845-0800 testapi[93369:25981002] 26  0x100fa145b WTF::RefPtr<JSC::VM>::operator=(std::nullptr_t)
2017-01-23 13:45:03.036692-0800 testapi[93369:25981002] 27  0x100fb1d5a JSC::JSLockHolder::~JSLockHolder()
2017-01-23 13:45:03.037527-0800 testapi[93369:25981002] 28  0x100fb1dd5 JSC::JSLockHolder::~JSLockHolder()
2017-01-23 13:45:03.038356-0800 testapi[93369:25981002] 29  0x100f43d2b JSContextGroupRelease
2017-01-23 13:45:03.039223-0800 testapi[93369:25981002] 30  0x101056584 -[JSVirtualMachine dealloc]
2017-01-23 13:45:03.040088-0800 testapi[93369:25981002] 31  0x100f42456 -[JSContext dealloc]
Comment 1 Filip Pizlo 2017-01-23 13:59:01 PST
Looks like another jsCast that should be a static_cast.
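To make the point concrete, here is a constructed C++ model of the bug's shape; it is not JSC's code and not the landed patch. It assumes the mechanism behind the assertion is that a cell's type metadata (its Structure) is already gone when the final sweep calls destroy(), so a jsCast-style checked downcast consults dead metadata, whereas a static_cast relies only on the sweeper handing destroy() cells of the type it allocated.

```cpp
#include <memory>
#include <vector>
// Constructed model of this bug's shape, not JSC's code. Assumed mechanism: the
// heap drops a cell's Structure (its type metadata) before the final sweep calls
// destroy(), so jsCast() -> inherits() -> classInfo() would read dead metadata,
// which the debug build's assertion catches.
struct ClassInfo { const ClassInfo* parent; };
const ClassInfo cellInfo{nullptr};
const ClassInfo callbackInfo{&cellInfo};
struct Structure { const ClassInfo* classInfo; };
struct Heap;
struct Cell {
    Heap* heap = nullptr; Structure* structure = nullptr;   // structure dangles once the heap drops its Structures
    virtual ~Cell() = default;
    bool inherits(const ClassInfo* target) const;
};
struct CallbackFunction : Cell { bool released = false; };
struct Heap {
    bool sweeping = false; int assertionsHit = 0, destroyed = 0;   // assertionsHit: classInfo() read mid-sweep
    std::vector<std::unique_ptr<Structure>> structures; std::vector<std::unique_ptr<Cell>> cells;
};
bool Cell::inherits(const ClassInfo* target) const {
    if (heap->sweeping) { ++heap->assertionsHit; return false; }   // models the ASSERT in classInfo()
    for (const ClassInfo* c = structure->classInfo; c; c = c->parent)
        if (c == target) return true;
    return false;
}
// Buggy destroy(): a jsCast-style checked downcast needs live type metadata.
void destroyChecked(Cell* cell) {
    if (!cell->inherits(&callbackInfo)) return;
    static_cast<CallbackFunction*>(cell)->released = true; ++cell->heap->destroyed;
}
// Fixed destroy(): the sweeper only passes cells it allocated as CallbackFunction,
// so static_cast is correct and consults no metadata.
void destroyUnchecked(Cell* cell) {
    static_cast<CallbackFunction*>(cell)->released = true; ++cell->heap->destroyed;
}
void populate(Heap& heap, int n) {
    heap.structures.push_back(std::make_unique<Structure>(Structure{&callbackInfo}));
    for (int i = 0; i < n; ++i) {
        heap.cells.push_back(std::make_unique<CallbackFunction>());
        heap.cells.back()->heap = &heap; heap.cells.back()->structure = heap.structures.back().get();
    }
}
// Final sweep as in VM teardown: Structures are gone by the time destroy() runs.
int lastChanceToFinalize(Heap& heap, void (*destroy)(Cell*)) {
    heap.sweeping = true; heap.structures.clear();
    for (auto& c : heap.cells) destroy(c.get());
    return heap.destroyed;
}
```

Outside the sweep the checked cast still works, which is why the problem only shows up in the destroy() path and only with assertions enabled.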
Comment 2 Mark Lam 2017-01-23 14:44:14 PST
Created attachment 299541 [details]
proposed patch.
Comment 3 Mark Lam 2017-01-23 14:51:26 PST
Thanks for the review.  Landed in r211063: <http://trac.webkit.org/r211063>.
Comment 4 Mark Lam 2017-05-16 16:51:06 PDT
<rdar://problem/32228083>