Bug 167955
| Summary: | DOMPromise is sometimes crashing at destruction time. | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | youenn fablet <youennf> |
| Component: | WebCore Misc. | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED DUPLICATE | ||
| Severity: | Normal | CC: | ap, fpizlo, keith_miller, sam |
| Priority: | P2 | ||
| Version: | WebKit Nightly Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
youenn fablet
Trace is something like:
ASSERTION FAILED: vm.heap.mutatorState() == MutatorState::Running || vm.apiLock().ownerThread() != std::this_thread::get_id()
/Users/youenn/dev/Apple/OpenSource/WebKitBuild/Debug/JavaScriptCore.framework/PrivateHeaders/JSCellInlines.h(283) : const JSC::ClassInfo *JSC::JSCell::classInfo(JSC::VM &) const
1 0x114699abd WTFCrash
2 0x116fd1348 JSC::JSCell::classInfo(JSC::VM&) const
3 0x116fd11d1 JSC::JSCell::inherits(JSC::VM&, JSC::ClassInfo const*) const
4 0x116fd7984 WebCore::JSDOMGlobalObject* JSC::jsCast<WebCore::JSDOMGlobalObject*, JSC::JSCell>(JSC::JSCell*)
5 0x116fd77cc JSC::Weak<WebCore::JSDOMGlobalObject>::operator->() const
6 0x1181ac4d7 WebCore::DeferredPromise::clear()
7 0x1181ac3d7 WebCore::DeferredPromise::~DeferredPromise()
8 0x1181ac5c5 WebCore::DeferredPromise::~DeferredPromise()
9 0x1181ac5e9 WebCore::DeferredPromise::~DeferredPromise()
10 0x116fd6c2f WTF::RefCounted<WebCore::DeferredPromise>::deref() const
11 0x11707f851 WTF::Ref<WebCore::DeferredPromise>::~Ref()
12 0x11707f815 WTF::Ref<WebCore::DeferredPromise>::~Ref()
13 0x11707f7f5 WebCore::DOMPromiseBase::~DOMPromiseBase()
14 0x1178f3fb5 WebCore::DOMPromise<WebCore::IDLInterface<WebCore::FontFace> >::~DOMPromise()
15 0x1178f3f75 WebCore::DOMPromise<WebCore::IDLInterface<WebCore::FontFace> >::~DOMPromise()
16 0x1178f3f3d std::optional_base<WebCore::DOMPromise<WebCore::IDLInterface<WebCore::FontFace> > >::~optional_base()
17 0x1178f3f05 std::optional<WebCore::DOMPromise<WebCore::IDLInterface<WebCore::FontFace> > >::~optional()
18 0x1178f2cb5 std::optional<WebCore::DOMPromise<WebCore::IDLInterface<WebCore::FontFace> > >::~optional()
19 0x1178f2c55 WebCore::FontFace::~FontFace()
20 0x1178f2d15 WebCore::FontFace::~FontFace()
21 0x1178f2d39 WebCore::FontFace::~FontFace()
22 0x1173ecc6f WTF::RefCounted<WebCore::FontFace>::deref() const
23 0x1173ecc19 WebCore::FontFace::deref()
24 0x1173ecbfa WTF::Ref<WebCore::FontFace>::~Ref()
25 0x1173e5055 WTF::Ref<WebCore::FontFace>::~Ref()
26 0x118342619 WebCore::JSDOMWrapper<WebCore::FontFace>::~JSDOMWrapper()
27 0x1183425f5 WebCore::JSFontFace::~JSFontFace()
28 0x11833f605 WebCore::JSFontFace::~JSFontFace()
29 0x11833f0fd WebCore::JSFontFace::destroy(JSC::JSCell*)
30 0x1140f927a JSC::(anonymous namespace)::DestroyFunc::operator()(JSC::VM&, JSC::JSCell*) const
31 0x1140fb8a5 JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<false, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)0, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)0, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&)::'lambda'(unsigned long)::operator()(unsigned long) const
This happens when playing with the GC
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Sam Weinig
Can you attach a full stack trace? I am curious what is going on with the other threads.
youenn fablet
*** This bug has been marked as a duplicate of bug 168354 ***
Alexey Proskuryakov
Bug 168354 is specific to detaching the debugger, so it cannot be the same issue.
Bug 168406 may be the correct original, or this could be a separate bug. Keith, what do you think?