Bug 199340

Summary: DataCue destructor calls JSC::gcUnprotect() without holding JSLock.
Product: WebKit Reporter: Mark Lam <mark.lam>
Component: MediaAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: dino, eric.carlson, rniwa, ysuzuki
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

Mark Lam
Reported 2019-06-28 17:13:27 PDT
You repro this with a debug build as follows: $ VM=WebKitBuild/Debug && DYLD_FRAMEWORK_PATH=$VM JSC_slowPathAllocsBetweenGCs=10 $VM/DumpRenderTree LayoutTests/media/track/track-in-band-metadata-display-order.html ASSERTION FAILED: m_vm->currentThreadIsHoldingAPILock() ./heap/Heap.cpp(583) : bool JSC::Heap::unprotect(JSC::JSValue) 1 0x1011974f9 WTFCrash 2 0x10119a2ab WTFCrashWithInfo(int, char const*, char const*, int) 3 0x102146a0d JSC::Heap::unprotect(JSC::JSValue) 4 0x110686873 JSC::gcUnprotect(JSC::JSCell*) 5 0x1106857b9 JSC::gcUnprotect(JSC::JSValue) 6 0x110685728 WebCore::DataCue::~DataCue() 7 0x110685875 WebCore::DataCue::~DataCue() 8 0x110685899 WebCore::DataCue::~DataCue() 9 0x110688acf WTF::RefCounted<WebCore::TextTrackCue>::deref() const 10 0x110785545 void WTF::derefIfNotNull<WebCore::TextTrackCue>(WebCore::TextTrackCue*) 11 0x110785509 WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> >::~RefPtr() 12 0x110778595 WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> >::~RefPtr() 13 0x11082bdbf WTF::VectorDestructor<true, WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> > >::destruct(WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> >*, WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> >*) 14 0x11082bd1d WTF::VectorTypeOperations<WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> > >::destruct(WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> >*, WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> >*) 15 0x11082bce0 WTF::Vector<WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> >, 0ul, WTF::CrashOnOverflow, 16ul>::~Vector() 16 0x11082a6f5 WTF::Vector<WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> >, 0ul, WTF::CrashOnOverflow, 16ul>::~Vector() 17 0x11082bfa3 WebCore::TextTrackCueList::~TextTrackCueList() 18 0x11082bf45 WebCore::TextTrackCueList::~TextTrackCueList() 19 0x11082bf17 WTF::RefCounted<WebCore::TextTrackCueList>::deref() const 20 0x11082c061 void WTF::derefIfNotNull<WebCore::TextTrackCueList>(WebCore::TextTrackCueList*) 21 0x11082c029 WTF::RefPtr<WebCore::TextTrackCueList, WTF::DumbPtrTraits<WebCore::TextTrackCueList> >::~RefPtr() 22 0x11082bfd5 WTF::RefPtr<WebCore::TextTrackCueList, WTF::DumbPtrTraits<WebCore::TextTrackCueList> >::~RefPtr() 23 0x11098081f WebCore::TextTrack::~TextTrack() 24 0x110980975 WebCore::TextTrack::~TextTrack() 25 0x1109809d9 WebCore::TextTrack::~TextTrack() 26 0x1105f3c5f WTF::RefCounted<WebCore::TrackBase>::deref() const 27 0x1109aa505 void WTF::derefIfNotNull<WebCore::TrackBase>(WebCore::TrackBase*) 28 0x1109aa4c9 WTF::RefPtr<WebCore::TrackBase, WTF::DumbPtrTraits<WebCore::TrackBase> >::~RefPtr() 29 0x1109aa495 WTF::RefPtr<WebCore::TrackBase, WTF::DumbPtrTraits<WebCore::TrackBase> >::~RefPtr() 30 0x1109aa45f WTF::VectorDestructor<true, WTF::RefPtr<WebCore::TrackBase, WTF::DumbPtrTraits<WebCore::TrackBase> > >::destruct(WTF::RefPtr<WebCore::TrackBase, WTF::DumbPtrTraits<WebCore::TrackBase> >*, WTF::RefPtr<WebCore::TrackBase, WTF::DumbPtrTraits<WebCore::TrackBase> >*) 31 0x1109aa3cd WTF::VectorTypeOperations<WTF::RefPtr<WebCore::TrackBase, WTF::DumbPtrTraits<WebCore::TrackBase> > >::destruct(WTF::RefPtr<WebCore::TrackBase, WTF::DumbPtrTraits<WebCore::TrackBase> >*, WTF::RefPtr<WebCore::TrackBase, WTF::DumbPtrTraits<WebCore::TrackBase> >*)
Attachments
Add attachment proposed patch, testcase, etc.
Ryosuke Niwa
Comment 1 2019-08-28 08:24:58 PDT
Is this fixed by https://trac.webkit.org/changeset/249133?
Yusuke Suzuki
Comment 2 2019-08-28 10:38:08 PDT
(In reply to Ryosuke Niwa from comment #1) > Is this fixed by https://trac.webkit.org/changeset/249133? Yes, this is fixed in that change. Closing.
Yusuke Suzuki
Comment 3 2019-08-28 10:38:37 PDT
*** This bug has been marked as a duplicate of bug 201170 ***
Note You need to log in before you can comment on or make changes to this bug.