Bug 28997

Summary: Web Inspector assertion failure related to marking
Product: WebKit
Reporter: Jessie Berlin <jberlin>
Component: Web Inspector (Deprecated)
Assignee: Darin Adler <darin>
Status: RESOLVED FIXED
Severity: Normal
CC: darin, ggaren, mrowe, oliver
Priority: P2
Version: 528+ (Nightly build)
Hardware: Mac (Intel)
OS: OS X 10.5
Attachments: Patch v1 (flags: ggaren: review+)

Jessie Berlin
Reported 2009-09-05 17:57:52 PDT
In a debug build (r48097), interacting with the web inspector causes an assertion failure in JSC::MarkStack::append:

ASSERTION FAILED: !m_isCheckingForDefaultMarkViolation
(/Users/jessieberlin/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/PrivateHeaders/JSCell.h:329 void JSC::MarkStack::append(JSC::JSCell*))

Steps to reproduce:
1. Make sure the Develop menu is showing in the menu bar.
2. Navigate to a web page (e.g. webkit.org).
3. Inspect any element on the page.
4. Interact with the Web Inspector (e.g. expand or collapse "Computed Style").
5. Note that Safari crashes with the assertion above.

Possibly related to http://trac.webkit.org/changeset/48068
Attachments
Patch v1 (4.94 KB, patch), 2009-09-08 11:56 PDT, Oliver Hunt, flags: ggaren: review+
Mark Rowe (bdash)
Comment 1 2009-09-05 18:00:20 PDT
(gdb) bt
#0  0x00000001019b338e in JSC::MarkStack::append (this=0x117826ba0, cell=0x1085aff80) at JSCell.h:329
#1  0x0000000101ad8661 in WebCore::JSQuarantinedObjectWrapper::markChildren (this=0x119f03fc0, markStack=@0x117826ba0) at WebCore/bindings/js/JSQuarantinedObjectWrapper.cpp:99
#2  0x0000000100b42359 in JSC::MarkStack::markChildren (this=0x117826ba0, cell=0x119f03fc0) at JSArray.h:166
#3  0x0000000100b42687 in JSC::MarkStack::drain (this=0x117826ba0) at JSArray.h:215
Darin Adler
Comment 2 2009-09-05 21:05:18 PDT
JSQuarantinedObjectWrapper overrides markChildren, therefore needs to have a structure without the HasDefaultMark flag set. I can fix this on Tuesday, but if someone else wants to tackle it before then it should be similar to the fix in <http://trac.webkit.org/changeset/48079>. Another alternative would be to turn off the JavaScriptCore assertion by removing it for now. The garbage collection bug will remain, but the inconvenient assertion will be gone for the time being.
Mark Rowe (bdash)
Comment 3 2009-09-06 06:03:07 PDT
JSQuarantinedObjectWrapper does have a structure without HasDefaultMark set (per its implementation of createStructure in JSQuarantinedObjectWrapper.h). The problematic object appears to be an instance of JSInspectorCallbackWrapper. The structure seems to be passed in to the JSInspectorCallbackWrapper constructor, and sometimes ends up being the result of a call to asObject(wrap(unwrappedExec, prototype))->inheritorID() (<http://trac.webkit.org/browser/trunk/WebCore/bindings/js/JSInspectorCallbackWrapper.cpp#L76>). JSObject::inheritorID() seems to call JSObject::createStructure itself if there is no inheritor ID set, which results in HasDefaultMark being set on the structure.
Geoffrey Garen
Comment 4 2009-09-08 11:09:54 PDT
(In reply to comment #3) Oliver's in the middle of a fix.
Geoffrey Garen
Comment 5 2009-09-08 11:11:02 PDT
(In reply to comment #4) (Changing the call to inheritorID() to a call to createStructure(), since inheritorID() is only appropriate for vanilla JavaScript objects.)
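The invariant behind comments 2, 3 and 5 (an object whose class overrides markChildren must not carry a Structure with HasDefaultMark set, and inheritorID() hands out exactly such a default-marked Structure) is easier to see in a small model. The following is an added illustration written for this page, not code from WebKit or JavaScriptCore: the type names echo the real ones, but MarkStack, Structure, the wrapper class and the inheritorID()/createWrapperStructure() helpers are simplified assumptions. It shows the three outcomes the thread describes: the debug assertion (modelled as a counted violation) when the wrapper gets a default-marked Structure, the silent GC bug in a release build with the same Structure, and correct marking once the flag is cleared.

```cpp
// Added illustration, not WebKit code. Toy model of the JSC "default mark"
// invariant discussed in bug 28997. All names and shapes are simplified
// assumptions rather than the real JavaScriptCore types.
#include <cassert>
#include <memory>
#include <utility>
#include <vector>

enum TypeInfoFlag : unsigned { NoFlags = 0, HasDefaultMark = 1u << 0 };

struct Structure {
    explicit Structure(unsigned flags) : typeInfoFlags(flags) {}
    bool hasDefaultMark() const { return (typeInfoFlags & HasDefaultMark) != 0; }
    unsigned typeInfoFlags;
};

struct MarkStack;

struct JSCell {
    explicit JSCell(std::shared_ptr<Structure> s) : structure(std::move(s)) {}
    virtual ~JSCell() = default;
    // The default marking path only ever sees these "property storage" refs.
    virtual void markChildren(MarkStack&) {}
    std::shared_ptr<Structure> structure;
    std::vector<JSCell*> properties;
    bool marked = false;
};

struct MarkStack {
    explicit MarkStack(bool debugBuild) : debugChecks(debugBuild) {}

    void append(JSCell* cell) {
        // Models ASSERTION FAILED: !m_isCheckingForDefaultMarkViolation in JSCell.h.
        if (isCheckingForDefaultMarkViolation) { ++violations; return; }
        if (!cell->marked) { cell->marked = true; stack.push_back(cell); }
    }

    void markChildren(JSCell* cell) {
        if (!cell->structure->hasDefaultMark()) {
            cell->markChildren(*this);      // no flag: trust the class's override
            return;
        }
        // HasDefaultMark fast path: mark the default fields inline and never
        // rely on the override. In a release build that is all that happens.
        for (JSCell* p : cell->properties) append(p);
        if (!debugChecks) return;
        // Debug builds additionally run the override to prove it adds nothing;
        // any append() during this window is a violation.
        isCheckingForDefaultMarkViolation = true;
        cell->markChildren(*this);
        isCheckingForDefaultMarkViolation = false;
    }

    void drain() {
        while (!stack.empty()) {
            JSCell* c = stack.back();
            stack.pop_back();
            markChildren(c);
        }
    }

    bool debugChecks;                               // true models a debug build
    bool isCheckingForDefaultMarkViolation = false;
    int violations = 0;
    std::vector<JSCell*> stack;
};

// In the spirit of JSQuarantinedObjectWrapper: its only reference to the
// wrapped object lives in a member the default mark path cannot see.
struct QuarantinedWrapper : JSCell {
    QuarantinedWrapper(std::shared_ptr<Structure> s, JSCell* target)
        : JSCell(std::move(s)), unwrapped(target) {}
    void markChildren(MarkStack& ms) override { ms.append(unwrapped); }
    JSCell* unwrapped;
};

// Models JSObject::inheritorID(): a plain-object Structure, HasDefaultMark set.
std::shared_ptr<Structure> inheritorID() { return std::make_shared<Structure>(HasDefaultMark); }
// Models the wrapper's own createStructure(): the flag deliberately cleared.
std::shared_ptr<Structure> createWrapperStructure() { return std::make_shared<Structure>(NoFlags); }

struct MarkResult { int violations; bool unwrappedMarked; };

// Mark one wrapper as the GC root and report what happened to the wrapped object.
MarkResult markWrapper(std::shared_ptr<Structure> wrapperStructure, bool debugBuild) {
    JSCell target(inheritorID());
    QuarantinedWrapper wrapper(std::move(wrapperStructure), &target);
    MarkStack ms(debugBuild);
    ms.append(&wrapper);
    ms.drain();
    return {ms.violations, target.marked};
}

int main() {
    MarkResult buggyDebug = markWrapper(inheritorID(), true);          // the assertion in this bug
    MarkResult buggyRelease = markWrapper(inheritorID(), false);       // the silent GC bug
    MarkResult fixed = markWrapper(createWrapperStructure(), true);    // comment 5's fix
    assert(buggyDebug.violations == 1 && !buggyDebug.unwrappedMarked);
    assert(buggyRelease.violations == 0 && !buggyRelease.unwrappedMarked);
    assert(fixed.violations == 0 && fixed.unwrappedMarked);
    return 0;
}
```

The release-build case is the one Darin alludes to in comment 2: removing the assertion would stop the crash, but the wrapped object would still go unmarked and could be collected while the wrapper is alive.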
Oliver Hunt
Comment 6 2009-09-08 11:56:41 PDT
Created attachment 39200: Patch v1
Geoffrey Garen
Comment 7 2009-09-08 11:59:11 PDT
Comment on attachment 39200 (Patch v1)
Please revert changes to b/WebCore/WebCore.xcodeproj/project.pbxproj. r=me
Oliver Hunt
Comment 8 2009-09-08 12:02:38 PDT
Committed r48172