RESOLVED FIXED 107978
Objective-C API: JSContext's dealloc causes ASSERT due to ordering of releases 
https://bugs.webkit.org/show_bug.cgi?id=107978
Summary Objective-C API: JSContext's dealloc causes ASSERT due to ordering of releases
Mark Hahnenberg
Reported 2013-01-25 12:49:17 PST
JSGlobalContextRelease should be the last release of a JSContextGroupRef to make sure that Identifier table is that of the current virtual machine when that virtual machine is destroyed. In the current order, we save the Identifier table from the last JSGlobalData, load our table, deref the JSGlobalData (which is not destroyed because there's still a reference from the JSVirtualMachine object), then we restore the old Identifier table. When the JSVirtualMachine calls JSContextGroupRelease, the JSGlobalData will be destroyed with the incorrect Identifier table loaded in wtfThreadData(). We can either reorder these calls in JSContext's dealloc or make it so that JSContextGroupRelease also does the save/restore of the Identifier table like JSGlobalContextRelease.
Attachments
Patch (1.67 KB, patch)
2013-01-30 14:35 PST, Mark Hahnenberg 		fpizlo: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Mark Hahnenberg
Comment 1 2013-01-29 14:56:06 PST
This is a bug in C API. We need to add the Identifier table save/restore in JSContextGroupRelease.
Radar WebKit Bug Importer
Comment 2 2013-01-30 14:22:11 PST
<rdar://problem/13118874>
Mark Hahnenberg
Comment 3 2013-01-30 14:35:37 PST
Created attachment 185578 [details] Patch
Mark Hahnenberg
Comment 4 2013-01-30 14:48:24 PST
Committed r141321: <http://trac.webkit.org/changeset/141321>
Geoffrey Garen
Comment 5 2013-01-30 15:16:17 PST
+ JSLockHolder lock(globalData); I don't think this is valid -- you'll end up unlocking the lock after you've deallocated the JSGlobalData. I think you can just eliminate the lock and rely on thread-safe refcounting.
Mark Hahnenberg
Comment 6 2013-01-30 18:59:05 PST
(In reply to comment #5) > + JSLockHolder lock(globalData); > > I don't think this is valid -- you'll end up unlocking the lock after you've deallocated the JSGlobalData. I think you can just eliminate the lock and rely on thread-safe refcounting. JSLockHolder refs the JSGlobalData when it locks it, so it will only be destroyed after the lock has released the JSGlobalData. I think you're right that we don't need the lock though. I was just trying to replicate what JSGlobalContextRelease does.
Geoffrey Garen
Comment 7 2013-01-30 21:08:34 PST
> JSLockHolder refs the JSGlobalData when it locks it, so it will only be destroyed after the lock has released the JSGlobalData. Cool cool.
Note You need to log in before you can comment on or make changes to this bug.