Bug 159075 - Web Inspector: CRASH in backend at Inspector::HeapFrontendDispatcher::garbageCollected + 552 when closing frontend/inspected page
Summary: Web Inspector: CRASH in backend at Inspector::HeapFrontendDispatcher::garbage...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Web Inspector (show other bugs)
Version: WebKit Nightly Build
Hardware: All All
: P2 Normal
Assignee: Brian Burg
URL:
Keywords: InRadar
Depends on: 159105
Blocks:
  Show dependency treegraph
 
Reported: 2016-06-23 16:06 PDT by Brian Burg
Modified: 2016-06-27 17:18 PDT (History)
11 users (show)

See Also:


Attachments
Proposed Fix (1.68 KB, patch)
2016-06-23 16:12 PDT, Brian Burg
no flags Details | Formatted Diff | Diff
Proposed Fix (6.96 KB, patch)
2016-06-24 11:06 PDT, Brian Burg
no flags Details | Formatted Diff | Diff
Proposed Fix v3 (7.56 KB, patch)
2016-06-24 16:57 PDT, Brian Burg
no flags Details | Formatted Diff | Diff
Followup fix (1.81 KB, patch)
2016-06-27 13:46 PDT, Brian Burg
fpizlo: review+
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Brian Burg 2016-06-23 16:06:02 PDT
Very persistent-but-infrequent crashes ever since this was added. which makes sense.
Comment 1 Brian Burg 2016-06-23 16:06:16 PDT
<rdar://problem/26094341>
Comment 2 Brian Burg 2016-06-23 16:12:09 PDT
Created attachment 281938 [details]
Proposed Fix
Comment 3 Joseph Pecoraro 2016-06-23 19:27:25 PDT
Comment on attachment 281938 [details]
Proposed Fix

View in context: https://bugs.webkit.org/attachment.cgi?id=281938&action=review

> Source/JavaScriptCore/inspector/agents/InspectorHeapAgent.cpp:297
> +        // The frontend could have gone away after the activity was scheduled.
> +        if (m_frontendDispatcher)

Is `this` valid? Could it be stale?
Comment 4 Brian Burg 2016-06-24 10:43:53 PDT
Comment on attachment 281938 [details]
Proposed Fix

Yeah, you are right. I guess it needs to go the direction of CSSAgent's ChangeRegionOversetTask... blah.
Comment 5 Brian Burg 2016-06-24 11:06:16 PDT
Created attachment 282001 [details]
Proposed Fix
Comment 6 Joseph Pecoraro 2016-06-24 13:05:56 PDT
Comment on attachment 282001 [details]
Proposed Fix

View in context: https://bugs.webkit.org/attachment.cgi?id=282001&action=review

r=me!

> Source/JavaScriptCore/inspector/agents/InspectorHeapAgent.cpp:52
> +    RunLoop::Timer<SendGarbageCollectionEventsTask> m_timer;

I did not know there was a RunLoop::Timer! This is excellent.
Comment 7 WebKit Commit Bot 2016-06-24 13:30:19 PDT
Comment on attachment 282001 [details]
Proposed Fix

Clearing flags on attachment: 282001

Committed r202443: <http://trac.webkit.org/changeset/202443>
Comment 8 WebKit Commit Bot 2016-06-24 13:30:23 PDT
All reviewed patches have been landed.  Closing bug.
Comment 9 Alexey Proskuryakov 2016-06-24 15:44:19 PDT
This has introduced a number of memory corruption crashes, rolling out.

Will follow up with details in e-mail.
Comment 10 WebKit Commit Bot 2016-06-24 15:46:59 PDT
Re-opened since this is blocked by bug 159105
Comment 11 Brian Burg 2016-06-24 16:57:43 PDT
Created attachment 282033 [details]
Proposed Fix v3
Comment 12 Brian Burg 2016-06-27 10:47:25 PDT
Comment on attachment 282033 [details]
Proposed Fix v3

Let's give this another try.
Comment 13 WebKit Commit Bot 2016-06-27 10:50:36 PDT
Comment on attachment 282033 [details]
Proposed Fix v3

Clearing flags on attachment: 282033

Committed r202492: <http://trac.webkit.org/changeset/202492>
Comment 14 WebKit Commit Bot 2016-06-27 10:50:40 PDT
All reviewed patches have been landed.  Closing bug.
Comment 15 Brian Burg 2016-06-27 13:43:15 PDT
Causing JSC stress tests to fail due to an (apparently not harmless) change introduced in the last patch. Will post a fix.
Comment 16 Brian Burg 2016-06-27 13:46:52 PDT
Reopening to attach new patch.
Comment 17 Brian Burg 2016-06-27 13:46:54 PDT
Created attachment 282165 [details]
Followup fix
Comment 18 Brian Burg 2016-06-27 14:52:26 PDT
Landed followup in <https://trac.webkit.org/r202515>.
Comment 19 Joseph Pecoraro 2016-06-27 17:18:09 PDT
Comment on attachment 282033 [details]
Proposed Fix v3

View in context: https://bugs.webkit.org/attachment.cgi?id=282033&action=review

> Source/JavaScriptCore/inspector/agents/InspectorHeapAgent.cpp:71
> +        std::lock_guard<Lock> lock(m_mutex);

Maybe we should use LockHolder instead of std::lock_guard.