Bug 166034 - Web Inspector: Assertion seen in InspectorDebuggerAgent::refAsyncCallData with Inspector open
Summary: Web Inspector: Assertion seen in InspectorDebuggerAgent::refAsyncCallData with Inspector open
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Web Inspector
Version: WebKit Nightly Build
Hardware: All All
Importance: P2 Normal
Assignee: Joseph Pecoraro
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2016-12-19 13:51 PST by Joseph Pecoraro
Modified: 2016-12-19 14:45 PST (History)
CC List: 7 users

See Also:


Attachments
[PATCH] Proposed Fix (1.62 KB, patch)
2016-12-19 13:54 PST, Joseph Pecoraro
no flags

Description Joseph Pecoraro 2016-12-19 13:51:20 PST
Summary:
Assertion seen in InspectorDebuggerAgent::refAsyncCallData with Inspector open

Test:
<script>
interval = setTimeout(() => {
    clearInterval(interval);
    setTimeout(() => {}, 0);
}, 0);
</script>

Steps to Reproduce:
1. Inspect test page with Debug build
2. Reload
  => ASSERT

Assert:
Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x00000000bbadbeef
Exception Note:        EXC_CORPSE_NOTIFY

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x0000000106c834c4 WTFCrash + 36 (Assertions.cpp:323)
1   com.apple.JavaScriptCore      	0x00000001065e0290 Inspector::InspectorDebuggerAgent::refAsyncCallData(std::__1::pair<int, int> const&) + 192 (InspectorDebuggerAgent.cpp:1145)
2   com.apple.JavaScriptCore      	0x00000001065e0057 Inspector::InspectorDebuggerAgent::didScheduleAsyncCall(JSC::ExecState*, int, int, bool) + 391 (InspectorDebuggerAgent.cpp:272)
3   com.apple.WebCore             	0x000000010b530a8f WebCore::didScheduleAsyncCall(WebCore::InstrumentingAgents&, WebCore::AsyncCallType, int, WebCore::ScriptExecutionContext&, bool) + 111 (InspectorInstrumentation.cpp:106)
4   com.apple.WebCore             	0x000000010b530954 WebCore::InspectorInstrumentation::didInstallTimerImpl(WebCore::InstrumentingAgents&, int, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000l> >, bool, WebCore::ScriptExecutionContext&) + 116 (InspectorInstrumentation.cpp:344)
5   com.apple.WebCore             	0x000000010ad20404 WebCore::InspectorInstrumentation::didInstallTimer(WebCore::ScriptExecutionContext&, int, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000l> >, bool) + 116 (InspectorInstrumentation.h:650)
6   com.apple.WebCore             	0x000000010ad20314 WebCore::DOMTimer::install(WebCore::ScriptExecutionContext&, std::__1::unique_ptr<WebCore::ScheduledAction, std::__1::default_delete<WebCore::ScheduledAction> >, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000l> >, bool) + 788 (DOMTimer.cpp:224)
7   com.apple.WebCore             	0x000000010ad36d1f WebCore::DOMWindow::setTimeout(std::__1::unique_ptr<WebCore::ScheduledAction, std::__1::default_delete<WebCore::ScheduledAction> >, int) + 671 (DOMWindow.cpp:1670)
8   com.apple.WebCore             	0x000000010b895e5b WebCore::JSDOMWindow::setTimeout(JSC::ExecState&) + 1131 (JSDOMWindowCustom.cpp:501)
9   com.apple.WebCore             	0x000000010b88d4a9 WebCore::jsDOMWindowInstanceFunctionSetTimeoutCaller(JSC::ExecState*, WebCore::JSDOMWindow*, JSC::ThrowScope&) + 105 (JSDOMWindow.cpp:30532)
10  com.apple.WebCore             	0x000000010b84fd68 long long WebCore::BindingCaller<WebCore::JSDOMWindow>::callOperation<&(WebCore::jsDOMWindowInstanceFunctionSetTimeoutCaller(JSC::ExecState*, WebCore::JSDOMWindow*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, char const*) + 632 (JSDOMBinding.h:363)
11  com.apple.WebCore             	0x000000010b84fadc WebCore::jsDOMWindowInstanceFunctionSetTimeout(JSC::ExecState*) + 28 (JSDOMWindow.cpp:30523)
...

Notes:

void InspectorDebuggerAgent::refAsyncCallData(const AsyncCallIdentifier& identifier)
{
    auto iterator = m_asyncCallIdentifierToData.find(identifier);
    ASSERT(iterator != m_asyncCallIdentifierToData.end()); // <---
    if (iterator == m_asyncCallIdentifierToData.end())
        return;

    iterator->value.referenceCount++;
}
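To make the sequence behind this assertion concrete, here is an added C++ model of the async-call bookkeeping; it is not WebKit's code and is not attached to this bug. The identifier type matches the std::pair<int, int> in the crash log, but the map layout, the reference counting, the hook names (didScheduleAsyncCall, didCancelAsyncCall, willDispatchAsyncCall, didDispatchAsyncCall), the assumed AsyncCallType value and the "record no parent and continue" behaviour of the lookup are assumptions chosen to replay the test page, not the real InspectorDebuggerAgent implementation.

```cpp
// Added model (not WebKit code) of the async-call bookkeeping behind this bug.
// Everything below except the pair<int, int> identifier is an assumption.
#include <cstdio>
#include <map>
#include <utility>

// (AsyncCallType, callback id), as in the crash log's std::pair<int, int>.
using AsyncCallIdentifier = std::pair<int, int>;
constexpr int kAsyncCallTypeTimer = 1; // assumed enum value for DOM timers

struct AsyncCallData {
    int referenceCount = 1;          // one reference held by the pending callback itself
    bool hasParent = false;          // true if a running async callback scheduled this one
    AsyncCallIdentifier parent {};   // that scheduling callback, when hasParent is set
};

class AsyncCallTracker {
public:
    // setTimeout/setInterval installed a callback. If this happens inside a running
    // async callback, that callback becomes the parent of the new one and its data is
    // referenced so it outlives its own dispatch. Returns false when the parent's data
    // was already gone, which is the path that hit the ASSERT in this bug.
    bool didScheduleAsyncCall(const AsyncCallIdentifier& identifier)
    {
        AsyncCallData data;
        bool parentTracked = true;
        if (m_hasCurrentAsyncCall) {
            parentTracked = refAsyncCallData(m_currentAsyncCall);
            if (parentTracked) {
                data.hasParent = true;
                data.parent = m_currentAsyncCall;
            }
        }
        m_asyncCallIdentifierToData[identifier] = data;
        return parentTracked;
    }

    // clearTimeout/clearInterval: the callback's own reference is dropped, which removes
    // the entry when nothing else references it, even if that callback is running now.
    void didCancelAsyncCall(const AsyncCallIdentifier& identifier) { derefAsyncCallData(identifier); }

    void willDispatchAsyncCall(const AsyncCallIdentifier& identifier)
    {
        m_currentAsyncCall = identifier;
        m_hasCurrentAsyncCall = true;
    }

    // A one-shot timer callback returned: its own reference goes away.
    void didDispatchAsyncCall(const AsyncCallIdentifier& identifier)
    {
        m_hasCurrentAsyncCall = false;
        derefAsyncCallData(identifier);
    }

    bool isTracked(const AsyncCallIdentifier& identifier) const
    {
        return m_asyncCallIdentifierToData.count(identifier) != 0;
    }

private:
    bool refAsyncCallData(const AsyncCallIdentifier& identifier)
    {
        auto iterator = m_asyncCallIdentifierToData.find(identifier);
        if (iterator == m_asyncCallIdentifierToData.end())
            return false; // assumed tolerant behaviour: no data, no parent, no crash
        iterator->second.referenceCount++;
        return true;
    }

    void derefAsyncCallData(const AsyncCallIdentifier& identifier)
    {
        auto iterator = m_asyncCallIdentifierToData.find(identifier);
        if (iterator == m_asyncCallIdentifierToData.end())
            return;
        if (--iterator->second.referenceCount > 0)
            return;
        // Last reference: drop the entry, then release the parent reference it held.
        bool hasParent = iterator->second.hasParent;
        AsyncCallIdentifier parent = iterator->second.parent;
        m_asyncCallIdentifierToData.erase(iterator);
        if (hasParent)
            derefAsyncCallData(parent);
    }

    std::map<AsyncCallIdentifier, AsyncCallData> m_asyncCallIdentifierToData;
    AsyncCallIdentifier m_currentAsyncCall {};
    bool m_hasCurrentAsyncCall = false;
};

// Replays the test page from the description. Returns whether the nested setTimeout
// found its parent's data; false is the sequence that produced the assertion.
bool runTestPageSequence(AsyncCallTracker& tracker, bool cancelInsideCallback)
{
    const AsyncCallIdentifier timer1 { kAsyncCallTypeTimer, 1 };
    const AsyncCallIdentifier timer2 { kAsyncCallTypeTimer, 2 };

    tracker.didScheduleAsyncCall(timer1);  // interval = setTimeout(..., 0)
    tracker.willDispatchAsyncCall(timer1); // timer 1 callback starts running
    if (cancelInsideCallback)
        tracker.didCancelAsyncCall(timer1); // clearInterval(interval): entry for timer 1 removed
    bool parentFound = tracker.didScheduleAsyncCall(timer2); // setTimeout(() => {}, 0)
    tracker.didDispatchAsyncCall(timer1);  // callback returns
    return parentFound;
}

int main()
{
    AsyncCallTracker tracker;
    bool parentFound = runTestPageSequence(tracker, true);
    std::printf("nested timer found its parent's data: %s\n", parentFound ? "yes" : "no");
    return 0;
}
```

With cancelInsideCallback set, clearInterval inside the running callback drops the running timer's only reference, so the nested setTimeout looks up an identifier that is no longer in the map; without the cancel, the nested timer's reference keeps timer 1's entry alive after its dispatch, which is the parent-chain behaviour the reference count exists for.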
Comment 1 Joseph Pecoraro 2016-12-19 13:51:32 PST
<rdar://problem/29554366>
Comment 2 Joseph Pecoraro 2016-12-19 13:54:59 PST
Created attachment 297475 [details]
[PATCH] Proposed Fix
Comment 3 BJ Burg 2016-12-19 14:20:15 PST
Comment on attachment 297475 [details]
[PATCH] Proposed Fix

View in context: https://bugs.webkit.org/attachment.cgi?id=297475&action=review

rs=me

> Source/JavaScriptCore/ChangeLog:13
> +        no async data was found for the given identifier.

It would be nice to add a reduced test case to LayoutTests so that this doesn't regress for some other reason when we change this code.
Comment 4 BJ Burg 2016-12-19 14:20:32 PST
Comment on attachment 297475 [details]
[PATCH] Proposed Fix

View in context: https://bugs.webkit.org/attachment.cgi?id=297475&action=review

rs=me

>> Source/JavaScriptCore/ChangeLog:13
>> +        no async data was found for the given identifier.
> 
> It would be nice to add a reduced test case to LayoutTests so that this doesn't regress for some other reason when we change this code.

It would be nice to add a reduced test case to LayoutTests so that this doesn't regress for some other reason when we change this code.
Comment 5 WebKit Commit Bot 2016-12-19 14:45:42 PST
Comment on attachment 297475 [details]
[PATCH] Proposed Fix

Clearing flags on attachment: 297475

Committed r209998: <http://trac.webkit.org/changeset/209998>
Comment 6 WebKit Commit Bot 2016-12-19 14:45:46 PST
All reviewed patches have been landed.  Closing bug.