Assert seen while using Web Inspector and debugging code in a Worker.

Steps to Reproduce:
1. Pause in Worker in web-platform-test/foo.worker.html
2. Hover variables and step around the debugger
=> ASSERT

ASSERTION FAILED: vm.heap.mutatorState() == MutatorState::Running || vm.apiLock().ownerThread() != std::this_thread::get_id()
Source/JavaScriptCore/runtime/JSCellInlines.h(283) : const JSC::ClassInfo *JSC::JSCell::classInfo(JSC::VM &) const
1 0x10b6183ed WTFCrash
2 0x10a21d4a8 JSC::JSCell::classInfo(JSC::VM&) const
3 0x10a214581 JSC::JSCell::inherits(JSC::VM&, JSC::ClassInfo const*) const
4 0x10a229fd4 JSC::JSObject* JSC::jsCast<JSC::JSObject*, JSC::JSCell>(JSC::JSCell*)
5 0x10a228d2f JSC::asObject(JSC::JSCell*)
6 0x10a22a700 JSC::asObject(JSC::JSValue)
7 0x10a22dcc2 JSC::Register::object() const
8 0x10a22dc99 JSC::ExecState::jsCallee() const
9 0x10a217ca5 JSC::ExecState::lexicalGlobalObject() const
10 0x10a7bdff7 JSC::ExecState::vmEntryGlobalObject()
11 0x10a8a4e80 JSC::Debugger::detach(JSC::JSGlobalObject*, JSC::Debugger::ReasonForDetach)
12 0x10b0827ae JSC::JSGlobalObject::~JSGlobalObject()
13 0x115b25577 WebCore::JSDOMGlobalObject::~JSDOMGlobalObject()
14 0x115c4ef43 WebCore::JSDOMWindowBase::~JSDOMWindowBase()
15 0x115c4e195 WebCore::JSDOMWindowBase::~JSDOMWindowBase()
16 0x115c4cd55 WebCore::JSDOMWindowBase::destroy(JSC::JSCell*)
17 0x10b11e00a JSC::(anonymous namespace)::DestroyFunc::operator()(JSC::VM&, JSC::JSCell*) const
18 0x10b11fb25 JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<false, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)0, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)0, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&)::'lambda'(unsigned long)::operator()(unsigned long) const
19 0x10b11e615 JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<false, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)0, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)0, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&)
20 0x10b11df8f JSC::FreeList JSC::MarkedBlock::Handle::finishSweepKnowingSubspace<JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::SweepMode, JSC::(anonymous namespace)::DestroyFunc const&)
21 0x10b11de0d JSC::JSSegmentedVariableObjectSubspace::finishSweep(JSC::MarkedBlock::Handle&, JSC::MarkedBlock::Handle::SweepMode)
22 0x10b2014e3 JSC::MarkedBlock::Handle::sweep(JSC::MarkedBlock::Handle::SweepMode)
23 0x10aed781d JSC::IncrementalSweeper::sweepNextBlock()
24 0x10aed7712 JSC::IncrementalSweeper::doSweep(double)
25 0x10aed76e2 JSC::IncrementalSweeper::doWork()
26 0x10aecbfa0 JSC::HeapTimer::timerDidFire(__CFRunLoopTimer*, void*)
27 0x7fff94f87de4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__
28 0x7fff94f87a73 __CFRunLoopDoTimer
29 0x7fff94f875ca __CFRunLoopDoTimers
30 0x7fff94f7efa1 __CFRunLoopRun
31 0x7fff94f7e524 CFRunLoopRunSpecific
Created attachment 301577 [details] [CRASH] Crash Log
I'm at r212337.
See also rdar://problem/30171876 (same assertion, but it doesn't seem to be obviously related to repro steps in this bug).
Hmm, this assertion is there to fix an issue where people are inappropriately getting the structure of an object while they are destroying it. However, detach is trying to access the global object of some executing frame, which is unusual, but in this case should be ok. I'm not sure what the best solution is here... :/
Created attachment 301793 [details] Patch
Comment on attachment 301793 [details] Patch

Clearing flags on attachment: 301793

Committed r212458: <http://trac.webkit.org/changeset/212458>
All reviewed patches have been landed. Closing bug.
Comment on attachment 301793 [details] Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=301793&action=review

> Source/JavaScriptCore/debugger/Debugger.cpp:174
> + if (m_isPaused && m_currentCallFrame && m_currentCallFrame->vmEntryGlobalObjectForDebuggerDetach() == globalObject) {

I think it would be cleaner for this code just to use m_vm.entryScope->globalObject(). Then there's no need for a special helper function just for our destructor. We know that there is an entryScope because otherwise m_currentCallFrame would be null.
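Review bot: the condition quoted at Debugger.cpp:174 calls vmEntryGlobalObjectForDebuggerDetach() with nothing at the call site saying why the ordinary vmEntryGlobalObject() cannot be used there. The backtrace in this report shows that route (vmEntryGlobalObject() to lexicalGlobalObject() to jsCallee() to JSCell::classInfo()) hitting the assertion when Debugger::detach() runs from ~JSGlobalObject() under the incremental sweeper, so whichever accessor ends up in this condition should carry a one-line comment naming that constraint, to stop a later cleanup from switching the call back.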
Reopening to attach new patch.
Created attachment 301814 [details] Patch
Comment on attachment 301814 [details] Patch r=me
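A toy C++ model of the failure discussed in this bug, added here as an illustration and not taken from WebKit or from either patch. It contrasts the callee-walking lookup seen in the backtrace with the entry-scope lookup suggested in review. The types VM, Cell and Frame and the functions globalViaCallee, globalViaEntryScope and detachDuringSweep are hypothetical simplifications, and the check counts violations instead of crashing.

```cpp
// Toy model, not JavaScriptCore source: every type here is a simplified stand-in.
#include <cstdio>
#include <thread>

enum class MutatorState { Running, Sweeping };
struct Cell;

struct VM {
    MutatorState mutatorState = MutatorState::Running;
    std::thread::id apiLockOwner = std::this_thread::get_id();
    Cell* entryScopeGlobalObject = nullptr; // cached when the VM was entered
    int violations = 0;                     // counts where the real check would crash
};

struct Cell {
    VM& vm;
    // Mirrors the predicate in the report: inspecting a cell's class is allowed
    // while the mutator runs, or from a thread that does not own the API lock.
    const char* classInfo() {
        bool ok = vm.mutatorState == MutatorState::Running
            || vm.apiLockOwner != std::this_thread::get_id();
        if (!ok) ++vm.violations;
        return "Object";
    }
};

struct Frame { Cell* callee; Cell* calleeGlobal; };

// Route in the backtrace: frame -> callee -> classInfo() -> global object.
Cell* globalViaCallee(Frame& f) { f.callee->classInfo(); return f.calleeGlobal; }
// Route suggested in review: read the pointer cached in the entry scope.
Cell* globalViaEntryScope(VM& vm) { return vm.entryScopeGlobalObject; }

// Simulates detach running from a global object's destructor while the sweeper
// is active; returns the number of check violations (-1 if the lookup was wrong).
int detachDuringSweep(bool useEntryScope) {
    VM vm;
    Cell global{vm}, callee{vm};
    Frame paused{&callee, &global};
    vm.entryScopeGlobalObject = &global;
    vm.mutatorState = MutatorState::Sweeping; // sweeper is destroying cells
    Cell* found = useEntryScope ? globalViaEntryScope(vm) : globalViaCallee(paused);
    vm.mutatorState = MutatorState::Running;
    return found == &global ? vm.violations : -1;
}

int main() {
    std::printf("callee route: %d, entry-scope route: %d\n",
                detachDuringSweep(false), detachDuringSweep(true));
}
```

Both routes find the same global object; only the one that inspects a cell while the sweeper is active trips the check.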
Comment on attachment 301814 [details] Patch

Attachment 301814 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/3135127

New failing tests:
imported/w3c/web-platform-tests/resource-timing/rt-resource-ignored.html
Created attachment 301841 [details] Archive of layout-test-results from ews116 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews116
Port: mac-elcapitan
Platform: Mac OS X 10.11.6
Comment on attachment 301814 [details] Patch I highly doubt I actually broke that test. It's broken on the bots.
> I highly doubt I actually broke that test. It's broken on the bots.

Correct. This is the other assert that I filed a bug about. It should have been skipped for Debug though...
Comment on attachment 301814 [details] Patch

Clearing flags on attachment: 301814

Committed r212483: <http://trac.webkit.org/changeset/212483>
*** Bug 167955 has been marked as a duplicate of this bug. ***