RESOLVED FIXED 168354
ASSERTION FAILED: vm.heap.mutatorState() == MutatorState::Running || vm.apiLock().ownerThread() != std::this_thread::get_id()
https://bugs.webkit.org/show_bug.cgi?id=168354
Joseph Pecoraro
Reported 2017-02-14 20:39:40 PST
Assert seen while using Web Inspector and debugging code in a Worker.

Steps to Reproduce:
1. Pause in Worker in web-platform-test/foo.worker.html
2. Hover variables and step around the debugger
=> ASSERT

ASSERTION FAILED: vm.heap.mutatorState() == MutatorState::Running || vm.apiLock().ownerThread() != std::this_thread::get_id()
Source/JavaScriptCore/runtime/JSCellInlines.h(283) : const JSC::ClassInfo *JSC::JSCell::classInfo(JSC::VM &) const
1 0x10b6183ed WTFCrash
2 0x10a21d4a8 JSC::JSCell::classInfo(JSC::VM&) const
3 0x10a214581 JSC::JSCell::inherits(JSC::VM&, JSC::ClassInfo const*) const
4 0x10a229fd4 JSC::JSObject* JSC::jsCast<JSC::JSObject*, JSC::JSCell>(JSC::JSCell*)
5 0x10a228d2f JSC::asObject(JSC::JSCell*)
6 0x10a22a700 JSC::asObject(JSC::JSValue)
7 0x10a22dcc2 JSC::Register::object() const
8 0x10a22dc99 JSC::ExecState::jsCallee() const
9 0x10a217ca5 JSC::ExecState::lexicalGlobalObject() const
10 0x10a7bdff7 JSC::ExecState::vmEntryGlobalObject()
11 0x10a8a4e80 JSC::Debugger::detach(JSC::JSGlobalObject*, JSC::Debugger::ReasonForDetach)
12 0x10b0827ae JSC::JSGlobalObject::~JSGlobalObject()
13 0x115b25577 WebCore::JSDOMGlobalObject::~JSDOMGlobalObject()
14 0x115c4ef43 WebCore::JSDOMWindowBase::~JSDOMWindowBase()
15 0x115c4e195 WebCore::JSDOMWindowBase::~JSDOMWindowBase()
16 0x115c4cd55 WebCore::JSDOMWindowBase::destroy(JSC::JSCell*)
17 0x10b11e00a JSC::(anonymous namespace)::DestroyFunc::operator()(JSC::VM&, JSC::JSCell*) const
18 0x10b11fb25 JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<false, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)0, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)0, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&)::'lambda'(unsigned long)::operator()(unsigned long) const
19 0x10b11e615 JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<false, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)0, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)0, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&)
20 0x10b11df8f JSC::FreeList JSC::MarkedBlock::Handle::finishSweepKnowingSubspace<JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::SweepMode, JSC::(anonymous namespace)::DestroyFunc const&)
21 0x10b11de0d JSC::JSSegmentedVariableObjectSubspace::finishSweep(JSC::MarkedBlock::Handle&, JSC::MarkedBlock::Handle::SweepMode)
22 0x10b2014e3 JSC::MarkedBlock::Handle::sweep(JSC::MarkedBlock::Handle::SweepMode)
23 0x10aed781d JSC::IncrementalSweeper::sweepNextBlock()
24 0x10aed7712 JSC::IncrementalSweeper::doSweep(double)
25 0x10aed76e2 JSC::IncrementalSweeper::doWork()
26 0x10aecbfa0 JSC::HeapTimer::timerDidFire(__CFRunLoopTimer*, void*)
27 0x7fff94f87de4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__
28 0x7fff94f87a73 __CFRunLoopDoTimer
29 0x7fff94f875ca __CFRunLoopDoTimers
30 0x7fff94f7efa1 __CFRunLoopRun
31 0x7fff94f7e524 CFRunLoopRunSpecific
Attachments
[CRASH] Crash Log (120.94 KB, text/plain) - 2017-02-14 20:40 PST, Joseph Pecoraro
Patch (4.00 KB, patch) - 2017-02-16 12:02 PST, Keith Miller
Patch (4.37 KB, patch) - 2017-02-16 13:35 PST, Keith Miller
Archive of layout-test-results from ews116 for mac-elcapitan (1.54 MB, application/zip) - 2017-02-16 15:28 PST, Build Bot
Joseph Pecoraro
Comment 1 2017-02-14 20:40:28 PST
Created attachment 301577: [CRASH] Crash Log
Joseph Pecoraro
Comment 2 2017-02-14 20:40:52 PST
I'm at r212337.
Alexey Proskuryakov
Comment 3 2017-02-15 09:09:56 PST
See also rdar://problem/30171876 (same assertion, but it doesn't seem to be obviously related to repro steps in this bug).
Keith Miller
Comment 4 2017-02-15 19:17:49 PST
Hmm, this assertion is there to fix an issue where people are inappropriately getting the structure of an object while they are destroying it. However, detach is trying to access the global object of some executing frame, which is unusual, but in this case should be ok. I'm not sure what the best solution is here... :/
Keith Miller
Comment 5 2017-02-16 12:02:28 PST
WebKit Commit Bot
Comment 6 2017-02-16 13:06:06 PST
Comment on attachment 301793: Patch
Clearing flags on attachment: 301793
Committed r212458: <http://trac.webkit.org/changeset/212458>
WebKit Commit Bot
Comment 7 2017-02-16 13:06:11 PST
All reviewed patches have been landed. Closing bug.
Geoffrey Garen
Comment 8 2017-02-16 13:27:25 PST
Comment on attachment 301793: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=301793&action=review

> Source/JavaScriptCore/debugger/Debugger.cpp:174
> +    if (m_isPaused && m_currentCallFrame && m_currentCallFrame->vmEntryGlobalObjectForDebuggerDetach() == globalObject) {

I think it would be cleaner for this code just to use m_vm.entryScope->globalObject(). Then there's no need for a special helper function just for our destructor. We know that there is an entryScope because otherwise m_currentCallFrame would be null.
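The invariant behind the assertion (comment 4) and the reviewer's fix (comment 8), as a constructed C++ model added here; this is not WebKit code, and MutatorState, Cell::classInfo, EntryScope, the Detach outcomes and runScenario are simplified stand-ins for the real engine types.

```cpp
// Constructed model of the invariant in this bug report; not WebKit code.
// While the incremental sweeper runs, the mutator is not Running, so a cell
// destructor must not read another cell's ClassInfo (the real engine asserts).
enum class MutatorState { Running, Sweeping };
struct ClassInfo { const char* className; };
struct VM;
struct Cell {
    const ClassInfo* info = nullptr;
    const ClassInfo* classInfo(VM& vm) const; // nullptr stands in for the assert
};
struct GlobalObject : Cell {};
struct EntryScope { GlobalObject* globalObject; }; // live while JS is on the stack
struct CallFrame {
    Cell* callee;              // function object the paused frame is executing
    GlobalObject* entryGlobal; // what walking the frame would finally yield
};
struct VM {
    MutatorState mutatorState = MutatorState::Running;
    EntryScope* entryScope = nullptr; // non-null whenever a call frame exists
};
const ClassInfo* Cell::classInfo(VM& vm) const {
    return vm.mutatorState == MutatorState::Running ? info : nullptr;
}
enum class Detach { NotPausedHere, Detached, IllegalCellAccess };
// "Before": reach the entry global object through the paused frame's callee,
// as the crash trace does (jsCallee -> jsCast -> classInfo). That reads a cell.
Detach detachViaCallFrame(VM& vm, CallFrame* frame, GlobalObject* dying) {
    if (!frame) return Detach::NotPausedHere;
    if (!frame->callee->classInfo(vm)) return Detach::IllegalCellAccess;
    return frame->entryGlobal == dying ? Detach::Detached : Detach::NotPausedHere;
}
// "After" (the reviewer's suggestion): compare against the entry scope's
// global object, which needs no cell read and so is safe during a sweep.
Detach detachViaEntryScope(VM& vm, CallFrame* frame, GlobalObject* dying) {
    if (!frame) return Detach::NotPausedHere; // no frame => no entry scope
    return vm.entryScope->globalObject == dying ? Detach::Detached : Detach::NotPausedHere;
}
// Scenario: debugger paused in a frame whose entry global object is being swept.
Detach runScenario(bool useEntryScope, MutatorState state) {
    static ClassInfo fnInfo{"Function"}, globalInfo{"JSGlobalObject"};
    Cell fn; fn.info = &fnInfo;
    GlobalObject global; global.info = &globalInfo;
    EntryScope scope{&global};
    CallFrame frame{&fn, &global};
    VM vm; vm.mutatorState = state; vm.entryScope = &scope;
    return useEntryScope ? detachViaEntryScope(vm, &frame, &global)
                         : detachViaCallFrame(vm, &frame, &global);
}
```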
Keith Miller
Comment 9 2017-02-16 13:35:50 PST
Reopening to attach new patch.
Keith Miller
Comment 10 2017-02-16 13:35:53 PST
Geoffrey Garen
Comment 11 2017-02-16 13:36:30 PST
Comment on attachment 301814: Patch
r=me
Build Bot
Comment 12 2017-02-16 15:28:53 PST
Comment on attachment 301814: Patch
Attachment 301814 did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/3135127
New failing tests:
imported/w3c/web-platform-tests/resource-timing/rt-resource-ignored.html
Build Bot
Comment 13 2017-02-16 15:28:57 PST
Created attachment 301841: Archive of layout-test-results from ews116 for mac-elcapitan
The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews116
Port: mac-elcapitan
Platform: Mac OS X 10.11.6
Keith Miller
Comment 14 2017-02-16 15:43:56 PST
Comment on attachment 301814: Patch
I highly doubt I actually broke that test. It's broken on the bots.
Joseph Pecoraro
Comment 15 2017-02-16 15:50:50 PST
> I highly doubt I actually broke that test. It's broken on the bots.

Correct. This is the other assert that I filed a bug about. It should have been skipped for Debug though...
WebKit Commit Bot
Comment 16 2017-02-16 16:10:19 PST
Comment on attachment 301814: Patch
Clearing flags on attachment: 301814
Committed r212483: <http://trac.webkit.org/changeset/212483>
WebKit Commit Bot
Comment 17 2017-02-16 16:10:25 PST
All reviewed patches have been landed. Closing bug.
youenn fablet
Comment 18 2017-02-16 20:27:56 PST
*** Bug 167955 has been marked as a duplicate of this bug. ***