Bug 168354 - ASSERTION FAILED: vm.heap.mutatorState() == MutatorState::Running || vm.apiLock().ownerThread() != std::this_thread::get_id()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Keith Miller
URL:
Keywords:
Duplicates: 167955 (view as bug list)
Depends on:
Blocks:
 
Reported: 2017-02-14 20:39 PST by Joseph Pecoraro
Modified: 2017-02-16 20:27 PST

See Also:


Attachments
[CRASH] Crash Log (120.94 KB, text/plain), 2017-02-14 20:40 PST, Joseph Pecoraro
Patch (4.00 KB, patch), 2017-02-16 12:02 PST, Keith Miller
Patch (4.37 KB, patch), 2017-02-16 13:35 PST, Keith Miller
Archive of layout-test-results from ews116 for mac-elcapitan (1.54 MB, application/zip), 2017-02-16 15:28 PST, Build Bot

Description Joseph Pecoraro 2017-02-14 20:39:40 PST
Assert seen while using Web Inspector and debugging code in a Worker.

Steps to Reproduce:
1. Pause in Worker in web-platform-test/foo.worker.html
2. Hover variables and step around the debugger
  => ASSERT

ASSERTION FAILED: vm.heap.mutatorState() == MutatorState::Running || vm.apiLock().ownerThread() != std::this_thread::get_id()
Source/JavaScriptCore/runtime/JSCellInlines.h(283) : const JSC::ClassInfo *JSC::JSCell::classInfo(JSC::VM &) const
1   0x10b6183ed WTFCrash
2   0x10a21d4a8 JSC::JSCell::classInfo(JSC::VM&) const
3   0x10a214581 JSC::JSCell::inherits(JSC::VM&, JSC::ClassInfo const*) const
4   0x10a229fd4 JSC::JSObject* JSC::jsCast<JSC::JSObject*, JSC::JSCell>(JSC::JSCell*)
5   0x10a228d2f JSC::asObject(JSC::JSCell*)
6   0x10a22a700 JSC::asObject(JSC::JSValue)
7   0x10a22dcc2 JSC::Register::object() const
8   0x10a22dc99 JSC::ExecState::jsCallee() const
9   0x10a217ca5 JSC::ExecState::lexicalGlobalObject() const
10  0x10a7bdff7 JSC::ExecState::vmEntryGlobalObject()
11  0x10a8a4e80 JSC::Debugger::detach(JSC::JSGlobalObject*, JSC::Debugger::ReasonForDetach)
12  0x10b0827ae JSC::JSGlobalObject::~JSGlobalObject()
13  0x115b25577 WebCore::JSDOMGlobalObject::~JSDOMGlobalObject()
14  0x115c4ef43 WebCore::JSDOMWindowBase::~JSDOMWindowBase()
15  0x115c4e195 WebCore::JSDOMWindowBase::~JSDOMWindowBase()
16  0x115c4cd55 WebCore::JSDOMWindowBase::destroy(JSC::JSCell*)
17  0x10b11e00a JSC::(anonymous namespace)::DestroyFunc::operator()(JSC::VM&, JSC::JSCell*) const
18  0x10b11fb25 JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<false, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)0, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)0, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&)::'lambda'(unsigned long)::operator()(unsigned long) const
19  0x10b11e615 JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<false, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)0, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)0, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&)
20  0x10b11df8f JSC::FreeList JSC::MarkedBlock::Handle::finishSweepKnowingSubspace<JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::SweepMode, JSC::(anonymous namespace)::DestroyFunc const&)
21  0x10b11de0d JSC::JSSegmentedVariableObjectSubspace::finishSweep(JSC::MarkedBlock::Handle&, JSC::MarkedBlock::Handle::SweepMode)
22  0x10b2014e3 JSC::MarkedBlock::Handle::sweep(JSC::MarkedBlock::Handle::SweepMode)
23  0x10aed781d JSC::IncrementalSweeper::sweepNextBlock()
24  0x10aed7712 JSC::IncrementalSweeper::doSweep(double)
25  0x10aed76e2 JSC::IncrementalSweeper::doWork()
26  0x10aecbfa0 JSC::HeapTimer::timerDidFire(__CFRunLoopTimer*, void*)
27  0x7fff94f87de4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__
28  0x7fff94f87a73 __CFRunLoopDoTimer
29  0x7fff94f875ca __CFRunLoopDoTimers
30  0x7fff94f7efa1 __CFRunLoopRun
31  0x7fff94f7e524 CFRunLoopRunSpecific
Comment 1 Joseph Pecoraro 2017-02-14 20:40:28 PST
Created attachment 301577 [details]
[CRASH] Crash Log
Comment 2 Joseph Pecoraro 2017-02-14 20:40:52 PST
I'm at r212337.
Comment 3 Alexey Proskuryakov 2017-02-15 09:09:56 PST
See also rdar://problem/30171876 (same assertion, but it doesn't seem to be obviously related to repro steps in this bug).
Comment 4 Keith Miller 2017-02-15 19:17:49 PST
Hmm, this assertion is there to fix an issue where people are inappropriately getting the structure of an object while they are destroying it. However, detach is trying to access the global object of some executing frame, which is unusual, but in this case should be ok. I'm not sure what the best solution is here... :/
Comment 5 Keith Miller 2017-02-16 12:02:28 PST
Created attachment 301793 [details]
Patch
Comment 6 WebKit Commit Bot 2017-02-16 13:06:06 PST
Comment on attachment 301793 [details]
Patch

Clearing flags on attachment: 301793

Committed r212458: <http://trac.webkit.org/changeset/212458>
Comment 7 WebKit Commit Bot 2017-02-16 13:06:11 PST
All reviewed patches have been landed. Closing bug.
Comment 8 Geoffrey Garen 2017-02-16 13:27:25 PST
Comment on attachment 301793 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=301793&action=review

> Source/JavaScriptCore/debugger/Debugger.cpp:174
> +    if (m_isPaused && m_currentCallFrame && m_currentCallFrame->vmEntryGlobalObjectForDebuggerDetach() == globalObject) {
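Review bot: the condition still derives the global object from m_currentCallFrame through a purpose-built helper, vmEntryGlobalObjectForDebuggerDetach(), so this destructor path gets its own second way of computing the entry global object, one that must be kept consistent with vmEntryGlobalObject(), the routine the backtrace in the description shows asserting from Debugger::detach() during an incremental sweep. Since a non-null m_currentCallFrame implies the VM has an entry scope, reading the global object from m_vm.entryScope->globalObject() answers the same question without the extra helper; the existing m_isPaused && m_currentCallFrame guard can stay in front of the comparison as written.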

I think it would be cleaner for this code just to use m_vm.entryScope->globalObject(). Then there's no need for a special helper function just for our destructor.

We know that there is an entryScope because otherwise m_currentCallFrame would be null.
Comment 9 Keith Miller 2017-02-16 13:35:50 PST
Reopening to attach new patch.
Comment 10 Keith Miller 2017-02-16 13:35:53 PST
Created attachment 301814 [details]
Patch
Comment 11 Geoffrey Garen 2017-02-16 13:36:30 PST
Comment on attachment 301814 [details]
Patch

r=me
Comment 12 Build Bot 2017-02-16 15:28:53 PST
Comment on attachment 301814 [details]
Patch

Attachment 301814 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/3135127

New failing tests:
imported/w3c/web-platform-tests/resource-timing/rt-resource-ignored.html
Comment 13 Build Bot 2017-02-16 15:28:57 PST
Created attachment 301841 [details]
Archive of layout-test-results from ews116 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews116  Port: mac-elcapitan  Platform: Mac OS X 10.11.6
Comment 14 Keith Miller 2017-02-16 15:43:56 PST
Comment on attachment 301814 [details]
Patch

I highly doubt I actually broke that test. It's broken on the bots.
Comment 15 Joseph Pecoraro 2017-02-16 15:50:50 PST
> I highly doubt I actually broke that test. It's broken on the bots.

Correct. This is the other assert that I filed a bug about. It should have been skipped for Debug though...
Comment 16 WebKit Commit Bot 2017-02-16 16:10:19 PST
Comment on attachment 301814 [details]
Patch

Clearing flags on attachment: 301814

Committed r212483: <http://trac.webkit.org/changeset/212483>
Comment 17 WebKit Commit Bot 2017-02-16 16:10:25 PST
All reviewed patches have been landed. Closing bug.
Comment 18 youenn fablet 2017-02-16 20:27:56 PST
*** Bug 167955 has been marked as a duplicate of this bug. ***