RESOLVED FIXED 180860
Add a release assert that Timer::m_wasDeleted is false in setNextFireTime
https://bugs.webkit.org/show_bug.cgi?id=180860
Summary Add a release assert that Timer::m_wasDeleted is false in setNextFireTime
Ryosuke Niwa
Reported 2017-12-14 20:28:37 PST
To diagnose a crash which appears to come from scheduling a freed timer, we should add a release assertion on m_wasDeleted in Timer.
Attachments
Adds a release assert (2.35 KB, patch)
2017-12-14 20:40 PST, Ryosuke Niwa
no flags
Archive of layout-test-results from ews124 for ios-simulator-wk2 (2.20 MB, application/zip)
2017-12-14 22:13 PST, EWS Watchlist
no flags
Radar WebKit Bug Importer
Comment 1 2017-12-14 20:29:24 PST
Ryosuke Niwa
Comment 2 2017-12-14 20:40:54 PST
Created attachment 329453 [details]
Adds a release assert
EWS Watchlist
Comment 3 2017-12-14 22:13:32 PST
Comment on attachment 329453 [details]
Adds a release assert

Attachment 329453 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/5669607

New failing tests:
webgl/1.0.2/conformance/context/context-release-with-workers.html
EWS Watchlist
Comment 4 2017-12-14 22:13:33 PST
Created attachment 329462 [details]
Archive of layout-test-results from ews124 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews124  Port: ios-simulator-wk2  Platform: Mac OS X 10.12.6
Ryosuke Niwa
Comment 5 2017-12-14 22:16:49 PST
(In reply to Build Bot from comment #3)
> Comment on attachment 329453 [details]
> Adds a release assert
>
> Attachment 329453 [details] did not pass ios-sim-ews (ios-simulator-wk2):
> Output: http://webkit-queues.webkit.org/results/5669607
>
> New failing tests:
> webgl/1.0.2/conformance/context/context-release-with-workers.html

I don't think a crash in RuleFeatureSet is related to this patch.

CRASHING TEST: webgl/1.0.2/conformance/context/context-release-with-workers.html
CoreSimulator 494.13.6 - Device: iPhone 5s WebKit Tester10 - Runtime: iOS 11.0 (15A372) - DeviceType: iPhone 5s

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore   0x000000011aadbc70 WebCore::RuleFeatureSet::~RuleFeatureSet() + 240 (RefPtr.h:67)
1   com.apple.WebCore   0x000000011aaf715d WebCore::RuleSet::~RuleSet() + 29 (Vector.h:315)
2   com.apple.WebCore   0x000000011aad8657 WebCore::DocumentRuleSets::~DocumentRuleSets() + 503 (RuleSet.h:136)
3   com.apple.WebCore   0x000000011b41cb53 WebCore::Style::Scope::clearResolver() + 35 (StyleResolver.h:127)
4   com.apple.WebCore   0x000000011abaf44d WebCore::Document::~Document() + 973 (Ref.h:113)
5   com.apple.WebCore   0x000000011ad4274e WebCore::HTMLDocument::~HTMLDocument() + 14 (Node.h:81)
6   JavaScriptCore      0x00000001179e4b46 void JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&) + 198
7   JavaScriptCore      0x00000001179e346b void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'()::operator()() const + 379
8   JavaScriptCore      0x00000001179e15bb void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&) + 315 (MarkedBlockInlines.h:425)
9   JavaScriptCore      0x00000001179e147a JSC::JSDestructibleObjectHeapCellType::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) + 26 (JSDestructibleObjectHeapCellType.cpp:53)
David Kilzer (:ddkilzer)
Comment 6 2017-12-15 04:49:59 PST
Comment on attachment 329453 [details]
Adds a release assert

r=me
WebKit Commit Bot
Comment 7 2017-12-15 13:32:10 PST
Comment on attachment 329453 [details]
Adds a release assert

Clearing flags on attachment: 329453

Committed r225985: <https://trac.webkit.org/changeset/225985>
WebKit Commit Bot
Comment 8 2017-12-15 13:32:12 PST
All reviewed patches have been landed. Closing bug.