199340 – DataCue destructor calls JSC::gcUnprotect() without holding JSLock.

RESOLVED DUPLICATE of bug 201170 199340

DataCue destructor calls JSC::gcUnprotect() without holding JSLock.

https://bugs.webkit.org/show_bug.cgi?id=199340

Summary DataCue destructor calls JSC::gcUnprotect() without holding JSLock.

Mark Lam

Reported 2019-06-28 17:13:27 PDT

You repro this with a debug build as follows: $ VM=WebKitBuild/Debug && DYLD_FRAMEWORK_PATH=$VM JSC_slowPathAllocsBetweenGCs=10 $VM/DumpRenderTree LayoutTests/media/track/track-in-band-metadata-display-order.html ASSERTION FAILED: m_vm->currentThreadIsHoldingAPILock() ./heap/Heap.cpp(583) : bool JSC::Heap::unprotect(JSC::JSValue) 1 0x1011974f9 WTFCrash 2 0x10119a2ab WTFCrashWithInfo(int, char const*, char const*, int) 3 0x102146a0d JSC::Heap::unprotect(JSC::JSValue) 4 0x110686873 JSC::gcUnprotect(JSC::JSCell*) 5 0x1106857b9 JSC::gcUnprotect(JSC::JSValue) 6 0x110685728 WebCore::DataCue::~DataCue() 7 0x110685875 WebCore::DataCue::~DataCue() 8 0x110685899 WebCore::DataCue::~DataCue() 9 0x110688acf WTF::RefCounted<WebCore::TextTrackCue>::deref() const 10 0x110785545 void WTF::derefIfNotNull<WebCore::TextTrackCue>(WebCore::TextTrackCue*) 11 0x110785509 WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> >::~RefPtr() 12 0x110778595 WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> >::~RefPtr() 13 0x11082bdbf WTF::VectorDestructor<true, WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> > >::destruct(WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> >*, WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> >*) 14 0x11082bd1d WTF::VectorTypeOperations<WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> > >::destruct(WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> >*, WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> >*) 15 0x11082bce0 WTF::Vector<WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> >, 0ul, WTF::CrashOnOverflow, 16ul>::~Vector() 16 0x11082a6f5 WTF::Vector<WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> >, 0ul, WTF::CrashOnOverflow, 16ul>::~Vector() 17 0x11082bfa3 WebCore::TextTrackCueList::~TextTrackCueList() 18 0x11082bf45 WebCore::TextTrackCueList::~TextTrackCueList() 19 0x11082bf17 WTF::RefCounted<WebCore::TextTrackCueList>::deref() const 20 0x11082c061 void WTF::derefIfNotNull<WebCore::TextTrackCueList>(WebCore::TextTrackCueList*) 21 0x11082c029 WTF::RefPtr<WebCore::TextTrackCueList, WTF::DumbPtrTraits<WebCore::TextTrackCueList> >::~RefPtr() 22 0x11082bfd5 WTF::RefPtr<WebCore::TextTrackCueList, WTF::DumbPtrTraits<WebCore::TextTrackCueList> >::~RefPtr() 23 0x11098081f WebCore::TextTrack::~TextTrack() 24 0x110980975 WebCore::TextTrack::~TextTrack() 25 0x1109809d9 WebCore::TextTrack::~TextTrack() 26 0x1105f3c5f WTF::RefCounted<WebCore::TrackBase>::deref() const 27 0x1109aa505 void WTF::derefIfNotNull<WebCore::TrackBase>(WebCore::TrackBase*) 28 0x1109aa4c9 WTF::RefPtr<WebCore::TrackBase, WTF::DumbPtrTraits<WebCore::TrackBase> >::~RefPtr() 29 0x1109aa495 WTF::RefPtr<WebCore::TrackBase, WTF::DumbPtrTraits<WebCore::TrackBase> >::~RefPtr() 30 0x1109aa45f WTF::VectorDestructor<true, WTF::RefPtr<WebCore::TrackBase, WTF::DumbPtrTraits<WebCore::TrackBase> > >::destruct(WTF::RefPtr<WebCore::TrackBase, WTF::DumbPtrTraits<WebCore::TrackBase> >*, WTF::RefPtr<WebCore::TrackBase, WTF::DumbPtrTraits<WebCore::TrackBase> >*) 31 0x1109aa3cd WTF::VectorTypeOperations<WTF::RefPtr<WebCore::TrackBase, WTF::DumbPtrTraits<WebCore::TrackBase> > >::destruct(WTF::RefPtr<WebCore::TrackBase, WTF::DumbPtrTraits<WebCore::TrackBase> >*, WTF::RefPtr<WebCore::TrackBase, WTF::DumbPtrTraits<WebCore::TrackBase> >*)

Attachments
Add attachment proposed patch, testcase, etc.

Ryosuke Niwa

Comment 1 2019-08-28 08:24:58 PDT

Is this fixed by https://trac.webkit.org/changeset/249133?

Yusuke Suzuki

Comment 2 2019-08-28 10:38:08 PDT

(In reply to Ryosuke Niwa from comment #1) > Is this fixed by https://trac.webkit.org/changeset/249133? Yes, this is fixed in that change. Closing.

Yusuke Suzuki

Comment 3 2019-08-28 10:38:37 PDT

*** This bug has been marked as a duplicate of bug 201170 ***

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution DUPLICATE

of bug 201170

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component Media

Assignee

Nobody

Reported

2019-06-28 17:13 PDT

Modified

2019-08-28 10:38 PDT History

CC List

4 users Show

URL

Keywords

Depends on

Blocks