FastMalloc.h specifies you need to annotate each derived class with WTF_MAKE_ISO_ALLOCATED if your base class is annotated with WTF_MAKE_ISO_ALLOCATED. After doing this, the crash in WebCore::Event::operator new(unsigned long) is no longer happening.
<rdar://problem/71708005>
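The following is an added example, not WebKit code, that models why a derived class has to carry the same per-type allocation annotation as its base. The names `TypedHeap` and `MAKE_TYPED_ALLOCATED` are stand-ins for the real `IsoHeap`/`WTF_MAKE_ISO_ALLOCATED`, and the size check that rejects a wrong-sized request is an assumption about how such a per-type heap would detect the mismatch, not text taken from FastMalloc.h.

```cpp
// Added example (not WebKit code). Models the rule from FastMalloc.h: if a base
// class is annotated for a per-type heap, every derived class must be too.
// TypedHeap / MAKE_TYPED_ALLOCATED are illustrative stand-ins; the size check
// below is an assumption about how such a heap rejects a foreign object.
#include <cstddef>
#include <cstdlib>
#include <new>
#include <stdexcept>

// A per-type heap that only hands out cells of exactly sizeof(T). Keeping each
// type in its own heap is what prevents a freed cell of one type from being
// reused for an object of another type.
template <typename T>
struct TypedHeap {
    static void* allocate(size_t requested) {
        constexpr size_t cellSize = sizeof(T);
        // Models the failure seen in the base class's operator new: a derived
        // class that inherited it asks this heap for more bytes than a cell holds.
        if (requested != cellSize)
            throw std::length_error("size mismatch: object does not belong to this heap");
        return std::malloc(cellSize);
    }
    static void deallocate(void* p) { std::free(p); }
};

// Class-scoped operator new/delete routed to the class's own heap.
#define MAKE_TYPED_ALLOCATED(Class) \
    void* operator new(size_t size) { return TypedHeap<Class>::allocate(size); } \
    void operator delete(void* p) { TypedHeap<Class>::deallocate(p); }

struct Event {
    MAKE_TYPED_ALLOCATED(Event)
    virtual ~Event() = default;
    int type = 0;
};

// Missing annotation: inherits Event::operator new, so `new BrokenEvent` asks
// TypedHeap<Event> for sizeof(BrokenEvent) bytes and is rejected.
struct BrokenEvent : Event {
    void* extra[4] = {};
};

// Annotated: gets its own heap sized for the derived object.
struct FixedEvent : Event {
    MAKE_TYPED_ALLOCATED(FixedEvent)
    void* extra[4] = {};
};

// Returns true if constructing and destroying a T through its heap succeeded.
template <typename T>
bool tryAllocate() {
    try {
        T* e = new T;
        delete e;
        return true;
    } catch (const std::length_error&) {
        return false;
    }
}

bool baseAllocates()          { return tryAllocate<Event>(); }
bool brokenDerivedAllocates() { return tryAllocate<BrokenEvent>(); }
bool fixedDerivedAllocates()  { return tryAllocate<FixedEvent>(); }
```

`BrokenEvent` fails the size check the same way a derived event class without the annotation would trip the base class's allocator; adding the macro to the derived class, as the patch does, gives it a heap of the right cell size.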
Created attachment 449701 [details] Patch
The proposed patch exposed an assertion being hit in mac-debug-wk1

```
Application Specific Information:
CRASHING TEST: webxr/xr-reference-space-event-crash.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore   0x00000004a2540f4e WTFCrash + 14
1   com.apple.WebCore          0x000000047cc6a2bb WTFCrashWithInfo(int, char const*, char const*, int) + 27
2   com.apple.WebCore          0x000000047f8197ea WebCore::XRReferenceSpaceEvent::XRReferenceSpaceEvent(WTF::AtomString const&, WebCore::XRReferenceSpaceEvent::Init const&, WebCore::EventIsTrusted) + 362
3   com.apple.WebCore          0x000000047f819673 WebCore::XRReferenceSpaceEvent::XRReferenceSpaceEvent(WTF::AtomString const&, WebCore::XRReferenceSpaceEvent::Init const&, WebCore::EventIsTrusted) + 51
4   com.apple.WebCore          0x000000047f81961b WebCore::XRReferenceSpaceEvent::create(WTF::AtomString const&, WebCore::XRReferenceSpaceEvent::Init const&, WebCore::EventIsTrusted) + 75
5   com.apple.WebCore          0x000000047ebaaa90 WebCore::JSDOMConstructor<WebCore::JSXRReferenceSpaceEvent>::construct(JSC::JSGlobalObject*, JSC::CallFrame*) + 1184
```

I am taking a look.
Created attachment 450065 [details] Patch
Comment on attachment 450065 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=450065&action=review

The changes look good, but I think the test should be improved.

> LayoutTests/webxr/xr-reference-space-event-crash.html:3
> +    navigator.xr.requestSession('inline')

Looks like this test is doing work asynchronously; therefore, I would:

> LayoutTests/webxr/xr-reference-space-event-crash.html:6
> +    new XRReferenceSpaceEvent('', {referenceSpace})

call this right after:
```
if (window.testRunner)
    testRunner.notifyDone();
```
Also, I recommend adding some validation of the event. In particular, make sure that event.referenceSpace is referenceSpace and that event.transform is null.

> LayoutTests/webxr/xr-reference-space-event-crash.html:10
> +    testRunner.dumpAsText();

call testRunner.waitUntilDone() too
Created attachment 450074 [details] Patch
Comment on attachment 450074 [details] Patch r=me
Committed r288672 (246478@main): <https://commits.webkit.org/246478@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 450074 [details].