Bug 28997 - Web Inspector assertion failure related to marking
Summary: Web Inspector assertion failure related to marking
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Web Inspector (Deprecated)
Version: 528+ (Nightly build)
Hardware: Mac (Intel) OS X 10.5
Importance: P2 Normal
Assignee: Darin Adler
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-09-05 17:57 PDT by Jessie Berlin
Modified: 2009-09-08 12:02 PDT

See Also:


Attachments
Patch v1 (4.94 KB, patch)
2009-09-08 11:56 PDT, Oliver Hunt
ggaren: review+

Description Jessie Berlin 2009-09-05 17:57:52 PDT
In a debug build (r48097), interacting with the web inspector causes an assertion failure in JSC::MarkStack::append

ASSERTION FAILED: !m_isCheckingForDefaultMarkViolation
(/Users/jessieberlin/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/PrivateHeaders/JSCell.h:329 void JSC::MarkStack::append(JSC::JSCell*))

Steps to reproduce:

1. Make sure the Develop menu is showing in the menu bar.
2. Navigate to a web page (e.g. webkit.org)
3. Inspect any element on the page.
4. Interact with the Web Inspector (e.g. expand or collapse "Computed Style")
5. Note that Safari crashes with the assertion above.

Possibly related to http://trac.webkit.org/changeset/48068
Comment 1 Mark Rowe (bdash) 2009-09-05 18:00:20 PDT
(gdb) bt
#0  0x00000001019b338e in JSC::MarkStack::append (this=0x117826ba0, cell=0x1085aff80) at JSCell.h:329
#1  0x0000000101ad8661 in WebCore::JSQuarantinedObjectWrapper::markChildren (this=0x119f03fc0, markStack=@0x117826ba0) at WebCore/bindings/js/JSQuarantinedObjectWrapper.cpp:99
#2  0x0000000100b42359 in JSC::MarkStack::markChildren (this=0x117826ba0, cell=0x119f03fc0) at JSArray.h:166
#3  0x0000000100b42687 in JSC::MarkStack::drain (this=0x117826ba0) at JSArray.h:215
Comment 2 Darin Adler 2009-09-05 21:05:18 PDT
JSQuarantinedObjectWrapper overrides markChildren, therefore needs to have a structure without the HasDefaultMark flag set. I can fix this on Tuesday, but if someone else wants to tackle it before then it should be similar to the fix in <http://trac.webkit.org/changeset/48079>.

Another alternative would be to turn off the JavaScriptCore assertion by removing it for now. The garbage collection bug will remain, but the inconvenient assertion will be gone for the time being.
Comment 3 Mark Rowe (bdash) 2009-09-06 06:03:07 PDT
JSQuarantinedObjectWrapper does have a structure without HasDefaultMark set (per its implementation of createStructure in JSQuarantinedObjectWrapper.h).  The problematic object appears to be an instance of JSInspectorCallbackWrapper.  The structure seems to be passed in to the JSInspectorCallbackWrapper constructor, and sometimes ends up being the result of a call to asObject(wrap(unwrappedExec, prototype))->inheritorID() (<http://trac.webkit.org/browser/trunk/WebCore/bindings/js/JSInspectorCallbackWrapper.cpp#L76>).  JSObject::inheritorID() seems to call JSObject::createStructure itself if there is no inheritor ID set, which results in HasDefaultMark being set on the structure.
Comment 4 Geoffrey Garen 2009-09-08 11:09:54 PDT
(In reply to comment #3)
Oliver's in the middle of a fix.
Comment 5 Geoffrey Garen 2009-09-08 11:11:02 PDT
(In reply to comment #4)
(Changing the call to inheritorID() to a call to createStructure(), since inheritorID() is only appropriate for vanilla JavaScript objects.)
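The mechanism described in comments 2, 3 and 5, as an added example that is not part of this bug thread and not WebKit's own code: a deliberately simplified C++ model of the marking invariant. Structure, MarkStack, Cell, WrapperCell, Outcome and collect are stand-in names; the only things taken from the page are the HasDefaultMark flag, the markChildren override, the m_isCheckingForDefaultMarkViolation check, and the inheritorID()-versus-createStructure() choice for the wrapper's structure. Real JavaScriptCore aborts when the assertion fires; the model records it instead, so the release-build outcome can be shown next to the debug one.

```cpp
// Simplified, constructed model of the JavaScriptCore marking invariant behind this
// bug. Not JavaScriptCore code: the class names are stand-ins for the real ones.
#include <cstdio>
#include <vector>

struct Cell;

// Stand-in for JSC's Structure: only the HasDefaultMark type-info flag matters here.
struct Structure {
    bool hasDefaultMark;
};

// Stand-in for JSC::MarkStack: a worklist plus the debug-only violation flag.
struct MarkStack {
    std::vector<Cell*> worklist;
    bool debugBuild = false;
    bool isCheckingForDefaultMarkViolation = false;  // models m_isCheckingForDefaultMarkViolation
    bool violationDetected = false;                  // models the ASSERT having fired
    void append(Cell* cell);
    void drain();
};

// A vanilla heap object: the collector knows all of its children (here, just a prototype).
struct Cell {
    Structure* structure;
    Cell* prototype;
    bool marked = false;
    Cell(Structure* s, Cell* proto = nullptr) : structure(s), prototype(proto) {}
    virtual ~Cell() = default;
    // Default marking. It lifts the violation check only around its own appends,
    // so an append coming from an override is still caught.
    void markDefaultChildren(MarkStack& ms) {
        bool wasChecking = ms.isCheckingForDefaultMarkViolation;
        ms.isCheckingForDefaultMarkViolation = false;
        if (prototype)
            ms.append(prototype);
        ms.isCheckingForDefaultMarkViolation = wasChecking;
    }
    virtual void markChildren(MarkStack& ms) { markDefaultChildren(ms); }
};

// Stand-in for JSInspectorCallbackWrapper / JSQuarantinedObjectWrapper: it holds a
// reference (the unwrapped object) that only its own markChildren knows about.
struct WrapperCell : Cell {
    Cell* unwrappedObject;
    WrapperCell(Structure* s, Cell* unwrapped) : Cell(s), unwrappedObject(unwrapped) {}
    void markChildren(MarkStack& ms) override {
        Cell::markChildren(ms);
        ms.append(unwrappedObject);  // the append that trips the assertion in the report
    }
};

void MarkStack::append(Cell* cell) {
    if (isCheckingForDefaultMarkViolation) {
        violationDetected = true;  // real JSC: ASSERT(!m_isCheckingForDefaultMarkViolation) aborts
        return;
    }
    if (cell->marked)
        return;
    cell->marked = true;
    worklist.push_back(cell);
}

void MarkStack::drain() {
    while (!worklist.empty()) {
        Cell* cell = worklist.back();
        worklist.pop_back();
        if (!cell->structure->hasDefaultMark) {
            cell->markChildren(*this);  // slow path: trust the class's override
            continue;
        }
        if (!debugBuild) {
            cell->markDefaultChildren(*this);  // release fast path: the override is never called
            continue;
        }
        // Debug build: run the override with appends forbidden to prove the flag is honest.
        isCheckingForDefaultMarkViolation = true;
        cell->markChildren(*this);
        isCheckingForDefaultMarkViolation = false;
    }
}

struct Outcome {
    bool childMarked;          // did the unwrapped object survive marking?
    bool debugAssertionFired;  // would a debug build have hit the assertion?
};

// structureFromInheritorID = true models the pre-fix path from comment 3 (a vanilla
// structure, so HasDefaultMark is set); false models the fix from comment 5.
Outcome collect(bool structureFromInheritorID, bool debugBuild) {
    Structure vanilla{true};
    Structure wrapperStructure{false};
    Cell unwrapped(&vanilla);  // reachable only through the wrapper's private pointer
    WrapperCell wrapper(structureFromInheritorID ? &vanilla : &wrapperStructure, &unwrapped);
    MarkStack ms;
    ms.debugBuild = debugBuild;
    ms.append(&wrapper);  // the wrapper itself is a root (e.g. held by the inspector)
    ms.drain();
    return {unwrapped.marked, ms.violationDetected};
}

int main() {
    Outcome d = collect(true, true), r = collect(true, false), f = collect(false, false);
    std::printf("inheritorID, debug:   assertion=%d child marked=%d\n", d.debugAssertionFired, d.childMarked);
    std::printf("inheritorID, release: assertion=%d child marked=%d\n", r.debugAssertionFired, r.childMarked);
    std::printf("createStructure:      assertion=%d child marked=%d\n", f.debugAssertionFired, f.childMarked);
    return 0;
}
```

The release-build row is the point comment 2 makes when it says the garbage collection bug would remain if the assertion were simply removed: with HasDefaultMark set on the wrapper's structure, the collector takes the fast path, never calls the override, and the unwrapped object is never marked, so it would be swept while the wrapper still holds a pointer to it. The debug-only check is what turns that latent dangling pointer into a visible assertion failure; giving the wrapper a structure from its own createStructure() makes the collector take the slow path and mark the extra child.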
Comment 6 Oliver Hunt 2009-09-08 11:56:41 PDT
Created attachment 39200
Patch v1
Comment 7 Geoffrey Garen 2009-09-08 11:59:11 PDT
Comment on attachment 39200
Patch v1

Please revert changes to b/WebCore/WebCore.xcodeproj/project.pbxproj.

r=me
Comment 8 Oliver Hunt 2009-09-08 12:02:38 PDT
Committed r48172