In a debug build (r48097), interacting with the web inspector causes an assertion failure in JSC::MarkStack::append:

ASSERTION FAILED: !m_isCheckingForDefaultMarkViolation
(/Users/jessieberlin/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/PrivateHeaders/JSCell.h:329 void JSC::MarkStack::append(JSC::JSCell*))

Steps to reproduce:
1. Make sure the Develop menu is showing in the menu bar.
2. Navigate to a web page (e.g. webkit.org).
3. Inspect any element on the page.
4. Interact with the Web Inspector (e.g. expand or collapse "Computed Style").
5. Note that Safari crashes with the assertion above.

Possibly related to http://trac.webkit.org/changeset/48068
(gdb) bt
#0 0x00000001019b338e in JSC::MarkStack::append (this=0x117826ba0, cell=0x1085aff80) at JSCell.h:329
#1 0x0000000101ad8661 in WebCore::JSQuarantinedObjectWrapper::markChildren (this=0x119f03fc0, markStack=@0x117826ba0) at WebCore/bindings/js/JSQuarantinedObjectWrapper.cpp:99
#2 0x0000000100b42359 in JSC::MarkStack::markChildren (this=0x117826ba0, cell=0x119f03fc0) at JSArray.h:166
#3 0x0000000100b42687 in JSC::MarkStack::drain (this=0x117826ba0) at JSArray.h:215
JSQuarantinedObjectWrapper overrides markChildren and therefore needs to have a structure without the HasDefaultMark flag set. I can fix this on Tuesday, but if someone else wants to tackle it before then it should be similar to the fix in <http://trac.webkit.org/changeset/48079>. Another alternative would be to turn off the JavaScriptCore assertion by removing it for now. The garbage collection bug will remain, but the inconvenient assertion will be gone for the time being.
JSQuarantinedObjectWrapper does have a structure without HasDefaultMark set (per its implementation of createStructure in JSQuarantinedObjectWrapper.h). The problematic object appears to be an instance of JSInspectorCallbackWrapper. The structure seems to be passed in to the JSInspectorCallbackWrapper constructor, and sometimes ends up being the result of a call to asObject(wrap(unwrappedExec, prototype))->inheritorID() (<http://trac.webkit.org/browser/trunk/WebCore/bindings/js/JSInspectorCallbackWrapper.cpp#L76>). JSObject::inheritorID() seems to call JSObject::createStructure itself if there is no inheritor ID set, which results in HasDefaultMark being set on the structure.
(In reply to comment #3) Oliver's in the middle of a fix.
(In reply to comment #4) (Changing the call to inheritorID() to a call to createStructure(), since inheritorID() is only appropriate for vanilla JavaScript objects.)
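The invariant the diagnosis above describes, modelled as an added C++ example that is not JavaScriptCore's code: a toy mark stack that skips the virtual markChildren call for any cell whose structure claims HasDefaultMark, and in a debug build calls it anyway just to catch an append() it would otherwise have missed. Structure, Cell, MarkStack, Wrapper and collect() are stand-ins for the real types; the wrapper given a HasDefaultMark structure is the misconfigured case, the one with a plain structure is what the fix produces.

```cpp
#include <vector>
// Toy model of the mark-stack invariant from this thread, not JavaScriptCore code.
enum { HasDefaultMark = 1u };
struct Structure { unsigned flags; };
struct MarkStack;

struct Cell {
    const Structure* structure;
    bool marked = false;
    explicit Cell(const Structure* s) : structure(s) {}
    virtual void markChildren(MarkStack&) {}  // default mark: no children to visit
};

struct MarkStack {
    std::vector<Cell*> pending;
    bool debugBuild, isCheckingForDefaultMarkViolation = false, violationDetected = false;
    explicit MarkStack(bool debug) : debugBuild(debug) {}
    // Stands in for ASSERT(!m_isCheckingForDefaultMarkViolation) in the report.
    void append(Cell* cell) {
        if (isCheckingForDefaultMarkViolation) { violationDetected = true; return; }
        if (!cell->marked) { cell->marked = true; pending.push_back(cell); }
    }
    void markChildren(Cell* cell) {
        if (!(cell->structure->flags & HasDefaultMark)) { cell->markChildren(*this); return; }
        if (!debugBuild) return;  // release: trust the flag and skip the virtual call
        isCheckingForDefaultMarkViolation = true;  // debug: call it and catch any append()
        cell->markChildren(*this);
        isCheckingForDefaultMarkViolation = false;
    }
};

// Like JSQuarantinedObjectWrapper: overrides markChildren to reach the object it wraps.
struct Wrapper : Cell {
    Cell* wrapped;
    Wrapper(const Structure* s, Cell* w) : Cell(s), wrapped(w) {}
    void markChildren(MarkStack& ms) override { ms.append(wrapped); }
};

struct Outcome { bool wrappedMarked, violationDetected; };
// One collection rooted at a wrapper whose structure carries `wrapperFlags`.
Outcome collect(unsigned wrapperFlags, bool debugBuild) {
    Structure plain{HasDefaultMark}, wrapperStructure{wrapperFlags};  // plain: an ordinary object
    Cell inner(&plain);
    Wrapper root(&wrapperStructure, &inner);
    MarkStack ms(debugBuild);
    ms.append(&root);
    while (!ms.pending.empty()) { Cell* c = ms.pending.back(); ms.pending.pop_back(); ms.markChildren(c); }
    return {inner.marked, ms.violationDetected};
}
```

With the wrong flag, a debug build reports the violation while a release build silently leaves the wrapped object unmarked, which is the garbage collection bug that would remain if only the assertion were removed.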
Created attachment 39200 [details] Patch v1
Comment on attachment 39200 [details] Patch v1 Please revert changes to b/WebCore/WebCore.xcodeproj/project.pbxproj. r=me
Committed r48172