RESOLVED FIXED302904
[WebXR] imported/w3c/web-platform-tests/webxr/xrWebGLLayer_constructor.https.html is randomly crashing recently : ASSERTION FAILED: vm().heap.mutatorState() != MutatorState::Sweeping || !vm().currentThreadIsHoldingAPILock() 
https://bugs.webkit.org/show_bug.cgi?id=302904
Summary [WebXR] imported/w3c/web-platform-tests/webxr/xrWebGLLayer_constructor.https....
Fujii Hironori
Reported 2025-11-20 16:39:52 PST
[WebXR] imported/w3c/web-platform-tests/webxr/xrWebGLLayer_constructor.https.html is randomly crashing recently : ASSERTION FAILED: vm().heap.mutatorState() != MutatorState::Sweeping || !vm().currentThreadIsHoldingAPILock() Buildbot: Apple-visionOS-26-Simulator-Debug-WK2-Tests/804 : 303000@main https://build.webkit.org/#/builders/1705/builds/804 ASSERTION FAILED: vm().heap.mutatorState() != MutatorState::Sweeping || !vm().currentThreadIsHoldingAPILock() /Volumes/Data/worker/Apple-visionOS-26-Simulator-Debug-Build/build/Source/JavaScriptCore/runtime/JSCellInlines.h(383) : const ClassInfo *JSC::JSCell::classInfo() const 1 0x13088c494 JSC::JSCell::classInfo() const 2 0x1310b787c JSC::JSCell::inherits(JSC::ClassInfo const*) const 3 0x1308a13d0 JSC::JSObject* JSC::jsCast<JSC::JSObject*, JSC::JSCell>(JSC::JSCell*) 4 0x1308329cc JSC::asObject(JSC::JSCell*) 5 0x1312ec978 JSC::asObject(JSC::JSValue) 6 0x1308bf494 JSC::Register::object() const 7 0x1312ecf00 JSC::CallFrame::jsCallee() const 8 0x130e2c530 JSC::CallFrame::isZombieFrame() const 9 0x130e2c3d4 JSC::StackVisitor::StackVisitor(JSC::CallFrame*, JSC::VM&, bool) 10 0x130e2c95c JSC::StackVisitor::StackVisitor(JSC::CallFrame*, JSC::VM&, bool) 11 0x130dab1bc void JSC::StackVisitor::visit<(JSC::StackVisitor::EmptyEntryFrameAction)0, Inspector::CreateScriptCallStackFunctor>(JSC::CallFrame*, JSC::VM&, Inspector::CreateScriptCallStackFunctor const&, bool) 12 0x130dab0e8 Inspector::createScriptCallStack(JSC::JSGlobalObject*, unsigned long) 13 0x14bd3bd34 WebCore::WebGLRenderingContextBase::printToConsole(JSC::MessageLevel, WTF::String&&) 14 0x14bd291d4 WebCore::WebGLRenderingContextBase::synthesizeGLError(unsigned int, WTF::ASCIILiteral, WTF::ASCIILiteral) 15 0x14bd2e6fc WebCore::WebGLRenderingContextBase::deleteFramebuffer(WebCore::WebGLFramebuffer*) 16 0x14def6ea0 WebCore::WebXROpaqueFramebuffer::~WebXROpaqueFramebuffer() 17 0x14df047f4 WebCore::WebXRWebGLLayer::~WebXRWebGLLayer() 18 0x14df048c4 WebCore::WebXRWebGLLayer::~WebXRWebGLLayer() 19 0x131346ef8 JSC::JSDestructibleObjectDestroyFunc::operator()(JSC::VM&, JSC::JSCell*) const 20 0x13135ed30 void JSC::MarkedBlock::Handle::specializedSweep<false, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)0, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)0, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'(void*)::operator()(void*) const 21 0x131354850 void JSC::MarkedBlock::Handle::specializedSweep<false, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)0, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)0, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&) 22 0x131346e88 void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&) 23 0x131346d24 JSC::JSDestructibleObjectHeapCellType::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) const 24 0x130c6b57c JSC::Subspace::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) 25 0x130c0d3f0 JSC::MarkedBlock::Handle::sweep(JSC::FreeList*) 26 0x130bf5efc JSC::LocalAllocator::tryAllocateIn(JSC::MarkedBlock::Handle*, unsigned long) 27 0x130bf5b04 JSC::LocalAllocator::tryAllocateWithoutCollecting(unsigned long) 28 0x130bf558c JSC::LocalAllocator::allocateSlowCase(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) 29 0x14ad5ed44 void* JSC::tryAllocateCellHelper<WebCore::JSWebXRWebGLLayer, (JSC::AllocationFailureMode)0>(JSC::VM&, unsigned long, JSC::GCDeferralContext*) 30 0x14ad5e9ac WebCore::JSWebXRWebGLLayer::create(JSC::Structure*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::WebXRWebGLLayer, WTF::RawPtrTraits<WebCore::WebXRWebGLLayer>, WTF::DefaultRefDerefTraits<WebCore::WebXRWebGLLayer>>&&) 31 0x14ad0838c WebCore::JSDOMWrapperConverterTraits<WebCore::WebXRWebGLLayer>::WrapperClass* WebCore::createWrapper<WebCore::WebXRWebGLLayer, WebCore::WebXRWebGLLayer>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::WebXRWebGLLayer, WTF::RawPtrTraits<WebCore::WebXRWebGLLayer>, WTF::DefaultRefDerefTraits<WebCore::WebXRWebGLLayer>>&&) com.apple.WebKit.WebContent.Development terminated (pid 10226) for reason: crash
Attachments
Add attachment proposed patch, testcase, etc.
Fujii Hironori
Comment 2 2025-11-20 18:44:47 PST
Pull request: https://github.com/WebKit/WebKit/pull/54289
EWS
Comment 3 2025-11-25 05:20:33 PST
Committed 303535@main (586f410cbf17): <https://commits.webkit.org/303535@main> Reviewed commits have been landed. Closing PR #54289 and removing active labels.
Radar WebKit Bug Importer
Comment 4 2025-11-25 05:21:12 PST
<rdar://problem/165396531>
Note You need to log in before you can comment on or make changes to this bug.