Bug 304954 (RESOLVED FIXED)
REGRESSION(305023@main): cannot jsCast during destroy
https://bugs.webkit.org/show_bug.cgi?id=304954
Jonathan Bedard
Reported 2026-01-05 14:25:50 PST
After 305023@main, many tests are failing with assertions on WebKitLegacy.

History: https://results.webkit.org/?suite=layout-tests&test=accessibility%2Fmac%2Fselect-text%2Fselect-text-6.html
Example build: https://build.webkit.org/#/builders/1224/builds/3647
Reproduction: run-webkit-tests --no-build --no-retry --no-show-results --exit-after-n-failures=1 --expect-pass --iterations=1000 --force -1 --debug accessibility/mac/select-text/select-text-6.html
Radar WebKit Bug Importer
Comment 1 2026-01-05 14:26:06 PST
Alexey Proskuryakov
Comment 2 2026-01-05 14:34:27 PST
stderr:
ASSERTION FAILED: vm().heap.mutatorState() != MutatorState::Sweeping || !vm().currentThreadIsHoldingAPILock()
/Volumes/Data/worker/Apple-Sequoia-Debug-Build/build/WebKitBuild/Debug/JavaScriptCore.framework/PrivateHeaders/JSCellInlines.h(383) : const ClassInfo *JSC::JSCell::classInfo() const
1 0x174e804d1 JSC::JSCell::classInfo() const
2 0x174e80429 JSC::JSCell::inherits(JSC::ClassInfo const*) const
3 0x1795b4cbc JSC::Bindings::RuntimeObject* JSC::jsCast<JSC::Bindings::RuntimeObject*, JSC::JSCell>(JSC::JSCell*)
4 0x1795b3c85 JSC::Bindings::RuntimeObject::destroy(JSC::JSCell*)
5 0x122487a12 JSC::IsoHeapCellType::destroy(JSC::VM&, JSC::JSCell*) const
6 0x122524f6a JSC::Subspace::destroy(JSC::VM&, JSC::JSCell*)
7 0x1224a2201 JSC::PreciseAllocation::sweep()
8 0x1224a2080 JSC::MarkedSpace::sweepPreciseAllocations()
9 0x1223ed100 JSC::Heap::sweepInFinalize()
10 0x1223ecd0e JSC::Heap::finalize()
11 0x1223ec577 JSC::Heap::handleNeedFinalize(unsigned int)
12 0x1223eb5b4 JSC::Heap::handleNeedFinalize()
13 0x1223e6fa9 JSC::Heap::finishChangingPhase(JSC::GCConductor)
14 0x1223e8f3a JSC::Heap::changePhase(JSC::GCConductor, JSC::CollectorPhase)
15 0x1223e8ec1 JSC::Heap::runEndPhase(JSC::GCConductor)
16 0x1223e68c9 JSC::Heap::runCurrentPhase(JSC::GCConductor, JSC::CurrentThreadState*)
17 0x12244638a JSC::Heap::collectInMutatorThread()::$_0::operator()(JSC::CurrentThreadState&) const
18 0x122446321 WTF::ScopedLambdaFunctor<void (JSC::CurrentThreadState&), JSC::Heap::collectInMutatorThread()::$_0>::implFunction(void*, JSC::CurrentThreadState&)
19 0x12248b741 void WTF::ScopedLambda<void (JSC::CurrentThreadState&)>::operator()<JSC::CurrentThreadState&>(JSC::CurrentThreadState&) const
20 0x12248b6ee JSC::callWithCurrentThreadState(WTF::ScopedLambda<void (JSC::CurrentThreadState&)> const&)
21 0x1223ec62f JSC::Heap::collectInMutatorThread()
22 0x1223ec432 JSC::Heap::stopIfNecessarySlow(unsigned int)
23 0x1223ec1f1 JSC::Heap::stopIfNecessarySlow()
24 0x1223e6109 JSC::Heap::stopIfNecessary()
25 0x1223e2c8e JSC::Heap::collectIfNecessaryOrDefer(JSC::GCDeferralContext*)
26 0x1223e2a98 JSC::Heap::reportExtraMemoryAllocatedSlowCase(JSC::GCDeferralContext*, JSC::JSCell const*, unsigned long)
27 0x122c461bb JSC::Heap::reportExtraMemoryAllocated(JSC::JSCell const*, unsigned long)
28 0x122be16c6 JSC::JSArrayBufferView::ConstructionContext::ConstructionContext(JSC::VM&, JSC::Structure*, unsigned long, unsigned int, JSC::JSArrayBufferView::ConstructionContext::InitializationMode)
29 0x122be183d JSC::JSArrayBufferView::ConstructionContext::ConstructionContext(JSC::VM&, JSC::Structure*, unsigned long, unsigned int, JSC::JSArrayBufferView::ConstructionContext::InitializationMode)
30 0x1221fc6b7 JSC::JSGenericTypedArrayView<JSC::Uint8Adaptor>::create(JSC::JSGlobalObject*, JSC::Structure*, unsigned long)
31 0x1220d86cf JSC::JSObject* JSC::constructGenericTypedArrayViewWithArguments<JSC::JSGenericTypedArrayView<JSC::Uint8Adaptor>>(JSC::JSGlobalObject*, JSC::Structure*, JSC::JSValue, unsigned long, std::__1::optional<unsigned long>)
Anne van Kesteren
Comment 3 2026-01-05 23:37:32 PST
EWS
Comment 4 2026-01-06 06:14:11 PST
Committed 305154@main (81bef3abc278): <https://commits.webkit.org/305154@main>

Reviewed commits have been landed. Closing PR #56129 and removing active labels.