[Webkit-unassigned] [Bug 119108] New: ASSERT(m_vm->apiLock().currentThreadIsHoldingLock()); fails for Safari on current ToT

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jul 25 14:54:02 PDT 2013


https://bugs.webkit.org/show_bug.cgi?id=119108

           Summary: ASSERT(m_vm->apiLock().currentThreadIsHoldingLock());
                    fails for Safari on current ToT
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: mark.lam at apple.com
                CC: ggaren at apple.com, barraclough at apple.com,
                    mhahnenberg at apple.com, mark.lam at apple.com


Here's the back trace:

(gdb) bt
#0  WTFCrash () at /Volumes/Data/ws6/OpenSource/Source/WTF/wtf/Assertions.cpp:339
#1  0x000000010732e094 in JSC::Heap::protect (this=0x7f827a04a418, k={u = {asInt64 = 4627690608, ptr = 0x113d4f470, asBits = {payload = 332723312, tag = 1}}}) at /Volumes/Data/ws6/OpenSource/Source/JavaScriptCore/heap/Heap.cpp:337
#2  0x00000001073bf333 in JSC::gcProtect (val=0x113d4f470) at Protect.h:32
#3  0x00000001073be9b9 in JSGlobalContextRetain (ctx=0x113d4f4e0) at /Volumes/Data/ws6/OpenSource/Source/JavaScriptCore/API/JSContextRef.cpp:158
#4  0x00000001109d8822 in WBSJSController::setContext (this=0x7f827b860690, context=0x113d4f4e0) at /Volumes/Data/ws6/Internal/SafariShared/WBSJSController.mm:107
#5  0x00000001109d8c50 in WBSJSController::scriptObjectReady (this=0x7f827b860690, ctx=0x113d4f4e0) at /Volumes/Data/ws6/Internal/SafariShared/WBSJSController.mm:64
…

The rest of the stack trace shows this initiated from Reader.  I saw this assertion failure crash by launching a debug build of ToT (r153339) with Safari set to load "http://www.zazzle.com/vintage_zebra_blue_mojo_pillow-189636972500458458" on launch.

Per our conversation, it looks like the assertion is failing because of the recently added code to check for "vm.exclusiveThread".  gdb confirms that this code was active in this case.  Here are the gdb details:

(gdb) frame 3      
#3  0x00000001073be9b9 in JSGlobalContextRetain (ctx=0x113d4f4e0) at /Volumes/Data/ws6/OpenSource/Source/JavaScriptCore/API/JSContextRef.cpp:158
158        gcProtect(exec->dynamicGlobalObject());
(gdb) list
153    {
154        ExecState* exec = toJS(ctx);
155        APIEntryShim entryShim(exec);
156    
157        VM& vm = exec->vm();
158        gcProtect(exec->dynamicGlobalObject());
159        vm.ref();
160        return ctx;
161    }
162    
(gdb) p vm.exclusiveThread
$1 = 1

Based on the APIEntryShim code, this means that it does not acquire the VM lock on allocation of the shim.
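The invariant behind the failing ASSERT can be shown with a small model. The following is an added example, not WebKit code: ApiLock, VM, EntryShim, protectChecked and contextRetain are hypothetical stand-ins for the real apiLock(), VM, APIEntryShim, Heap::protect and JSGlobalContextRetain, and the assumption that the shim skips acquiring the lock when exclusiveThread is set is taken from the report above, not from the actual APIEntryShim source. The lock records its owning thread so that currentThreadIsHoldingLock() can be checked from the protect path, which is what trips when the shim bypasses acquisition.

```cpp
// Added example, not WebKit code: a toy model of the invariant behind
// ASSERT(m_vm->apiLock().currentThreadIsHoldingLock()). Names (ApiLock,
// VM, EntryShim, protectChecked, contextRetain) are hypothetical.
#include <atomic>
#include <mutex>
#include <thread>

// A lock that remembers which thread holds it, so callers can assert ownership.
struct ApiLock {
    std::recursive_mutex mutex;
    std::atomic<std::thread::id> owner{};  // default-constructed id == "no thread"
    int depth = 0;                         // recursion depth, touched only under mutex

    void lock() {
        mutex.lock();
        owner.store(std::this_thread::get_id());
        ++depth;
    }
    void unlock() {
        if (--depth == 0)
            owner.store(std::thread::id());
        mutex.unlock();
    }
    // Safe to call from any thread: compares the recorded owner with the caller.
    bool currentThreadIsHoldingLock() const {
        return owner.load() == std::this_thread::get_id();
    }
};

struct VM {
    ApiLock apiLock;
    bool exclusiveThread = false;  // the flag gdb showed as 1 in the report
};

// Model of an entry shim. The report infers that the real shim skipped
// acquiring the lock when vm.exclusiveThread was set (assumption); this model
// makes that choice explicit via lockEvenIfExclusive so both paths compare.
class EntryShim {
public:
    EntryShim(VM& vm, bool lockEvenIfExclusive) : m_vm(vm), m_acquired(false) {
        if (!vm.exclusiveThread || lockEvenIfExclusive) {
            m_vm.apiLock.lock();
            m_acquired = true;
        }
    }
    ~EntryShim() {
        if (m_acquired)
            m_vm.apiLock.unlock();
    }
private:
    VM& m_vm;
    bool m_acquired;
};

// Stand-in for Heap::protect: returns false where the real code would hit the ASSERT.
bool protectChecked(const VM& vm) {
    return vm.apiLock.currentThreadIsHoldingLock();
}

// Stand-in for the JSGlobalContextRetain path in the back trace:
// construct the shim, then protect. Returns whether the lock invariant held.
bool contextRetain(VM& vm, bool shimLocksEvenIfExclusive) {
    EntryShim shim(vm, shimLocksEvenIfExclusive);
    return protectChecked(vm);
}

// The crashing configuration: exclusiveThread == 1 and the shim skips the lock.
bool exclusiveThreadSkippingLock() {
    VM vm;
    vm.exclusiveThread = true;
    return contextRetain(vm, false);  // false: the assertion would fire here
}

// Same flag, but the shim still takes the lock: invariant satisfied.
bool exclusiveThreadTakingLock() {
    VM vm;
    vm.exclusiveThread = true;
    return contextRetain(vm, true);
}

// Ordinary (non-exclusive) path, for comparison.
bool sharedThreadPath() {
    VM vm;
    return contextRetain(vm, false);
}

// Recursive acquisition: ownership must survive nested shims and end only
// after the outermost one releases.
bool nestedShimsKeepOwnership() {
    VM vm;
    bool heldInside = false;
    {
        EntryShim outer(vm, false);
        {
            EntryShim inner(vm, false);
            heldInside = vm.apiLock.currentThreadIsHoldingLock();
        }
        heldInside = heldInside && vm.apiLock.currentThreadIsHoldingLock();
    }
    return heldInside && !vm.apiLock.currentThreadIsHoldingLock();
}
```

The useful check here is that ownership is tracked on the lock itself rather than inferred from a mode flag: a fast path that skips acquisition cannot satisfy a caller that asserts ownership, so either the fast path must still record the owning thread or the assertion must be relaxed for that mode, and the model lets both configurations be exercised side by side.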
