[Webkit-unassigned] [Bug 199340] New: DataCue destructor calls JSC::gcUnprotect() without holding JSLock.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jun 28 17:13:27 PDT 2019 

https://bugs.webkit.org/show_bug.cgi?id=199340

            Bug ID: 199340
           Summary: DataCue destructor calls JSC::gcUnprotect() without
                    holding JSLock.
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Media
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mark.lam at apple.com

You repro this with a debug build as follows:

$ VM=WebKitBuild/Debug && DYLD_FRAMEWORK_PATH=$VM JSC_slowPathAllocsBetweenGCs=10 $VM/DumpRenderTree LayoutTests/media/track/track-in-band-metadata-display-order.html

ASSERTION FAILED: m_vm->currentThreadIsHoldingAPILock()
./heap/Heap.cpp(583) : bool JSC::Heap::unprotect(JSC::JSValue)
1   0x1011974f9 WTFCrash
2   0x10119a2ab WTFCrashWithInfo(int, char const*, char const*, int)
3   0x102146a0d JSC::Heap::unprotect(JSC::JSValue)
4   0x110686873 JSC::gcUnprotect(JSC::JSCell*)
5   0x1106857b9 JSC::gcUnprotect(JSC::JSValue)
6   0x110685728 WebCore::DataCue::~DataCue()
7   0x110685875 WebCore::DataCue::~DataCue()
8   0x110685899 WebCore::DataCue::~DataCue()
9   0x110688acf WTF::RefCounted<WebCore::TextTrackCue>::deref() const
10  0x110785545 void WTF::derefIfNotNull<WebCore::TextTrackCue>(WebCore::TextTrackCue*)
11  0x110785509 WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> >::~RefPtr()
12  0x110778595 WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> >::~RefPtr()
13  0x11082bdbf WTF::VectorDestructor<true, WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> > >::destruct(WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> >*, WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> >*)
14  0x11082bd1d WTF::VectorTypeOperations<WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> > >::destruct(WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> >*, WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> >*)
15  0x11082bce0 WTF::Vector<WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> >, 0ul, WTF::CrashOnOverflow, 16ul>::~Vector()
16  0x11082a6f5 WTF::Vector<WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> >, 0ul, WTF::CrashOnOverflow, 16ul>::~Vector()
17  0x11082bfa3 WebCore::TextTrackCueList::~TextTrackCueList()
18  0x11082bf45 WebCore::TextTrackCueList::~TextTrackCueList()
19  0x11082bf17 WTF::RefCounted<WebCore::TextTrackCueList>::deref() const
20  0x11082c061 void WTF::derefIfNotNull<WebCore::TextTrackCueList>(WebCore::TextTrackCueList*)
21  0x11082c029 WTF::RefPtr<WebCore::TextTrackCueList, WTF::DumbPtrTraits<WebCore::TextTrackCueList> >::~RefPtr()
22  0x11082bfd5 WTF::RefPtr<WebCore::TextTrackCueList, WTF::DumbPtrTraits<WebCore::TextTrackCueList> >::~RefPtr()
23  0x11098081f WebCore::TextTrack::~TextTrack()
24  0x110980975 WebCore::TextTrack::~TextTrack()
25  0x1109809d9 WebCore::TextTrack::~TextTrack()
26  0x1105f3c5f WTF::RefCounted<WebCore::TrackBase>::deref() const
27  0x1109aa505 void WTF::derefIfNotNull<WebCore::TrackBase>(WebCore::TrackBase*)
28  0x1109aa4c9 WTF::RefPtr<WebCore::TrackBase, WTF::DumbPtrTraits<WebCore::TrackBase> >::~RefPtr()
29  0x1109aa495 WTF::RefPtr<WebCore::TrackBase, WTF::DumbPtrTraits<WebCore::TrackBase> >::~RefPtr()
30  0x1109aa45f WTF::VectorDestructor<true, WTF::RefPtr<WebCore::TrackBase, WTF::DumbPtrTraits<WebCore::TrackBase> > >::destruct(WTF::RefPtr<WebCore::TrackBase, WTF::DumbPtrTraits<WebCore::TrackBase> >*, WTF::RefPtr<WebCore::TrackBase, WTF::DumbPtrTraits<WebCore::TrackBase> >*)
31  0x1109aa3cd WTF::VectorTypeOperations<WTF::RefPtr<WebCore::TrackBase, WTF::DumbPtrTraits<WebCore::TrackBase> > >::destruct(WTF::RefPtr<WebCore::TrackBase, WTF::DumbPtrTraits<WebCore::TrackBase> >*, WTF::RefPtr<WebCore::TrackBase, WTF::DumbPtrTraits<WebCore::TrackBase> >*)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20190629/108697f9/attachment-0001.html>

More information about the webkit-unassigned mailing list