[Webkit-unassigned] [Bug 208642] REGRESSION: (r257905) [ Mac wk2 Debug ] ASSERTION FAILED: !m_isolatedWorld->isNormal() || m_wrapper || !m_jsFunction

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Mar 6 00:34:27 PST 2020 

https://bugs.webkit.org/show_bug.cgi?id=208642

--- Comment #19 from Yusuke Suzuki <ysuzuki at apple.com> ---
(In reply to Ryosuke Niwa from comment #18)
> (In reply to Yusuke Suzuki from comment #17)
> > (In reply to Yusuke Suzuki from comment #16)
> > > 2. So far, this looks like an existing bug due to
> > > https://bugs.webkit.org/show_bug.cgi?id=165713. By using IsoSubspace, we
> > > start putting some lower-tier cells in PreciseAllocation, and reuse them.
> > > This makes GC behavior different, and exposing the existing bug: we should
> > > re-register root if we changed the root after we register the root. I could
> > > create a test case which reproduces this assertion failure without my patch.
> > 
> > Let's describe what is happening.
> > 
> > 1. HTMLVideoElement is created in the test under the current Document. So
> > root is Document.
> > 2. Concurrent GC starts working.
> > 3. Marking (1)'s HTMLVideoElement and registering Document as a root.
> > 4. The executed code removes HTMLVideoElement from Document.
> > 5. HTMLVideoTrackList in HTMLVideoElement queries the opaque root. Since the
> > root of HTMLVideoElement is changed to itself, HTMLVideoTrackList says "I'm
> > live if the root set includes HTMLVideoElement". But this is not included
> > since HTMLVideoElement registers Document as a root. And after the root is
> > changed, it is not re-registering the new root.
> > 6. HTMLVideoTrackList is saying I'm not reachable.
> 
> In this scenario, HTMLVideoElement needs to have a pending activity in
> ActiveDOMObjet while HTMLVideoTrackList/HTMLVideoElement sits in
> GenericEventQueue. That would prevent GC from collecting the JS wrapper
> since it would be reachableFromOpaqueRoot regardless of where it is.

No, it does not fix the issue unfortunately :(
Even if HTMLVideoElement is live, HTMLVideoTrackList goes away since HTMLVideoTrackList is live only if it can find an opaque root, which is not properly registered by HTMLVideoElement due to race condition.
Fundamental fix should be, in some way, re-registering an root & saying "Marking" happens if the root is changed. This is some form of write-barrier.

This issue itself exists for 4 years, and this issue is hidden by this wrong assertion I think (this happens frequently for HTMLVideoElement, but this assertion does not hit due to `m_jsFunction` check and world-is-normal check since this pattern is used in non-normal world (media controls).

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200306/3bff7d26/attachment.htm>

More information about the webkit-unassigned mailing list