List: webkit-unassigned
Subject: [Webkit-unassigned] [Bug 199340] New: DataCue destructor calls JSC::gcUnprotect() without holding JS
From: bugzilla-daemon () webkit ! org
Date: 2019-06-29 0:13:27
Message-ID: bug-199340-2851 () https ! bugs ! webkit ! org/
https://bugs.webkit.org/show_bug.cgi?id=199340
Bug ID: 199340
Summary: DataCue destructor calls JSC::gcUnprotect() without holding JSLock.
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Media
Assignee: webkit-unassigned@lists.webkit.org
Reporter: mark.lam@apple.com
You repro this with a debug build as follows:
$ VM=WebKitBuild/Debug && DYLD_FRAMEWORK_PATH=$VM JSC_slowPathAllocsBetweenGCs=10 \
$VM/DumpRenderTree LayoutTests/media/track/track-in-band-metadata-display-order.html
ASSERTION FAILED: m_vm->currentThreadIsHoldingAPILock()
./heap/Heap.cpp(583) : bool JSC::Heap::unprotect(JSC::JSValue)
1 0x1011974f9 WTFCrash
2 0x10119a2ab WTFCrashWithInfo(int, char const*, char const*, int)
3 0x102146a0d JSC::Heap::unprotect(JSC::JSValue)
4 0x110686873 JSC::gcUnprotect(JSC::JSCell*)
5 0x1106857b9 JSC::gcUnprotect(JSC::JSValue)
6 0x110685728 WebCore::DataCue::~DataCue()
7 0x110685875 WebCore::DataCue::~DataCue()
8 0x110685899 WebCore::DataCue::~DataCue()
9 0x110688acf WTF::RefCounted<WebCore::TextTrackCue>::deref() const
10 0x110785545 void WTF::derefIfNotNull<WebCore::TextTrackCue>(WebCore::TextTrackCue*)
11 0x110785509 WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> >::~RefPtr()
12 0x110778595 WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> >::~RefPtr()
13 0x11082bdbf WTF::VectorDestructor<true, WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> > >::destruct(WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> >*, WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> >*)
14 0x11082bd1d WTF::VectorTypeOperations<WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> > >::destruct(WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> >*, WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> >*)
15 0x11082bce0 WTF::Vector<WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> >, 0ul, WTF::CrashOnOverflow, 16ul>::~Vector()
16 0x11082a6f5 WTF::Vector<WTF::RefPtr<WebCore::TextTrackCue, WTF::DumbPtrTraits<WebCore::TextTrackCue> >, 0ul, WTF::CrashOnOverflow, 16ul>::~Vector()
17 0x11082bfa3 WebCore::TextTrackCueList::~TextTrackCueList()
18 0x11082bf45 WebCore::TextTrackCueList::~TextTrackCueList()
19 0x11082bf17 WTF::RefCounted<WebCore::TextTrackCueList>::deref() const
20 0x11082c061 void WTF::derefIfNotNull<WebCore::TextTrackCueList>(WebCore::TextTrackCueList*)
21 0x11082c029 WTF::RefPtr<WebCore::TextTrackCueList, WTF::DumbPtrTraits<WebCore::TextTrackCueList> >::~RefPtr()
22 0x11082bfd5 WTF::RefPtr<WebCore::TextTrackCueList, WTF::DumbPtrTraits<WebCore::TextTrackCueList> >::~RefPtr()
23 0x11098081f WebCore::TextTrack::~TextTrack()
24 0x110980975 WebCore::TextTrack::~TextTrack()
25 0x1109809d9 WebCore::TextTrack::~TextTrack()
26 0x1105f3c5f WTF::RefCounted<WebCore::TrackBase>::deref() const
27 0x1109aa505 void WTF::derefIfNotNull<WebCore::TrackBase>(WebCore::TrackBase*)
28 0x1109aa4c9 WTF::RefPtr<WebCore::TrackBase, WTF::DumbPtrTraits<WebCore::TrackBase> >::~RefPtr()
29 0x1109aa495 WTF::RefPtr<WebCore::TrackBase, WTF::DumbPtrTraits<WebCore::TrackBase> >::~RefPtr()
30 0x1109aa45f WTF::VectorDestructor<true, WTF::RefPtr<WebCore::TrackBase, WTF::DumbPtrTraits<WebCore::TrackBase> > >::destruct(WTF::RefPtr<WebCore::TrackBase, WTF::DumbPtrTraits<WebCore::TrackBase> >*, WTF::RefPtr<WebCore::TrackBase, WTF::DumbPtrTraits<WebCore::TrackBase> >*)
31 0x1109aa3cd WTF::VectorTypeOperations<WTF::RefPtr<WebCore::TrackBase, WTF::DumbPtrTraits<WebCore::TrackBase> > >::destruct(WTF::RefPtr<WebCore::TrackBase, WTF::DumbPtrTraits<WebCore::TrackBase> >*, WTF::RefPtr<WebCore::TrackBase, WTF::DumbPtrTraits<WebCore::TrackBase> >*)