http://build.webkit.org/results/Apple%20Mavericks%20Debug%20WK2%20(Tests)/r164696%20(2899)/inspector-protocol/page/deny-X-FrameOption-crash-log.txt ASSERTION FAILED: m_heap->vm()->currentThreadIsHoldingAPILock() /Volumes/Data/slave/mavericks-debug/build/Source/JavaScriptCore/heap/MarkedAllocator.cpp(149) : void *JSC::MarkedAllocator::allocateSlowCase(size_t) 1 0x1106508d0 WTFCrash 2 0x110474955 JSC::MarkedAllocator::allocateSlowCase(unsigned long) 3 0x11189f7af JSC::MarkedAllocator::allocate(unsigned long) 4 0x11189f649 JSC::MarkedSpace::allocateWithImmortalStructureDestructor(unsigned long) 5 0x11189f5b6 JSC::Heap::allocateWithImmortalStructureDestructor(unsigned long) 6 0x11189f487 void* JSC::allocateCell<JSC::Structure>(JSC::Heap&, unsigned long) 7 0x11189f05f void* JSC::allocateCell<JSC::Structure>(JSC::Heap&) 8 0x11189eddf JSC::Structure::create(JSC::VM&, JSC::JSGlobalObject*, JSC::JSValue, JSC::TypeInfo const&, JSC::ClassInfo const*, unsigned char, unsigned int) 9 0x1124cc810 WebCore::JSCommandLineAPIHostPrototype::createStructure(JSC::VM&, JSC::JSGlobalObject*, JSC::JSValue) 10 0x1124cb769 WebCore::JSCommandLineAPIHost::createPrototype(JSC::VM&, JSC::JSGlobalObject*) ...
<rdar://problem/16170264>
Actually, there are lots of inspector tests failing with this assertion, probably should file a bug about each one. Also: inspector-protocol/debugger/nested-inspectors.html inspector-protocol/dom-debugger/node-removed.html
(In reply to comment #2) > Actually, there are lots of inspector tests failing with this assertion, probably should file a bug about each one. > > Also: > > inspector-protocol/debugger/nested-inspectors.html > inspector-protocol/dom-debugger/node-removed.html They are probably due to the same root cause though. I'm investigating.
*** Bug 129360 has been marked as a duplicate of this bug. ***
The test failure is intermittent because it depends on an GC / allocation activity happening at exactly the right moment. That is why I don't see the failures when I run it on my machine. However, there is an easy way to get an equivalent reproduction case i.e. by adding the following assertion to JSC::Structure::create(): ASSERT(vm.currentThreadIsHoldingAPILock()); With that I can get the inspector-protocol tests to fail all the time. The failure is because InjectedScriptModule::ensureInjected() isn't using an APIEntryShim before it started calling functions that enter the VM. The fix is to use the shim here. Patch coming soon.
Created attachment 225235 [details] the patch.
Created attachment 225237 [details] patch 2: added a comment.
Comment on attachment 225237 [details] patch 2: added a comment. Clearing flags on attachment: 225237 Committed r164717: <http://trac.webkit.org/changeset/164717>
All reviewed patches have been landed. Closing bug.