Changeset 202443 in webkit

Timestamp:

Jun 24, 2016 1:30:04 PM (8 years ago)

Author:

BJ Burg

Message:

Web Inspector: CRASH in backend at Inspector::HeapFrontendDispatcher::garbageCollected + 552 when closing frontend/inspected page
​https://bugs.webkit.org/show_bug.cgi?id=159075
<rdar://problem/26094341>

Reviewed by Joseph Pecoraro.

Move the asynchronous work to a task class that can be cancelled when the
heap agent is reset, disabled or destroyed.

• inspector/agents/InspectorHeapAgent.cpp:

(Inspector::SendGarbageCollectionEventsTask::SendGarbageCollectionEventsTask):
(Inspector::SendGarbageCollectionEventsTask::addGarbageCollection):
(Inspector::SendGarbageCollectionEventsTask::reset):
(Inspector::SendGarbageCollectionEventsTask::timerFired):
Added. This holds onto GarbageCollection objects that need to be sent asynchronously.
It uses the RunLoop variant of Timer and can queue multiple pending objects to be sent.

(Inspector::InspectorHeapAgent::InspectorHeapAgent):
(Inspector::InspectorHeapAgent::~InspectorHeapAgent):
(Inspector::InspectorHeapAgent::disable):
Reset the task when disabling or tearing down the agent so the timer doesn't fire after destruction.

(Inspector::InspectorHeapAgent::didGarbageCollect):
Send the object to the task to be dispatched asynchronously.

• inspector/agents/InspectorHeapAgent.h:

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• inspector/agents/InspectorHeapAgent.cpp (modified) (6 diffs)
• inspector/agents/InspectorHeapAgent.h (modified) (2 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-06-24  Brian Burg  <bburg@apple.com>
+
+        Web Inspector: CRASH in backend at Inspector::HeapFrontendDispatcher::garbageCollected + 552 when closing frontend/inspected page
+        https://bugs.webkit.org/show_bug.cgi?id=159075
+        <rdar://problem/26094341>
+
+        Reviewed by Joseph Pecoraro.
+
+        Move the asynchronous work to a task class that can be cancelled when the
+        heap agent is reset, disabled or destroyed.
+
+        * inspector/agents/InspectorHeapAgent.cpp:
+        (Inspector::SendGarbageCollectionEventsTask::SendGarbageCollectionEventsTask):
+        (Inspector::SendGarbageCollectionEventsTask::addGarbageCollection):
+        (Inspector::SendGarbageCollectionEventsTask::reset):
+        (Inspector::SendGarbageCollectionEventsTask::timerFired):
+        Added. This holds onto GarbageCollection objects that need to be sent asynchronously.
+        It uses the RunLoop variant of Timer and can queue multiple pending objects to be sent.
+
+        (Inspector::InspectorHeapAgent::InspectorHeapAgent):
+        (Inspector::InspectorHeapAgent::~InspectorHeapAgent):
+        (Inspector::InspectorHeapAgent::disable):
+        Reset the task when disabling or tearing down the agent so the timer doesn't fire after destruction.
+
+        (Inspector::InspectorHeapAgent::didGarbageCollect):
+        Send the object to the task to be dispatched asynchronously.
+
+        * inspector/agents/InspectorHeapAgent.h:
+
 2016-06-24  Commit Queue  <commit-queue@webkit.org>
 

trunk/Source/JavaScriptCore/inspector/agents/InspectorHeapAgent.cpp

@@ -40 +40 @@
 namespace Inspector {
 
+class SendGarbageCollectionEventsTask {
+public:
+    SendGarbageCollectionEventsTask(HeapFrontendDispatcher&);
+    void addGarbageCollection(RefPtr<Inspector::Protocol::Heap::GarbageCollection>&&);
+    void reset();
+private:
+    void timerFired();
+
+    HeapFrontendDispatcher& m_frontendDispatcher;
+    Vector<RefPtr<Inspector::Protocol::Heap::GarbageCollection>> m_garbageCollections;
+    RunLoop::Timer<SendGarbageCollectionEventsTask> m_timer;
+};
+
+SendGarbageCollectionEventsTask::SendGarbageCollectionEventsTask(HeapFrontendDispatcher& frontendDispatcher)
+    : m_frontendDispatcher(frontendDispatcher)
+    , m_timer(RunLoop::current(), this, &SendGarbageCollectionEventsTask::timerFired)
+{
+}
+
+void SendGarbageCollectionEventsTask::addGarbageCollection(RefPtr<Inspector::Protocol::Heap::GarbageCollection>&& garbageCollection)
+{
+    m_garbageCollections.append(WTFMove(garbageCollection));
+
+    if (!m_timer.isActive())
+        m_timer.startOneShot(0);
+}
+
+void SendGarbageCollectionEventsTask::reset()
+{
+    m_timer.stop();
+    m_garbageCollections.clear();
+}
+
+void SendGarbageCollectionEventsTask::timerFired()
+{
+    // The timer is stopped on agent destruction, so this method will never be called after agent has been destroyed.
+    for (auto& event : m_garbageCollections)
+        m_frontendDispatcher.garbageCollected(event);
+
+    m_garbageCollections.clear();
+}
+
 InspectorHeapAgent::InspectorHeapAgent(AgentContext& context)
     : InspectorAgentBase(ASCIILiteral("Heap"))
@@ -46 +88 @@
     , m_backendDispatcher(HeapBackendDispatcher::create(context.backendDispatcher, this))
     , m_environment(context.environment)
+    , m_sendGarbageCollectionEventsTask(std::make_unique<SendGarbageCollectionEventsTask>(*m_frontendDispatcher))
 {
 }
@@ -51 +94 @@
 InspectorHeapAgent::~InspectorHeapAgent()
 {
+    m_sendGarbageCollectionEventsTask->reset();
 }
 
@@ -82 +126 @@
 
     m_environment.vm().heap.removeObserver(this);
+    m_sendGarbageCollectionEventsTask->reset();
 
     clearHeapSnapshots();
@@ -277 +322 @@
     // FIXME: Include number of bytes freed by collection.
 
-    double startTime = m_gcStartTime;
-    double endTime = m_environment.executionStopwatch()->elapsedTime();
-
     // Dispatch the event asynchronously because this method may be
     // called between collection and sweeping and we don't want to
@@ -287 +329 @@
     // VM as the inspected page.
 
-    RunLoop::current().dispatch([this, startTime, endTime, operation]() {
-        auto collection = Inspector::Protocol::Heap::GarbageCollection::create()
-            .setType(protocolTypeForHeapOperation(operation))
-            .setStartTime(startTime)
-            .setEndTime(endTime)
-            .release();
-
-        m_frontendDispatcher->garbageCollected(WTFMove(collection));
-    });
+    m_sendGarbageCollectionEventsTask->addGarbageCollection(Inspector::Protocol::Heap::GarbageCollection::create()
+        .setType(protocolTypeForHeapOperation(operation))
+        .setStartTime(m_gcStartTime)
+        .setEndTime(m_environment.executionStopwatch()->elapsedTime())
+        .release());
 
     m_gcStartTime = NAN;

trunk/Source/JavaScriptCore/inspector/agents/InspectorHeapAgent.h

@@ -38 +38 @@
 
 class InjectedScriptManager;
+class SendGarbageCollectionEventsTask;
 typedef String ErrorString;
 
@@ -74 +75 @@
     InspectorEnvironment& m_environment;
 
+    std::unique_ptr<SendGarbageCollectionEventsTask> m_sendGarbageCollectionEventsTask;
+
     bool m_enabled { false };
     bool m_tracking { false };