144636 2015-05-05 13:35:53 -0700 Web Inspector: Crash under WebCore::domWindowFromExecState reloading page with inspector open 2015-05-05 20:03:31 -0700 1 1 1 Unclassified WebKit Web Inspector 528+ (Nightly build) All All RESOLVED FIXED DoNotImportToRadar, InRadar P2 Normal --- 1 joepeck joepeck ap commit-queue graouts joepeck jonowells mark.lam mattbaker nvasilyev timothy webkit-bug-importer oldest_to_newest 1091857 0 joepeck 2015-05-05 13:35:53 -0700 * SUMMARY Crash under WebCore::domWindowFromExecState reloading page with inspector open. * STEPS TO REPRODUCE: 1. Open SkyDrive live.com Excel spreadsheet 2. Open Inspector 3. Cmd+R to reload => likely crash * CRASH Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x000000011024260a WTFCrash + 42 (Assertions.cpp:321) 1 com.apple.WebCore 0x0000000113e4c7e1 JSC::asObject(JSC::JSCell*) + 65 (JSObject.h:1190) 2 com.apple.WebCore 0x0000000113e4c790 JSC::asObject(JSC::JSValue) + 32 (JSObject.h:1196) 3 com.apple.WebCore 0x0000000113e4cb95 JSC::Register::function() const + 85 (JSObject.h:1473) 4 com.apple.WebCore 0x0000000113e4cafc JSC::ExecState::callee() const + 28 (CallFrame.h:46) 5 com.apple.WebCore 0x0000000113f41f75 JSC::ExecState::lexicalGlobalObject() const + 21 (JSScope.h:244) 6 com.apple.WebCore 0x00000001157de565 WebCore::domWindowFromExecState(JSC::ExecState*) + 21 (ScriptState.cpp:52) 7 com.apple.WebCore 0x0000000115cfa608 WebCore::WebInjectedScriptManager::discardInjectedScriptsFor(WebCore::DOMWindow*) + 664 (WebInjectedScriptManager.cpp:76) 8 com.apple.WebCore 0x0000000115cc8613 WebCore::WebConsoleAgent::frameWindowDiscarded(WebCore::DOMWindow*) + 259 (WebConsoleAgent.cpp:68) 9 com.apple.WebCore 0x0000000114a83938 WebCore::InspectorInstrumentation::frameWindowDiscardedImpl(WebCore::InstrumentingAgents&, WebCore::DOMWindow*) + 56 (InspectorInstrumentation.cpp:191) 10 com.apple.WebCore 0x00000001143e4d58 WebCore::InspectorInstrumentation::frameWindowDiscarded(WebCore::Frame*, WebCore::DOMWindow*) + 56 (InspectorInstrumentation.h:547) 11 com.apple.WebCore 0x0000000114615ee4 WebCore::FrameLoader::clear(WebCore::Document*, bool, bool, bool) + 324 (FrameLoader.cpp:628) 12 com.apple.WebCore 0x0000000114347252 WebCore::DocumentWriter::begin(WebCore::URL const&, bool, WebCore::Document*) + 498 (DocumentWriter.cpp:142) 1091858 1 joepeck 2015-05-05 13:35:59 -0700 Here we are in frameWindowDiscarded, trying to remove certain (globalExec) ExecStates from our table, but the JSGlobalObject that ExecState is tied to was already destroyed. 1091859 2 joepeck 2015-05-05 13:37:11 -0700 <rdar://problem/15811895> 1091881 3 252405 joepeck 2015-05-05 14:17:24 -0700 Created attachment 252405 [PATCH] Proposed Fix I was unable to create a reduction/regression test for this, but seeing as this was caught by running tests in the past I think that is fine. In general we should cleanup our management of InjectedScript/ExecutionContextIdentifiers instead of always making an InjectedScript like we do here. I'd like to do that cleanup in a separate change and address the crash now. 1091905 4 252405 mark.lam 2015-05-05 15:17:49 -0700 Comment on attachment 252405 [PATCH] Proposed Fix r=me 1091932 5 252405 commit-queue 2015-05-05 16:09:31 -0700 Comment on attachment 252405 [PATCH] Proposed Fix Clearing flags on attachment: 252405 Committed r183838: <http://trac.webkit.org/changeset/183838> 1091933 6 commit-queue 2015-05-05 16:09:35 -0700 All reviewed patches have been landed. Closing bug. 1092015 7 ap 2015-05-05 20:03:31 -0700 > this was caught by running tests in the past I think that is fine Should any test expectations be updated now? This was seen on tests, but only because the crash was misattributed sometimes. Looking at the fix, I'm puzzled about why this is Yosemite only. # Also, these tests are flaky in Debug/Release builds, <https://bugs.webkit.org/show_bug.cgi?id=138636> # and <https://bugs.webkit.org/show_bug.cgi?id=129817>. [ Yosemite+ ] inspector/css/matched-style-properties.html [ Pass Timeout ] [ Yosemite+ ] inspector/css/pseudo-element-matches.html [ Pass Timeout ] [ Yosemite+ ] inspector/css/selector-specificity.html [ Pass Timeout Crash ] [ Yosemite+ ] inspector/dom/content-flow-content-removal.html [ Skip ] [ Yosemite+ ] inspector/dom/content-flow-list.html [ Skip ] [ Yosemite+ ] inspector/model/parse-script-syntax-tree.html [ Pass Timeout ] [ Yosemite+ ] inspector/test-harness-trivially-works.html [ Skip ] 252405 2015-05-05 14:17:24 -0700 2015-05-05 16:09:31 -0700 [PATCH] Proposed Fix domWindowFromExecState.patch text/plain 2560 joepeck Y29tbWl0IGQ4YTg5OTNlNDRiNDExM2I0ZGNiMTY1MGJhNGExNWRiMDVkMTc4OGUKQXV0aG9yOiBK b3NlcGggUGVjb3Jhcm8gPHBlY29yYXJvQGFwcGxlLmNvbT4KRGF0ZTogICBUdWUgTWF5IDUgMTM6 NDc6MzAgMjAxNSAtMDcwMAoKICAgIFdlYiBJbnNwZWN0b3I6IENyYXNoIHVuZGVyIFdlYkNvcmU6 OmRvbVdpbmRvd0Zyb21FeGVjU3RhdGUgcmVsb2FkaW5nIHBhZ2Ugd2l0aCBpbnNwZWN0b3Igb3Bl bgogICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTE0NDYzNgogICAg CiAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KICAgIAogICAgVGhpcyBlbnN1cmVzIHdl IGNyZWF0ZSBhbiBJbmplY3RlZFNjcmlwdCBmb3IgdGhlIGV4ZWN1dGlvbiBjb250ZXh0CiAgICAo ZnJhbWUpIHByZXZlbnRpbmcgdGhlIGdsb2JhbCBvYmplY3QgLyBleGVjIHN0YXRlIGZyb20gZ2V0 dGluZyBnYXJiYWdlCiAgICBjb2xsZWN0ZWQgYmVmb3JlIHdlIHJlbW92ZSBpdCBmcm9tIG91ciBt YXAuCiAgICAKICAgICogaW5zcGVjdG9yL1BhZ2VSdW50aW1lQWdlbnQuY3BwOgogICAgKFdlYkNv cmU6OlBhZ2VSdW50aW1lQWdlbnQ6Om5vdGlmeUNvbnRleHRDcmVhdGVkKToKCmRpZmYgLS1naXQg YS9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5k ZXggNzhlYjlhZS4uODRiMWM5NSAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9n CisrKyBiL1NvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE3IEBACisyMDE1LTA1 LTA1ICBKb3NlcGggUGVjb3Jhcm8gIDxwZWNvcmFyb0BhcHBsZS5jb20+CisKKyAgICAgICAgV2Vi IEluc3BlY3RvcjogQ3Jhc2ggdW5kZXIgV2ViQ29yZTo6ZG9tV2luZG93RnJvbUV4ZWNTdGF0ZSBy ZWxvYWRpbmcgcGFnZSB3aXRoIGluc3BlY3RvciBvcGVuCisgICAgICAgIGh0dHBzOi8vYnVncy53 ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xNDQ2MzYKKworICAgICAgICBSZXZpZXdlZCBieSBO T0JPRFkgKE9PUFMhKS4KKworICAgICAgICBUaGlzIGVuc3VyZXMgd2UgY3JlYXRlIGFuIEluamVj dGVkU2NyaXB0IGZvciB0aGUgZXhlY3V0aW9uIGNvbnRleHQKKyAgICAgICAgKGZyYW1lKSBwcmV2 ZW50aW5nIHRoZSBnbG9iYWwgb2JqZWN0IC8gZXhlYyBzdGF0ZSBmcm9tIGdldHRpbmcgZ2FyYmFn ZQorICAgICAgICBjb2xsZWN0ZWQgYmVmb3JlIHdlIHJlbW92ZSBpdCBmcm9tIG91ciBtYXAuCisK KyAgICAgICAgKiBpbnNwZWN0b3IvUGFnZVJ1bnRpbWVBZ2VudC5jcHA6CisgICAgICAgIChXZWJD b3JlOjpQYWdlUnVudGltZUFnZW50Ojpub3RpZnlDb250ZXh0Q3JlYXRlZCk6CisKIDIwMTUtMDUt MDUgIEFsZXggQ2hyaXN0ZW5zZW4gIDxhY2hyaXN0ZW5zZW5Ad2Via2l0Lm9yZz4KIAogICAgICAg ICBbQ29udGVudCBFeHRlbnNpb25zXSBDb21iaW5lIE5GQXMgcHJvcGVybHkgYW5kIGZyZWUgbWVt b3J5IGFzIHdlIGNvbXBpbGUuCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9pbnNwZWN0b3Iv UGFnZVJ1bnRpbWVBZ2VudC5jcHAgYi9Tb3VyY2UvV2ViQ29yZS9pbnNwZWN0b3IvUGFnZVJ1bnRp bWVBZ2VudC5jcHAKaW5kZXggYzlkMzQ2ZS4uOTNkYjU3MiAxMDA2NDQKLS0tIGEvU291cmNlL1dl YkNvcmUvaW5zcGVjdG9yL1BhZ2VSdW50aW1lQWdlbnQuY3BwCisrKyBiL1NvdXJjZS9XZWJDb3Jl L2luc3BlY3Rvci9QYWdlUnVudGltZUFnZW50LmNwcApAQCAtMTY1LDggKzE2NSwxMyBAQCB2b2lk IFBhZ2VSdW50aW1lQWdlbnQ6OnJlcG9ydEV4ZWN1dGlvbkNvbnRleHRDcmVhdGlvbigpCiB2b2lk IFBhZ2VSdW50aW1lQWdlbnQ6Om5vdGlmeUNvbnRleHRDcmVhdGVkKGNvbnN0IFN0cmluZyYgZnJh bWVJZCwgSlNDOjpFeGVjU3RhdGUqIHNjcmlwdFN0YXRlLCBTZWN1cml0eU9yaWdpbiogc2VjdXJp dHlPcmlnaW4sIGJvb2wgaXNQYWdlQ29udGV4dCkKIHsKICAgICBBU1NFUlQoc2VjdXJpdHlPcmln aW4gfHwgaXNQYWdlQ29udGV4dCk7CisKKyAgICBJbmplY3RlZFNjcmlwdCByZXN1bHQgPSBpbmpl Y3RlZFNjcmlwdE1hbmFnZXIoKS0+aW5qZWN0ZWRTY3JpcHRGb3Ioc2NyaXB0U3RhdGUpOworICAg IGlmIChyZXN1bHQuaGFzTm9WYWx1ZSgpKQorICAgICAgICByZXR1cm47CisKICAgICBpbnQgZXhl Y3V0aW9uQ29udGV4dElkID0gaW5qZWN0ZWRTY3JpcHRNYW5hZ2VyKCktPmluamVjdGVkU2NyaXB0 SWRGb3Ioc2NyaXB0U3RhdGUpOwotICAgIFN0cmluZyBuYW1lID0gc2VjdXJpdHlPcmlnaW4gPyBz ZWN1cml0eU9yaWdpbi0+dG9SYXdTdHJpbmcoKSA6ICIiOworICAgIFN0cmluZyBuYW1lID0gc2Vj dXJpdHlPcmlnaW4gPyBzZWN1cml0eU9yaWdpbi0+dG9SYXdTdHJpbmcoKSA6IFN0cmluZygpOwog ICAgIG1fZnJvbnRlbmREaXNwYXRjaGVyLT5leGVjdXRpb25Db250ZXh0Q3JlYXRlZChFeGVjdXRp b25Db250ZXh0RGVzY3JpcHRpb246OmNyZWF0ZSgpCiAgICAgICAgIC5zZXRJZChleGVjdXRpb25D b250ZXh0SWQpCiAgICAgICAgIC5zZXRJc1BhZ2VDb250ZXh0KGlzUGFnZUNvbnRleHQpCg==