RESOLVED FIXED 18371
Crash in KJS::JSValue::toObject closing Safari with Inspector open
https://bugs.webkit.org/show_bug.cgi?id=18371
Summary Crash in KJS::JSValue::toObject closing Safari with Inspector open
Matt Lilek
Reported 2008-04-08 16:18:24 PDT
Closing Safari with the new inspector open causes the browser to crash:

Thread 0 Crashed:
0   com.apple.JavaScriptCore   0x0047d805 KJS::JSValue::toObject(KJS::ExecState*) const + 57 (value.h:458)
1   com.apple.JavaScriptCore   0x0047e926 KJS::DotAccessorNode::inlineEvaluate(KJS::ExecState*) + 108 (nodes.cpp:961)
2   com.apple.JavaScriptCore   0x004340e4 KJS::DotAccessorNode::evaluate(KJS::ExecState*) + 30 (nodes.cpp:967)
3   com.apple.JavaScriptCore   0x004316ea KJS::AssignLocalVarNode::evaluate(KJS::ExecState*) + 144 (nodes.cpp:3559)
4   com.apple.JavaScriptCore   0x00430b2b KJS::VarStatementNode::execute(KJS::ExecState*) + 43 (nodes.cpp:4015)
5   com.apple.JavaScriptCore   0x004143bd KJS::statementListExecute(WTF::Vector<WTF::RefPtr<KJS::StatementNode>, 0ul>&, KJS::ExecState*) + 85 (nodes.cpp:3951)
6   com.apple.JavaScriptCore   0x0041444a KJS::BlockNode::execute(KJS::ExecState*) + 26 (nodes.cpp:3977)
7   com.apple.JavaScriptCore   0x00421f5a KJS::FunctionBodyNode::execute(KJS::ExecState*) + 34 (nodes.cpp:4896)
8   com.apple.JavaScriptCore   0x0042266a KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 116 (function.cpp:77)
9   com.apple.JavaScriptCore   0x0042a1de KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:96)
10  com.apple.JavaScriptCore   0x0047fe5a KJS::FunctionCallDotNode::inlineEvaluate(KJS::ExecState*) + 800 (nodes.cpp:1500)
11  com.apple.JavaScriptCore   0x0044118e KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 30 (nodes.cpp:1506)
12  com.apple.JavaScriptCore   0x00430b95 KJS::ExprStatementNode::execute(KJS::ExecState*) + 43 (nodes.cpp:3998)
13  com.apple.JavaScriptCore   0x00430ae3 KJS::IfNode::execute(KJS::ExecState*) + 121 (nodes.cpp:4035)
14  com.apple.JavaScriptCore   0x004143bd KJS::statementListExecute(WTF::Vector<WTF::RefPtr<KJS::StatementNode>, 0ul>&, KJS::ExecState*) + 85 (nodes.cpp:3951)
15  com.apple.JavaScriptCore   0x0041444a KJS::BlockNode::execute(KJS::ExecState*) + 26 (nodes.cpp:3977)
16  com.apple.JavaScriptCore   0x004302d0 KJS::ForInNode::execute(KJS::ExecState*) + 1686 (nodes.cpp:4297)
17  com.apple.JavaScriptCore   0x004143bd KJS::statementListExecute(WTF::Vector<WTF::RefPtr<KJS::StatementNode>, 0ul>&, KJS::ExecState*) + 85 (nodes.cpp:3951)
18  com.apple.JavaScriptCore   0x0041444a KJS::BlockNode::execute(KJS::ExecState*) + 26 (nodes.cpp:3977)
19  com.apple.JavaScriptCore   0x00421f5a KJS::FunctionBodyNode::execute(KJS::ExecState*) + 34 (nodes.cpp:4896)
20  com.apple.JavaScriptCore   0x0042266a KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 116 (function.cpp:77)
21  com.apple.JavaScriptCore   0x0042a1de KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:96)
22  com.apple.JavaScriptCore   0x0048d643 JSObjectCallAsFunction + 179 (JSObjectRef.cpp:295)
23  com.apple.WebCore          0x01df9fec WebCore::InspectorController::callSimpleFunction(OpaqueJSContext const*, OpaqueJSValue*, char const*) const + 408 (InspectorController.cpp:92)
24  com.apple.WebCore          0x01dfa1ab WebCore::InspectorController::resetScriptObjects() + 371 (InspectorController.cpp:1561)
25  com.apple.WebCore          0x01dfe47a WebCore::InspectorController::setWindowVisible(bool) + 178 (InspectorController.cpp:856)
26  com.apple.WebKit           0x001eaff2 -[WebInspectorWindowController close] + 92 (WebInspectorClient.mm:272)
27  com.apple.WebKit           0x001e8d79 WebInspectorClient::closeWindow() + 49 (WebInspectorClient.mm:113)
28  com.apple.WebCore          0x01df6aab WebCore::InspectorController::close() + 59 (InspectorController.cpp:1016)
29  com.apple.WebCore          0x01df6b85 WebCore::unloading(OpaqueJSContext const*, OpaqueJSValue*, OpaqueJSValue*, unsigned long, OpaqueJSValue const* const*, OpaqueJSValue const**) + 53 (InspectorController.cpp:471)
30  com.apple.JavaScriptCore   0x00482361 KJS::JSCallbackFunction::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 241 (JSCallbackFunction.cpp:65)
31  com.apple.JavaScriptCore   0x0042a1de KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:96)
32  com.apple.JavaScriptCore   0x0047fe5a KJS::FunctionCallDotNode::inlineEvaluate(KJS::ExecState*) + 800 (nodes.cpp:1500)
33  com.apple.JavaScriptCore   0x0044118e KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 30 (nodes.cpp:1506)
34  com.apple.JavaScriptCore   0x00430b95 KJS::ExprStatementNode::execute(KJS::ExecState*) + 43 (nodes.cpp:3998)
35  com.apple.JavaScriptCore   0x004143bd KJS::statementListExecute(WTF::Vector<WTF::RefPtr<KJS::StatementNode>, 0ul>&, KJS::ExecState*) + 85 (nodes.cpp:3951)
36  com.apple.JavaScriptCore   0x0041444a KJS::BlockNode::execute(KJS::ExecState*) + 26 (nodes.cpp:3977)
37  com.apple.JavaScriptCore   0x00421f5a KJS::FunctionBodyNode::execute(KJS::ExecState*) + 34 (nodes.cpp:4896)
38  com.apple.JavaScriptCore   0x0042266a KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 116 (function.cpp:77)
39  com.apple.JavaScriptCore   0x0042a1de KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:96)
40  com.apple.JavaScriptCore   0x0042c45e KJS::functionProtoFuncApply(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 440 (function_object.cpp:107)
41  com.apple.JavaScriptCore   0x00408866 KJS::PrototypeFunction::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 34 (function.cpp:889)
42  com.apple.JavaScriptCore   0x0042a1de KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:96)
43  com.apple.JavaScriptCore   0x0047fe5a KJS::FunctionCallDotNode::inlineEvaluate(KJS::ExecState*) + 800 (nodes.cpp:1500)
44  com.apple.JavaScriptCore   0x0044118e KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 30 (nodes.cpp:1506)
45  com.apple.JavaScriptCore   0x0042fbf0 KJS::ReturnNode::execute(KJS::ExecState*) + 148 (nodes.cpp:4359)
46  com.apple.JavaScriptCore   0x004143bd KJS::statementListExecute(WTF::Vector<WTF::RefPtr<KJS::StatementNode>, 0ul>&, KJS::ExecState*) + 85 (nodes.cpp:3951)
47  com.apple.JavaScriptCore   0x0041444a KJS::BlockNode::execute(KJS::ExecState*) + 26 (nodes.cpp:3977)
48  com.apple.JavaScriptCore   0x00421f5a KJS::FunctionBodyNode::execute(KJS::ExecState*) + 34 (nodes.cpp:4896)
49  com.apple.JavaScriptCore   0x0042266a KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 116 (function.cpp:77)
50  com.apple.JavaScriptCore   0x0042a1de KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:96)
51  com.apple.WebCore          0x0217a432 WebCore::JSAbstractEventListener::handleEvent(WebCore::Event*, bool) + 662 (kjs_events.cpp:101)
52  com.apple.WebCore          0x01caba65 WebCore::Document::handleWindowEvent(WebCore::Event*, bool) + 281 (Document.cpp:2586)
53  com.apple.WebCore          0x01cf75fc WebCore::EventTargetNode::dispatchWindowEvent(WebCore::AtomicString const&, bool, bool) + 288 (EventTargetNode.cpp:144)
54  com.apple.WebCore          0x01d368ad WebCore::FrameLoader::stopLoading(bool) + 291 (FrameLoader.cpp:588)
55  com.apple.WebCore          0x01d36f2c WebCore::FrameLoader::closeURL() + 36 (FrameLoader.cpp:659)
56  com.apple.WebCore          0x01d36f6e WebCore::FrameLoader::detachFromParent() + 38 (FrameLoader.cpp:3358)
57  com.apple.WebKit           0x0022884c -[WebView(WebPrivate) _close] + 108 (WebView.mm:695)
58  com.apple.WebKit           0x00219992 -[WebView close] + 36 (WebView.mm:2010)
59  com.apple.WebKit           0x001e8d29 WebInspectorClient::inspectorDestroyed() + 71 (WebInspectorClient.mm:85)
60  com.apple.WebCore          0x01dfbbdb WebCore::InspectorController::~InspectorController() + 37 (InspectorController.cpp:711)
61  com.apple.WebCore          0x01f2b979 void WTF::deleteOwnedPtr<WebCore::InspectorController>(WebCore::InspectorController*) + 29 (OwnPtr.h:52)
62  com.apple.WebCore          0x01f2b99f WTF::OwnPtr<WebCore::InspectorController>::~OwnPtr() + 19 (OwnPtr.h:70)
63  com.apple.WebCore          0x01f295de WebCore::Page::~Page() + 438
64  com.apple.WebKit           0x002289da -[WebView(WebPrivate) _close] + 506 (WebView.mm:718)
65  com.apple.Safari           0x0003bde6 0x1000 + 241126
66  com.apple.Safari           0x0003b9b0 0x1000 + 240048
67  com.apple.WebKit           0x00219992 -[WebView close] + 36 (WebView.mm:2010)
68  com.apple.Safari           0x0003b7c3 0x1000 + 239555
69  com.apple.Safari           0x0003b669 0x1000 + 239209
70  com.apple.AppKit           0x908e7da9 -[NSWindowController _windowDidClose] + 220
71  com.apple.Safari           0x0003b074 0x1000 + 237684
72  com.apple.Safari           0x0003afd2 0x1000 + 237522
73  com.apple.CoreFoundation   0x91367d85 -[NSArray makeObjectsPerformSelector:] + 565
74  com.apple.AppKit           0x909192af -[NSApplication _deallocHardCore:] + 433
75  com.apple.AppKit           0x90917fce -[NSApplication terminate:] + 742
76  com.apple.AppKit           0x90838e56 -[NSApplication sendAction:to:from:] + 112
77  com.apple.Safari           0x0002ce08 0x1000 + 179720
78  com.apple.AppKit           0x908e77cc -[NSMenu performActionForItemAtIndex:] + 493
79  com.apple.AppKit           0x908e74d1 -[NSCarbonMenuImpl performActionWithHighlightingForItemAtIndex:] + 220
80  com.apple.AppKit           0x908e7157 -[NSMenu performKeyEquivalent:] + 866
81  com.apple.AppKit           0x908e59fd -[NSApplication _handleKeyEquivalent:] + 492
82  com.apple.AppKit           0x90802b36 -[NSApplication sendEvent:] + 3838
83  com.apple.Safari           0x0002af88 0x1000 + 171912
84  com.apple.AppKit           0x907600f9 -[NSApplication run] + 847
85  com.apple.AppKit           0x9072d30a NSApplicationMain + 574
86  com.apple.Safari           0x000b9a76 0x1000 + 756342
Attachments
Crash log (32.43 KB, text/plain)
2008-04-08 16:22 PDT, Matt Lilek
no flags
Patch (3.17 KB, patch)
2008-04-08 16:55 PDT, Timothy Hatcher
aroben: review+
Matt Lilek
Comment 1 2008-04-08 16:22:28 PDT
Created attachment 20414 [details] Crash log Crash log for easier reading
Adam Roben (:aroben)
Comment 2 2008-04-08 16:37:21 PDT
I get this crash on Windows as well.
Adam Roben (:aroben)
Comment 3 2008-04-08 16:38:44 PDT
Adam Roben (:aroben)
Comment 4 2008-04-08 16:39:46 PDT
Here's the crashing line: http://trac.webkit.org/projects/webkit/browser/trunk/WebCore/page/inspector/ElementsPanel.js#L129

    var inspectedRootDocument = InspectorController.inspectedWindow().document;
Timothy Hatcher
Comment 5 2008-04-08 16:55:40 PDT
Adam Roben (:aroben)
Comment 6 2008-04-08 16:57:36 PDT
Comment on attachment 20415 [details] Patch

130     if (!inspectedWindow) {
131         this.rootDOMNode = null;
132         this.focusedDOMNode = null;
133     }

I think you need to return after setting focusedDOMNode here. Otherwise you'll get an exception later when you access inspectedWindow.document. r=me
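The review point above, as an added example that is not part of the patch or of WebKit's inspector code: a plain-JavaScript model of the ElementsPanel reset path in three variants, with `InspectorController` and the inspected window replaced by stubs (`makeController`, `exercise` and the variant names are assumptions made for this example). It shows that guarding the null window but falling through, as the posted hunk does, still dereferences null one line later, and that only the early return Adam asked for survives an inspector reset after the inspected page has gone away.

```javascript
// Added example modelling the reset path discussed in the review above.
// The controller and window objects are stubs, not WebKit's objects.

// Stand-in for InspectorController: inspectedWindow() returns the page's
// window while it is alive and null once the page has been torn down.
function makeController(win) {
  return { inspectedWindow: () => win };
}

// Variant 1: the original code, which dereferences the result unconditionally.
function resetUnguarded(panel, controller) {
  var inspectedRootDocument = controller.inspectedWindow().document;
  panel.rootDOMNode = inspectedRootDocument;
  panel.focusedDOMNode = inspectedRootDocument.body;
  return panel;
}

// Variant 2: the guard as posted, which nulls the fields but then falls
// through to the dereference, so a closed page still throws a TypeError.
function resetGuardedNoReturn(panel, controller) {
  var inspectedWindow = controller.inspectedWindow();
  if (!inspectedWindow) {
    panel.rootDOMNode = null;
    panel.focusedDOMNode = null;
  }
  var inspectedRootDocument = inspectedWindow.document; // null.document throws
  panel.rootDOMNode = inspectedRootDocument;
  panel.focusedDOMNode = inspectedRootDocument.body;
  return panel;
}

// Variant 3: with the early return the reviewer asked for.
function resetGuarded(panel, controller) {
  var inspectedWindow = controller.inspectedWindow();
  if (!inspectedWindow) {
    panel.rootDOMNode = null;
    panel.focusedDOMNode = null;
    return panel;
  }
  var inspectedRootDocument = inspectedWindow.document;
  panel.rootDOMNode = inspectedRootDocument;
  panel.focusedDOMNode = inspectedRootDocument.body;
  return panel;
}

// Runs one variant against a live window and against a torn-down (null)
// window, recording whether each call threw and what rootDOMNode ended up as.
function exercise(reset) {
  const liveWindow = { document: { body: "<body>" } }; // constructed sample
  const results = {};
  for (const [name, win] of [["live", liveWindow], ["closed", null]]) {
    const panel = { rootDOMNode: undefined, focusedDOMNode: undefined };
    try {
      reset(panel, makeController(win));
      results[name] = { threw: false, rootDOMNode: panel.rootDOMNode };
    } catch (e) {
      results[name] = { threw: true, error: e.constructor.name };
    }
  }
  return results;
}

// Stand-alone run: only the early-return variant survives the closed case.
for (const variant of [resetUnguarded, resetGuardedNoReturn, resetGuarded]) {
  console.log(variant.name, JSON.stringify(exercise(variant)));
}
```

The "closed" case is the situation in the stack above: `resetScriptObjects()` calls back into the inspector's JavaScript from inside `~InspectorController`, after the inspected `WebView` has already been closed, so the window accessor no longer has anything to return.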
Timothy Hatcher
Comment 7 2008-04-08 17:09:00 PDT
Comment on attachment 20415 [details] Patch Landed in r31743.