r32601 debug build: ASSERTION FAILED: A wrapper that was not from the inspected page and is not an Inspector callback was passed to a JSInspectedObjectWrapper wrapper->inherits(&JSInspectorCallbackWrapper::s_info) (/Users/matt/Code/WebKit/WebCore/bindings/js/JSInspectedObjectWrapper.cpp:97 virtual KJS::JSValue* WebCore::JSInspectedObjectWrapper::prepareIncomingValue(KJS::ExecState*, KJS::JSValue*) const) Thread 0 Crashed: 0 com.apple.WebCore 0x0232da6a WebCore::JSInspectedObjectWrapper::prepareIncomingValue(KJS::ExecState*, KJS::JSValue*) const + 414 (JSInspectedObjectWrapper.cpp:97) 1 com.apple.WebCore 0x0232fc59 WebCore::JSQuarantinedObjectWrapper::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 81 (JSQuarantinedObjectWrapper.cpp:251) 2 com.apple.JavaScriptCore 0x0042b082 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:101) 3 com.apple.JavaScriptCore 0x004839dc KJS::FunctionCallDotNode::inlineEvaluate(KJS::ExecState*) + 802 (nodes.cpp:1495) 4 com.apple.JavaScriptCore 0x00442112 KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 30 (nodes.cpp:1501) 5 com.apple.JavaScriptCore 0x0043311a KJS::AssignLocalVarNode::evaluate(KJS::ExecState*) + 144 (nodes.cpp:3554) 6 com.apple.JavaScriptCore 0x0043255b KJS::VarStatementNode::execute(KJS::ExecState*) + 43 (nodes.cpp:4010) 7 com.apple.JavaScriptCore 0x00415865 KJS::statementListExecute(WTF::Vector<WTF::RefPtr<KJS::StatementNode>, 0ul>&, KJS::ExecState*) + 85 (nodes.cpp:3946) 8 com.apple.JavaScriptCore 0x004158d6 KJS::CaseClauseNode::executeStatements(KJS::ExecState*) + 26 (nodes.cpp:4405) 9 com.apple.JavaScriptCore 0x004327a9 KJS::CaseBlockNode::executeBlock(KJS::ExecState*, KJS::JSValue*) + 161 (nodes.cpp:4445) 10 com.apple.JavaScriptCore 0x00432a28 KJS::SwitchNode::execute(KJS::ExecState*) + 124 (nodes.cpp:4508) Safari 3.1.1 does not crash on this page.

Created attachment 20852 [details] Full crash log

We're crashing when calling getAttribute on a node from the inspected page: var idAttribute = current.getAttribute("id"); <http://trac.webkit.org/browser/trunk/WebCore/page/inspector/ElementsPanel.js#L382> The assertion is happening when trying to prepare the "this" object (i.e., `current`). It looks like we've just traversed from one frame to another via _parentNodeOrFrameElement, and the wrappers are not handling this case correctly. The message in the assertion is misleading in this case; we are in fact passing a wrapped object (i.e., `current` is in fact wrapped), but the wrapped object has a different global object from the one we were expecting. I think we can take 3 actions in response to this: 1. Make the wrappers able to handle this frame traversal (which should fix the assertion). 2. Return jsUndefined() instead of 0 from prepareIncomingValue when we hit an unexpected condition so that we will throw a JS exception instead of crashing. 3. Make the assertion message clearer about what's happening in this case.

Reduction at http://www.dynamiko.net/users/simonh/reduwojs.html (I frame links to empty html document http://www.dynamiko.net/users/simonh/redu1.html - I also made one that fits all on one page, http://www.dynamiko.net/users/simonh/reduwjs.html but I'm not as sure if the JS is 'syntaxically correct' or whatever, so I'd rather use the HTML one for now ;)

(In reply to comment #4) > Reduction at http://www.dynamiko.net/users/simonh/reduwojs.html (I frame links > to empty html document http://www.dynamiko.net/users/simonh/redu1.html - I also > made one that fits all on one page, > http://www.dynamiko.net/users/simonh/reduwjs.html but I'm not as sure if the JS > is 'syntaxically correct' or whatever, so I'd rather use the HTML one for now > ;) > I forgot to mention what to do! Just right click in the iFrame and try to 'inspect element' on it.

*** Bug 18902 has been marked as a duplicate of this bug. ***

<rdar://problem/5914471>

Fixed in r33414.