Bug 19038 - Crash in JavaScriptDebugServer::returnEvent when inspecting an attached Inspector
Summary: Crash in JavaScriptDebugServer::returnEvent when inspecting an attached Inspe...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Web Inspector (Deprecated)
Version: 528+ (Nightly build)
Hardware: All All
Importance: P2 Normal
Assignee: Timothy Hatcher
URL:
Keywords: HasReduction, InRadar
Depends on:
Blocks:
 
Reported: 2008-05-13 16:35 PDT by Adam Roben (:aroben)
Modified: 2008-05-14 22:25 PDT (History)
CC: 3 users

See Also:


Attachments
testcase (554 bytes, text/html)
2008-05-14 14:31 PDT, Adam Roben (:aroben)
no flags
Proposed patch (10.46 KB, patch)
2008-05-14 18:42 PDT, Timothy Hatcher
kmccullough: review+

Description Adam Roben (:aroben) 2008-05-13 16:35:05 PDT
I'm seeing a crash in JavaScriptDebugServer::returnEvent when inspecting an Inspector that is attached as a debugger.

Steps to reproduce:
1. Go to any page
2. Open the Inspector and attach its debugger
3. Right-click in the Inspector and choose Inspect Element

m_currentCallFrame is 0.

>	WebKit_debug.dll!WebCore::JavaScriptCallFrame::invalidate()  Line 42 + 0x11 bytes	C++
 	WebKit_debug.dll!WebCore::JavaScriptDebugServer::returnEvent(KJS::ExecState * exec=0x0012f104, int sourceID=120, int lineNumber=265, KJS::JSObject * __formal=0x05c06600)  Line 455	C++
 	WebKit_debug.dll!KJS::FunctionBodyNodeWithDebuggerHooks::execute(KJS::ExecState * exec=0x0012f104)  Line 4912 + 0x2e bytes	C++
 	WebKit_debug.dll!KJS::FunctionImp::callAsFunction(KJS::ExecState * exec=0x0012f3ac, KJS::JSObject * thisObj=0x05c06900, const KJS::List & args={...})  Line 78 + 0x21 bytes	C++
 	WebKit_debug.dll!KJS::JSObject::call(KJS::ExecState * exec=0x0012f3ac, KJS::JSObject * thisObj=0x05c06900, const KJS::List & args={...})  Line 99 + 0x1b bytes	C++
 	WebKit_debug.dll!KJS::functionProtoFuncApply(KJS::ExecState * exec=0x0012f3ac, KJS::JSObject * thisObj=0x05c06600, const KJS::List & args={...})  Line 107 + 0x14 bytes	C++
 	WebKit_debug.dll!KJS::PrototypeFunction::callAsFunction(KJS::ExecState * exec=0x0012f3ac, KJS::JSObject * thisObj=0x05c06600, const KJS::List & args={...})  Line 905 + 0x16 bytes	C++
 	WebKit_debug.dll!KJS::JSObject::call(KJS::ExecState * exec=0x0012f3ac, KJS::JSObject * thisObj=0x05c06600, const KJS::List & args={...})  Line 99 + 0x1b bytes	C++
 	WebKit_debug.dll!KJS::FunctionCallDotNode::inlineEvaluate(KJS::ExecState * exec=0x0012f3ac)  Line 1495 + 0x14 bytes	C++
 	WebKit_debug.dll!KJS::FunctionCallDotNode::evaluate(KJS::ExecState * exec=0x0012f3ac)  Line 1501	C++
 	WebKit_debug.dll!KJS::ReturnNode::execute(KJS::ExecState * exec=0x0012f3ac)  Line 4354 + 0x21 bytes	C++
 	WebKit_debug.dll!KJS::BreakpointCheckStatement::execute(KJS::ExecState * exec=0x0012f3ac)  Line 420 + 0x21 bytes	C++
 	WebKit_debug.dll!KJS::statementListExecute(WTF::Vector<WTF::RefPtr<KJS::StatementNode>,0> & statements={...}, KJS::ExecState * exec=0x0012f3ac)  Line 3946 + 0x29 bytes	C++
 	WebKit_debug.dll!KJS::BlockNode::execute(KJS::ExecState * exec=0x0012f3ac)  Line 3971 + 0x10 bytes	C++
 	WebKit_debug.dll!KJS::FunctionBodyNode::execute(KJS::ExecState * exec=0x0012f3ac)  Line 4891	C++
 	WebKit_debug.dll!KJS::FunctionBodyNodeWithDebuggerHooks::execute(KJS::ExecState * exec=0x0012f3ac)  Line 4907 + 0xc bytes	C++
 	WebKit_debug.dll!KJS::FunctionImp::callAsFunction(KJS::ExecState * exec=0x0795b3d0, KJS::JSObject * thisObj=0x072f6140, const KJS::List & args={...})  Line 78 + 0x21 bytes	C++
 	WebKit_debug.dll!KJS::JSObject::call(KJS::ExecState * exec=0x0795b3d0, KJS::JSObject * thisObj=0x072f6140, const KJS::List & args={...})  Line 99 + 0x1b bytes	C++
 	WebKit_debug.dll!WebCore::JSAbstractEventListener::handleEvent(WebCore::Event * ele=0x0804c240, bool isWindowEvent=false)  Line 100 + 0x14 bytes	C++
 	WebKit_debug.dll!WebCore::EventTarget::handleLocalEvents(WebCore::EventTargetNode * referenceNode=0x07c31de0, WebCore::Event * evt=0x0804c240, bool useCapture=false)  Line 314 + 0x2e bytes	C++
 	WebKit_debug.dll!WebCore::EventTargetNode::handleLocalEvents(WebCore::Event * evt=0x0804c240, bool useCapture=false)  Line 106	C++
 	WebKit_debug.dll!WebCore::EventTarget::dispatchGenericEvent(WebCore::EventTargetNode * referenceNode=0x07c31de0, WTF::PassRefPtr<WebCore::Event> e={...}, int & __formal=0, bool tempEvent=true)  Line 212 + 0x1d bytes	C++
 	WebKit_debug.dll!WebCore::EventTargetNode::dispatchEvent(WTF::PassRefPtr<WebCore::Event> e={...}, int & ec=0, bool tempEvent=true)  Line 121 + 0x1e bytes	C++
 	WebKit_debug.dll!WebCore::EventTargetNode::dispatchHTMLEvent(const WebCore::AtomicString & eventType={...}, bool canBubbleArg=false, bool cancelableArg=false)  Line 358	C++
 	WebKit_debug.dll!WebCore::HTMLScriptElement::notifyFinished(WebCore::CachedResource * o=0x078b2fe8)  Line 167	C++
 	WebKit_debug.dll!WebCore::CachedScript::checkNotify()  Line 95 + 0x13 bytes	C++
 	WebKit_debug.dll!WebCore::CachedScript::data(WTF::PassRefPtr<WebCore::SharedBuffer> data={...}, bool allDataReceived=true)  Line 86	C++
 	WebKit_debug.dll!WebCore::Loader::Host::didFinishLoading(WebCore::SubresourceLoader * loader=0x0804b620)  Line 269	C++
 	WebKit_debug.dll!WebCore::SubresourceLoader::didFinishLoading()  Line 193 + 0x21 bytes	C++
 	WebKit_debug.dll!WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle * __formal=0x07b08198)  Line 389 + 0xf bytes	C++
 	WebKit_debug.dll!WebCore::didFinishLoading(_CFURLConnection * conn=0x07c753f8, const void * clientInfo=0x07b08198)  Line 117 + 0x1e bytes	C++
Comment 1 Mark Rowe (bdash) 2008-05-13 16:36:17 PDT
<rdar://problem/5933443>
Comment 2 Timothy Hatcher 2008-05-13 18:36:23 PDT
The callEvent and returnEvent calls seem to be unbalanced.
Comment 3 Adam Roben (:aroben) 2008-05-14 14:31:33 PDT
Created attachment 21137 [details]
testcase
Comment 4 Timothy Hatcher 2008-05-14 18:42:04 PDT
Created attachment 21149 [details]
Proposed patch
Comment 5 Timothy Hatcher 2008-05-14 18:59:58 PDT
Landed in r33473.
Comment 6 Adam Roben (:aroben) 2008-05-14 21:47:56 PDT
Comment on attachment 21149 [details]
Proposed patch

@@ -457,9 +530,8 @@ bool JavaScriptDebugServer::returnEvent(ExecState* exec, int sourceID, int lineN
 {
     if (m_paused)
         return true;
+    updateCurrentCallFrame(m_currentCallFrame, exec, sourceID, lineNumber, m_pauseOnExecState);
     pauseIfNeeded(exec, sourceID, lineNumber);
-    m_currentCallFrame->invalidate();
-    m_currentCallFrame = m_currentCallFrame->caller();
     return true;
 }
 
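Review bot: the two removed lines (`m_currentCallFrame->invalidate();` and `m_currentCallFrame = m_currentCallFrame->caller();`) were the only place this function unwound the current frame on return, and nothing in the hunk shows that `updateCurrentCallFrame(m_currentCallFrame, exec, sourceID, lineNumber, m_pauseOnExecState)` invalidates the frame being left or tolerates `m_currentCallFrame` being 0, which is the state the report says triggers the crash. Suggest a ChangeLog entry (or a comment above the call) stating how the returned-from frame is now invalidated and how a null frame is handled, plus an ASSERT in `updateCurrentCallFrame` if a null frame is never expected there, so the relation to r33453 can be checked without reading that changeset.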
Doesn't this change reintroduce the bug that was fixed by r33453? <http://trac.webkit.org/changeset/33453>
Comment 7 Adam Roben (:aroben) 2008-05-14 21:48:40 PDT
(In reply to comment #6)
> (From update of attachment 21149 [details] [edit])
> @@ -457,9 +530,8 @@ bool JavaScriptDebugServer::returnEvent(ExecState* exec,
> int sourceID, int lineN
>  {
>      if (m_paused)
>          return true;
> +    updateCurrentCallFrame(m_currentCallFrame, exec, sourceID, lineNumber,
> m_pauseOnExecState);
>      pauseIfNeeded(exec, sourceID, lineNumber);
> -    m_currentCallFrame->invalidate();
> -    m_currentCallFrame = m_currentCallFrame->caller();
>      return true;
>  }
> 
> Doesn't this change reintroduce the bug that was fixed by r33453?
> <http://trac.webkit.org/changeset/33453>

(We really need a testcase for that bug, btw!)

Comment 8 Timothy Hatcher 2008-05-14 22:25:26 PDT
It doesn't reintroduce that bug because things are updated more with atStatement.