19038 – Crash in JavaScriptDebugServer::returnEvent when inspecting an attached Inspector

RESOLVED FIXED 19038

Crash in JavaScriptDebugServer::returnEvent when inspecting an attached Inspector

https://bugs.webkit.org/show_bug.cgi?id=19038

Summary Crash in JavaScriptDebugServer::returnEvent when inspecting an attached Inspe...

Adam Roben (:aroben)

Reported 2008-05-13 16:35:05 PDT

I'm seeing a crash in JavaScriptDebugServer::returnEvent when inspecting an Inspector that is attached as a debugger. Steps to reproduce: 1. Go to any page 2. Open the Inspector and attach its debugger 3. Right-click in the Inspector and choose Inspect Element m_currentCallFrame is 0. > WebKit_debug.dll!WebCore::JavaScriptCallFrame::invalidate() Line 42 + 0x11 bytes C++ WebKit_debug.dll!WebCore::JavaScriptDebugServer::returnEvent(KJS::ExecState * exec=0x0012f104, int sourceID=120, int lineNumber=265, KJS::JSObject * __formal=0x05c06600) Line 455 C++ WebKit_debug.dll!KJS::FunctionBodyNodeWithDebuggerHooks::execute(KJS::ExecState * exec=0x0012f104) Line 4912 + 0x2e bytes C++ WebKit_debug.dll!KJS::FunctionImp::callAsFunction(KJS::ExecState * exec=0x0012f3ac, KJS::JSObject * thisObj=0x05c06900, const KJS::List & args={...}) Line 78 + 0x21 bytes C++ WebKit_debug.dll!KJS::JSObject::call(KJS::ExecState * exec=0x0012f3ac, KJS::JSObject * thisObj=0x05c06900, const KJS::List & args={...}) Line 99 + 0x1b bytes C++ WebKit_debug.dll!KJS::functionProtoFuncApply(KJS::ExecState * exec=0x0012f3ac, KJS::JSObject * thisObj=0x05c06600, const KJS::List & args={...}) Line 107 + 0x14 bytes C++ WebKit_debug.dll!KJS::PrototypeFunction::callAsFunction(KJS::ExecState * exec=0x0012f3ac, KJS::JSObject * thisObj=0x05c06600, const KJS::List & args={...}) Line 905 + 0x16 bytes C++ WebKit_debug.dll!KJS::JSObject::call(KJS::ExecState * exec=0x0012f3ac, KJS::JSObject * thisObj=0x05c06600, const KJS::List & args={...}) Line 99 + 0x1b bytes C++ WebKit_debug.dll!KJS::FunctionCallDotNode::inlineEvaluate(KJS::ExecState * exec=0x0012f3ac) Line 1495 + 0x14 bytes C++ WebKit_debug.dll!KJS::FunctionCallDotNode::evaluate(KJS::ExecState * exec=0x0012f3ac) Line 1501 C++ WebKit_debug.dll!KJS::ReturnNode::execute(KJS::ExecState * exec=0x0012f3ac) Line 4354 + 0x21 bytes C++ WebKit_debug.dll!KJS::BreakpointCheckStatement::execute(KJS::ExecState * exec=0x0012f3ac) Line 420 + 0x21 bytes C++ WebKit_debug.dll!KJS::statementListExecute(WTF::Vector<WTF::RefPtr<KJS::StatementNode>,0> & statements={...}, KJS::ExecState * exec=0x0012f3ac) Line 3946 + 0x29 bytes C++ WebKit_debug.dll!KJS::BlockNode::execute(KJS::ExecState * exec=0x0012f3ac) Line 3971 + 0x10 bytes C++ WebKit_debug.dll!KJS::FunctionBodyNode::execute(KJS::ExecState * exec=0x0012f3ac) Line 4891 C++ WebKit_debug.dll!KJS::FunctionBodyNodeWithDebuggerHooks::execute(KJS::ExecState * exec=0x0012f3ac) Line 4907 + 0xc bytes C++ WebKit_debug.dll!KJS::FunctionImp::callAsFunction(KJS::ExecState * exec=0x0795b3d0, KJS::JSObject * thisObj=0x072f6140, const KJS::List & args={...}) Line 78 + 0x21 bytes C++ WebKit_debug.dll!KJS::JSObject::call(KJS::ExecState * exec=0x0795b3d0, KJS::JSObject * thisObj=0x072f6140, const KJS::List & args={...}) Line 99 + 0x1b bytes C++ WebKit_debug.dll!WebCore::JSAbstractEventListener::handleEvent(WebCore::Event * ele=0x0804c240, bool isWindowEvent=false) Line 100 + 0x14 bytes C++ WebKit_debug.dll!WebCore::EventTarget::handleLocalEvents(WebCore::EventTargetNode * referenceNode=0x07c31de0, WebCore::Event * evt=0x0804c240, bool useCapture=false) Line 314 + 0x2e bytes C++ WebKit_debug.dll!WebCore::EventTargetNode::handleLocalEvents(WebCore::Event * evt=0x0804c240, bool useCapture=false) Line 106 C++ WebKit_debug.dll!WebCore::EventTarget::dispatchGenericEvent(WebCore::EventTargetNode * referenceNode=0x07c31de0, WTF::PassRefPtr<WebCore::Event> e={...}, int & __formal=0, bool tempEvent=true) Line 212 + 0x1d bytes C++ WebKit_debug.dll!WebCore::EventTargetNode::dispatchEvent(WTF::PassRefPtr<WebCore::Event> e={...}, int & ec=0, bool tempEvent=true) Line 121 + 0x1e bytes C++ WebKit_debug.dll!WebCore::EventTargetNode::dispatchHTMLEvent(const WebCore::AtomicString & eventType={...}, bool canBubbleArg=false, bool cancelableArg=false) Line 358 C++ WebKit_debug.dll!WebCore::HTMLScriptElement::notifyFinished(WebCore::CachedResource * o=0x078b2fe8) Line 167 C++ WebKit_debug.dll!WebCore::CachedScript::checkNotify() Line 95 + 0x13 bytes C++ WebKit_debug.dll!WebCore::CachedScript::data(WTF::PassRefPtr<WebCore::SharedBuffer> data={...}, bool allDataReceived=true) Line 86 C++ WebKit_debug.dll!WebCore::Loader::Host::didFinishLoading(WebCore::SubresourceLoader * loader=0x0804b620) Line 269 C++ WebKit_debug.dll!WebCore::SubresourceLoader::didFinishLoading() Line 193 + 0x21 bytes C++ WebKit_debug.dll!WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle * __formal=0x07b08198) Line 389 + 0xf bytes C++ WebKit_debug.dll!WebCore::didFinishLoading(_CFURLConnection * conn=0x07c753f8, const void * clientInfo=0x07b08198) Line 117 + 0x1e bytes C++

Attachments
testcase (554 bytes, text/html) 2008-05-14 14:31 PDT, Adam Roben (:aroben)	no flags	Details
Proposed patch (10.46 KB, patch) 2008-05-14 18:42 PDT, Timothy Hatcher	kmccullough: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Mark Rowe (bdash)

Comment 1 2008-05-13 16:36:17 PDT

<rdar://problem/5933443>

Timothy Hatcher

Comment 2 2008-05-13 18:36:23 PDT

The callEvent and returnEvent calls seem to unbalanced.

Adam Roben (:aroben)

Comment 3 2008-05-14 14:31:33 PDT

Created attachment 21137 [details] testcase

Timothy Hatcher

Comment 4 2008-05-14 18:42:04 PDT

Created attachment 21149 [details] Proposed patch

Timothy Hatcher

Comment 5 2008-05-14 18:59:58 PDT

Landed in r33473.

Adam Roben (:aroben)

Comment 6 2008-05-14 21:47:56 PDT

Comment on attachment 21149 [details] Proposed patch @@ -457,9 +530,8 @@ bool JavaScriptDebugServer::returnEvent(ExecState* exec, int sourceID, int lineN { if (m_paused) return true; + updateCurrentCallFrame(m_currentCallFrame, exec, sourceID, lineNumber, m_pauseOnExecState); pauseIfNeeded(exec, sourceID, lineNumber); - m_currentCallFrame->invalidate(); - m_currentCallFrame = m_currentCallFrame->caller(); return true; } Doesn't this change reintroduce the bug that was fixed by r33453? <http://trac.webkit.org/changeset/33453>

Adam Roben (:aroben)

Comment 7 2008-05-14 21:48:40 PDT

(In reply to comment #6) > (From update of attachment 21149 [details] [edit]) > @@ -457,9 +530,8 @@ bool JavaScriptDebugServer::returnEvent(ExecState* exec, > int sourceID, int lineN > { > if (m_paused) > return true; > + updateCurrentCallFrame(m_currentCallFrame, exec, sourceID, lineNumber, > m_pauseOnExecState); > pauseIfNeeded(exec, sourceID, lineNumber); > - m_currentCallFrame->invalidate(); > - m_currentCallFrame = m_currentCallFrame->caller(); > return true; > } > > Doesn't this change reintroduce the bug that was fixed by r33453? > <http://trac.webkit.org/changeset/33453> (We really need a testcase for that bug, btw!)

Timothy Hatcher

Comment 8 2008-05-14 22:25:26 PDT

I doesn't reintroduce that bug because things are updated more with atStatement.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware All

OS All

Product WebKit

Component Web Inspector (Deprecated)

Assignee

Timothy Hatcher

Reported

2008-05-13 16:35 PDT

Modified

2008-05-14 22:25 PDT History

CC List

3 users Show

URL

Keywords HasReduction, InRadar

Depends on

Blocks