Drosera crashes Safari when it tries to access the scope chain. This is happening because the WebCoreScriptDebugger and one of the WebCoreScriptCallFrames is holding on to an old WebScriptObject for the frame's window. The window object is cleared each time a page loads, so the debugger needs to be detached and reattached when this happens.
Created attachment 9195 [details] Patch to fix the crash
Comment on attachment 9195 [details] Patch to fix the crash Sounds wrong to me. The window object is cleared, yes, but it is the same window object. Why do we need to create a new WebScriptObject each time when it's the same window object?
Comment on attachment 9195 [details] Patch to fix the crash I talked to Tim and made it clear this is not a fix, but rather a workaround, for whatever bug he's run into. He's going to investigate further.
Turns out this crash has the same root cause as <rdar://problem/4608404> WebScriptObject's _executionContext has no ownership policy. Here is what Geoff had to say in the radar. "Whenever the current page changes, FrameMac::setView calls FrameMac::cleanupPluginRootObjects() (WebCore/bridge/mac/FrameMac.mm), which calls removeAllNativeReferences(), which unprotects all JSObjects that have been bound to wrappers in other languages (Java, C, Objc). The assumption in this code is that JSObjects only get bound to wrappers belonging to plug-ins, and that plug-ins go away when the page changes. This assumption is incorrect. WebKit's WebScriptObject API allows an app to embed a WebView and access its data through WebScriptObject wrappers. As long as those wrappers are alive, the data they bind should remain alive, too." I do not understand the design well enough to fix cleanupPluginRootObjects; I will leave it to Geoff. Can my patch land with a FIXME until <rdar://problem/4608404> is fixed? This fix will unblock bug 9597 and bug 9598.
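Added example, not WebKit's code: a simplified C++ model of the ownership problem quoted above. The heap, protect set, `removeAllNativeReferences` and `Wrapper` class are hypothetical stand-ins that show why a page-change bulk unprotect kills objects a still-live wrapper depends on, while a wrapper that owns its own protect does not.

```cpp
#include <memory>
#include <set>
#include <vector>

// Toy model of the JS heap: an object survives a collection only while some
// native wrapper still holds a protect on it (stand-in for the real GC root set).
struct JSObject { bool alive = true; };

struct Heap {
    std::vector<std::unique_ptr<JSObject>> objects;
    std::multiset<JSObject*> protects;   // one entry per outstanding protect
    JSObject* alloc() { objects.push_back(std::make_unique<JSObject>()); return objects.back().get(); }
    void protect(JSObject* o) { protects.insert(o); }
    void unprotect(JSObject* o) {
        auto it = protects.find(o);
        if (it != protects.end()) protects.erase(it);
    }
    // Models the page-change cleanup described in the bug: every protect is
    // dropped at once, regardless of which wrappers are still alive.
    void removeAllNativeReferences() { protects.clear(); }
    // Anything with no outstanding protect is collected (marked dead here).
    void collect() {
        for (auto& o : objects)
            if (!protects.count(o.get())) o->alive = false;
    }
};

// Wrapper with an explicit ownership policy: it takes one protect on its target
// when created and releases exactly that protect when destroyed.
class Wrapper {
public:
    Wrapper(Heap& h, JSObject* o) : heap_(h), obj_(o) { heap_.protect(obj_); }
    ~Wrapper() { heap_.unprotect(obj_); }
    Wrapper(const Wrapper&) = delete;
    Wrapper& operator=(const Wrapper&) = delete;
    bool targetAlive() const { return obj_->alive; }
private:
    Heap& heap_;
    JSObject* obj_;
};

// A debugger-held wrapper outlives a page change; returns whether the window
// object it wraps is still alive after the collection that follows.
bool windowSurvivesPageChange(bool bulkUnprotectOnPageChange) {
    Heap heap;
    Wrapper debuggerRef(heap, heap.alloc());   // the debugger's window wrapper
    if (bulkUnprotectOnPageChange) heap.removeAllNativeReferences();
    heap.collect();
    return debuggerRef.targetAlive();
}
```

With the bulk unprotect the wrapper is left pointing at a collected object, which is the dangling `WebScriptObject` the crash report describes; with per-wrapper ownership the object lives exactly as long as the wrapper does.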
Comment on attachment 9195 [details] Patch to fix the crash r=me
Landed in r15159. The [_frame _detachScriptDebugger] line can be rolled out once <rdar://problem/4608404> is fixed.
Closing since Drosera has been replaced by the new Web Inspector debugger. Moving to the New Bugs component so the Drosera component can be closed and removed.