Bug 9731 - [Drosera] crash when trying to access the scope chain
Summary: [Drosera] crash when trying to access the scope chain
Status: CLOSED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs (show other bugs)
Version: 420+
Hardware: Mac OS X 10.4
: P2 Major
Assignee: Timothy Hatcher
URL:
Keywords:
Depends on:
Blocks: 9597 9598
Reported: 2006-07-04 12:56 PDT by Timothy Hatcher
Modified: 2008-05-17 09:55 PDT (History)

See Also:


Attachments
Patch to fix the crash (2.02 KB, patch)
2006-07-04 13:06 PDT, Timothy Hatcher
mjs: review+

Description Timothy Hatcher 2006-07-04 12:56:11 PDT
Drosera crashes Safari when it tries to access the scope chain. This is happening because the WebCoreScriptDebugger and one of the WebCoreScriptCallFrames is holding on to an old WebScriptObject for the frame's window. The window object is cleared each time a page loads, so the debugger needs to be detached and reattached when this happens.
Comment 1 Timothy Hatcher 2006-07-04 13:06:02 PDT
Created attachment 9195 [details]
Patch to fix the crash
Comment 2 Darin Adler 2006-07-04 14:37:21 PDT
Comment on attachment 9195 [details]
Patch to fix the crash

Sounds wrong to me. The window object is cleared, yes, but it is the same window object. Why do we need to create a new WebScriptObject each time when it's the same window object?
Comment 3 Darin Adler 2006-07-04 14:52:07 PDT
Comment on attachment 9195 [details]
Patch to fix the crash

I talked to Tim and made it clear this is not a fix, but rather a workaround, for whatever bug he's run into.

He's going to investigate further.
Comment 4 Timothy Hatcher 2006-07-04 22:39:59 PDT
Turns out this crash is the same root cause of <rdar://problem/4608404> WebScriptObject's _executionContext has no ownership policy.

Here is what Geoff had to say in the radar.

"Whenever the current page changes, FrameMac::setView calls FrameMac::cleanupPluginRootObjects() (WebCore/bridge/mac/FrameMac.mm), which calls removeAllNativeReferences(), which unprotects all JSObjects that have been bound to wrappers in other languages (Java, C, Objc). The assumption in this code is that JSObjects only get bound to wrappers belonging to plug-ins, and that plug-ins go away when the page changes.

This assumption is incorrect. WebKit's WebScriptObject API allows an app to embed a WebView and access its data through WebScriptObject wrappers. As long as those wrappers are alive, the data they bind should remain alive, too."

I do not understand the design well enough to fix cleanupPluginRootObjects; I will leave it to Geoff.

Can my patch land with a FIXME until <rdar://problem/4608404> is fixed? This fix will unblock bug 9597 and bug 9598.
Comment 5 Maciej Stachowiak 2006-07-04 22:59:28 PDT
Comment on attachment 9195 [details]
Patch to fix the crash

r=me
Comment 6 Timothy Hatcher 2006-07-04 23:13:01 PDT
Landed in r15159. The [_frame _detachScriptDebugger] line can be rolled out once <rdar://problem/4608404> is fixed.
Comment 7 Timothy Hatcher 2008-05-17 09:55:53 PDT
Closing since Drosera has been replaced by the new Web Inspector debugger. Moving to the New Bugs component so the Drosera component can be closed and removed.