124864 2013-11-25 15:05:32 -0800 Web Inspector: Crash when starting the Inspector 2014-02-13 03:46:42 -0800 1 1 1 Unclassified WebKit Web Inspector 528+ (Nightly build) All All RESOLVED INVALID InRadar P2 Normal --- 1 achicu achicu andersca bburg graouts joepeck sam timothy webkit-bug-importer oldest_to_newest 954118 0 achicu 2013-11-25 15:05:32 -0800 Go to any page. Open the Web Inspector. 0 com.apple.WebCore 0x00000001148a7af3 WebCore::Page::setGroupName(WTF::String const&) + 51 (RefPtr.h:66) 1 com.apple.WebKit2 0x000000011342ac3f WebKit::WebPage::WebPage(unsigned long long, WebKit::WebPageCreationParameters const&) + 2049 (WebPage.cpp:355) 2 com.apple.WebKit2 0x000000011342a400 WebKit::WebPage::create(unsigned long long, WebKit::WebPageCreationParameters const&) + 52 (RefPtr.h:57) 3 com.apple.WebKit2 0x0000000113481b10 WebKit::WebProcess::createWebPage(unsigned long long, WebKit::WebPageCreationParameters const&) + 112 (PassRefPtr.h:90) 4 com.apple.WebKit2 0x000000011341892c WebKit::WebInspector::createInspectorPage() + 292 (WebInspector.cpp:90) 5 com.apple.WebKit2 0x0000000113419cce WebKit::WebInspectorClient::openInspectorFrontend(WebCore::InspectorController*) + 26 (WebInspectorClient.cpp:50) 6 com.apple.WebCore 0x00000001144f5206 WebCore::InspectorController::show() + 54 (InspectorController.cpp:263) 7 com.apple.WebKit2 0x000000011341a37f WebKit::WebInspector::didReceiveWebInspectorMessage(CoreIPC::Connection*, CoreIPC::MessageDecoder&) + 83 (HandleMessage.h:14) 8 com.apple.WebKit2 0x0000000113365c9d CoreIPC::MessageReceiverMap::dispatchMessage(CoreIPC::Connection*, CoreIPC::MessageDecoder&) + 125 (MessageReceiverMap.cpp:86) 9 com.apple.WebKit2 0x0000000113481c9a WebKit::WebProcess::didReceiveMessage(CoreIPC::Connection*, CoreIPC::MessageDecoder&) + 28 (WebProcess.cpp:638) 10 com.apple.WebKit2 0x00000001133386b4 CoreIPC::Connection::dispatchMessage(std::__1::unique_ptr<CoreIPC::MessageDecoder, std::__1::default_delete<CoreIPC::MessageDecoder> >) + 94 (memory:2665) 11 com.apple.WebKit2 0x000000011333a52a CoreIPC::Connection::dispatchOneMessage() + 106 (memory:2684) 12 com.apple.JavaScriptCore 0x0000000113d68525 WTF::RunLoop::performWork() + 421 (RunLoop.cpp:106) 13 com.apple.JavaScriptCore 0x0000000113d68c02 WTF::RunLoop::performWork(void*) + 34 (RunLoopCF.cpp:39) 14 com.apple.CoreFoundation 0x00007fff88eb18f1 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17 15 com.apple.CoreFoundation 0x00007fff88ea3062 __CFRunLoopDoSources0 + 242 16 com.apple.CoreFoundation 0x00007fff88ea27ef __CFRunLoopRun + 831 17 com.apple.CoreFoundation 0x00007fff88ea2275 CFRunLoopRunSpecific + 309 18 com.apple.HIToolbox 0x00007fff8be6df0d RunCurrentEventLoopInMode + 226 19 com.apple.HIToolbox 0x00007fff8be6dcb7 ReceiveNextEventCommon + 479 20 com.apple.HIToolbox 0x00007fff8be6dabc _BlockUntilNextEventMatchingListInModeWithFilter + 65 21 com.apple.AppKit 0x00007fff8c12128e _DPSNextEvent + 1434 22 com.apple.AppKit 0x00007fff8c1208db -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 122 23 com.apple.AppKit 0x00007fff8c1149cc -[NSApplication run] + 553 24 com.apple.AppKit 0x00007fff8c0ff803 NSApplicationMain + 940 25 com.apple.XPCService 0x00007fff8d4f3c0f _xpc_main + 385 26 libxpc.dylib 0x00007fff8b361b2e xpc_main + 399 27 com.apple.WebKit.WebContent.Development 0x000000010d4416a0 main + 16 (XPCServiceMain.Development.mm:91) 28 libdyld.dylib 0x00007fff929255fd start + 1 954126 1 achicu 2013-11-25 15:12:27 -0800 The issue is simple, but I don't know how it didn't reproduce so far: WebInspector::createInspectorPage() sends Messages::WebInspectorProxy::CreateInspectorPage and waits in sync mode. WebInspectorProxy::CreateInspectorPage will send back two messages + the sync reply: 1. Messages::WebProcess::CreateWebPageGroup. 2. Messages::WebProcess::CreateWebPage. WebInspector::createInspectorPage wakes up when it receives the reply, but the two messages from the WebInspectorProxy::CreateInspectorPage are still pending to execute. The problem is that WebInspector::createInspectorPage forces the call to WebProcess::shared().createWebPage using the data in the sync reply. That's even though there's a pending message that will creating anyway. The crash happens when the page tries to use the PageGroup that has not been created yet. The page group creation message didn't had a chance to process. 954133 2 achicu 2013-11-25 15:24:53 -0800 It seems like a simple fix would be to replace the following line in WebPageProxy::initializeWebPage() m_process->send(Messages::WebProcess::CreateWebPageGroup(m_pageGroup->pageGroupID(), m_pageGroup->data()), 0); should be: m_process->send(Messages::WebProcess::CreateWebPageGroup(m_pageGroup->pageGroupID(), m_pageGroup->data()), 0, CoreIPC::DispatchMessageEvenWhenWaitingForSyncReply); 954146 3 217842 achicu 2013-11-25 16:00:05 -0800 Created attachment 217842 Patch V1 954148 4 achicu 2013-11-25 16:07:41 -0800 The patch that introduced the initial crash was rolled out :) https://bugs.webkit.org/show_bug.cgi?id=124859 972046 5 webkit-bug-importer 2014-01-25 14:42:54 -0800 <rdar://problem/15909846> 980214 6 217842 ossy 2014-02-13 03:46:42 -0800 Comment on attachment 217842 Patch V1 Cleared review? from attachment 217842 so that this bug does not appear in http://webkit.org/pending-review. If you would like this patch reviewed, please attach it to a new bug (or re-open this bug before marking it for review again). 217842 2013-11-25 16:00:05 -0800 2014-02-13 03:46:41 -0800 Patch V1 bug124864.v1.patch text/plain 2469 achicu ZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJLaXQyL0NoYW5nZUxvZyBiL1NvdXJjZS9XZWJLaXQyL0No YW5nZUxvZwppbmRleCAzOGY2YTYyLi45MjNmNDRiIDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViS2l0 Mi9DaGFuZ2VMb2cKKysrIGIvU291cmNlL1dlYktpdDIvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMjcg QEAKKzIwMTMtMTEtMjUgIEFsZXhhbmRydSBDaGljdWxpdGEgIDxhY2hpY3VAYWRvYmUuY29tPgor CisgICAgICAgIFdlYiBJbnNwZWN0b3I6IENyYXNoIHdoZW4gc3RhcnRpbmcgdGhlIEluc3BlY3Rv cgorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTI0ODY0 CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgV2ViSW5z cGVjdG9yOjpjcmVhdGVJbnNwZWN0b3JQYWdlKCkgc2VuZHMgYSBzeW5jIE1lc3NhZ2VzOjpXZWJJ bnNwZWN0b3JQcm94eTo6Q3JlYXRlSW5zcGVjdG9yUGFnZS4KKworICAgICAgICBXZWJJbnNwZWN0 b3JQcm94eTo6Q3JlYXRlSW5zcGVjdG9yUGFnZSB3aWxsIHRoZW4gc2VuZCBiYWNrIHR3byBtZXNz YWdlcywgcGx1cyB0aGUgc3luYyByZXBseToKKyAgICAgICAgMS4gTWVzc2FnZXM6OldlYlByb2Nl c3M6OkNyZWF0ZVdlYlBhZ2VHcm91cC4KKyAgICAgICAgMi4gTWVzc2FnZXM6OldlYlByb2Nlc3M6 OkNyZWF0ZVdlYlBhZ2UuCisKKyAgICAgICAgV2ViSW5zcGVjdG9yOjpjcmVhdGVJbnNwZWN0b3JQ YWdlIHdha2VzIHVwIHdoZW4gaXQgcmVjZWl2ZXMgdGhlIHN5bmMgcmVwbHksIGJ1dCB0aGUgdHdv IG1lc3NhZ2VzIGZyb20gdGhlCisgICAgICAgIFdlYkluc3BlY3RvclByb3h5OjpDcmVhdGVJbnNw ZWN0b3JQYWdlIGFyZSBzdGlsbCBwZW5kaW5nIHRvIGV4ZWN1dGUuCisKKyAgICAgICAgVGhlIGNy YXNoIGhhcHBlbnMgd2hlbiBXZWJJbnNwZWN0b3I6OmNyZWF0ZUluc3BlY3RvclBhZ2UgZm9yY2Vz IHRoZSBjYWxsIHRvIFdlYlByb2Nlc3M6OnNoYXJlZCgpLmNyZWF0ZVdlYlBhZ2UKKyAgICAgICAg dXNpbmcgdGhlIGRhdGEgZnJvbSB0aGUgc3luYyByZXBseS4gVGhhdCdzIGJlY2F1c2UgdGhlIHBh Z2UgdHJpZXMgdG8gdXNlIHRoZSBQYWdlR3JvdXAgdGhhdCBoYXMgbm90IGJlZW4gY3JlYXRlZCB5 ZXQsIGFzCisgICAgICAgIHRoZSBwYWdlIGdyb3VwIGNyZWF0aW9uIG1lc3NhZ2UgZGlkbid0IGhh ZCBhIGNoYW5jZSB0byBwcm9jZXNzLgorCisgICAgICAgICogVUlQcm9jZXNzL1dlYlBhZ2VQcm94 eS5jcHA6CisgICAgICAgIChXZWJLaXQ6OldlYlBhZ2VQcm94eTo6aW5pdGlhbGl6ZVdlYlBhZ2Up OiBBZGRlZCBDb3JlSVBDOjpEaXNwYXRjaE1lc3NhZ2VFdmVuV2hlbldhaXRpbmdGb3JTeW5jUmVw bHkgb24gdGhlCisgICAgICAgIE1lc3NhZ2VzOjpXZWJQcm9jZXNzOjpDcmVhdGVXZWJQYWdlR3Jv dXAgbWVzc2FnZSB0byBmb3JjZSBpdCBleGVjdXRlIGJlZm9yZSB3ZSByZWNlaXZlIHRoZSBzeW5j IHJlc3VsdC4KKwogMjAxMy0xMS0yNSAgRGFuIEJlcm5zdGVpbiAgPG1pdHpAYXBwbGUuY29tPgog CiAgICAgICAgIFtDb2NvYV0gUHV0IG1vc3Qgb2YgdGhlIENvY29hIEFQSSBiZWhpbmQgV0tfQVBJ X0VOQUJMRUQgZ3VhcmRzCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViS2l0Mi9VSVByb2Nlc3MvV2Vi UGFnZVByb3h5LmNwcCBiL1NvdXJjZS9XZWJLaXQyL1VJUHJvY2Vzcy9XZWJQYWdlUHJveHkuY3Bw CmluZGV4IDU2YWU1NDkuLmU2ZGI0YWMgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJLaXQyL1VJUHJv Y2Vzcy9XZWJQYWdlUHJveHkuY3BwCisrKyBiL1NvdXJjZS9XZWJLaXQyL1VJUHJvY2Vzcy9XZWJQ YWdlUHJveHkuY3BwCkBAIC01MjYsNyArNTI2LDggQEAgdm9pZCBXZWJQYWdlUHJveHk6OmluaXRp YWxpemVXZWJQYWdlKCkKIAogICAgIGlmIChtX3BhZ2VHcm91cC0+YWRkUHJvY2VzcygqbV9wcm9j ZXNzKSkgewogICAgICAgICBtX3Byb2Nlc3MtPmFkZFdlYlBhZ2VHcm91cCgqbV9wYWdlR3JvdXAp OwotICAgICAgICBtX3Byb2Nlc3MtPnNlbmQoTWVzc2FnZXM6OldlYlByb2Nlc3M6OkNyZWF0ZVdl YlBhZ2VHcm91cChtX3BhZ2VHcm91cC0+cGFnZUdyb3VwSUQoKSwgbV9wYWdlR3JvdXAtPmRhdGEo KSksIDApOworICAgICAgICAvLyBXZWJJbnNwZWN0b3I6OmNyZWF0ZUluc3BlY3RvclBhZ2UgaXMg ZXhwZWN0aW5nIHRoZSBQYWdlR3JvdXAgbWVzc2FnZSB0byBiZSBwcm9jZXNzZWQgYmVmb3JlIGl0 IHJlY2VpdmVzIHRoZSBzeW5jIHJlc3VsdC4KKyAgICAgICAgbV9wcm9jZXNzLT5zZW5kKE1lc3Nh Z2VzOjpXZWJQcm9jZXNzOjpDcmVhdGVXZWJQYWdlR3JvdXAobV9wYWdlR3JvdXAtPnBhZ2VHcm91 cElEKCksIG1fcGFnZUdyb3VwLT5kYXRhKCkpLCAwLCBDb3JlSVBDOjpEaXNwYXRjaE1lc3NhZ2VF dmVuV2hlbldhaXRpbmdGb3JTeW5jUmVwbHkpOwogICAgIH0KIAogICAgIGluaXRpYWxpemVDcmVh dGlvblBhcmFtZXRlcnMoKTsK