134849 2014-07-11 16:57:45 -0700 Web Inspector: Crash when using a stale InspectableNode Node 2014-07-11 18:49:36 -0700 1 1 1 Unclassified WebKit Web Inspector 528+ (Nightly build) All All RESOLVED FIXED InRadar P2 Normal --- 1 joepeck joepeck commit-queue graouts joepeck timothy webkit-bug-importer oldest_to_newest 1021938 0 joepeck 2014-07-11 16:57:45 -0700 InspectableNode has a weak pointer to a Node. It should have a RefPtr to prevent it from getting stale out from under it. Crashed Thread: 0 Dispatch queue: com.apple.main-thread Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x000000003394e57b Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x00007fff83201b94 WebCore::InspectorDOMAgent::nodeAsScriptValue(JSC::ExecState*, WebCore::Node*) + 132 1 com.apple.WebCore 0x00007fff8362dc18 WebCore::InspectableNode::get(JSC::ExecState*) + 24 2 com.apple.WebCore 0x00007fff832a0414 WebCore::JSCommandLineAPIHost::inspectedObject(JSC::ExecState*) + 164 3 ??? 0x0000228e27e01034 0 + 37993949696052 4 com.apple.JavaScriptCore 0x00007fff8d22b4ae llint_entry + 22744 5 com.apple.JavaScriptCore 0x00007fff8d22b678 llint_entry + 23202 6 com.apple.JavaScriptCore 0x00007fff8d2259b1 callToJavaScript + 311 ... * STEPS TO REPRODUCE 1. Inspect attached [crash-reduction.html] 2. Show DOM Tree 3. Expand <body> 4. Select the <h1> (it will be deleted in a second) 5. Trigger a garbage collection 6. js> $1 => CRASH <rdar://problem/14540951> 1021939 1 234792 joepeck 2014-07-11 16:59:15 -0700 Created attachment 234792 [PATCH] Proposed Fix If needed I could probably create a test for this. 1021945 2 234792 commit-queue 2014-07-11 18:49:34 -0700 Comment on attachment 234792 [PATCH] Proposed Fix Clearing flags on attachment: 234792 Committed r171018: <http://trac.webkit.org/changeset/171018> 1021946 3 commit-queue 2014-07-11 18:49:36 -0700 All reviewed patches have been landed. Closing bug. 234792 2014-07-11 16:59:15 -0700 2014-07-11 18:49:34 -0700 [PATCH] Proposed Fix inspectable-node.patch text/plain 1312 joepeck ZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZyBiL1NvdXJjZS9XZWJDb3JlL0No YW5nZUxvZwppbmRleCBiNTE1MjAxLi41YzBiODhiIDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29y ZS9DaGFuZ2VMb2cKKysrIGIvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCkBAIC0xLDUgKzEsMTQg QEAKIDIwMTQtMDctMTEgIEpvc2VwaCBQZWNvcmFybyAgPHBlY29yYXJvQGFwcGxlLmNvbT4KIAor ICAgICAgICBXZWIgSW5zcGVjdG9yOiBDcmFzaCB3aGVuIHVzaW5nIGEgc3RhbGUgSW5zcGVjdGFi bGVOb2RlIE5vZGUKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dp P2lkPTEzNDg0OQorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAg ICAgICogaW5zcGVjdG9yL1BhZ2VDb25zb2xlQWdlbnQuY3BwOgorCisyMDE0LTA3LTExICBKb3Nl cGggUGVjb3Jhcm8gIDxwZWNvcmFyb0BhcHBsZS5jb20+CisKICAgICAgICAgV2ViIEluc3BlY3Rv cjogRGVidWdnZXIgUGF1c2UgYnV0dG9uIGRvZXMgbm90IHdvcmsKICAgICAgICAgaHR0cHM6Ly9i dWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTEzNDc4NQogCmRpZmYgLS1naXQgYS9Tb3Vy Y2UvV2ViQ29yZS9pbnNwZWN0b3IvUGFnZUNvbnNvbGVBZ2VudC5jcHAgYi9Tb3VyY2UvV2ViQ29y ZS9pbnNwZWN0b3IvUGFnZUNvbnNvbGVBZ2VudC5jcHAKaW5kZXggMTA1MWQ3YS4uNmYxY2MxMjMg MTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJDb3JlL2luc3BlY3Rvci9QYWdlQ29uc29sZUFnZW50LmNw cAorKysgYi9Tb3VyY2UvV2ViQ29yZS9pbnNwZWN0b3IvUGFnZUNvbnNvbGVBZ2VudC5jcHAKQEAg LTYwLDEwICs2MCwxMCBAQCBwdWJsaWM6CiAgICAgZXhwbGljaXQgSW5zcGVjdGFibGVOb2RlKE5v ZGUqIG5vZGUpIDogbV9ub2RlKG5vZGUpIHsgfQogICAgIHZpcnR1YWwgRGVwcmVjYXRlZDo6U2Ny aXB0VmFsdWUgZ2V0KEpTQzo6RXhlY1N0YXRlKiBzdGF0ZSkgb3ZlcnJpZGUKICAgICB7Ci0gICAg ICAgIHJldHVybiBJbnNwZWN0b3JET01BZ2VudDo6bm9kZUFzU2NyaXB0VmFsdWUoc3RhdGUsIG1f bm9kZSk7CisgICAgICAgIHJldHVybiBJbnNwZWN0b3JET01BZ2VudDo6bm9kZUFzU2NyaXB0VmFs dWUoc3RhdGUsIG1fbm9kZS5nZXQoKSk7CiAgICAgfQogcHJpdmF0ZToKLSAgICBOb2RlKiBtX25v ZGU7CisgICAgUmVmUHRyPE5vZGU+IG1fbm9kZTsKIH07CiAKIHZvaWQgUGFnZUNvbnNvbGVBZ2Vu dDo6YWRkSW5zcGVjdGVkTm9kZShFcnJvclN0cmluZyogZXJyb3JTdHJpbmcsIGludCBub2RlSWQp Cg==