136034 2014-08-17 18:24:20 -0700 REGRESSION: Web Inspector crashes when reloading apple.com with Timeline recording active 2014-08-20 13:31:43 -0700 1 1 1 Unclassified WebKit WebCore JavaScript 528+ (Nightly build) All All RESOLVED FIXED P2 Normal --- 1 burg msaboff ggaren joepeck mark.lam msaboff timothy oldest_to_newest 1029691 0 burg 2014-08-17 18:24:20 -0700 Steps to reproduce: 1. Navigate to apple.com 2. Open the Web Inspector 3. Start timelines recording from the Timelines panel 4. Reload the inspected page Looks like we try to walk the stack when creating a new profile but one of the call frames is bogus. Possibly, because this is evaluating script inside a <script> tag. However, this code has not changed in the Inspector side since January so maybe it's fallout from the ftlopt merge. Would appreciate it if others could bisect. Stack trace: #0 0x0000000109e51319 in JSC::VMEntryRecord::prevTopVMEntryFrame() [inlined] at /Users/burg/repos/webkit-dev/Source/JavaScriptCore/interpreter/VMEntryRecord.h:47 #1 0x0000000109e51319 in JSC::ExecState::callerFrame(void*&) at /Users/burg/repos/webkit-dev/Source/JavaScriptCore/interpreter/CallFrame.cpp:143 #2 0x000000010a252fbf in JSC::StackVisitor::readNonInlinedFrame(JSC::ExecState*, JSC::CodeOrigin*) [inlined] at /Users/burg/repos/webkit-dev/Source/JavaScriptCore/interpreter/StackVisitor.cpp:112 #3 0x000000010a252fa3 in JSC::StackVisitor::readFrame(JSC::ExecState*) at /Users/burg/repos/webkit-dev/Source/JavaScriptCore/interpreter/StackVisitor.cpp:77 #4 0x000000010a222c8c in void JSC::StackVisitor::visit<JSC::AddParentForConsoleStartFunctor>(JSC::ExecState*, JSC::AddParentForConsoleStartFunctor&) [inlined] at /Users/burg/repos/webkit-dev/Source/JavaScriptCore/interpreter/StackVisitor.h:125 #5 0x000000010a222c84 in void JSC::ExecState::iterate<JSC::AddParentForConsoleStartFunctor>(JSC::AddParentForConsoleStartFunctor&) [inlined] at /Users/burg/repos/webkit-dev/Source/JavaScriptCore/interpreter/CallFrame.h:260 #6 0x000000010a222c84 in JSC::ProfileGenerator::addParentForConsoleStart(JSC::ExecState*) [inlined] at /Users/burg/repos/webkit-dev/Source/JavaScriptCore/profiler/ProfileGenerator.cpp:99 #7 0x000000010a222c60 in ProfileGenerator at /Users/burg/repos/webkit-dev/Source/JavaScriptCore/profiler/ProfileGenerator.cpp:55 #8 0x000000010a222ac8 in WTF::RefCounted<JSC::ProfileGenerator>::operator new(unsigned long) [inlined] at /Users/burg/repos/webkit-dev/Source/JavaScriptCore/profiler/ProfileGenerator.cpp:56 #9 0x000000010a222aaf in JSC::ProfileGenerator::create(JSC::ExecState*, WTF::String const&, unsigned int) at /Users/burg/repos/webkit-dev/Source/JavaScriptCore/profiler/ProfileGenerator.cpp:44 #10 0x000000010a14c24b in JSC::LegacyProfiler::startProfiling(JSC::ExecState*, WTF::String const&) at /Users/burg/repos/webkit-dev/Source/JavaScriptCore/profiler/LegacyProfiler.cpp:77 #11 0x000000010ab993fa in WebCore::startProfiling(JSC::ExecState*, WTF::String const&) [inlined] at /Users/burg/repos/webkit-dev/Source/WebCore/inspector/InspectorTimelineAgent.cpp:162 #12 0x000000010ab993e7 in WebCore::startProfiling(WebCore::Frame*, WTF::String const&) [inlined] at /Users/burg/repos/webkit-dev/Source/WebCore/inspector/InspectorTimelineAgent.cpp:172 #13 0x000000010ab993cc in WebCore::InspectorTimelineAgent::willEvaluateScript(WTF::String const&, int, WebCore::Frame*) at /Users/burg/repos/webkit-dev/Source/WebCore/inspector/InspectorTimelineAgent.cpp:410 #14 0x000000010ab6af3b in WebCore::InspectorInstrumentation::willEvaluateScriptImpl(WebCore::InstrumentingAgents*, WTF::String const&, int, WebCore::Frame*) at /Users/burg/repos/webkit-dev/Source/WebCore/inspector/InspectorInstrumentation.cpp:396 #15 0x000000010b1b6322 in WebCore::InspectorInstrumentation::willEvaluateScript(WebCore::Frame*, WTF::String const&, int) [inlined] at /Users/burg/repos/webkit-dev/Source/WebCore/inspector/InspectorInstrumentation.h:973 #16 0x000000010b1b62fa in WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&) at /Users/burg/repos/webkit-dev/Source/WebCore/bindings/js/ScriptController.cpp:148 #17 0x000000010b1b6379 in WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) at /Users/burg/repos/webkit-dev/Source/WebCore/bindings/js/ScriptController.cpp:168 #18 0x000000010b1bc017 in WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) at /Users/burg/repos/webkit-dev/Source/WebCore/dom/ScriptElement.cpp:301 #19 0x000000010aa95dd3 in WebCore::HTMLScriptRunner::executePendingScriptAndDispatchEvent(WebCore::PendingScript&) at /Users/burg/repos/webkit-dev/Source/WebCore/html/parser/HTMLScriptRunner.cpp:144 #20 0x000000010aa95cc9 in WebCore::HTMLScriptRunner::executeParsingBlockingScript() at /Users/burg/repos/webkit-dev/Source/WebCore/html/parser/HTMLScriptRunner.cpp:120 #21 0x000000010aa9641f in WebCore::HTMLScriptRunner::executeParsingBlockingScripts() at /Users/burg/repos/webkit-dev/Source/WebCore/html/parser/HTMLScriptRunner.cpp:195 #22 0x000000010aa43e0a in WebCore::HTMLDocumentParser::notifyFinished(WebCore::CachedResource*) at /Users/burg/repos/webkit-dev/Source/WebCore/html/parser/HTMLDocumentParser.cpp:585 #23 0x000000010a6f7955 in WebCore::CachedResource::switchClientsToRevalidatedResource() at /Users/burg/repos/webkit-dev/Source/WebCore/loader/cache/CachedResource.cpp:708 #24 0x000000010af8b02d in WebCore::MemoryCache::revalidationSucceeded(WebCore::CachedResource*, WebCore::ResourceResponse const&) at /Users/burg/repos/webkit-dev/Source/WebCore/loader/cache/MemoryCache.cpp:173 #25 0x000000010b284ede in WebCore::SubresourceLoader::didReceiveResponse(WebCore::ResourceResponse const&) at /Users/burg/repos/webkit-dev/Source/WebCore/loader/SubresourceLoader.cpp:203 #26 0x0000000109487fb8 in WebKit::WebResourceLoader::didReceiveResponseWithCertificateInfo(WebCore::ResourceResponse const&, WebCore::CertificateInfo const&, bool) at /Users/burg/repos/webkit-dev/Source/WebKit2/WebProcess/Network/WebResourceLoader.cpp:131 #27 0x000000010948891b in void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::ResourceResponse const&, WebCore::CertificateInfo const&, bool), std::__1::tuple<WebCore::ResourceResponse, WebCore::CertificateInfo, bool>, 0ul, 1ul, 2ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::ResourceResponse const&, WebCore::CertificateInfo const&, bool), std::__1::tuple<WebCore::ResourceResponse, WebCore::CertificateInfo, bool>&&, std::index_sequence<0ul, 1ul, 2ul>) [inlined] at /Users/burg/repos/webkit-dev/Source/WebKit2/Platform/IPC/HandleMessage.h:16 #28 0x00000001094888f1 in void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::ResourceResponse const&, WebCore::CertificateInfo const&, bool), std::__1::tuple<WebCore::ResourceResponse, WebCore::CertificateInfo, bool>, std::make_index_sequence<3ul> >(std::__1::tuple<WebCore::ResourceResponse, WebCore::CertificateInfo, bool>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::ResourceResponse const&, WebCore::CertificateInfo const&, bool)) [inlined] at /Users/burg/repos/webkit-dev/Source/WebKit2/Platform/IPC/HandleMessage.h:22 #29 0x00000001094888f1 in void IPC::handleMessage<Messages::WebResourceLoader::DidReceiveResponseWithCertificateInfo, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::ResourceResponse const&, WebCore::CertificateInfo const&, bool)>(IPC::MessageDecoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::ResourceResponse const&, WebCore::CertificateInfo const&, bool)) at /Users/burg/repos/webkit-dev/Source/WebKit2/Platform/IPC/HandleMessage.h:120 #30 0x0000000109488571 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection*, IPC::MessageDecoder&) at /Users/burg/repos/webkit-dev/WebKitBuild/Release/DerivedSources/WebKit2/WebResourceLoaderMessageReceiver.cpp:64 #31 0x00000001092c9ece in IPC::Connection::dispatchMessage(IPC::MessageDecoder&) [inlined] at /Users/burg/repos/webkit-dev/Source/WebKit2/Platform/IPC/Connection.cpp:809 #32 0x00000001092c9ec1 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) at /Users/burg/repos/webkit-dev/Source/WebKit2/Platform/IPC/Connection.cpp:828 #33 0x00000001092cc03a in IPC::Connection::dispatchOneMessage() at /Users/burg/repos/webkit-dev/Source/WebKit2/Platform/IPC/Connection.cpp:856 #34 0x000000010a2ddfa3 in std::__1::function<void ()>::operator()() const [inlined] at /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/../lib/c++/v1/functional:1755 #35 0x000000010a2ddf99 in WTF::RunLoop::performWork() at /Users/burg/repos/webkit-dev/Source/WTF/wtf/RunLoop.cpp:104 #36 0x000000010a2de682 in WTF::RunLoop::performWork(void*) at /Users/burg/repos/webkit-dev/Source/WTF/wtf/cf/RunLoopCF.cpp:38 #37 0x00007fff96b0e5b1 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ () #38 0x00007fff96affd29 in __CFRunLoopDoSources0 () #39 0x00007fff96aff3ef in __CFRunLoopRun () #40 0x00007fff96afee75 in CFRunLoopRunSpecific () #41 0x00007fff8ba39a0d in RunCurrentEventLoopInMode () #42 0x00007fff8ba397b7 in ReceiveNextEventCommon () #43 0x00007fff8ba395bc in _BlockUntilNextEventMatchingListInModeWithFilter () #44 0x00007fff8e4c424e in _DPSNextEvent () #45 0x00007fff8e4c389b in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] () #46 0x00007fff8e4b799c in -[NSApplication run] () #47 0x00007fff8e4a2783 in NSApplicationMain () #48 0x00007fff91e97c0f in _xpc_main () #49 0x00007fff8cc80bde in xpc_main () #50 0x0000000105411630 in main at /Users/burg/repos/webkit-dev/Source/WebKit2/Shared/EntryPointUtilities/mac/XPCService/XPCServiceMain.Development.mm:164 1030175 1 msaboff 2014-08-19 18:23:21 -0700 Found the issue. DebuggerCallFrame::positionForCallFrame is trying to unwind starting somewhere in the middle of the stack. After https://trac.webkit.org/changeset/163179, Stack visiting needs to start at the top of the stack. Patch in progress. 1030362 2 236891 msaboff 2014-08-20 12:59:16 -0700 Created attachment 236891 Patch 1030365 3 236891 mark.lam 2014-08-20 13:02:46 -0700 Comment on attachment 236891 Patch r=me 1030368 4 mark.lam 2014-08-20 13:06:06 -0700 (In reply to comment #1) > Found the issue. DebuggerCallFrame::positionForCallFrame is trying to unwind starting somewhere in the middle of the stack. After https://trac.webkit.org/changeset/163179, Stack visiting needs to start at the top of the stack. Forgot to suggest that you add the above comment into the ChangeLog to explain why the change fixes the crash. Please add it. Thanks. 1030375 5 msaboff 2014-08-20 13:28:44 -0700 Committed r172807: <http://trac.webkit.org/changeset/172807> 1030376 6 msaboff 2014-08-20 13:31:43 -0700 (In reply to comment #4) > (In reply to comment #1) > > Found the issue. DebuggerCallFrame::positionForCallFrame is trying to unwind starting somewhere in the middle of the stack. After https://trac.webkit.org/changeset/163179, Stack visiting needs to start at the top of the stack. > > Forgot to suggest that you add the above comment into the ChangeLog to explain why the change fixes the crash. Please add it. Thanks. I added the second sentence to ChangeLog before landing. 236891 2014-08-20 12:59:16 -0700 2014-08-20 13:02:45 -0700 Patch 136034.patch text/plain 1775 msaboff SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTcyODA1KQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE2IEBA CisyMDE0LTA4LTIwICBNaWNoYWVsIFNhYm9mZiAgPG1zYWJvZmZAYXBwbGUuY29tPgorCisgICAg ICAgIFJFR1JFU1NJT046IFdlYiBJbnNwZWN0b3IgY3Jhc2hlcyB3aGVuIHJlbG9hZGluZyBhcHBs ZS5jb20gd2l0aCBUaW1lbGluZSByZWNvcmRpbmcgYWN0aXZlCisgICAgICAgIGh0dHBzOi8vYnVn cy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xMzYwMzQKKworICAgICAgICBSZXZpZXdlZCBi eSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBIYXJkZW5lZCBTdGFja1Zpc2l0b3IgdG8gc2tp cCBvdmVyIHRoZSBmcmFtZXMgYmV0d2VlbiB0aGUgY3VycmVudCB0b3AgZnJhbWUgYW5kIHRoZSBy ZXF1ZXN0ZWQKKyAgICAgICAgc3RhcnQgZnJhbWUuCisKKyAgICAgICAgKiBpbnRlcnByZXRlci9T dGFja1Zpc2l0b3IuY3BwOgorICAgICAgICAoSlNDOjpTdGFja1Zpc2l0b3I6OlN0YWNrVmlzaXRv cik6CisKIDIwMTQtMDgtMjAgIEJyZW50IEZ1bGdoYW0gIDxiZnVsZ2hhbUBhcHBsZS5jb20+CiAK ICAgICAgICAgW1dpbl0gSmF2YVNjcmlwdENvcmUuZGxsIGlzIG1pc3NpbmcgdmVyc2lvbiBpbmZv cm1hdGlvbi4KSW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9pbnRlcnByZXRlci9TdGFja1Zp c2l0b3IuY3BwCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT0KLS0tIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9pbnRlcnByZXRl ci9TdGFja1Zpc2l0b3IuY3BwCShyZXZpc2lvbiAxNzI3OTIpCisrKyBTb3VyY2UvSmF2YVNjcmlw dENvcmUvaW50ZXJwcmV0ZXIvU3RhY2tWaXNpdG9yLmNwcAkod29ya2luZyBjb3B5KQpAQCAtMzgs MTIgKzM4LDIwIEBAIG5hbWVzcGFjZSBKU0MgewogU3RhY2tWaXNpdG9yOjpTdGFja1Zpc2l0b3Io Q2FsbEZyYW1lKiBzdGFydEZyYW1lKQogewogICAgIG1fZnJhbWUubV9pbmRleCA9IDA7Ci0gICAg aWYgKHN0YXJ0RnJhbWUpCisgICAgQ2FsbEZyYW1lKiB0b3BGcmFtZTsKKyAgICBpZiAoc3RhcnRG cmFtZSkgewogICAgICAgICBtX2ZyYW1lLm1fVk1FbnRyeUZyYW1lID0gc3RhcnRGcmFtZS0+dm0o KS50b3BWTUVudHJ5RnJhbWU7Ci0gICAgZWxzZQorICAgICAgICB0b3BGcmFtZSA9IHN0YXJ0RnJh bWUtPnZtKCkudG9wQ2FsbEZyYW1lOworICAgIH0gZWxzZSB7CiAgICAgICAgIG1fZnJhbWUubV9W TUVudHJ5RnJhbWUgPSAwOworICAgICAgICB0b3BGcmFtZSA9IDA7CisgICAgfQogICAgIG1fZnJh bWUubV9jYWxsZXJJc1ZNRW50cnlGcmFtZSA9IGZhbHNlOwotICAgIHJlYWRGcmFtZShzdGFydEZy YW1lKTsKKyAgICByZWFkRnJhbWUodG9wRnJhbWUpOworCisgICAgLy8gRmluZCB0aGUgZnJhbWUg dGhlIGNhbGxlciB3YW50cyB0byBzdGFydCB1bndpbmRpbmcgZnJvbS4KKyAgICB3aGlsZSAobV9m cmFtZS5jYWxsRnJhbWUoKSAmJiBtX2ZyYW1lLmNhbGxGcmFtZSgpICE9IHN0YXJ0RnJhbWUpCisg ICAgICAgIGdvdG9OZXh0RnJhbWUoKTsKIH0KIAogdm9pZCBTdGFja1Zpc2l0b3I6OmdvdG9OZXh0 RnJhbWUoKQo=