29514 2009-09-18 22:00:05 -0700 Web Inspector: Crash When Logging an Element Before Opening Inspector 2009-09-21 14:29:38 -0700 1 1 1 Unclassified WebKit Web Inspector (Deprecated) 528+ (Nightly build) All All RESOLVED FIXED P2 Normal --- 1 joepeck pfeldman aroben joepeck pfeldman pmuellr rik timothy oldest_to_newest 148458 0 39811 joepeck 2009-09-18 22:00:05 -0700 Created attachment 39811 [REDUCTION] Test Page Causing Crash This is a regression. The attached file crashes WebKit (r48518) but not Safari 4.0.3. Safari exhibits the expected behavior. Steps to Reproduce: 1. Open the Attached Reduction 2. Click the button on the screen 3. Open the Web Inspector in any way (this will cause the browser to crash) Notes: - The <form> tag is required in order for the x variable in the onclick handler to refer to the <input name="x"> 148459 1 39812 joepeck 2009-09-18 22:20:11 -0700 Created attachment 39812 [REDUCTION] More Generic Test Page Causing Crash After further investigation I found its not specific to form elements. Instead, if you attempt to console.log ANY element before opening the inspector, and then you open the inspector, it causes a crash. With this new test case the only user action required is opening the inspector, which will cause the crash. 148734 2 pmuellr 2009-09-21 10:35:25 -0700 Built a debug version of WebKit, debugged under XCode. EXC_BAD_ACCESS signal generated, stack trace below. in stack frame #6, the following code is executed: m_frontend->setDocument(buildObjectForNode(document, 2, &m_documentNodeToIdMap)); at that point, document is 0x0, which causes the eventual signal. Implies that also at stack frame #6, the call to mainFrameDocument() returns 0x0. At this point, I'm lost, assume pfeldman will have a handle on this, not investigating any further. #0 0x03f55954 in WTF::HashTable<WTF::RefPtr<WebCore::Node>, std::pair<WTF::RefPtr<WebCore::Node>, long>, WTF::PairFirstExtractor<std::pair<WTF::RefPtr<WebCore::Node>, long> >, WTF::PtrHash<WTF::RefPtr<WebCore::Node> >, WTF::PairHashTraits<WTF::HashTraits<WTF::RefPtr<WebCore::Node> >, WTF::HashTraits<long> >, WTF::HashTraits<WTF::RefPtr<WebCore::Node> > >::checkKey<WebCore::Node*, WTF::RefPtrHashMapRawKeyTranslator<WebCore::Node*, std::pair<WTF::RefPtr<WebCore::Node>, long>, WTF::PairHashTraits<WTF::HashTraits<WTF::RefPtr<WebCore::Node> >, WTF::HashTraits<long> >, WTF::PtrHash<WTF::RefPtr<WebCore::Node> > > > at HashTable.h:455 #1 0x03f55a37 in WTF::HashTable<WTF::RefPtr<WebCore::Node>, std::pair<WTF::RefPtr<WebCore::Node>, long>, WTF::PairFirstExtractor<std::pair<WTF::RefPtr<WebCore::Node>, long> >, WTF::PtrHash<WTF::RefPtr<WebCore::Node> >, WTF::PairHashTraits<WTF::HashTraits<WTF::RefPtr<WebCore::Node> >, WTF::HashTraits<long> >, WTF::HashTraits<WTF::RefPtr<WebCore::Node> > >::lookup<WebCore::Node*, WTF::RefPtrHashMapRawKeyTranslator<WebCore::Node*, std::pair<WTF::RefPtr<WebCore::Node>, long>, WTF::PairHashTraits<WTF::HashTraits<WTF::RefPtr<WebCore::Node> >, WTF::HashTraits<long> >, WTF::PtrHash<WTF::RefPtr<WebCore::Node> > > > at HashTable.h:469 #2 0x03f55b08 in WTF::HashMap<WTF::RefPtr<WebCore::Node>, long, WTF::PtrHash<WTF::RefPtr<WebCore::Node> >, WTF::HashTraits<WTF::RefPtr<WebCore::Node> >, WTF::HashTraits<long> >::inlineGet at RefPtrHashMap.h:270 #3 0x03f55b42 in WTF::HashMap<WTF::RefPtr<WebCore::Node>, long, WTF::PtrHash<WTF::RefPtr<WebCore::Node> >, WTF::HashTraits<WTF::RefPtr<WebCore::Node> >, WTF::HashTraits<long> >::get at RefPtrHashMap.h:280 #4 0x03f52411 in WebCore::InspectorDOMAgent::bind at InspectorDOMAgent.cpp:207 #5 0x03f52e3f in WebCore::InspectorDOMAgent::buildObjectForNode at InspectorDOMAgent.cpp:383 #6 0x03f53293 in WebCore::InspectorDOMAgent::pushDocumentToFrontend at InspectorDOMAgent.cpp:245 #7 0x03f53313 in WebCore::InspectorDOMAgent::pushNodePathToFrontend at InspectorDOMAgent.cpp:292 #8 0x03f3968d in WebCore::InspectorBackend::pushNodePathToFrontend at InspectorBackend.cpp:482 #9 0x0408d9d3 in WebCore::JSInspectorBackend::pushNodePathToFrontend at JSInspectorBackendCustom.cpp:328 #10 0x040891b5 in WebCore::jsInspectorBackendPrototypeFunctionPushNodePathToFrontend at JSInspectorBackend.cpp:988 #11 0x189cd166 in ?? #12 0x006e93a5 in JSC::JITCode::execute at JITCode.h:79 #13 0x006d53c1 in JSC::Interpreter::execute at Interpreter.cpp:721 #14 0x0063d815 in JSC::JSFunction::call at JSFunction.cpp:120 #15 0x0063d8f1 in JSC::call at CallData.cpp:39 #16 0x04376103 in WebCore::ScriptFunctionCall::call at ScriptFunctionCall.cpp:126 #17 0x03f3a3bc in WebCore::InspectorBackend::dispatchOnInjectedScript at InspectorBackend.cpp:418 #18 0x04089b13 in WebCore::jsInspectorBackendPrototypeFunctionDispatchOnInjectedScript at JSInspectorBackend.cpp:891 #19 0x189cd166 in ?? #20 0x006e93a5 in JSC::JITCode::execute at JITCode.h:79 #21 0x006d53c1 in JSC::Interpreter::execute at Interpreter.cpp:721 #22 0x0063d815 in JSC::JSFunction::call at JSFunction.cpp:120 #23 0x0063d8f1 in JSC::call at CallData.cpp:39 #24 0x04376103 in WebCore::ScriptFunctionCall::call at ScriptFunctionCall.cpp:126 #25 0x043761d2 in WebCore::ScriptFunctionCall::call at ScriptFunctionCall.cpp:141 #26 0x03f5fe21 in WebCore::InspectorFrontend::addMessageToConsole at InspectorFrontend.cpp:88 #27 0x03baf6ff in WebCore::ConsoleMessage::addToConsole at ConsoleMessage.cpp:93 #28 0x03f3f605 in WebCore::InspectorController::populateScriptObjects at InspectorController.cpp:652 #29 0x03f4167d in WebCore::InspectorController::setWindowVisible at InspectorController.cpp:316 #30 0x003560bd in -[WebInspectorWindowController showWindow:] at WebInspectorClient.mm:354 #31 0x00356284 in WebInspectorClient::showWindow at WebInspectorClient.mm:109 #32 0x03f40ebf in WebCore::InspectorController::showWindow at InspectorController.cpp:624 #33 0x03f43186 in WebCore::InspectorController::scriptObjectReady at InspectorController.cpp:540 #34 0x03f39e3e in WebCore::InspectorBackend::loaded at InspectorBackend.cpp:200 #35 0x0408c59d in WebCore::jsInspectorBackendPrototypeFunctionLoaded at JSInspectorBackend.cpp:260 #36 0x189cd166 in ?? #37 0x006e93a5 in JSC::JITCode::execute at JITCode.h:79 #38 0x006d53c1 in JSC::Interpreter::execute at Interpreter.cpp:721 #39 0x0063d815 in JSC::JSFunction::call at JSFunction.cpp:120 #40 0x0063d8f1 in JSC::call at CallData.cpp:39 #41 0x04008b2a in WebCore::JSEventListener::handleEvent at JSEventListener.cpp:120 #42 0x041e9284 in WebCore::Node::handleLocalEvents at Node.cpp:2463 #43 0x041eb525 in WebCore::Node::dispatchGenericEvent at Node.cpp:2590 #44 0x041ebac1 in WebCore::Node::dispatchEvent at Node.cpp:2517 #45 0x041e934f in WebCore::Node::dispatchEvent at Node.cpp:2905 #46 0x03ed6a9c in WebCore::HTMLScriptElement::dispatchLoadEvent at HTMLScriptElement.cpp:225 #47 0x043704ed in WebCore::ScriptElementData::execute at ScriptElement.cpp:202 #48 0x03cb7007 in WebCore::Document::executeScriptSoonTimerFired at Document.cpp:4324 #49 0x03cca827 in WebCore::Timer<WebCore::Document>::fired at Timer.h:98 #50 0x044aa13f in WebCore::ThreadTimers::sharedTimerFiredInternal at ThreadTimers.cpp:112 #51 0x044aa289 in WebCore::ThreadTimers::sharedTimerFired at ThreadTimers.cpp:90 #52 0x043995ba in WebCore::timerFired at SharedTimerMac.mm:86 #53 0x961308f5 in CFRunLoopRunSpecific #54 0x96130aa8 in CFRunLoopRunInMode #55 0x90bd52ac in RunCurrentEventLoopInMode #56 0x90bd50c5 in ReceiveNextEventCommon #57 0x90bd4f39 in BlockUntilNextEventMatchingListInMode #58 0x96cb06d5 in _DPSNextEvent #59 0x96caff88 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] #60 0x0000c303 in ?? #61 0x96ca8f9f in -[NSApplication run] #62 0x96c761d8 in NSApplicationMain 148754 3 39862 pfeldman 2009-09-21 11:58:05 -0700 Created attachment 39862 patch 148827 4 pfeldman 2009-09-21 14:29:38 -0700 Committing to http://svn.webkit.org/repository/webkit/trunk ... M WebCore/ChangeLog M WebCore/inspector/InspectorController.cpp Committed r48600 39811 2009-09-18 22:00:05 -0700 2009-09-18 22:00:05 -0700 [REDUCTION] Test Page Causing Crash crash.html text/html 119 joepeck PGZvcm0+PGlucHV0IG5hbWU9IngiIHR5cGU9ImJ1dHRvbiIgdmFsdWU9IkNsaWNrIE1lIEZpcnN0 LCBUaGVuIE9wZW4gdGhlIEluc3BlY3RvciEiIG9uY2xpY2s9ImNvbnNvbGUubG9nKHgpIiAvPjwv Zm9ybT4= 39812 2009-09-18 22:20:11 -0700 2009-09-18 22:20:11 -0700 [REDUCTION] More Generic Test Page Causing Crash crash.html text/html 97 joepeck PHNwYW4gaWQ9IngiPkp1c3QgT3BlbmluZyB0aGUgSW5zcGVjdG9yIFdpbGwgQ2F1c2UgYSBDcmFz aDwvc3Bhbj4KPHNjcmlwdD5jb25zb2xlLmxvZyh4KTwvc2NyaXB0Pg== 39862 2009-09-21 11:58:05 -0700 2009-09-21 12:59:22 -0700 patch node_crash text/plain 1569 pfeldman ZGlmZiAtLWdpdCBhL1dlYkNvcmUvQ2hhbmdlTG9nIGIvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXgg NTIxMzVlMS4uMGEwNzFkMCAxMDA2NDQKLS0tIGEvV2ViQ29yZS9DaGFuZ2VMb2cKKysrIGIvV2Vi Q29yZS9DaGFuZ2VMb2cKQEAgLTEsMyArMSwxNCBAQAorMjAwOS0wOS0yMSAgUGF2ZWwgRmVsZG1h biAgPHBmZWxkbWFuQGNocm9taXVtLm9yZz4KKworICAgICAgICBSZXZpZXdlZCBieSBUaW1vdGh5 IEhhdGNoZXIuCisKKyAgICAgICAgV2ViIEluc3BlY3RvcjogQ3Jhc2ggV2hlbiBMb2dnaW5nIGFu IEVsZW1lbnQgQmVmb3JlIE9wZW5pbmcgSW5zcGVjdG9yCisKKyAgICAgICAgaHR0cHM6Ly9idWdz LndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTI5NTE0CisKKyAgICAgICAgKiBpbnNwZWN0b3Iv SW5zcGVjdG9yQ29udHJvbGxlci5jcHA6CisgICAgICAgIChXZWJDb3JlOjpJbnNwZWN0b3JDb250 cm9sbGVyOjpwb3B1bGF0ZVNjcmlwdE9iamVjdHMpOgorCiAyMDA5LTA5LTIwICBBZGFtIEJhcnRo ICA8YWJhcnRoQHdlYmtpdC5vcmc+CiAKICAgICAgICAgUmV2aWV3ZWQgYnkgTWFjaWVqIFN0YWNo b3dpYWsuCmRpZmYgLS1naXQgYS9XZWJDb3JlL2luc3BlY3Rvci9JbnNwZWN0b3JDb250cm9sbGVy LmNwcCBiL1dlYkNvcmUvaW5zcGVjdG9yL0luc3BlY3RvckNvbnRyb2xsZXIuY3BwCmluZGV4IGM2 OWMzMjQuLmQzNTA5ZDEgMTAwNjQ0Ci0tLSBhL1dlYkNvcmUvaW5zcGVjdG9yL0luc3BlY3RvckNv bnRyb2xsZXIuY3BwCisrKyBiL1dlYkNvcmUvaW5zcGVjdG9yL0luc3BlY3RvckNvbnRyb2xsZXIu Y3BwCkBAIC02NDMsNiArNjQzLDEwIEBAIHZvaWQgSW5zcGVjdG9yQ29udHJvbGxlcjo6cG9wdWxh dGVTY3JpcHRPYmplY3RzKCkKICAgICBpZiAoIW1fZnJvbnRlbmQpCiAgICAgICAgIHJldHVybjsK IAorICAgIC8vIEluaXRpYWxpemUgZG9tIGFnZW50IGFuZCByZXNldCBpbmplY3RlZCBzY3JpcHQg c3RhdGUgZmlyc3QuCisgICAgaWYgKG1fZG9tQWdlbnQtPnNldERvY3VtZW50KG1faW5zcGVjdGVk UGFnZS0+bWFpbkZyYW1lKCktPmRvY3VtZW50KCkpKQorICAgICAgICByZXNldEluamVjdGVkU2Ny aXB0KCk7CisKICAgICBSZXNvdXJjZXNNYXA6Oml0ZXJhdG9yIHJlc291cmNlc0VuZCA9IG1fcmVz b3VyY2VzLmVuZCgpOwogICAgIGZvciAoUmVzb3VyY2VzTWFwOjppdGVyYXRvciBpdCA9IG1fcmVz b3VyY2VzLmJlZ2luKCk7IGl0ICE9IHJlc291cmNlc0VuZDsgKytpdCkKICAgICAgICAgaXQtPnNl Y29uZC0+Y3JlYXRlU2NyaXB0T2JqZWN0KG1fZnJvbnRlbmQuZ2V0KCkpOwpAQCAtNjYyLDggKzY2 Niw2IEBAIHZvaWQgSW5zcGVjdG9yQ29udHJvbGxlcjo6cG9wdWxhdGVTY3JpcHRPYmplY3RzKCkK ICAgICAgICAgKCppdCktPmJpbmQobV9mcm9udGVuZC5nZXQoKSk7CiAjZW5kaWYKIAotICAgIGlm IChtX2RvbUFnZW50LT5zZXREb2N1bWVudChtX2luc3BlY3RlZFBhZ2UtPm1haW5GcmFtZSgpLT5k b2N1bWVudCgpKSkKLSAgICAgICAgcmVzZXRJbmplY3RlZFNjcmlwdCgpOwogICAgIG1fZnJvbnRl bmQtPnBvcHVsYXRlSW50ZXJmYWNlKCk7CiB9CiAK