9731 2006-07-04 12:56:11 -0700 [Drosera] crash when trying to access the scope chain 2008-05-17 09:55:53 -0700 1 1 1 Unclassified WebKit New Bugs 420+ Mac OS X 10.4 CLOSED FIXED P2 Major --- 9597 9598 1 timothy timothy oldest_to_newest 48188 0 timothy 2006-07-04 12:56:11 -0700 Drosera crashes Safari when it tries to access the scope chain. This is happening because the WebCoreScriptDebugger and one of the WebCoreScriptCallFrames is holding on to an old WebScriptObject for the frame's window. The window object is cleared each time a page loads, so the debugger needs to be detached and reattached when this happens. 48191 1 9195 timothy 2006-07-04 13:06:02 -0700 Created attachment 9195 Patch to fix the crash 48194 2 9195 darin 2006-07-04 14:37:21 -0700 Comment on attachment 9195 Patch to fix the crash Sounds wrong to me. The window object is cleared, yes, but it is the same window object. Why do we need to create a new WebScriptObject each time when it's the same window object? 48200 3 9195 darin 2006-07-04 14:52:07 -0700 Comment on attachment 9195 Patch to fix the crash I talked to Tim and made it clear this is not a fix, but rather a workaround, for whatever bug he's run into. He's going to investigate further. 48303 4 timothy 2006-07-04 22:39:59 -0700 Turns out this crash is the same root cause of <rdar://problem/4608404> WebScriptObject's _executionContext has no ownership policy. Here is what Goeff had to say in the radar. "Whenever the current page changes, FrameMac::setView calls FrameMac::cleanupPluginRootObjects() (WebCore/bridge/mac/FrameMac.mm), which calls removeAllNativeReferences(), which unprotects all JSObjects that have been bound to wrappers in other languages (Java, C, Objc). The assumption in this code is that JSObjects only get bound to wrappers belonging to plug-ins, and that plug-ins go away when the page changes. This assumption is incorrect. WebKit's WebScriptObject API allows an app to embed a WebView and access its data through WebScriptObject wrappers. As long as those wrappers are alive, the data they bind should remain alive, too." I do not understand the design well enough to fix cleanupPluginRootObjects, I will leave it to Geoff. Can my patch land with a FIXME until <rdar://problem/4608404> is fixed? This fix will unblock bug 9597, and bug 9598. 48305 5 9195 mjs 2006-07-04 22:59:28 -0700 Comment on attachment 9195 Patch to fix the crash r=me 48306 6 timothy 2006-07-04 23:13:01 -0700 Landed in r15159. The [_frame _detachScriptDebugger] lineĀ can be rolled out onceĀ <rdar://problem/4608404> is fixed. 80742 7 timothy 2008-05-17 09:55:53 -0700 Closing since Drosera has been replaced by the new Web Inspector debugger. Moving to the New Bugs component so the Drosera component can be closed and removed. 9195 2006-07-04 13:06:02 -0700 2006-07-04 22:59:28 -0700 Patch to fix the crash 9731.patch text/plain 2064 timothy SW5kZXg6IENoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBDaGFuZ2VMb2cJKHJldmlzaW9uIDE1MTUw KQorKysgQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMjIgQEAKKzIwMDYtMDct MDQgIFRpbW90aHkgSGF0Y2hlciAgPHRpbW90aHlAYXBwbGUuY29tPgorCisgICAgICAgIFJldmll d2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIEJ1ZyA5NzMxOiBbRHJvc2VyYV0gY3Jh c2ggd2hlbiB0cnlpbmcgdG8gYWNjZXNzIHRoZSBzY29wZSBjaGFpbgorICAgICAgICBodHRwOi8v YnVnemlsbGEub3BlbmRhcndpbi5vcmcvc2hvd19idWcuY2dpP2lkPTk3MzEKKworICAgICAgICBE cm9zZXJhIHdpbGwgY3Jhc2ggU2FmYXJpIHdoZW4gdHJ5aW5nIHRvIGFjY2VzcyB0aGUgc2NvcGUg Y2hhaW4uCisgICAgICAgIFRoaXMgaGFwcGVucyBiZWNhdXNlIHRoZSBXZWJDb3JlU2NyaXB0RGVi dWdnZXIgYW5kIG9uZSBvZiB0aGUKKyAgICAgICAgV2ViQ29yZVNjcmlwdENhbGxGcmFtZXMgaXMg aG9sZGluZyBvbiB0byBhbiBvbGQgV2ViU2NyaXB0T2JqZWN0CisgICAgICAgIGZvciB0aGUgZnJh bWUncyB3aW5kb3cgb2JqZWN0LiBUaGUgd2luZG93IG9iamVjdCBpcyBjbGVhcmVkIGVhY2gKKyAg ICAgICAgdGltZSBhIHBhZ2UgbG9hZHMsIHNvIHRoZSBkZWJ1Z2dlciBuZWVkcyB0byBiZSBkZXRh Y2hlZCBhbmQKKyAgICAgICAgcmVhdHRhY2hlZCB3aGVuIHRoaXMgaGFwcGVucy4gVGhpcyBjaGFu Z2UgYWxzbyBhdHRhY2hlcyB0aGUgZGVidWdnZXIKKyAgICAgICAgYmVmb3JlIHdlIGNhbGwgdGhl IHdpbmRvd1NjcmlwdE9iamVjdEF2YWlsYWJsZTogZGVsZWdhdGUgbWV0aG9kLAorICAgICAgICBz byB0aGUgZGVidWdnZXIgaXMgcmVhZHkgYmVmb3JlIGFueW9uZSBtaWdodCB1c2UgdGhlIHdpbmRv dyBvYmplY3QuCisKKyAgICAgICAgKiBXZWJDb3JlU3VwcG9ydC9XZWJGcmFtZUJyaWRnZS5tOgor ICAgICAgICAoLVtXZWJGcmFtZUJyaWRnZSB3aW5kb3dPYmplY3RDbGVhcmVkXSk6CisKIDIwMDYt MDctMDQgIEFsZXhleSBQcm9za3VyeWFrb3YgIDxhcEBueXBvcC5jb20+CiAKICAgICAgICAgUmV2 aWV3ZWQgYnkgTWFjaWVqLgpJbmRleDogV2ViQ29yZVN1cHBvcnQvV2ViRnJhbWVCcmlkZ2UubQo9 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09Ci0tLSBXZWJDb3JlU3VwcG9ydC9XZWJGcmFtZUJyaWRnZS5tCShyZXZpc2lvbiAx NTE1MCkKKysrIFdlYkNvcmVTdXBwb3J0L1dlYkZyYW1lQnJpZGdlLm0JKHdvcmtpbmcgY29weSkK QEAgLTE0OTQsOSArMTQ5NCwxMSBAQCBzdGF0aWMgaWQgPFdlYkZvcm1EZWxlZ2F0ZT4gZm9ybURl bGVnYXRlCiAtICh2b2lkKXdpbmRvd09iamVjdENsZWFyZWQKIHsKICAgICBXZWJWaWV3ICp3diA9 IFtzZWxmIHdlYlZpZXddOwotICAgIFtbd3YgX2ZyYW1lTG9hZERlbGVnYXRlRm9yd2FyZGVyXSB3 ZWJWaWV3Ond2IHdpbmRvd1NjcmlwdE9iamVjdEF2YWlsYWJsZTpbc2VsZiB3aW5kb3dTY3JpcHRP YmplY3RdXTsKLSAgICBpZiAoW3d2IHNjcmlwdERlYnVnRGVsZWdhdGVdIHx8IFtXZWJTY3JpcHRE ZWJ1Z1NlcnZlciBsaXN0ZW5lckNvdW50XSkKKyAgICBpZiAoW3d2IHNjcmlwdERlYnVnRGVsZWdh dGVdIHx8IFtXZWJTY3JpcHREZWJ1Z1NlcnZlciBsaXN0ZW5lckNvdW50XSkgeworICAgICAgICBb X2ZyYW1lIF9kZXRhY2hTY3JpcHREZWJ1Z2dlcl07IC8vIGRldGFjaCB0aGUgb2xkIGRlYnVnZ2Vy IHRoYXQgaG9sZHMgYSByZWZlcmVuY2UgdG8gdGhlIG9sZCB3aW5kb3cgb2JqZWN0CiAgICAgICAg IFtfZnJhbWUgX2F0dGFjaFNjcmlwdERlYnVnZ2VyXTsKKyAgICB9CisgICAgW1t3diBfZnJhbWVM b2FkRGVsZWdhdGVGb3J3YXJkZXJdIHdlYlZpZXc6d3Ygd2luZG93U2NyaXB0T2JqZWN0QXZhaWxh YmxlOltzZWxmIHdpbmRvd1NjcmlwdE9iamVjdF1dOwogfQogCiAtIChpbnQpc3BlbGxDaGVja2Vy RG9jdW1lbnRUYWcK