Bug 127738

Summary: Web Inspector: CRASH when debugger closes remote inspecting JSContext
Product: WebKit Reporter: Joseph Pecoraro <joepeck>
Component: Web Inspector    Assignee: Joseph Pecoraro <joepeck>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, graouts, joepeck, timothy, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Attachments:
[PATCH] Proposed Fix (Flags: none)

Description Joseph Pecoraro 2014-01-27 17:20:26 PST
* SUMMARY
JSContext hosting application crashes when a remote debugger disconnects during inspection.

* STEPS TO REPRODUCE
1. Launch JSContextTester application
2. Inspect JSContext from remote debugger
3. Close remote debugger
  => CRASH

* NOTES
It looks like RemoteInspectorXPCConnection may be handling an event on a background dispatch_queue at the same time that the main queue releases the RemoteInspectorXPCConnection. The dispatch_queue is passed a "weakThis" pointer, which is wrong.

* CRASH

void RemoteInspectorXPCConnection::handleEvent(xpc_object_t object)
{
    if (!m_connection)
        return;

    if (xpc_get_type(object) == XPC_TYPE_ERROR) {
        if (m_client)
            m_client->xpcConnectionFailed(this); // <-- CRASH EXC_BAD_ACCESS
        return;
    }
...
}

(lldb) bt
* thread #4: tid = 0x1292ba, 0x00000001003a11ab JavaScriptCore`Inspector::RemoteInspectorXPCConnection::handleEvent(this=0x00000001099333e0, object=<unavailable>) + 155 at RemoteInspectorXPCConnection.mm:112, queue = 'com.apple.JavaScriptCore.remote-inspector-xpc-connection, stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
    frame #0: 0x00000001003a11ab JavaScriptCore`Inspector::RemoteInspectorXPCConnection::handleEvent(this=0x00000001099333e0, object=<unavailable>) + 155 at RemoteInspectorXPCConnection.mm:112
    frame #1: 0x00007fff8bb645cc libxpc.dylib`_xpc_connection_call_event_handler + 58
    frame #2: 0x00007fff8bb62dcb libxpc.dylib`_xpc_connection_mach_event + 1080
    frame #3: 0x00007fff8d745afe libdispatch.dylib`_dispatch_client_callout4 + 9
    frame #4: 0x00007fff8d74865c libdispatch.dylib`_dispatch_mach_cancel_invoke + 50
    frame #5: 0x00007fff8d745860 libdispatch.dylib`_dispatch_mach_invoke + 604
    frame #6: 0x00007fff8d744633 libdispatch.dylib`_dispatch_queue_drain + 359
    frame #7: 0x00007fff8d7459dd libdispatch.dylib`_dispatch_queue_invoke + 110
    frame #8: 0x00007fff8d743fa3 libdispatch.dylib`_dispatch_root_queue_drain + 75
    frame #9: 0x00007fff8d745193 libdispatch.dylib`_dispatch_worker_thread2 + 40
    frame #10: 0x00007fff8f33cef8 libsystem_pthread.dylib`_pthread_wqthread + 314
    frame #11: 0x00007fff8f33ffb9 libsystem_pthread.dylib`start_wqthread + 13
Comment 1 Joseph Pecoraro 2014-01-27 17:21:43 PST
I'm going to look into changing RemoteInspectorXPCConnection from OwnPtr to a ThreadSafeRefPtr. In the old iOS inspector this used to be a retained NSObject in the block, where the "weakThis" is now not keeping the object alive.
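The lifetime problem described in the report and the fix direction in comment 1 (hold the connection by a thread-safe ref-counted pointer instead of handing the background queue a raw "weakThis") can be shown outside of WebKit. The example below is added here and is not WebKit's code: std::shared_ptr stands in for WTF::ThreadSafeRefPtr, std::thread stands in for the libdispatch background queue, and Client, Trace, Connection and runScenario are constructed names. The two condition-variable gates force the exact interleaving from the bug: the handler is already running when the owner on the main thread drops its reference. Because the handler captured its own strong reference, handleError() runs on a live object and the destructor fires only afterwards; with a raw pointer the same interleaving would be the EXC_BAD_ACCESS in the backtrace.

```cpp
#include <condition_variable>
#include <memory>
#include <mutex>
#include <string>
#include <thread>
#include <vector>

// Constructed stand-in for the RemoteInspectorXPCConnection client interface.
struct Client {
    virtual ~Client() = default;
    virtual void xpcConnectionFailed() = 0;
};

// Thread-safe, ordered event log (constructed for this example) so the outcome can be checked.
class Trace {
public:
    void add(const std::string& event)
    {
        std::lock_guard<std::mutex> lock(m_mutex);
        m_events.push_back(event);
    }
    std::vector<std::string> events()
    {
        std::lock_guard<std::mutex> lock(m_mutex);
        return m_events;
    }
private:
    std::mutex m_mutex;
    std::vector<std::string> m_events;
};

// Stand-in for the XPC connection object. Only the shape of handleEvent() from the
// report is kept: check for a client, then notify it of the failure.
class Connection {
public:
    Connection(Client* client, Trace& trace) : m_client(client), m_trace(trace) { }
    ~Connection() { m_trace.add("destroyed"); }

    void handleError()
    {
        m_trace.add("handleError");
        if (m_client)
            m_client->xpcConnectionFailed(); // the call that crashed when |this| had been freed
    }

private:
    Client* m_client;
    Trace& m_trace;
};

// Reproduces the ordering from the report deterministically: the handler is already
// running on the background thread when the owner drops its reference. Because the
// handler captured a strong reference (std::shared_ptr here, ThreadSafeRefPtr in WTF)
// instead of a raw "weakThis", the object stays alive until the handler is done.
std::vector<std::string> runScenario()
{
    Trace trace;
    struct RecordingClient : Client {
        Trace& trace;
        explicit RecordingClient(Trace& t) : trace(t) { }
        void xpcConnectionFailed() override { trace.add("xpcConnectionFailed"); }
    } client(trace);

    std::mutex gateMutex;
    std::condition_variable gate;
    bool handlerStarted = false;
    bool ownerReleased = false;

    // Main-thread owner, as the remote inspector would hold the connection.
    std::shared_ptr<Connection> owner = std::make_shared<Connection>(&client, trace);

    // Background "queue": the handler takes its own strong reference before it starts.
    std::thread handler([strongThis = owner, &gateMutex, &gate, &handlerStarted, &ownerReleased]() mutable {
        {
            std::unique_lock<std::mutex> lock(gateMutex);
            handlerStarted = true;
            gate.notify_all();
            gate.wait(lock, [&] { return ownerReleased; }); // let the main thread release first
        }
        strongThis->handleError(); // safe: strongThis still owns the object
        strongThis.reset();        // last reference dropped here, so the destructor runs after handleError
    });

    {
        std::unique_lock<std::mutex> lock(gateMutex);
        gate.wait(lock, [&] { return handlerStarted; });
    }
    owner.reset(); // the main thread releases while the handler is mid-flight
    trace.add("ownerReleased");
    {
        std::lock_guard<std::mutex> lock(gateMutex);
        ownerReleased = true;
    }
    gate.notify_all();
    handler.join();
    return trace.events();
}

// True when the handler completed on a live object and destruction came last.
bool handlerOutlivesOwnerRelease()
{
    const std::vector<std::string> expected = { "ownerReleased", "handleError", "xpcConnectionFailed", "destroyed" };
    return runScenario() == expected;
}
```

Calling runScenario() yields the events in the order ownerReleased, handleError, xpcConnectionFailed, destroyed: the owner's release no longer decides the object's lifetime, the last strong reference does. The gates exist only to make the race reproducible in a test; in production the same window opens whenever the main queue tears the connection down while libxpc is delivering an error event.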
Comment 2 Radar WebKit Bug Importer 2014-01-27 17:24:34 PST
<rdar://problem/15921226>
Comment 3 Joseph Pecoraro 2014-01-27 19:44:33 PST
Created attachment 222397 [details]
[PATCH] Proposed Fix
Comment 4 WebKit Commit Bot 2014-01-27 20:51:23 PST
Comment on attachment 222397 [details]
[PATCH] Proposed Fix

Clearing flags on attachment: 222397

Committed r162910: <http://trac.webkit.org/changeset/162910>
Comment 5 WebKit Commit Bot 2014-01-27 20:51:25 PST
All reviewed patches have been landed.  Closing bug.