| Field | Value |
|---|---|
| Summary: | REGRESSION (r163011-r163031): Web Inspector: Latest nightly crashes when showing the Web Inspector |
| Product: | WebKit |
| Component: | Web Inspector |
| Reporter: | Recep ASLANTAS <recpp> |
| Assignee: | Michael Saboff <msaboff> |
| Status: | RESOLVED FIXED |
| Severity: | Normal |
| Priority: | P2 |
| CC: | fpizlo, ggaren, graouts, joepeck, msaboff, phiw2, timothy, webkit-bug-importer |
| Keywords: | InRadar, Regression |
| Version: | 528+ (Nightly build) |
| Hardware: | Mac (Intel) |
| OS: | OS X 10.9 |
| Attachments: | 222655: Crash report; 222700: Crash report; 222708: The crash report; 223039: Patch |
Description
Recep ASLANTAS
2014-01-30 02:54:51 PST
Created attachment 222655 [details]
Crash report
When I try to show the Web Inspector, WebKit.app crashes and shows the crash report...
Please attach the text content of the crash, not a screenshot.

Created attachment 222700 [details]
Crash report

Reproduces if you show the Inspector on http://nightly.webkit.org/start/. JSC C Stack regression from the merge in r163027?

Created attachment 222708 [details]
The crash report
I have tried showing the Web Inspector on http://apple.com, http://google.com and http://recp.me BUT WebKit.app is still crashing when the Web Inspector is shown... Should I redownload WebKit.app? My Mac OS X is a beta (OS X 10.9.2 (latest)). May the beta version of OS X cause the crash?

I do not think it is the OS X version I am using: OS X 10.9.2 (13C44)

*** Bug 128038 has been marked as a duplicate of this bug. ***

It appears that when we get to shouldBypassMainWorldContentSecurityPolicy(), VM::topCallFrame is stale. The memory pointed to by callFrame doesn't look like a callFrame.

frame #8: 0x000000010d546608 WebCore`WebCore::ScriptController::shouldBypassMainWorldContentSecurityPolicy(this=0x00007fb190846f20) + 72 at ScriptController.cpp:474
   471      CallFrame* callFrame = JSDOMWindow::commonVM()->topCallFrame;
   472      if (callFrame == CallFrame::noCaller())
   473          return false;
-> 474      DOMWrapperWorld& domWrapperWorld = currentWorld(callFrame);
   475      if (domWrapperWorld.isNormal())
   476          return false;
   477      return true;
(lldb) p callFrame
(CallFrame *) $451 = 0x00007fff5b250870
(lldb) mem read -f p -c 40 callFrame
0x7fff5b250870: 0x00007fb19110eb10 0x000000011323d3f0 0x000000011323d3f0 0x00007fb18a6300b0
0x7fff5b250890: 0x000000011323d3f0 0x000000011323d3f0 0x00007fff5b250940 0x000000011323d3f0
0x7fff5b2508b0: 0x00007fff5b250940 0x00004cb01721ae3a 0x00007fb18a844618 0x0000000113236f30
0x7fff5b2508d0: 0x00007fff00000000 0x0000000113236f30 0x00007fff5b250940 0x00004cb0172ae653
0x7fff5b2508f0: 0x00007fb18a4c6100 0x000000011506f470 0x000000011480adf0 0x8000000100000003
0x7fff5b250910: 0x000000011506f470 0x0000000113236f30 0x000000011323d3f0 0x000000011506f470
0x7fff5b250930: 0x000000000000000a 0x000000000000000a 0x00007fff5b2509c0 0x00004cb017381312
0x7fff5b250950: 0x00007fb191321120 0x000000011506f470 0x000000011480d6b0 0x0000015300000002
0x7fff5b250970: 0x000000011506f470 0x00000001133fee70 0x00007fff5b2509c0 0x000000011480d6b0
0x7fff5b250990: 0x00007fff5b2509b0 0x000000000000000a 0x000000000000000a 0x000000000000000a
(lldb)

The backtrace is below. The execState in frame 38 is quite near the VM::topCallFrame at the point of failure.
(lldb) bt
* thread #1: tid = 0x5d40c, 0x000000010bd3ec6c WebCore`JSC::Structure::classInfo(this=0x0000000c00000014) const + 12 at Structure.h:310, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xc0000004c)
frame #0: 0x000000010bd3ec6c WebCore`JSC::Structure::classInfo(this=0x0000000c00000014) const + 12 at Structure.h:310
frame #1: 0x000000010bd3eeab WebCore`JSC::JSCell::classInfo(this=0x00007fb18a6300b0) const + 91 at JSDestructibleObject.h:37
frame #2: 0x000000010bd3ee39 WebCore`JSC::JSCell::inherits(this=0x00007fb18a6300b0, info=0x000000010ae9e1e0) const + 25 at JSCellInlines.h:167
frame #3: 0x000000010bdd5fa3 WebCore`JSC::JSScope* JSC::jsCast<JSC::JSScope*>(from=JSValue at 0x00007fff5b2481c8) + 67 at JSCell.h:187
frame #4: 0x000000010bdd5f52 WebCore`JSC::Register::scope(this=0x00007fff5b250888) const + 34 at JSScope.h:237
frame #5: 0x000000010bdd5e35 WebCore`JSC::ExecState::scope(this=0x00007fff5b250870) const + 37 at CallFrame.h:49
frame #6: 0x000000010bdd5df5 WebCore`JSC::ExecState::lexicalGlobalObject(this=0x00007fff5b250870) const + 21 at JSScope.h:248
frame #7: 0x000000010bde27d5 WebCore`WebCore::currentWorld(exec=0x00007fff5b250870) + 21 at DOMWrapperWorld.h:77
frame #8: 0x000000010d546608 WebCore`WebCore::ScriptController::shouldBypassMainWorldContentSecurityPolicy(this=0x00007fb190846f20) + 72 at ScriptController.cpp:474
frame #9: 0x000000010be0d7e9 WebCore`WebCore::CachedResourceLoader::canRequest(this=0x00007fb190b23d20, type=ImageResource, url=0x00007fff5b2485f0, options=0x00007fff5b248928, forPreload=false) + 249 at CachedResourceLoader.cpp:299
frame #10: 0x000000010be0de16 WebCore`WebCore::CachedResourceLoader::requestResource(this=0x00007fb190b23d20, type=ImageResource, request=0x00007fff5b248848) + 470 at CachedResourceLoader.cpp:419
frame #11: 0x000000010be0d6b4 WebCore`WebCore::CachedResourceLoader::requestImage(this=0x00007fb190b23d20, request=0x00007fff5b248848) + 388 at CachedResourceLoader.cpp:163
frame #12: 0x000000010bfef0c9 WebCore`WebCore::CSSImageValue::cachedImage(this=0x00007fb190df4660, loader=0x00007fb190b23d20, options=0x000000010e64ef88) + 441 at CSSImageValue.cpp:90
frame #13: 0x000000010d6e92ba WebCore`WebCore::StyleResolver::loadPendingImage(this=0x00007fb192129fd0, pendingImage=0x00007fb1908401c0, options=0x000000010e64ef88) + 122 at StyleResolver.cpp:3546
frame #14: 0x000000010d6e9474 WebCore`WebCore::StyleResolver::loadPendingImage(this=0x00007fb192129fd0, pendingImage=0x00007fb1908401c0) + 68 at StyleResolver.cpp:3566
frame #15: 0x000000010d6e9972 WebCore`WebCore::StyleResolver::loadPendingImages(this=0x00007fb192129fd0) + 1058 at StyleResolver.cpp:3611
frame #16: 0x000000010d6e416e WebCore`WebCore::StyleResolver::loadPendingResources(this=0x00007fb192129fd0) + 174 at StyleResolver.cpp:3699
frame #17: 0x000000010d6dcfbc WebCore`WebCore::StyleResolver::applyMatchedProperties(this=0x00007fb192129fd0, matchResult=0x00007fff5b24f878, element=0x00007fb1915f8460, shouldUseMatchedPropertiesCache=UseMatchedPropertiesCache) + 1740 at StyleResolver.cpp:1800
frame #18: 0x000000010d6da82f WebCore`WebCore::StyleResolver::styleForElement(this=0x00007fb192129fd0, element=0x00007fb1915f8460, defaultParent=0x0000000000000000, sharingBehavior=AllowStyleSharing, matchingBehavior=MatchAllRules, regionForStyling=0x0000000000000000) + 1263 at StyleResolver.cpp:853
frame #19: 0x000000010c356535 WebCore`WebCore::Element::styleForRenderer(this=0x00007fb1915f8460) + 293 at Element.cpp:1458
frame #20: 0x000000010be8ff8f WebCore`WebCore::Style::createRendererIfNeeded(element=0x00007fb1915f8460, resolvedStyle=0x00007fff5b250160) + 223 at StyleResolveTree.cpp:215
frame #21: 0x000000010be8fd29 WebCore`WebCore::Style::attachRenderTree(current=0x00007fb1915f8460, resolvedStyle=0x00007fff5b250198) + 121 at StyleResolveTree.cpp:538
frame #22: 0x000000010be904d4 WebCore`WebCore::Style::attachChildren(current=0x00007fb1915f8200) + 324 at StyleResolveTree.cpp:463
frame #23: 0x000000010be8fdf8 WebCore`WebCore::Style::attachRenderTree(current=0x00007fb1915f8200, resolvedStyle=0x00007fff5b250298) + 328 at StyleResolveTree.cpp:554
frame #24: 0x000000010be8f3f2 WebCore`WebCore::Style::resolveLocal(current=0x00007fb1915f8200, inheritedChange=NoChange) + 322 at StyleResolveTree.cpp:678
frame #25: 0x000000010be8ed30 WebCore`WebCore::Style::resolveTree(current=0x00007fb1915f8200, change=NoChange) + 336 at StyleResolveTree.cpp:832
frame #26: 0x000000010be8eef0 WebCore`WebCore::Style::resolveTree(current=0x00007fb190b987e0, change=NoChange) + 784 at StyleResolveTree.cpp:864
frame #27: 0x000000010be8eef0 WebCore`WebCore::Style::resolveTree(current=0x00007fb191262250, change=NoChange) + 784 at StyleResolveTree.cpp:864
frame #28: 0x000000010be8eef0 WebCore`WebCore::Style::resolveTree(current=0x00007fb1912b7fb0, change=NoChange) + 784 at StyleResolveTree.cpp:864
frame #29: 0x000000010be8eef0 WebCore`WebCore::Style::resolveTree(current=0x00007fb1910a5350, change=NoChange) + 784 at StyleResolveTree.cpp:864
frame #30: 0x000000010be8eef0 WebCore`WebCore::Style::resolveTree(current=0x00007fb1910a56f0, change=NoChange) + 784 at StyleResolveTree.cpp:864
frame #31: 0x000000010be8eef0 WebCore`WebCore::Style::resolveTree(current=0x00007fb1910a4720, change=NoChange) + 784 at StyleResolveTree.cpp:864
frame #32: 0x000000010be8eef0 WebCore`WebCore::Style::resolveTree(current=0x00007fb18a4c0900, change=NoChange) + 784 at StyleResolveTree.cpp:864
frame #33: 0x000000010be8ebd1 WebCore`WebCore::Style::resolveTree(document=0x00007fb18d80d400, change=NoChange) + 497 at StyleResolveTree.cpp:906
frame #34: 0x000000010c1b7416 WebCore`WebCore::Document::recalcStyle(this=0x00007fb18d80d400, change=NoChange) + 470 at Document.cpp:1733
frame #35: 0x000000010c1b3c4f WebCore`WebCore::Document::updateStyleIfNeeded(this=0x00007fb18d80d400) + 431 at Document.cpp:1781
frame #36: 0x000000010c1b49c4 WebCore`WebCore::Document::updateLayout(this=0x00007fb18d80d400) + 244 at Document.cpp:1800
frame #37: 0x000000010c1b7cbf WebCore`WebCore::Document::updateLayoutIgnorePendingStylesheets(this=0x00007fb18d80d400) + 207 at Document.cpp:1841
frame #38: 0x000000010c352837 WebCore`WebCore::Element::offsetHeight(this=0x00007fb19110eb10) + 39 at Element.cpp:712
frame #39: 0x000000010caf0818 WebCore`WebCore::jsElementOffsetHeight(exec=0x00007fff5b250940, slotBase=4616082416, thisValue=4616082416, =PropertyName at 0x00007fff5b250888) + 104 at JSElement.cpp:386
frame #40: 0x00004cb01721ae3a
frame #41: 0x00004cb017381312
frame #42: 0x00004cb0172be2d4
frame #43: 0x000000010aa3d9bb JavaScriptCore`llint_op_call + 262
I think that means that the optimized call out to jsElementOffsetHeight neglected to set topCallFrame.

Created attachment 223039 [details]
Patch
Comment on attachment 223039 [details]
Patch
r=me
Would be nice to have a test case for this.
Committed r163342: <http://trac.webkit.org/changeset/163342>
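The analysis in this bug concludes that the optimized call into jsElementOffsetHeight did not publish VM::topCallFrame, so shouldBypassMainWorldContentSecurityPolicy() dereferenced a stale frame and crashed in Structure::classInfo. The C++ below is an added example, not WebKit code and not the patch attached to this bug: it models the invariant in miniature with hypothetical VM, CallFrame and NativeCallFrameTracer types that borrow JSC's names. It reproduces the crash case (stale pointer into recycled stack memory) and also the quieter outcome the same staleness can produce when the old frame's memory is still intact: the CSP check reads the previous caller's world and bypasses CSP for the wrong script.

```cpp
// Added example: a toy model of the VM::topCallFrame invariant behind this bug.
// Not WebKit code; VM, CallFrame and NativeCallFrameTracer here are hypothetical
// stand-ins that borrow JSC's names.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <new>

namespace topframe_model {

enum class World { Normal, Isolated };

// Stand-in for JSC::CallFrame. The consumer below only needs the
// DOMWrapperWorld of the running script; `magic` lets the model notice when a
// pointer no longer refers to a live frame (the real code has no such check,
// which is why lldb showed unrelated stack data being read as a frame).
struct CallFrame {
    static constexpr uint64_t kMagic = 0x43616c6c4672616dULL;  // "CallFram"
    uint64_t magic;
    World world;
};

// Stand-in for JSC::VM: a small machine stack plus the published top frame.
struct VM {
    alignas(CallFrame) unsigned char stack[1024];
    size_t sp = 0;                      // bytes of `stack` in use
    CallFrame* topCallFrame = nullptr;  // nullptr plays CallFrame::noCaller()

    CallFrame* pushFrame(World w) {
        CallFrame* f = new (stack + sp) CallFrame{CallFrame::kMagic, w};
        sp += sizeof(CallFrame);
        return f;
    }
    void popFrame() { sp -= sizeof(CallFrame); }
    // Overwrite the free part of the stack, as later native calls would.
    void clobberFreeStack() { std::memset(stack + sp, 0xAB, sizeof(stack) - sp); }
};

// Stand-in for JSC::NativeCallFrameTracer: a native entry point publishes the
// frame it was called from before doing anything that might read it.
struct NativeCallFrameTracer {
    NativeCallFrameTracer(VM& vm, CallFrame* exec) { vm.topCallFrame = exec; }
};

// Modelled on ScriptController::shouldBypassMainWorldContentSecurityPolicy():
//   0  caller is in the normal world (CSP applies)
//   1  caller is in an isolated world (CSP bypassed)
//  -1  topCallFrame does not point at a live frame (the EXC_BAD_ACCESS case)
int shouldBypassMainWorldCSP(const VM& vm) {
    const CallFrame* callFrame = vm.topCallFrame;
    if (!callFrame)
        return 0;
    if (callFrame->magic != CallFrame::kMagic)
        return -1;
    return callFrame->world == World::Isolated ? 1 : 0;
}

// Style recalc -> CachedResourceLoader::canRequest() -> the CSP check above.
int resolveStyleAndCheckCSP(VM& vm) { return shouldBypassMainWorldCSP(vm); }

// A DOM getter in the role of jsElementOffsetHeight. `publishFrame` models
// whether the call path that reached it remembered to set topCallFrame.
int offsetHeightGetter(VM& vm, CallFrame* exec, bool publishFrame) {
    if (publishFrame) {
        NativeCallFrameTracer tracer(vm, exec);   // the correct path
        return resolveStyleAndCheckCSP(vm);
    }
    return resolveStyleAndCheckCSP(vm);           // the regressed path
}

// Scenario: page script (normal world) calls into an isolated-world function,
// whose frame the interpreter publishes correctly; that call returns; then the
// optimized page script reads el.offsetHeight.
int runScenario(bool optimizedPathPublishesFrame, bool stackReusedSince) {
    VM vm;
    CallFrame* pageScript = vm.pushFrame(World::Normal);
    vm.topCallFrame = pageScript;
    CallFrame* isolated = vm.pushFrame(World::Isolated);
    vm.topCallFrame = isolated;
    vm.popFrame();                 // isolated-world call returns
    if (stackReusedSince)
        vm.clobberFreeStack();     // its frame memory is recycled
    return offsetHeightGetter(vm, pageScript, optimizedPathPublishesFrame);
}

}  // namespace topframe_model

int main() {
    using topframe_model::runScenario;
    std::printf("frame published:        %d (expect 0)\n", runScenario(true, true));
    std::printf("stale, memory reused:   %d (expect -1, crash)\n", runScenario(false, true));
    std::printf("stale, memory intact:   %d (expect 1, wrong bypass)\n", runScenario(false, false));
    return 0;
}
```

The third case is the one worth remembering when reviewing code that reads VM::topCallFrame from WebCore: a missing tracer does not always crash, and when it does not, a security decision keyed on the caller's world is made against whichever frame happened to be published last.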