Bug 127901

Summary:

REGRESSION (r163011-r163031): Web Inspector: Latest nightly crashes when showing the Web Inspector

Product:

WebKit

Reporter:

Recep ASLANTAS <recpp>

Component:

Web Inspector

Assignee:

Michael Saboff <msaboff>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

fpizlo, ggaren, graouts, joepeck, msaboff, phiw2, timothy, webkit-bug-importer

Priority:

Keywords:

InRadar, Regression

Version:

528+ (Nightly build)

Hardware:

Mac (Intel)

OS:

OS X 10.9

Attachments:

Description	Flags
Crash report	none
Crash report	none
The crash report	none
Patch	ggaren: review+

Recep ASLANTAS

Reported 2014-01-30 02:54:51 PST

Hi I'm using WebKit.app for testing/learning/developing/bug fixing WebKit/Safari. I was trying show web inspector, the web inspector could not show and WebKit.app has crashed permanently, when I trying re-open web inspector it has crashing... The web inspector has crashing since I updated WebKit.app. So I cannot show Web Inspector on WebKit.app but Safari.app (WebKit.app still work but web inspector cannot showing). Sincerely

Attachments
Crash report (745.56 KB, image/png) 2014-01-30 03:01 PST, Recep ASLANTAS	no flags	Details
Crash report (67.66 KB, application/octet-stream) 2014-01-30 11:36 PST, Timothy Hatcher	no flags	Details
The crash report (68.79 KB, text/plain) 2014-01-30 12:14 PST, Recep ASLANTAS	no flags	Details
Patch (1.85 KB, patch) 2014-02-03 16:27 PST, Michael Saboff	ggaren: review+	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2014-01-30 02:55:01 PST

<rdar://problem/15945029>

Recep ASLANTAS

Comment 2 2014-01-30 03:01:53 PST

Created attachment 222655 [details] Crash report When I trying show web inspector, webkit.app has crashing and show the crash report...

Timothy Hatcher

Comment 3 2014-01-30 08:15:52 PST

Please attach the text content of the crash, not a screenshot.

Timothy Hatcher

Comment 4 2014-01-30 11:36:47 PST

Created attachment 222700 [details] Crash report

Timothy Hatcher

Comment 5 2014-01-30 11:56:22 PST

Reproduces if you show the Inspector on http://nightly.webkit.org/start/. JSC C Stack regression from the merge in r163027?

Recep ASLANTAS

Comment 6 2014-01-30 12:14:43 PST

Created attachment 222708 [details] The crash report

Recep ASLANTAS

Comment 7 2014-01-30 12:23:53 PST

I have tried show web inspector on http://apple.com and http://google.com and http://recp.me BUT WebKit.app still crashing when web inspector is showing... Should I redownload WebKit.app? My Mac OS X is beta (OS X 10.9.2 (latest)). May the beta version of OS X cause the crash? I do not think it is OS X ver I using: OS X 10.9.2 (13C44)

Recep ASLANTAS

Comment 8 2014-01-30 12:39:03 PST

I have just update (partial) WebKit.app r163069 to r163085. But WebKit.app is still crashing.

Timothy Hatcher

Comment 9 2014-01-31 23:29:57 PST

*** Bug 128038 has been marked as a duplicate of this bug. ***

Michael Saboff

Comment 10 2014-02-02 19:07:39 PST

It appears that when we get to shouldBypassMainWorldContentSecurityPolicy(), it appears that VM::topCallFrame is stale. The memory pointed to by callFrame doesn't look like a callFrame. frame #8: 0x000000010d546608 WebCore`WebCore::ScriptController::shouldBypassMainWorldContentSecurityPolicy(this=0x00007fb190846f20) + 72 at ScriptController.cpp:474 471 CallFrame* callFrame = JSDOMWindow::commonVM()->topCallFrame; 472 if (callFrame == CallFrame::noCaller()) 473 return false; -> 474 DOMWrapperWorld& domWrapperWorld = currentWorld(callFrame); 475 if (domWrapperWorld.isNormal()) 476 return false; 477 return true; (lldb) p callFrame (CallFrame *) $451 = 0x00007fff5b250870 (lldb) mem read -f p -c 40 callFrame 0x7fff5b250870: 0x00007fb19110eb10 0x000000011323d3f0 0x000000011323d3f0 0x00007fb18a6300b0 0x7fff5b250890: 0x000000011323d3f0 0x000000011323d3f0 0x00007fff5b250940 0x000000011323d3f0 0x7fff5b2508b0: 0x00007fff5b250940 0x00004cb01721ae3a 0x00007fb18a844618 0x0000000113236f30 0x7fff5b2508d0: 0x00007fff00000000 0x0000000113236f30 0x00007fff5b250940 0x00004cb0172ae653 0x7fff5b2508f0: 0x00007fb18a4c6100 0x000000011506f470 0x000000011480adf0 0x8000000100000003 0x7fff5b250910: 0x000000011506f470 0x0000000113236f30 0x000000011323d3f0 0x000000011506f470 0x7fff5b250930: 0x000000000000000a 0x000000000000000a 0x00007fff5b2509c0 0x00004cb017381312 0x7fff5b250950: 0x00007fb191321120 0x000000011506f470 0x000000011480d6b0 0x0000015300000002 0x7fff5b250970: 0x000000011506f470 0x00000001133fee70 0x00007fff5b2509c0 0x000000011480d6b0 0x7fff5b250990: 0x00007fff5b2509b0 0x000000000000000a 0x000000000000000a 0x000000000000000a (lldb)

Michael Saboff

Comment 11 2014-02-02 19:19:39 PST

The backtrace is below. The execState in frame 38 is quite near the VM::topCallFrame at the point of failure. (lldb) bt * thread #1: tid = 0x5d40c, 0x000000010bd3ec6c WebCore`JSC::Structure::classInfo(this=0x0000000c00000014) const + 12 at Structure.h:310, queue = 'com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=1, address=0xc0000004c) frame #0: 0x000000010bd3ec6c WebCore`JSC::Structure::classInfo(this=0x0000000c00000014) const + 12 at Structure.h:310 frame #1: 0x000000010bd3eeab WebCore`JSC::JSCell::classInfo(this=0x00007fb18a6300b0) const + 91 at JSDestructibleObject.h:37 frame #2: 0x000000010bd3ee39 WebCore`JSC::JSCell::inherits(this=0x00007fb18a6300b0, info=0x000000010ae9e1e0) const + 25 at JSCellInlines.h:167 frame #3: 0x000000010bdd5fa3 WebCore`JSC::JSScope* JSC::jsCast<JSC::JSScope*>(from=JSValue at 0x00007fff5b2481c8) + 67 at JSCell.h:187 frame #4: 0x000000010bdd5f52 WebCore`JSC::Register::scope(this=0x00007fff5b250888) const + 34 at JSScope.h:237 frame #5: 0x000000010bdd5e35 WebCore`JSC::ExecState::scope(this=0x00007fff5b250870) const + 37 at CallFrame.h:49 frame #6: 0x000000010bdd5df5 WebCore`JSC::ExecState::lexicalGlobalObject(this=0x00007fff5b250870) const + 21 at JSScope.h:248 frame #7: 0x000000010bde27d5 WebCore`WebCore::currentWorld(exec=0x00007fff5b250870) + 21 at DOMWrapperWorld.h:77 frame #8: 0x000000010d546608 WebCore`WebCore::ScriptController::shouldBypassMainWorldContentSecurityPolicy(this=0x00007fb190846f20) + 72 at ScriptController.cpp:474 frame #9: 0x000000010be0d7e9 WebCore`WebCore::CachedResourceLoader::canRequest(this=0x00007fb190b23d20, type=ImageResource, url=0x00007fff5b2485f0, options=0x00007fff5b248928, forPreload=false) + 249 at CachedResourceLoader.cpp:299 frame #10: 0x000000010be0de16 WebCore`WebCore::CachedResourceLoader::requestResource(this=0x00007fb190b23d20, type=ImageResource, request=0x00007fff5b248848) + 470 at CachedResourceLoader.cpp:419 frame #11: 0x000000010be0d6b4 WebCore`WebCore::CachedResourceLoader::requestImage(this=0x00007fb190b23d20, request=0x00007fff5b248848) + 388 at CachedResourceLoader.cpp:163 frame #12: 0x000000010bfef0c9 WebCore`WebCore::CSSImageValue::cachedImage(this=0x00007fb190df4660, loader=0x00007fb190b23d20, options=0x000000010e64ef88) + 441 at CSSImageValue.cpp:90 frame #13: 0x000000010d6e92ba WebCore`WebCore::StyleResolver::loadPendingImage(this=0x00007fb192129fd0, pendingImage=0x00007fb1908401c0, options=0x000000010e64ef88) + 122 at StyleResolver.cpp:3546 frame #14: 0x000000010d6e9474 WebCore`WebCore::StyleResolver::loadPendingImage(this=0x00007fb192129fd0, pendingImage=0x00007fb1908401c0) + 68 at StyleResolver.cpp:3566 frame #15: 0x000000010d6e9972 WebCore`WebCore::StyleResolver::loadPendingImages(this=0x00007fb192129fd0) + 1058 at StyleResolver.cpp:3611 frame #16: 0x000000010d6e416e WebCore`WebCore::StyleResolver::loadPendingResources(this=0x00007fb192129fd0) + 174 at StyleResolver.cpp:3699 frame #17: 0x000000010d6dcfbc WebCore`WebCore::StyleResolver::applyMatchedProperties(this=0x00007fb192129fd0, matchResult=0x00007fff5b24f878, element=0x00007fb1915f8460, shouldUseMatchedPropertiesCache=UseMatchedPropertiesCache) + 1740 at StyleResolver.cpp:1800 frame #18: 0x000000010d6da82f WebCore`WebCore::StyleResolver::styleForElement(this=0x00007fb192129fd0, element=0x00007fb1915f8460, defaultParent=0x0000000000000000, sharingBehavior=AllowStyleSharing, matchingBehavior=MatchAllRules, regionForStyling=0x0000000000000000) + 1263 at StyleResolver.cpp:853 frame #19: 0x000000010c356535 WebCore`WebCore::Element::styleForRenderer(this=0x00007fb1915f8460) + 293 at Element.cpp:1458 frame #20: 0x000000010be8ff8f WebCore`WebCore::Style::createRendererIfNeeded(element=0x00007fb1915f8460, resolvedStyle=0x00007fff5b250160) + 223 at StyleResolveTree.cpp:215 frame #21: 0x000000010be8fd29 WebCore`WebCore::Style::attachRenderTree(current=0x00007fb1915f8460, resolvedStyle=0x00007fff5b250198) + 121 at StyleResolveTree.cpp:538 frame #22: 0x000000010be904d4 WebCore`WebCore::Style::attachChildren(current=0x00007fb1915f8200) + 324 at StyleResolveTree.cpp:463 frame #23: 0x000000010be8fdf8 WebCore`WebCore::Style::attachRenderTree(current=0x00007fb1915f8200, resolvedStyle=0x00007fff5b250298) + 328 at StyleResolveTree.cpp:554 frame #24: 0x000000010be8f3f2 WebCore`WebCore::Style::resolveLocal(current=0x00007fb1915f8200, inheritedChange=NoChange) + 322 at StyleResolveTree.cpp:678 frame #25: 0x000000010be8ed30 WebCore`WebCore::Style::resolveTree(current=0x00007fb1915f8200, change=NoChange) + 336 at StyleResolveTree.cpp:832 frame #26: 0x000000010be8eef0 WebCore`WebCore::Style::resolveTree(current=0x00007fb190b987e0, change=NoChange) + 784 at StyleResolveTree.cpp:864 frame #27: 0x000000010be8eef0 WebCore`WebCore::Style::resolveTree(current=0x00007fb191262250, change=NoChange) + 784 at StyleResolveTree.cpp:864 frame #28: 0x000000010be8eef0 WebCore`WebCore::Style::resolveTree(current=0x00007fb1912b7fb0, change=NoChange) + 784 at StyleResolveTree.cpp:864 frame #29: 0x000000010be8eef0 WebCore`WebCore::Style::resolveTree(current=0x00007fb1910a5350, change=NoChange) + 784 at StyleResolveTree.cpp:864 frame #30: 0x000000010be8eef0 WebCore`WebCore::Style::resolveTree(current=0x00007fb1910a56f0, change=NoChange) + 784 at StyleResolveTree.cpp:864 frame #31: 0x000000010be8eef0 WebCore`WebCore::Style::resolveTree(current=0x00007fb1910a4720, change=NoChange) + 784 at StyleResolveTree.cpp:864 frame #32: 0x000000010be8eef0 WebCore`WebCore::Style::resolveTree(current=0x00007fb18a4c0900, change=NoChange) + 784 at StyleResolveTree.cpp:864 frame #33: 0x000000010be8ebd1 WebCore`WebCore::Style::resolveTree(document=0x00007fb18d80d400, change=NoChange) + 497 at StyleResolveTree.cpp:906 frame #34: 0x000000010c1b7416 WebCore`WebCore::Document::recalcStyle(this=0x00007fb18d80d400, change=NoChange) + 470 at Document.cpp:1733 frame #35: 0x000000010c1b3c4f WebCore`WebCore::Document::updateStyleIfNeeded(this=0x00007fb18d80d400) + 431 at Document.cpp:1781 frame #36: 0x000000010c1b49c4 WebCore`WebCore::Document::updateLayout(this=0x00007fb18d80d400) + 244 at Document.cpp:1800 frame #37: 0x000000010c1b7cbf WebCore`WebCore::Document::updateLayoutIgnorePendingStylesheets(this=0x00007fb18d80d400) + 207 at Document.cpp:1841 frame #38: 0x000000010c352837 WebCore`WebCore::Element::offsetHeight(this=0x00007fb19110eb10) + 39 at Element.cpp:712 frame #39: 0x000000010caf0818 WebCore`WebCore::jsElementOffsetHeight(exec=0x00007fff5b250940, slotBase=4616082416, thisValue=4616082416, =PropertyName at 0x00007fff5b250888) + 104 at JSElement.cpp:386 frame #40: 0x00004cb01721ae3a frame #41: 0x00004cb017381312 frame #42: 0x00004cb0172be2d4 frame #43: 0x000000010aa3d9bb JavaScriptCore`llint_op_call + 262

Geoffrey Garen

Comment 12 2014-02-03 09:27:29 PST

I think that means that the optimized call out to jsElementOffsetHeight neglected to set topCallFrame.

Michael Saboff

Comment 13 2014-02-03 16:27:27 PST

Created attachment 223039 [details] Patch

Geoffrey Garen

Comment 14 2014-02-03 16:29:33 PST

Comment on attachment 223039 [details] Patch r=me Would be nice to have a test case for this.

Michael Saboff

Comment 15 2014-02-03 16:33:08 PST

Committed r163342: <http://trac.webkit.org/changeset/163342>

Note You need to log in before you can comment on or make changes to this bug.