Bug 134849

Summary: Web Inspector: Crash when using a stale InspectableNode Node
Product: WebKit Reporter: Joseph Pecoraro <joepeck>
Component: Web Inspector    Assignee: Joseph Pecoraro <joepeck>
Status: RESOLVED FIXED
Severity: Normal    CC: commit-queue, graouts, joepeck, timothy, webkit-bug-importer
Priority: P2    Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: All
OS: All
Attachments:
  Description            Flags
  [PATCH] Proposed Fix   none

Description Joseph Pecoraro 2014-07-11 16:57:45 PDT
InspectableNode has a weak pointer to a Node. It should have a RefPtr to prevent it from getting stale out from under it.

Crashed Thread:        0  Dispatch queue: com.apple.main-thread
Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x000000003394e57b

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x00007fff83201b94 WebCore::InspectorDOMAgent::nodeAsScriptValue(JSC::ExecState*, WebCore::Node*) + 132
1   com.apple.WebCore             	0x00007fff8362dc18 WebCore::InspectableNode::get(JSC::ExecState*) + 24
2   com.apple.WebCore             	0x00007fff832a0414 WebCore::JSCommandLineAPIHost::inspectedObject(JSC::ExecState*) + 164
3   ???                           	0x0000228e27e01034 0 + 37993949696052
4   com.apple.JavaScriptCore      	0x00007fff8d22b4ae llint_entry + 22744
5   com.apple.JavaScriptCore      	0x00007fff8d22b678 llint_entry + 23202
6   com.apple.JavaScriptCore      	0x00007fff8d2259b1 callToJavaScript + 311
...


* STEPS TO REPRODUCE
1. Inspect attached [crash-reduction.html]
2. Show DOM Tree
3. Expand <body>
4. Select the <h1> (it will be deleted in a second)
5. Trigger a garbage collection
6. js> $1
  => CRASH

<rdar://problem/14540951>
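The lifetime problem described above (a raw pointer to a Node that the DOM tree can delete out from under the inspector wrapper, versus a wrapper that holds a reference) can be replayed in a few dozen lines. The following is an added illustration, not code from the bug's patch or from WebKit: the `Node`, `RefPtr`, `WeakInspectableNode` and `StrongInspectableNode` types are minimal stand-ins written for this example (modelled on the intrusive refcount idiom the description refers to, not WTF's real classes), and the scenario functions mirror the reproduction steps: the document owns the `<h1>`, the inspector selects it, the document drops it.

```cpp
#include <cstdio>

// Hypothetical stand-ins for this example only: a minimal intrusive
// reference count and a RefPtr smart pointer. They are not WebKit's
// WTF::RefCounted / WTF::RefPtr, just enough to show the lifetime difference.
class Node {
public:
    static int liveCount;                 // Node objects currently alive
    Node() { ++liveCount; }
    void ref() { ++m_refCount; }
    void deref() {
        if (--m_refCount == 0)
            delete this;                  // last owner gone: destroy
    }
    int refCount() const { return m_refCount; }
    const char* tagName() const { return "h1"; }
private:
    ~Node() { --liveCount; }              // only deref() may destroy a Node
    int m_refCount = 0;
};
int Node::liveCount = 0;

template <typename T>
class RefPtr {
public:
    RefPtr() = default;
    RefPtr(T* p) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& other) : m_ptr(other.m_ptr) { if (m_ptr) m_ptr->ref(); }
    RefPtr& operator=(const RefPtr& other) {
        if (other.m_ptr) other.m_ptr->ref();   // ref first: safe for self-assignment
        T* old = m_ptr;
        m_ptr = other.m_ptr;
        if (old) old->deref();
        return *this;
    }
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    T* get() const { return m_ptr; }
    T* operator->() const { return m_ptr; }
    explicit operator bool() const { return m_ptr != nullptr; }
    void clear() {
        T* old = m_ptr;
        m_ptr = nullptr;
        if (old) old->deref();
    }
private:
    T* m_ptr = nullptr;
};

// "Before": the inspector-side wrapper remembers the node with a raw pointer.
struct WeakInspectableNode {
    Node* node = nullptr;
};

// "After": the wrapper holds a RefPtr, so it shares ownership of the node.
struct StrongInspectableNode {
    RefPtr<Node> node;
};

// Replays the reproduction: the document owns the <h1>, the inspector selects
// it ($1), then the document removes it. Returns how many Node objects are
// still alive while the wrapper still exists. With a raw pointer the answer
// is 0 and `selected.node` now dangles; dereferencing it is the reported
// crash, so this function deliberately never touches it.
int nodesAliveAfterRemovalWeak() {
    RefPtr<Node> documentChild(new Node());
    WeakInspectableNode selected;
    selected.node = documentChild.get();
    documentChild.clear();                // node removed from the tree, GC runs
    return Node::liveCount;               // 0: selected.node is stale
}

// Same sequence with the RefPtr-holding wrapper: the node survives removal
// from the tree for as long as the inspector still refers to it.
int nodesAliveAfterRemovalStrong() {
    RefPtr<Node> documentChild(new Node());
    StrongInspectableNode selected;
    selected.node = documentChild;
    documentChild.clear();
    return Node::liveCount;               // 1: evaluating $1 is safe
}

// The strong wrapper is still usable after removal, and the node is released
// once the wrapper itself goes away, so holding the reference does not leak.
bool strongWrapperIsUsableAndReleases() {
    bool usable = false;
    {
        RefPtr<Node> documentChild(new Node());
        StrongInspectableNode selected;
        selected.node = documentChild;
        documentChild.clear();
        usable = selected.node && selected.node->refCount() == 1
                 && selected.node->tagName()[0] == 'h';
    }
    return usable && Node::liveCount == 0;
}

int main() {
    std::printf("weak wrapper, nodes alive after removal:   %d\n", nodesAliveAfterRemovalWeak());
    std::printf("strong wrapper, nodes alive after removal: %d\n", nodesAliveAfterRemovalStrong());
    std::printf("strong wrapper usable and released:        %s\n",
                strongWrapperIsUsableAndReleases() ? "yes" : "no");
    return 0;
}
```

The point the counters make is the one the fix relies on: an inspector-side handle is a second owner of the node in everything but name, so it must take a reference; a raw pointer only works while something else happens to keep the node alive, which the DOM tree is free to stop doing at any time.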
Comment 1 Joseph Pecoraro 2014-07-11 16:59:15 PDT
Created attachment 234792 [details]
[PATCH] Proposed Fix

If needed I could probably create a test for this.
Comment 2 WebKit Commit Bot 2014-07-11 18:49:34 PDT
Comment on attachment 234792 [details]
[PATCH] Proposed Fix

Clearing flags on attachment: 234792

Committed r171018: <http://trac.webkit.org/changeset/171018>
Comment 3 WebKit Commit Bot 2014-07-11 18:49:36 PDT
All reviewed patches have been landed.  Closing bug.