Bug 139740

Summary: Web Inspector: [Mac] Occasional Crashes Closing Inspector
Product: WebKit Reporter: Joseph Pecoraro <joepeck>
Component: Web InspectorAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: andersca, ap, commit-queue, enrica, graouts, joepeck, jonowells, mattbaker, nvasilyev, timothy, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Attachments:
Description Flags
[PATCH] Proposed Fix none

Description Joseph Pecoraro 2014-12-17 12:12:25 PST 
* SUMMARY
I've been able to hit some crashes when closing Inspector Windows and using Guard Malloc.

* STEPS TO REPRODUCE
1. shell> DYLD_INSERT_LIBRARIES=/usr/lib/libgmalloc.dylib run-safari
2. Open http://bogojoker.com
3. Rapidly open/close inspector windows (e.g. hold down Cmd+Shift+I and Cmd+W occasionally when inspector window is focused)
  => Crash

* NOTES
Two frequent crash points:

(1) In WebInspectorProxy::inspectorWindowFrame using destroyed WebInspectorProxy as the client of the WKView's Page. This was because we were clearing our reference to the WKWebInspectorWKView, but it was actually kept alive by a dispatch in WKView, the WebInspectorProxy was destroyed, but still had a weak reference in the UIClient.

    - (void)_updateWindowAndViewFrames
    {
        ...
        dispatch_async(dispatch_get_main_queue(), ^{
            ...
            _data->_page->windowAndViewFramesChanged(viewFrameInWindowCoordinates, accessibilityPosition);
        });
    }

(2) In WebPageProxy::didReceiveEvent. While handling a keypress, the WebPageProxy is destroyed, and we continue and use bad objects.
Comment 1 Radar WebKit Bug Importer 2014-12-17 12:12:50 PST 
<rdar://problem/19282330>
Comment 2 Joseph Pecoraro 2014-12-17 12:28:29 PST 
Created attachment 243451 [details]
[PATCH] Proposed Fix
Comment 3 Timothy Hatcher 2014-12-17 12:44:39 PST 
Comment on attachment 243451 [details]
[PATCH] Proposed Fix

View in context: https://bugs.webkit.org/attachment.cgi?id=243451&action=review

> Source/WebKit2/UIProcess/mac/WebInspectorProxyMac.mm:296
> +        WebPageProxy* inspectorPage = toImpl(m_inspectorView.get().pageRef);
> +        inspectorPage->close();

WKView dealloc calls close(), but that assumes we hold the last ref here.
Comment 4 WebKit Commit Bot 2014-12-17 13:18:35 PST 
Comment on attachment 243451 [details]
[PATCH] Proposed Fix

Clearing flags on attachment: 243451

Committed r177459: <http://trac.webkit.org/changeset/177459>
Comment 5 WebKit Commit Bot 2014-12-17 13:18:39 PST 
All reviewed patches have been landed.  Closing bug.
Comment 6 Joseph Pecoraro 2014-12-17 13:32:10 PST 
(In reply to comment #3)
> Comment on attachment 243451 [details]
> [PATCH] Proposed Fix
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=243451&action=review
> 
> > Source/WebKit2/UIProcess/mac/WebInspectorProxyMac.mm:296
> > +        WebPageProxy* inspectorPage = toImpl(m_inspectorView.get().pageRef);
> > +        inspectorPage->close();
> 
> WKView dealloc calls close(), but that assumes we hold the last ref here.

Correct, we were not holding the lat ref, because the WKWebInspectorWKView was being retained by a dispatch_async block. =(