Bug 140968

Summary: Web Inspector: Crash when closing inspected page
Product: WebKit Reporter: Joseph Pecoraro <joepeck>
Component: Web InspectorAssignee: Joseph Pecoraro <joepeck>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, graouts, joepeck, jonowells, mattbaker, nvasilyev, timothy, webkit-bug-importer
Priority: P2 Keywords: DoNotImportToRadar
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Attachments:
Description Flags
[PATCH] Proposed Fix
joepeck: review-
[PATCH] Proposed Fix none

Description Joseph Pecoraro 2015-01-27 16:33:46 PST 
* SUMMARY
WebContentProcess crash when closing inspected page.

* STEPS TO REPRODUCE
1. Login to iCloud.com
2. Open Pages
3. Create a new file in that app (causes a new tab to be made)
4. Open inspector in new tab
5. Close new tab
  => CRASH

* CRASH:
Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000070

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebKit              	0x000000010ec6828b WebCore::Page::inspectorController() const + 43
1   com.apple.WebKit              	0x000000010ec66cc1 WebKit::WebInspector::close() + 33
2   com.apple.WebKit              	0x000000010ec6a339 WebKit::WebInspector::didClose(IPC::Connection&) + 25
3   com.apple.WebKit              	0x000000010ec6a3ff non-virtual thunk to WebKit::WebInspector::didClose(IPC::Connection&) + 47
4   com.apple.WebKit              	0x000000010e6b63fa IPC::Connection::connectionDidClose()::$_4::operator()() const + 122
5   com.apple.WebKit              	0x000000010e6b636c std::__1::__function::__func<IPC::Connection::connectionDidClose()::$_4, std::__1::allocator<IPC::Connection::connectionDidClose()::$_4>, void ()>::operator()() + 60
6   com.apple.JavaScriptCore      	0x0000000111d725ea std::__1::function<void ()>::operator()() const + 26 (functional:1755)
7   com.apple.JavaScriptCore      	0x0000000111e000f1 WTF::RunLoop::performWork() + 561 (RunLoop.cpp:106)
8   com.apple.JavaScriptCore      	0x0000000111e01424 WTF::RunLoop::performWork(void*) + 36 (RunLoopCF.cpp:38)
...

* NOTES
(lldb) up
frame #2: 0x000000010ec66cc1 WebKit`WebKit::WebInspector::close(this=0x00007fec72fb43d8) + 33 at WebInspector.cpp:122
   119 	
   120 	void WebInspector::close()
   121 	{
-> 122 	    m_page->corePage()->inspectorController().close();
   123 	}
   124 	
   125 	void WebInspector::openInNewTab(const String& urlString)

(lldb) p m_page->corePage()
(WebCore::Page *) $1 = 0x0000000000000000
Comment 1 Joseph Pecoraro 2015-01-27 16:34:03 PST 
<rdar://problem/19194743>
Comment 2 Joseph Pecoraro 2015-01-27 16:36:02 PST 
Created attachment 245492 [details]
[PATCH] Proposed Fix
Comment 3 Joseph Pecoraro 2015-01-27 17:14:49 PST 
Comment on attachment 245492 [details]
[PATCH] Proposed Fix

I was also able to get this to happen on sendMessageToBackend. Seems we should do this in more places. I'll just check everywhere.

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000070

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebKit              	0x0000000113eac28b WebCore::Page::inspectorController() const + 43
1   com.apple.WebKit              	0x0000000113eab325 WebKit::WebInspector::sendMessageToBackend(WTF::String const&) + 37
2   com.apple.WebKit              	0x0000000113eb620f void IPC::callMemberFunctionImpl<WebKit::WebInspector, void (WebKit::WebInspector::*)(WTF::String const&), std::__1::tuple<WTF::String>, 0ul>(WebKit::WebInspector*, void (WebKit::WebInspector::*)(WTF::String const&), std::__1::tuple<WTF::String>&&, std::index_sequence<0ul>) + 159
3   com.apple.WebKit              	0x0000000113eb6168 void IPC::callMemberFunction<WebKit::WebInspector, void (WebKit::WebInspector::*)(WTF::String const&), std::__1::tuple<WTF::String>, std::make_index_sequence<1ul> >(std::__1::tuple<WTF::String>&&, WebKit::WebInspector*, void (WebKit::WebInspector::*)(WTF::String const&)) + 88
4   com.apple.WebKit              	0x0000000113eb60d6 void IPC::handleMessage<Messages::WebInspector::SendMessageToBackend, WebKit::WebInspector, void (WebKit::WebInspector::*)(WTF::String const&)>(IPC::MessageDecoder&, WebKit::WebInspector*, void (WebKit::WebInspector::*)(WTF::String const&)) + 230
5   com.apple.WebKit              	0x0000000113eb560a WebKit::WebInspector::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) + 1306
6   com.apple.WebKit              	0x0000000113eb5677 non-virtual thunk to WebKit::WebInspector::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) + 55
...
Comment 4 Joseph Pecoraro 2015-01-27 18:22:53 PST 
Created attachment 245499 [details]
[PATCH] Proposed Fix
Comment 5 Timothy Hatcher 2015-01-27 20:55:20 PST 
Comment on attachment 245499 [details]
[PATCH] Proposed Fix

View in context: https://bugs.webkit.org/attachment.cgi?id=245499&action=review

> Source/WebKit2/WebProcess/WebPage/WebInspector.cpp:262
> +    if (m_page->corePage()) {

Why no early return?

> Source/WebKit2/WebProcess/WebPage/WebInspector.cpp:273
> +    if (m_page->corePage())

Could store corePage in a local here and use on the next line.
Comment 6 Joseph Pecoraro 2015-01-28 12:59:38 PST 
(In reply to comment #5)
> Comment on attachment 245499 [details]
> [PATCH] Proposed Fix
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=245499&action=review
> 
> > Source/WebKit2/WebProcess/WebPage/WebInspector.cpp:262
> > +    if (m_page->corePage()) {
> 
> Why no early return?
> 
> > Source/WebKit2/WebProcess/WebPage/WebInspector.cpp:273
> > +    if (m_page->corePage())
> 
> Could store corePage in a local here and use on the next line.

These two match in style because they are slightly different than the others.

As for storing into a local, I think the compiler is smart enough to do that for us here.
Comment 7 WebKit Commit Bot 2015-01-28 13:24:13 PST 
Comment on attachment 245499 [details]
[PATCH] Proposed Fix

Clearing flags on attachment: 245499

Committed r179282: <http://trac.webkit.org/changeset/179282>
Comment 8 WebKit Commit Bot 2015-01-28 13:24:18 PST 
All reviewed patches have been landed.  Closing bug.