Bug 18773

Summary: Crash in JSInspectedObjectWrapper::prepareIncomingValue trying to Inspect Element on an iFrame
Product: WebKit
Reporter: Simon Hollingshead <me>
Component: Web Inspector (Deprecated)
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Critical
CC: aroben, dev+webkit, Wout.Mertens
Priority: P1
Keywords: HasReduction, InRadar, Regression
Version: 528+ (Nightly build)
Hardware: All
OS: All
URL: http://www.dynamiko.net/users/simonh/reduwojs.html
Attachments: Full crash log (flags: none)

Description Simon Hollingshead 2008-04-27 11:04:07 PDT
1. Visit http://forums.ahmodding.co.uk/index.php?/showuser/753 (or another user if this one happens to have any comments)
2. Click the 'Comments' Tab
3. Right click in the LIGHTER grey, INNER area which contains the message there are no comments, and choose to inspect the element.
4. Gasp at the crash.
Comment 1 Matt Lilek 2008-04-27 11:08:12 PDT
r32601 debug build:

ASSERTION FAILED: A wrapper that was not from the inspected page and is not an Inspector callback was passed to a JSInspectedObjectWrapper
wrapper->inherits(&JSInspectorCallbackWrapper::s_info)
(/Users/matt/Code/WebKit/WebCore/bindings/js/JSInspectedObjectWrapper.cpp:97 virtual KJS::JSValue* WebCore::JSInspectedObjectWrapper::prepareIncomingValue(KJS::ExecState*, KJS::JSValue*) const)

Thread 0 Crashed:
0   com.apple.WebCore             	0x0232da6a WebCore::JSInspectedObjectWrapper::prepareIncomingValue(KJS::ExecState*, KJS::JSValue*) const + 414 (JSInspectedObjectWrapper.cpp:97)
1   com.apple.WebCore             	0x0232fc59 WebCore::JSQuarantinedObjectWrapper::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 81 (JSQuarantinedObjectWrapper.cpp:251)
2   com.apple.JavaScriptCore      	0x0042b082 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:101)
3   com.apple.JavaScriptCore      	0x004839dc KJS::FunctionCallDotNode::inlineEvaluate(KJS::ExecState*) + 802 (nodes.cpp:1495)
4   com.apple.JavaScriptCore      	0x00442112 KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 30 (nodes.cpp:1501)
5   com.apple.JavaScriptCore      	0x0043311a KJS::AssignLocalVarNode::evaluate(KJS::ExecState*) + 144 (nodes.cpp:3554)
6   com.apple.JavaScriptCore      	0x0043255b KJS::VarStatementNode::execute(KJS::ExecState*) + 43 (nodes.cpp:4010)
7   com.apple.JavaScriptCore      	0x00415865 KJS::statementListExecute(WTF::Vector<WTF::RefPtr<KJS::StatementNode>, 0ul>&, KJS::ExecState*) + 85 (nodes.cpp:3946)
8   com.apple.JavaScriptCore      	0x004158d6 KJS::CaseClauseNode::executeStatements(KJS::ExecState*) + 26 (nodes.cpp:4405)
9   com.apple.JavaScriptCore      	0x004327a9 KJS::CaseBlockNode::executeBlock(KJS::ExecState*, KJS::JSValue*) + 161 (nodes.cpp:4445)
10  com.apple.JavaScriptCore      	0x00432a28 KJS::SwitchNode::execute(KJS::ExecState*) + 124 (nodes.cpp:4508)

Safari 3.1.1 does not crash on this page.
Comment 2 Matt Lilek 2008-04-27 11:09:33 PDT
Created attachment 20852: Full crash log
Comment 3 Adam Roben (:aroben) 2008-04-27 19:52:10 PDT
We're crashing when calling getAttribute on a node from the inspected page:

var idAttribute = current.getAttribute("id");

<http://trac.webkit.org/browser/trunk/WebCore/page/inspector/ElementsPanel.js#L382>

The assertion is happening when trying to prepare the "this" object (i.e., `current`). It looks like we've just traversed from one frame to another via _parentNodeOrFrameElement, and the wrappers are not handling this case correctly. The message in the assertion is misleading in this case; we are in fact passing a wrapped object (i.e., `current` is in fact wrapped), but the wrapped object has a different global object from the one we were expecting.

I think we can take 3 actions in response to this:
1. Make the wrappers able to handle this frame traversal (which should fix the assertion).
2. Return jsUndefined() instead of 0 from prepareIncomingValue when we hit an unexpected condition so that we will throw a JS exception instead of crashing.
3. Make the assertion message clearer about what's happening in this case.
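The failure Adam describes above (a wrapped node whose global object is not the one the wrapper expected, because `_parentNodeOrFrameElement` stepped from the iframe's document to the frame element in the parent document) can be modelled without a browser. The following is an added illustration, not WebKit's own code: the node model, the `Global` objects, the function names and the two unwrap variants are all assumptions made here. It walks from a node inside an iframe up through the frame element, first with an unwrap check that rejects foreign globals with a null (the crash), then with one that accepts any inspected-page global and throws a JS exception for anything else (points 1 and 2 of the comment above).

```javascript
// Added example, not code from WebKit or this bug. Models the quarantine wrapper
// check that fired the assertion: an object from a different frame's global is
// handed to a wrapper that expected a single global object.

// Stand-in for a frame's window/global object (assumed name).
class Global {
  constructor(name) { this.name = name; }
}

// Minimal DOM node: knows its document's global, its parent, and, for the root of
// an iframe's document, the <iframe> element in the parent document.
class Node {
  constructor(global, tag, attrs = {}, parent = null) {
    this.global = global;
    this.tag = tag;
    this.attrs = attrs;
    this.parentNode = parent;
    this.frameElement = null;
  }
  getAttribute(name) { return name in this.attrs ? this.attrs[name] : null; }
}

// Mirrors the traversal in the comment: go to the parent, or hop from a frame's
// document root to the owning <iframe> element (which lives in another global).
function parentNodeOrFrameElement(node) {
  return node.parentNode ? node.parentNode : node.frameElement;
}

// The inspector never holds raw nodes, only wrappers around them.
class InspectedObjectWrapper {
  constructor(target) { this.target = target; }
}

// Buggy unwrap: only one global is acceptable; anything else yields null, which
// the caller then dereferences (the crash reported in this bug).
function prepareIncomingValueBuggy(wrapper, expectedGlobal) {
  if (!(wrapper instanceof InspectedObjectWrapper)) return null;
  if (wrapper.target.global !== expectedGlobal) return null; // assertion point
  return wrapper.target;
}

// Hardened unwrap: any global belonging to the inspected page is acceptable, and
// an unexpected value raises a JS exception instead of returning null.
function prepareIncomingValueFixed(wrapper, inspectedGlobals) {
  if (!(wrapper instanceof InspectedObjectWrapper))
    throw new TypeError("value is not a wrapper from the inspected page");
  if (!inspectedGlobals.has(wrapper.target.global))
    throw new TypeError("wrapper belongs to an unknown global: " + wrapper.target.global.name);
  return wrapper.target;
}

// Walk upwards like ElementsPanel does, calling getAttribute("id") on each step.
function inspectAncestorIds(startNode, unwrap) {
  const ids = [];
  for (let current = startNode; current; current = parentNodeOrFrameElement(current)) {
    const raw = unwrap(new InspectedObjectWrapper(current));
    if (raw === null) throw new Error("null unwrap result dereferenced (modelled crash)");
    ids.push(raw.getAttribute("id"));
  }
  return ids;
}

// Constructed page: a top-level document containing an <iframe> whose document
// holds a <div>, i.e. the shape of the reduction in this bug.
function buildPage() {
  const top = new Global("top");
  const frame = new Global("frame");
  const html = new Node(top, "html", { id: "top-html" });
  const iframe = new Node(top, "iframe", { id: "outer-iframe" }, html);
  const frameRoot = new Node(frame, "html", { id: "frame-html" });
  frameRoot.frameElement = iframe;
  const div = new Node(frame, "div", { id: "inner-div" }, frameRoot);
  return { top, frame, div };
}

const page = buildPage();
try {
  inspectAncestorIds(page.div, w => prepareIncomingValueBuggy(w, page.frame));
} catch (e) {
  console.log("buggy unwrap:", e.message);
}
console.log("fixed unwrap:",
  inspectAncestorIds(page.div, w => prepareIncomingValueFixed(w, new Set([page.top, page.frame]))));
```

The buggy walk dies at the `<iframe>` element, the first node whose global differs from the one the wrapper was created for; the hardened walk completes and returns the four ids. Note that the fixed variant still refuses values that are not wrappers at all, so the original assertion's intent (no unwrapped objects from outside the inspected page) is kept, just surfaced as an exception.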
Comment 4 Simon Hollingshead 2008-04-28 14:07:01 PDT
Reduction at http://www.dynamiko.net/users/simonh/reduwojs.html (the iframe links to the empty HTML document http://www.dynamiko.net/users/simonh/redu1.html). I also made one that fits all on one page, http://www.dynamiko.net/users/simonh/reduwjs.html, but I'm not as sure if the JS is 'syntactically correct' or whatever, so I'd rather use the HTML one for now ;)
Comment 5 Simon Hollingshead 2008-04-28 14:07:47 PDT
(In reply to comment #4)
> Reduction at http://www.dynamiko.net/users/simonh/reduwojs.html (the iframe
> links to the empty HTML document http://www.dynamiko.net/users/simonh/redu1.html).
> I also made one that fits all on one page,
> http://www.dynamiko.net/users/simonh/reduwjs.html, but I'm not as sure if the JS
> is 'syntactically correct' or whatever, so I'd rather use the HTML one for now
> ;)
> 

I forgot to mention what to do! Just right-click in the iframe and try to 'inspect element' on it.
Comment 6 Matt Lilek 2008-05-06 05:57:26 PDT
*** Bug 18902 has been marked as a duplicate of this bug. ***
Comment 7 Adam Roben (:aroben) 2008-05-06 11:30:09 PDT
<rdar://problem/5914471>
Comment 8 Adam Roben (:aroben) 2008-05-14 10:10:17 PDT
Fixed in r33414.