Bug 18773

Summary: Crash in JSInspectedObjectWrapper::prepareIncomingValue trying to Inspect Element on an iFrame
Product: WebKit Reporter: Simon Hollingshead <me>
Component: Web Inspector (Deprecated)Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Critical CC: aroben, dev+webkit, Wout.Mertens
Priority: P1 Keywords: HasReduction, InRadar, Regression
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
URL: http://www.dynamiko.net/users/simonh/reduwojs.html
Attachments:
Description Flags
Full crash log none

Simon Hollingshead
Reported 2008-04-27 11:04:07 PDT
1. Visit http://forums.ahmodding.co.uk/index.php?/showuser/753 (or another user if this one happens to have any comments) 2. Click the 'Comments' Tab 3. Right click in the LIGHTER grey, INNER area which contains the message there are no comments, and choose to inspect the element. 4. Gasp at the crash.
Attachments
Full crash log (35.70 KB, text/plain)
2008-04-27 11:09 PDT, Matt Lilek 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Matt Lilek
Comment 1 2008-04-27 11:08:12 PDT
r32601 debug build: ASSERTION FAILED: A wrapper that was not from the inspected page and is not an Inspector callback was passed to a JSInspectedObjectWrapper wrapper->inherits(&JSInspectorCallbackWrapper::s_info) (/Users/matt/Code/WebKit/WebCore/bindings/js/JSInspectedObjectWrapper.cpp:97 virtual KJS::JSValue* WebCore::JSInspectedObjectWrapper::prepareIncomingValue(KJS::ExecState*, KJS::JSValue*) const) Thread 0 Crashed: 0 com.apple.WebCore 0x0232da6a WebCore::JSInspectedObjectWrapper::prepareIncomingValue(KJS::ExecState*, KJS::JSValue*) const + 414 (JSInspectedObjectWrapper.cpp:97) 1 com.apple.WebCore 0x0232fc59 WebCore::JSQuarantinedObjectWrapper::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 81 (JSQuarantinedObjectWrapper.cpp:251) 2 com.apple.JavaScriptCore 0x0042b082 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:101) 3 com.apple.JavaScriptCore 0x004839dc KJS::FunctionCallDotNode::inlineEvaluate(KJS::ExecState*) + 802 (nodes.cpp:1495) 4 com.apple.JavaScriptCore 0x00442112 KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 30 (nodes.cpp:1501) 5 com.apple.JavaScriptCore 0x0043311a KJS::AssignLocalVarNode::evaluate(KJS::ExecState*) + 144 (nodes.cpp:3554) 6 com.apple.JavaScriptCore 0x0043255b KJS::VarStatementNode::execute(KJS::ExecState*) + 43 (nodes.cpp:4010) 7 com.apple.JavaScriptCore 0x00415865 KJS::statementListExecute(WTF::Vector<WTF::RefPtr<KJS::StatementNode>, 0ul>&, KJS::ExecState*) + 85 (nodes.cpp:3946) 8 com.apple.JavaScriptCore 0x004158d6 KJS::CaseClauseNode::executeStatements(KJS::ExecState*) + 26 (nodes.cpp:4405) 9 com.apple.JavaScriptCore 0x004327a9 KJS::CaseBlockNode::executeBlock(KJS::ExecState*, KJS::JSValue*) + 161 (nodes.cpp:4445) 10 com.apple.JavaScriptCore 0x00432a28 KJS::SwitchNode::execute(KJS::ExecState*) + 124 (nodes.cpp:4508) Safari 3.1.1 does not crash on this page.
Matt Lilek
Comment 2 2008-04-27 11:09:33 PDT
Created attachment 20852 [details] Full crash log
Adam Roben (:aroben)
Comment 3 2008-04-27 19:52:10 PDT
We're crashing when calling getAttribute on a node from the inspected page: var idAttribute = current.getAttribute("id"); <http://trac.webkit.org/browser/trunk/WebCore/page/inspector/ElementsPanel.js#L382> The assertion is happening when trying to prepare the "this" object (i.e., `current`). It looks like we've just traversed from one frame to another via _parentNodeOrFrameElement, and the wrappers are not handling this case correctly. The message in the assertion is misleading in this case; we are in fact passing a wrapped object (i.e., `current` is in fact wrapped), but the wrapped object has a different global object from the one we were expecting. I think we can take 3 actions in response to this: 1. Make the wrappers able to handle this frame traversal (which should fix the assertion). 2. Return jsUndefined() instead of 0 from prepareIncomingValue when we hit an unexpected condition so that we will throw a JS exception instead of crashing. 3. Make the assertion message clearer about what's happening in this case.
Simon Hollingshead
Comment 4 2008-04-28 14:07:01 PDT
Reduction at http://www.dynamiko.net/users/simonh/reduwojs.html (I frame links to empty html document http://www.dynamiko.net/users/simonh/redu1.html - I also made one that fits all on one page, http://www.dynamiko.net/users/simonh/reduwjs.html but I'm not as sure if the JS is 'syntaxically correct' or whatever, so I'd rather use the HTML one for now ;)
Simon Hollingshead
Comment 5 2008-04-28 14:07:47 PDT
(In reply to comment #4) > Reduction at http://www.dynamiko.net/users/simonh/reduwojs.html (I frame links > to empty html document http://www.dynamiko.net/users/simonh/redu1.html - I also > made one that fits all on one page, > http://www.dynamiko.net/users/simonh/reduwjs.html but I'm not as sure if the JS > is 'syntaxically correct' or whatever, so I'd rather use the HTML one for now > ;) > I forgot to mention what to do! Just right click in the iFrame and try to 'inspect element' on it.
Matt Lilek
Comment 6 2008-05-06 05:57:26 PDT
*** Bug 18902 has been marked as a duplicate of this bug. ***
Adam Roben (:aroben)
Comment 7 2008-05-06 11:30:09 PDT
<rdar://problem/5914471>
Adam Roben (:aroben)
Comment 8 2008-05-14 10:10:17 PDT
Fixed in r33414.
Note You need to log in before you can comment on or make changes to this bug.