| Field | Value |
|---|---|
| Summary | inspector/debugger-step-out.html crashing intermittently in the bots |
| Product | WebKit |
| Component | Web Inspector (Deprecated) |
| Reporter | Xan Lopez `<xan.lopez>` |
| Assignee | Nobody `<webkit-unassigned>` |
| Status | RESOLVED FIXED |
| Severity | Normal |
| Priority | P2 |
| CC | apavlov, caseq, eric, joepeck, loislo, pfeldman, podivilov, timothy, xan.lopez, yurys |
| Version | 528+ (Nightly build) |
| Hardware | PC |
| OS | OS X 10.5 |
| Bug Depends on | |
| Bug Blocks | 50889, 50987 |
| Attachments | 77337 (Test page), 77413 (Patch) |
Description
Xan Lopez
2010-12-11 03:35:15 PST
inspector/styles-source-lines-inline.html is also crashing.

Another bot saw the crash: https://bugs.webkit.org/show_bug.cgi?id=51035#c16

I was able to reproduce this crash by simply running DumpRenderTree on Qt Linux Debug with the following command line (note that the test is different):

```
gdb --args WebKitBuild/Debug/bin/DumpRenderTree LayoutTests/inspector/console-command-clear.html <...> LayoutTests/inspector/console-command-clear.html
```

Stack dump is:

```
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5dc9a2b in WebCore::CSSStyleDeclaration::getPropertyValue (this=0x1355480, propertyName=...) at ../../../WebCore/css/CSSStyleDeclaration.cpp:53
53          return getPropertyValue(propID);
(gdb) bt
#0  0x00007ffff5dc9a2b in WebCore::CSSStyleDeclaration::getPropertyValue (this=0x1355480, propertyName=...) at ../../../WebCore/css/CSSStyleDeclaration.cpp:53
#1  0x00007ffff6152fe6 in WebCore::InspectorStyle::buildObjectForStyle (this=0x9d7620) at ../../../WebCore/inspector/InspectorStyleSheet.cpp:141
#2  0x00007ffff6158987 in WebCore::InspectorStyleSheet::buildObjectForStyle (this=0xe05410, style=0x884630) at ../../../WebCore/inspector/InspectorStyleSheet.cpp:739
#3  0x00007ffff60e29b1 in WebCore::InspectorCSSAgent::getStylesForNode2 (this=0x566580, nodeId=5, result=0x7fffffff7870) at ../../../WebCore/inspector/InspectorCSSAgent.cpp:186
#4  0x00007ffff5c08dad in WebCore::InspectorBackendDispatcher::getStylesForNode2 (this=0x4f2260, callId=7, requestMessageObject=0x8843e0) at generated/InspectorBackendDispatcher.cpp:1445
#5  0x00007ffff5c2214b in WebCore::InspectorBackendDispatcher::dispatch (this=0x4f2260, message=...) at generated/InspectorBackendDispatcher.cpp:2875
#6  0x00007ffff613b4c3 in WebCore::InspectorFrontendClientLocal::sendMessageToBackend (this=0xb87110, message=...) at ../../../WebCore/inspector/InspectorFrontendClientLocal.cpp:154
#7  0x00007ffff613c298 in WebCore::InspectorFrontendHost::sendMessageToBackend (this=0x6918e0, message=...) at ../../../WebCore/inspector/InspectorFrontendHost.cpp:223
#8  0x00007ffff5a4dd61 in WebCore::jsInspectorFrontendHostPrototypeFunctionSendMessageToBackend (exec=0x7fff65dc85e0) at generated/JSInspectorFrontendHost.cpp:405
#9  0x00007fff661c81b8 in ?? ()
#10 0x00007fffffff97a0 in ?? ()
#11 0x00007fff664cc6e3 in ?? ()
#12 0x00007fffffff9720 in ?? ()
#13 0x00000000007439c0 in ?? ()
#14 0x0000000000000005 in ?? ()
#15 0x00007fff65d45440 in ?? ()
#16 0x00007fff6622b4a7 in ?? ()
#17 0x00007ffff5cac3cf in JSC::Register::Register (this=0xffff000000000000) at ../../../JavaScriptCore/interpreter/Register.h:106
#18 0x00007ffff68919e1 in JSC::JITCode::execute (this=0x1531b98, registerFile=0x7fffe800c838, callFrame=0x7fff65dc82f8, globalData=0x7fffe806e220) at ../../../JavaScriptCore/jit/JITCode.h:77
#19 0x00007ffff688e7cd in JSC::Interpreter::executeCall (this=0x7fffe800c820, callFrame=0x7fff65dc82b0, function=0x7fff65d5ba40, callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../../JavaScriptCore/interpreter/Interpreter.cpp:849
#20 0x00007ffff68badc7 in JSC::call (exec=0x7fff65dc82b0, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../../JavaScriptCore/runtime/CallData.cpp:38
#21 0x00007ffff68fa869 in JSC::JSObject::put (this=0x7fff65ceaf00, exec=0x7fff65dc82b0, propertyName=..., value=..., slot=...) at ../../../JavaScriptCore/runtime/JSObject.cpp:146
#22 0x00007ffff68a95f4 in JSC::JSValue::put (this=0x7fffffff9c40, exec=0x7fff65dc82b0, propertyName=..., value=..., slot=...) at ../../../JavaScriptCore/runtime/JSObject.h:700
#23 0x00007ffff689ae7f in JSC::cti_op_put_by_id_generic (args=0x7fffffff9c80) at ../../../JavaScriptCore/jit/JITStubs.cpp:1419
#24 0x00007ffff6899e68 in JSC::JITThunks::tryCacheGetByID (callFrame=0x7fffffff9c00, codeBlock=0x7ffff689b022, returnAddress=..., baseValue=..., propertyName=..., slot=..., stubInfo=0x7fffe806e220) at ../../../JavaScriptCore/jit/JITStubs.cpp:974
#25 0x00007ffff68919e1 in JSC::JITCode::execute (this=0x129b8a8, registerFile=0x7fffe800c838, callFrame=0x7fff65dc82b0, globalData=0x7fffe806e220) at ../../../JavaScriptCore/jit/JITCode.h:77
#26 0x00007ffff688e7cd in JSC::Interpreter::executeCall (this=0x7fffe800c820, callFrame=0x7fff65dc8230, function=0x7fff65d78000, callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../../JavaScriptCore/interpreter/Interpreter.cpp:849
#27 0x00007ffff68badc7 in JSC::call (exec=0x7fff65dc8230, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../../JavaScriptCore/runtime/CallData.cpp:38
#28 0x00007ffff68fa869 in JSC::JSObject::put (this=0x7fff65cea840, exec=0x7fff65dc8230, propertyName=..., value=..., slot=...) at ../../../JavaScriptCore/runtime/JSObject.cpp:146
#29 0x00007ffff68a95f4 in JSC::JSValue::put (this=0x7fffffffa1d0, exec=0x7fff65dc8230, propertyName=..., value=..., slot=...) at ../../../JavaScriptCore/runtime/JSObject.h:700
#30 0x00007ffff689b203 in JSC::cti_op_put_by_id (args=0x7fffffffa220) at ../../../JavaScriptCore/jit/JITStubs.cpp:1456
#31 0x00007ffff6899e68 in JSC::JITThunks::tryCacheGetByID (callFrame=0x7fff663802be, codeBlock=0x7fffffffa220, returnAddress=..., baseValue=..., propertyName=..., slot=..., stubInfo=0x7fffe806e220) at ../../../JavaScriptCore/jit/JITStubs.cpp:974
#32 0x00007ffff68919e1 in JSC::JITCode::execute (this=0xd88408, registerFile=0x7fffe800c838, callFrame=0x7fff65dc8038, globalData=0x7fffe806e220) at ../../../JavaScriptCore/jit/JITCode.h:77
#33 0x00007ffff688e7cd in JSC::Interpreter::executeCall (this=0x7fffe800c820, callFrame=0x687698, function=0x7ffff7ee6600, callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../../JavaScriptCore/interpreter/Interpreter.cpp:849
#34 0x00007ffff68badc7 in JSC::call (exec=0x687698, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../../JavaScriptCore/runtime/CallData.cpp:38
#35 0x00007ffff5c8d69b in WebCore::JSMainThreadExecState::call (exec=0x687698, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../../WebCore/bindings/js/JSMainThreadExecState.h:48
#36 0x00007ffff5cd5dc3 in WebCore::ScheduledAction::executeFunctionInContext (this=0x6322f0, globalObject=0x7fff65d45440, thisValue=..., context= 0x69c7f8) at ../../../WebCore/bindings/js/ScheduledAction.cpp:106
#37 0x00007ffff5cd5ffc in WebCore::ScheduledAction::execute (this=0x6322f0, document=0x69c790) at ../../../WebCore/bindings/js/ScheduledAction.cpp:128
#38 0x00007ffff5cd5b82 in WebCore::ScheduledAction::execute (this=0x6322f0, context=0x69c7f8) at ../../../WebCore/bindings/js/ScheduledAction.cpp:76
#39 0x00007ffff6229107 in WebCore::DOMTimer::fired (this=0x911940) at ../../../WebCore/page/DOMTimer.cpp:131
#40 0x00007ffff633b334 in WebCore::ThreadTimers::sharedTimerFiredInternal (this=0x7fffe803ee70) at ../../../WebCore/platform/ThreadTimers.cpp:112
#41 0x00007ffff633b267 in WebCore::ThreadTimers::sharedTimerFired () at ../../../WebCore/platform/ThreadTimers.cpp:90
#42 0x00007ffff65497a4 in WebCore::SharedTimerQt::timerEvent (this=0x7fffe803eed0, ev=0x7fffffffaf00) at ../../../WebCore/platform/qt/SharedTimerQt.cpp:116
#43 0x00007ffff2a76a63 in QObject::event(QEvent*) () from /usr/lib/libQtCore.so.4
#44 0x00007ffff326822c in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/lib/libQtGui.so.4
#45 0x00007ffff326e6fb in QApplication::notify(QObject*, QEvent*) () from /usr/lib/libQtGui.so.4
#46 0x00007ffff2a6706c in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/lib/libQtCore.so.4
#47 0x00007ffff2a93d42 in ?? () from /usr/lib/libQtCore.so.4
#48 0x00007ffff2a90848 in ?? () from /usr/lib/libQtCore.so.4
#49 0x00007fffefd818c2 in g_main_dispatch (context=0x51ea10) at /tmp/glib2.0.0xzuTt/glib2.0-2.24.1/glib/gmain.c:1960
#50 IA__g_main_context_dispatch (context=0x51ea10) at /tmp/glib2.0.0xzuTt/glib2.0-2.24.1/glib/gmain.c:2513
#51 0x00007fffefd85748 in g_main_context_iterate (context=0x51ea10, block=<value optimized out>, dispatch=<value optimized out>, self=<value optimized out>) at /tmp/glib2.0.0xzuTt/glib2.0-2.24.1/glib/gmain.c:2591
#52 0x00007fffefd858fc in IA__g_main_context_iteration (context=0x51ea10, may_block=1) at /tmp/glib2.0.0xzuTt/glib2.0-2.24.1/glib/gmain.c:2654
#53 0x00007ffff2a90513 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQtCore.so.4
#54 0x00007ffff331846e in ?? () from /usr/lib/libQtGui.so.4
#55 0x00007ffff2a65992 in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQtCore.so.4
#56 0x00007ffff2a65d6c in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQtCore.so.4
#57 0x00007ffff2a69aab in QCoreApplication::exec() () from /usr/lib/libQtCore.so.4
#58 0x0000000000437c58 in main (argc=205, argv=0x7fffffffb468) at /usr/local/google/home/yurys/WebKitGit/Tools/DumpRenderTree/qt/main.cpp:168
```

(In reply to comment #3)

The problem is that the style referenced from InspectorStyle::m_style is stale, even though the Element in the InspectorStyleSheetForInlineStyle::m_element field of its container is the same as the considered Element.

```
(gdb) f 1
#1  0x00007ffff6152fe6 in WebCore::InspectorStyle::buildObjectForStyle (this=0x9d7620) at ../../../WebCore/inspector/InspectorStyleSheet.cpp:141
141         propertiesObject->setString("width", m_style->getPropertyValue("width"));
(gdb) p *this->m_style
$50 = {<WebCore::StyleBase> = {<WTF::RefCounted<WebCore::StyleBase>> = {<WTF::RefCountedBase> = {m_refCount = 1131377775, m_deletionHasBegun = 97, m_adoptionIsRequired = 115}, <WTFNoncopyable::Noncopyable> = {<WTF::FastAllocBase> = {<No data fields>}, <No data fields>}, <No data fields>}, _vptr.StyleBase = 0x67207b2020202020, m_parent = 0x6f63203b3938203d}, <No data fields>}
(gdb)
```

Steps to reproduce:

1. Open attached page.
2. Open inspector and select `<div id="counter">` in the DOM tree.
3. Click Test button.
4. Select another element in the DOM tree and then return back to the div.

Result: Browser crashes.

Created attachment 77337 [details]
Test page

Created attachment 77413 [details]
Patch

With this patch applied I can't reproduce the crash above using the described scenario. I'm not sure what the reason was for not using RefPtrs from the very beginning in InspectorStyle and InspectorCSSAgent for referencing DOM elements and CSS model elements.

(In reply to comment #7)
> Created an attachment (id=77413) [details]
> Patch

Comment on attachment 77413 [details]
Patch

The change looks good, but we should be wary of holding a stale RefPtr<CSSStyleDeclaration> that has been dereferenced by the inspected page elements (this is the root cause of the crashes we are observing), which implies that most likely the data in the Web Inspector and the inspected page will be inconsistent.

(In reply to comment #9)
> (From update of attachment 77413 [details])
> The change looks good, but we should be wary of holding a stale RefPtr<CSSStyleDeclaration> that has been dereferenced by the inspected page elements (this is the root cause of the crashes we are observing), which implies that most likely the data in the Web Inspector and the inspected page will be inconsistent.

I'm pretty sure that the cause of the crash is that the StyledElement pointer is stale as well, because I was able to reproduce the crash a couple of times even with all pointers to CSS objects being RefPtrs but with a raw Element pointer in InspectorStyleSheetForInlineStyle::m_element. Anyway, incorrect behavior of the CSS inspector is a less severe issue than non-deterministic crashes of all inspector tests. You will be able to roll out this patch locally if you want to use the crashes to spot the real problem in the code.

Committed r74637: <http://trac.webkit.org/changeset/74637>
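The two failure modes discussed in the comments above (a raw pointer to a ref-counted style object that dangles once the inspected page drops it, versus a RefPtr that keeps the object alive but can go stale relative to the page) can be reproduced in miniature. The following is an added example and not WebKit's code: the `RefCounted`/`RefPtr` here are a deliberately minimal stand-in for WTF's classes, and `StyleDeclaration`, `Element`, `RawCache` and `RefPtrCache` are assumed names invented for the illustration.

```cpp
// Added example (not WebKit code): a minimal intrusive ref-count sketch in the
// spirit of WTF::RefCounted/RefPtr, showing why a raw pointer to a ref-counted
// style object dangles once the page replaces that object, while a RefPtr keeps
// it alive but can silently go stale. RefCounted, RefPtr, StyleDeclaration,
// Element, RawCache and RefPtrCache are all assumed names for this example.
#include <utility>

struct RefCounted {
    int refCount = 0;
    static int liveObjects;          // constructed minus destroyed, for the checks below
    RefCounted() { ++liveObjects; }
    virtual ~RefCounted() { --liveObjects; }
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) delete this; }
};
int RefCounted::liveObjects = 0;

// Copying a RefPtr takes a reference; destroying one drops it.
template <typename T>
class RefPtr {
    T* m_ptr = nullptr;
public:
    RefPtr() = default;
    explicit RefPtr(T* p) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& o) : m_ptr(o.m_ptr) { if (m_ptr) m_ptr->ref(); }
    RefPtr& operator=(const RefPtr& o) { RefPtr tmp(o); std::swap(m_ptr, tmp.m_ptr); return *this; }
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    T* get() const { return m_ptr; }
    T* operator->() const { return m_ptr; }
};

struct StyleDeclaration : RefCounted {
    int width;
    explicit StyleDeclaration(int w) : width(w) {}
};

// The inspected page's element owns its inline style; installing a new
// declaration releases the old one (the page's side of the scenario).
struct Element {
    RefPtr<StyleDeclaration> inlineStyle;
    void setInlineStyle(int width) { inlineStyle = RefPtr<StyleDeclaration>(new StyleDeclaration(width)); }
};

// Inspector-side cache holding a raw pointer: dangles after replacement.
struct RawCache {
    StyleDeclaration* style = nullptr;
    void capture(Element& e) { style = e.inlineStyle.get(); }
};

// Inspector-side cache holding a RefPtr: the object outlives the page's
// reference, so it is safe to read, but it may no longer match the page.
struct RefPtrCache {
    RefPtr<StyleDeclaration> style;
    void capture(Element& e) { style = e.inlineStyle; }
    bool isStale(const Element& e) const { return style.get() != e.inlineStyle.get(); }
    // Identity check before use: re-capture when the page has moved on.
    int widthOrCurrent(Element& e) { if (isStale(e)) capture(e); return style->width; }
};

// Number of declarations still alive after the page replaces the one the raw
// cache captured: 1, i.e. the cached pointer now dangles and must not be used.
int liveAfterReplacementWithRawCache() {
    int before = RefCounted::liveObjects;
    Element el; el.setInlineStyle(10);
    RawCache cache; cache.capture(el);
    el.setInlineStyle(20);           // old declaration hits refcount 0 and is deleted
    return RefCounted::liveObjects - before;   // cache.style is dangling here
}

struct RefPtrOutcome { int liveObjects; bool stale; int cachedWidth; int refreshedWidth; };

// Same scenario with a RefPtr cache: both declarations stay alive (2), the
// cached one is detectably stale, and the identity check recovers the page's value.
RefPtrOutcome outcomeWithRefPtrCache() {
    int before = RefCounted::liveObjects;
    Element el; el.setInlineStyle(10);
    RefPtrCache cache; cache.capture(el);
    el.setInlineStyle(20);           // old declaration survives: the cache still refs it
    return RefPtrOutcome{ RefCounted::liveObjects - before, cache.isStale(el),
                          cache.style->width, cache.widthOrCurrent(el) };
}
```

The RefPtr variant is what the committed patch moves towards: it turns a memory-safety bug into a data-consistency one, which is why the reviewer's caveat about stale data still applies and why an identity (or generation) check against the page's current object is the usual companion to holding the reference.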