Bug 77146

Summary: REGRESSION (r105576-r105582): Web Inspector Crash in JSC::JSValue::toString(JSC::ExecState*) const
Product: WebKit Reporter: Kevin M. Dean <kevin>
Component: Web Inspector (Deprecated)Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Critical CC: barraclough, fpizlo, ggaren
Priority: P1 Keywords: InRadar, Regression
Version: 528+ (Nightly build)   
Hardware: Mac (Intel)   
OS: OS X 10.7   
URL: http://www.amazon.com/
Attachments:
Description Flags
Crash Log
none
the patch oliver: review+

Kevin M. Dean
Reported 2012-01-26 14:55:38 PST
Created attachment 124183 [details] Crash Log Go to Amazon.com. Open Web Inspector. Switch to Resources tab. Crash... or crash if Resources was already selected. Other sites don't crash. Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x0000000106ba07f0 JSC::JSValue::toString(JSC::ExecState*) const + 32 1 com.apple.WebCore 0x0000000107020a74 WebCore::valueToStringWithNullCheck(JSC::ExecState*, JSC::JSValue) + 52 2 com.apple.WebCore 0x00000001070ed34c WebCore::setJSHTMLImageElementSrc(JSC::ExecState*, JSC::JSObject*, JSC::JSValue) + 28 3 com.apple.WebCore 0x00000001070edd6b bool JSC::lookupPut<WebCore::JSHTMLImageElement>(JSC::ExecState*, JSC::Identifier const&, JSC::JSValue, JSC::HashTable const*, WebCore::JSHTMLImageElement*, bool) + 251 4 com.apple.WebCore 0x00000001070ec68e WebCore::JSHTMLImageElement::put(JSC::JSCell*, JSC::ExecState*, JSC::Identifier const&, JSC::JSValue, JSC::PutPropertySlot&) + 62 5 com.apple.JavaScriptCore 0x0000000106928169 cti_op_put_by_id_generic + 137 6 ??? 0x00000001083c61d4 0 + 4433142228 7 com.apple.JavaScriptCore 0x00000001068f82c0 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 912 8 com.apple.JavaScriptCore 0x000000010685ff6a JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 42 9 com.apple.JavaScriptCore 0x000000010693a36e JSC::boundFunctionCall(JSC::ExecState*) + 366 10 ??? 0x00000001083a9218 0 + 4433023512 11 com.apple.JavaScriptCore 0x00000001068f82c0 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 912 12 com.apple.JavaScriptCore 0x000000010685ff6a JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 42 13 com.apple.JavaScriptCore 0x000000010693a36e JSC::boundFunctionCall(JSC::ExecState*) + 366 14 ??? 0x00000001083a9218 0 + 4433023512 15 com.apple.JavaScriptCore 0x00000001068f82c0 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 912 16 com.apple.JavaScriptCore 0x000000010685ff6a JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 42 17 com.apple.WebCore 0x000000010747d445 WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue, WebCore::ScriptExecutionContext*) + 453 18 com.apple.WebCore 0x000000010747d00c WebCore::ScheduledAction::execute(WebCore::Document*) + 156 19 com.apple.WebCore 0x0000000106d80658 WebCore::DOMTimer::fired() + 328 20 com.apple.WebCore 0x00000001075bf7e4 WebCore::ThreadTimers::sharedTimerFiredInternal() + 148 21 com.apple.WebCore 0x00000001074b6ae3 _ZN7WebCoreL10timerFiredEP16__CFRunLoopTimerPv + 51 22 com.apple.CoreFoundation 0x00007fff9400df84 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20 23 com.apple.CoreFoundation 0x00007fff9400dad6 __CFRunLoopDoTimer + 534 24 com.apple.CoreFoundation 0x00007fff93fee471 __CFRunLoopRun + 1617 25 com.apple.CoreFoundation 0x00007fff93fedae6 CFRunLoopRunSpecific + 230 26 com.apple.HIToolbox 0x00007fff9816f3d3 RunCurrentEventLoopInMode + 277 27 com.apple.HIToolbox 0x00007fff9817663d ReceiveNextEventCommon + 355 28 com.apple.HIToolbox 0x00007fff981764ca BlockUntilNextEventMatchingListInMode + 62 29 com.apple.AppKit 0x00007fff902fe3f1 _DPSNextEvent + 659 30 com.apple.AppKit 0x00007fff902fdcf5 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 135 31 com.apple.AppKit 0x00007fff902fa62d -[NSApplication run] + 470 32 com.apple.WebCore 0x000000010747832f WebCore::RunLoop::run() + 63 33 com.apple.WebKit2 0x00000001066077f0 WebKit::WebProcessMain(WebKit::CommandLine const&) + 2538 34 com.apple.WebKit2 0x00000001065be55b WebKitMain + 285 35 com.apple.WebProcess 0x00000001064f1e5f main + 219 36 com.apple.WebProcess 0x00000001064f1d7c start + 52
Attachments
Crash Log (49.27 KB, text/plain)
2012-01-26 14:55 PST, Kevin M. Dean 		no flags
Details
the patch (1.88 KB, patch)
2012-01-29 14:44 PST, Filip Pizlo 		oliver: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2012-01-26 19:35:13 PST
Filip, yours are the only relevant changes sin this range.
Filip Pizlo
Comment 2 2012-01-26 19:37:28 PST
(In reply to comment #1) > Filip, yours are the only relevant changes sin this range. Thanks for pinging me, I'll take a look right away!
Filip Pizlo
Comment 3 2012-01-27 16:01:31 PST
I no longer see this crash. I think that http://trac.webkit.org/changeset/106067 fixed it. I will verify this before closing...
Filip Pizlo
Comment 4 2012-01-27 17:25:27 PST
Correction, I can't even see it in r105582. Kevin, can you comment on how reproducible this is? Was this a one-off crash that I should see immediately, or do I really have to try this multiple times before seeing it? Do you maybe have any extensions installed or any other tabs open when you see this?
Kevin M. Dean
Comment 5 2012-01-27 17:40:05 PST
It crashes immediately when selecting the Resources tab. Also crashes with extensions disabled. However it only crashes when I'm signed into my Amazon account. If I sign out and view the home page, I can select Resources without the crash. If I sign back in, it'll crash again.
Kevin M. Dean
Comment 6 2012-01-27 17:46:34 PST
Crashes on http://www.macworld.com/ as well and I'm not logged into anything there.
Filip Pizlo
Comment 7 2012-01-27 17:47:30 PST
(In reply to comment #5) > It crashes immediately when selecting the Resources tab. Also crashes with extensions disabled. > > However it only crashes when I'm signed into my Amazon account. If I sign out and view the home page, I can select Resources without the crash. If I sign back in, it'll crash again. Just tried logging in with r105582, opening the web inspector, and selecting resources. It worked for me. :-( I'd really like to get to the bottom of this. Can you give a few more details: 1) debug build or release build, or both? 2) does it still happen in tip of tree, or is r105582 the latest revision you tested? 3) do you know for sure that it works prior to r105576?
Filip Pizlo
Comment 8 2012-01-27 17:48:20 PST
(In reply to comment #6) > Crashes on http://www.macworld.com/ as well and I'm not logged into anything there. Aha!! Perfect. I get that crash as well. Good, now I can fix it. :-) Thanks for your help in zeroing in on this, I know it's frustrating.
Kevin M. Dean
Comment 9 2012-01-27 17:53:09 PST
Here's an interesting variation. If I go to http://www.macnn.com/ Switch to Resources. Everything is fine. Switch to Elements and then with the Web Inspector still open load my Amazon or macworld bookmark, it immediately crashes on load even though the resources tab is not open. If I go to http://www.macnn.com/ and don't switch to Resources, leaving it on Elements and then go to my Amazon or macworld bookmark, it doesn't crash until I then switch to Resources.
Kevin M. Dean
Comment 10 2012-01-27 17:56:58 PST
Another odditly. If I start with a new window and open Macworld, the Resources tab won't crash if I invoke the Inspector from the menubar rather that the keyboard. But the second time I do the same, it will crash until I close the window and start with a new one again.
Kevin M. Dean
Comment 11 2012-01-27 17:59:31 PST
(In reply to comment #7) > 1) debug build or release build, or both? > > 2) does it still happen in tip of tree, or is r105582 the latest revision you tested? > > 3) do you know for sure that it works prior to r105576? 1) nightlies only 2) It happens 105582 forward to latest with random spot checks inbetween as I was narrowing that gap on when it started crashing. 3) Yes, in the few versions I tried when finding the range. I feel like good old Conflict Catcher when finding the range.
Filip Pizlo
Comment 12 2012-01-28 00:17:06 PST
<rdar://problem/10770586>
Filip Pizlo
Comment 13 2012-01-29 14:44:17 PST
Created attachment 124471 [details] the patch
Filip Pizlo
Comment 14 2012-01-29 18:40:37 PST
Landed in http://trac.webkit.org/changeset/106207
Filip Pizlo
Comment 15 2012-01-29 18:42:49 PST
(In reply to comment #11) > (In reply to comment #7) > > 1) debug build or release build, or both? > > > > 2) does it still happen in tip of tree, or is r105582 the latest revision you tested? > > > > 3) do you know for sure that it works prior to r105576? > > > 1) nightlies only > > 2) It happens 105582 forward to latest with random spot checks inbetween as I was narrowing that gap on when it started crashing. > > 3) Yes, in the few versions I tried when finding the range. I feel like good old Conflict Catcher when finding the range. Hey Kevin, I think I fixed it. I was only ever able to repro on macworld.com. With this fix, I can't repro at all. But please do reopen this bug if you still see this crash, since it's possible that the other scenarios you were pointing to (amazon.com, etc) are actually due to different bugs.
Kevin M. Dean
Comment 16 2012-01-29 18:48:08 PST
Will check the next nightly, although with it being the exact same trigger and the exact same crash log, I think one will fix the other most likely.
Geoffrey Garen
Comment 17 2012-01-30 11:02:45 PST
You need to fix this in the 32_64 JIT as well.
Kevin M. Dean
Comment 18 2012-01-30 15:28:29 PST
In r106264, I can't seem to be able to open up the Web Inspector at all anymore. Possibly related? So I can't confirm the original issue is fixed because this is blockng it.
Filip Pizlo
Comment 19 2012-01-30 15:41:46 PST
(In reply to comment #18) > In r106264, I can't seem to be able to open up the Web Inspector at all anymore. Possibly related? So I can't confirm the original issue is fixed because this is blockng it. Ouch! That's bad. I was doing my fix on 106198, and I was able to use the Web Inspector just fine. Let me try to figure out where the Web Inspector broke...
Kevin M. Dean
Comment 20 2012-01-30 16:35:09 PST
(In reply to comment #19) > Ouch! That's bad. I was doing my fix on 106198, and I was able to use the Web Inspector just fine. Let me try to figure out where the Web Inspector broke... It works for me with the previous nightly 106204, so that narrows it slightly.
Kevin M. Dean
Comment 21 2012-02-02 09:43:14 PST
(In reply to comment #15) > I think I fixed it. I was only ever able to repro on macworld.com. With this fix, I can't repro at all. But please do reopen this bug if you still see this crash, since it's possible that the other scenarios you were pointing to (amazon.com, etc) are actually due to different bugs. Now that the inspector is finally working again with r106544 I can confirm that the original issue is fixed for me at both macworld and amazon.
Note You need to log in before you can comment on or make changes to this bug.