| Field | Value |
|---|---|
| Summary | REGRESSION (r105576-r105582): Web Inspector Crash in JSC::JSValue::toString(JSC::ExecState*) const |
| Product | WebKit |
| Reporter | Kevin M. Dean <kevin> |
| Component | Web Inspector (Deprecated) |
| Assignee | Nobody <webkit-unassigned> |
| Status | RESOLVED FIXED |
| Severity | Critical |
| CC | barraclough, fpizlo, ggaren |
| Priority | P1 |
| Keywords | InRadar, Regression |
| Version | 528+ (Nightly build) |
| Hardware | Mac (Intel) |
| OS | OS X 10.7 |
| URL | http://www.amazon.com/ |
| Attachments | 124183 (Crash Log), 124471 (the patch) |
Comment #0 (Description):

Created attachment 124183 [details]
Crash Log

Go to Amazon.com. Open Web Inspector. Switch to Resources tab. Crash... or crash if Resources was already selected. Other sites don't crash.

```
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore          0x0000000106ba07f0 JSC::JSValue::toString(JSC::ExecState*) const + 32
1   com.apple.WebCore          0x0000000107020a74 WebCore::valueToStringWithNullCheck(JSC::ExecState*, JSC::JSValue) + 52
2   com.apple.WebCore          0x00000001070ed34c WebCore::setJSHTMLImageElementSrc(JSC::ExecState*, JSC::JSObject*, JSC::JSValue) + 28
3   com.apple.WebCore          0x00000001070edd6b bool JSC::lookupPut<WebCore::JSHTMLImageElement>(JSC::ExecState*, JSC::Identifier const&, JSC::JSValue, JSC::HashTable const*, WebCore::JSHTMLImageElement*, bool) + 251
4   com.apple.WebCore          0x00000001070ec68e WebCore::JSHTMLImageElement::put(JSC::JSCell*, JSC::ExecState*, JSC::Identifier const&, JSC::JSValue, JSC::PutPropertySlot&) + 62
5   com.apple.JavaScriptCore   0x0000000106928169 cti_op_put_by_id_generic + 137
6   ???                        0x00000001083c61d4 0 + 4433142228
7   com.apple.JavaScriptCore   0x00000001068f82c0 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 912
8   com.apple.JavaScriptCore   0x000000010685ff6a JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 42
9   com.apple.JavaScriptCore   0x000000010693a36e JSC::boundFunctionCall(JSC::ExecState*) + 366
10  ???                        0x00000001083a9218 0 + 4433023512
11  com.apple.JavaScriptCore   0x00000001068f82c0 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 912
12  com.apple.JavaScriptCore   0x000000010685ff6a JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 42
13  com.apple.JavaScriptCore   0x000000010693a36e JSC::boundFunctionCall(JSC::ExecState*) + 366
14  ???                        0x00000001083a9218 0 + 4433023512
15  com.apple.JavaScriptCore   0x00000001068f82c0 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 912
16  com.apple.JavaScriptCore   0x000000010685ff6a JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 42
17  com.apple.WebCore          0x000000010747d445 WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue, WebCore::ScriptExecutionContext*) + 453
18  com.apple.WebCore          0x000000010747d00c WebCore::ScheduledAction::execute(WebCore::Document*) + 156
19  com.apple.WebCore          0x0000000106d80658 WebCore::DOMTimer::fired() + 328
20  com.apple.WebCore          0x00000001075bf7e4 WebCore::ThreadTimers::sharedTimerFiredInternal() + 148
21  com.apple.WebCore          0x00000001074b6ae3 _ZN7WebCoreL10timerFiredEP16__CFRunLoopTimerPv + 51
22  com.apple.CoreFoundation   0x00007fff9400df84 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
23  com.apple.CoreFoundation   0x00007fff9400dad6 __CFRunLoopDoTimer + 534
24  com.apple.CoreFoundation   0x00007fff93fee471 __CFRunLoopRun + 1617
25  com.apple.CoreFoundation   0x00007fff93fedae6 CFRunLoopRunSpecific + 230
26  com.apple.HIToolbox        0x00007fff9816f3d3 RunCurrentEventLoopInMode + 277
27  com.apple.HIToolbox        0x00007fff9817663d ReceiveNextEventCommon + 355
28  com.apple.HIToolbox        0x00007fff981764ca BlockUntilNextEventMatchingListInMode + 62
29  com.apple.AppKit           0x00007fff902fe3f1 _DPSNextEvent + 659
30  com.apple.AppKit           0x00007fff902fdcf5 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 135
31  com.apple.AppKit           0x00007fff902fa62d -[NSApplication run] + 470
32  com.apple.WebCore          0x000000010747832f WebCore::RunLoop::run() + 63
33  com.apple.WebKit2          0x00000001066077f0 WebKit::WebProcessMain(WebKit::CommandLine const&) + 2538
34  com.apple.WebKit2          0x00000001065be55b WebKitMain + 285
35  com.apple.WebProcess       0x00000001064f1e5f main + 219
36  com.apple.WebProcess       0x00000001064f1d7c start + 52
```

Comment #1:

Filip, yours are the only relevant changes in this range.

Comment #2:

(In reply to comment #1)
> Filip, yours are the only relevant changes in this range.

Thanks for pinging me, I'll take a look right away!

Comment #3:

I no longer see this crash. I think that http://trac.webkit.org/changeset/106067 fixed it. I will verify this before closing...

Comment #4:

Correction, I can't even see it in r105582.

Kevin, can you comment on how reproducible this is? Was this a one-off crash that I should see immediately, or do I really have to try this multiple times before seeing it? Do you maybe have any extensions installed or any other tabs open when you see this?

Comment #5:

It crashes immediately when selecting the Resources tab. Also crashes with extensions disabled.

However it only crashes when I'm signed into my Amazon account. If I sign out and view the home page, I can select Resources without the crash. If I sign back in, it'll crash again.

Comment #6:

Crashes on http://www.macworld.com/ as well and I'm not logged into anything there.

Comment #7:

(In reply to comment #5)
> It crashes immediately when selecting the Resources tab. Also crashes with extensions disabled.
>
> However it only crashes when I'm signed into my Amazon account. If I sign out and view the home page, I can select Resources without the crash. If I sign back in, it'll crash again.

Just tried logging in with r105582, opening the web inspector, and selecting resources. It worked for me. :-(

I'd really like to get to the bottom of this. Can you give a few more details:

1) debug build or release build, or both?

2) does it still happen in tip of tree, or is r105582 the latest revision you tested?

3) do you know for sure that it works prior to r105576?

Comment #8:

(In reply to comment #6)
> Crashes on http://www.macworld.com/ as well and I'm not logged into anything there.

Aha!! Perfect. I get that crash as well. Good, now I can fix it. :-)

Thanks for your help in zeroing in on this, I know it's frustrating.

Comment #9:

Here's an interesting variation.

If I go to http://www.macnn.com/ and switch to Resources, everything is fine. Switch to Elements and then, with the Web Inspector still open, load my Amazon or macworld bookmark: it immediately crashes on load even though the Resources tab is not open.

If I go to http://www.macnn.com/ and don't switch to Resources, leaving it on Elements, and then go to my Amazon or macworld bookmark, it doesn't crash until I then switch to Resources.

Comment #10:

Another oddity. If I start with a new window and open Macworld, the Resources tab won't crash if I invoke the Inspector from the menubar rather than the keyboard. But the second time I do the same, it will crash until I close the window and start with a new one again.

Comment #11:

(In reply to comment #7)
> 1) debug build or release build, or both?
>
> 2) does it still happen in tip of tree, or is r105582 the latest revision you tested?
>
> 3) do you know for sure that it works prior to r105576?

1) nightlies only

2) It happens from 105582 forward to latest, with random spot checks in between as I was narrowing that gap on when it started crashing.

3) Yes, in the few versions I tried when finding the range. I feel like good old Conflict Catcher when finding the range.

Comment #12:

Created attachment 124471 [details]
the patch

Comment #13:

Landed in http://trac.webkit.org/changeset/106207

Comment #15:

(In reply to comment #11)
> (In reply to comment #7)
> > 1) debug build or release build, or both?
> >
> > 2) does it still happen in tip of tree, or is r105582 the latest revision you tested?
> >
> > 3) do you know for sure that it works prior to r105576?
>
> 1) nightlies only
>
> 2) It happens from 105582 forward to latest, with random spot checks in between as I was narrowing that gap on when it started crashing.
>
> 3) Yes, in the few versions I tried when finding the range. I feel like good old Conflict Catcher when finding the range.

Hey Kevin, I think I fixed it. I was only ever able to repro on macworld.com. With this fix, I can't repro at all. But please do reopen this bug if you still see this crash, since it's possible that the other scenarios you were pointing to (amazon.com, etc) are actually due to different bugs.

Comment #16:

Will check the next nightly, although with it being the exact same trigger and the exact same crash log, I think one will fix the other most likely.

Comment #17:

You need to fix this in the 32_64 JIT as well.

Comment #18:

In r106264, I can't seem to be able to open up the Web Inspector at all anymore. Possibly related? So I can't confirm the original issue is fixed because this is blocking it.

Comment #19:

(In reply to comment #18)
> In r106264, I can't seem to be able to open up the Web Inspector at all anymore. Possibly related? So I can't confirm the original issue is fixed because this is blocking it.

Ouch! That's bad. I was doing my fix on 106198, and I was able to use the Web Inspector just fine. Let me try to figure out where the Web Inspector broke...

Comment #20:

(In reply to comment #19)
> Ouch! That's bad. I was doing my fix on 106198, and I was able to use the Web Inspector just fine. Let me try to figure out where the Web Inspector broke...

It works for me with the previous nightly 106204, so that narrows it slightly.

Comment #21:

(In reply to comment #15)
> I think I fixed it. I was only ever able to repro on macworld.com.
> With this fix, I can't repro at all. But please do reopen this bug if you still see this crash, since it's possible that the other scenarios you were pointing to (amazon.com, etc) are actually due to different bugs.

Now that the inspector is finally working again with r106544 I can confirm that the original issue is fixed for me at both macworld and amazon.
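The backtrace in this bug's description passes through JIT-generated code: the `???` frame sits between `cti_op_put_by_id_generic` and `JSC::Interpreter::executeCall`, which is what a triager wants to see at a glance, and it matters here because a later comment in the thread points out that the fix was also needed in the 32_64 JIT. The Python script below is an added example, not code from the bug report or from WebKit: it parses the frame lines of a Mac crash log, skips the thread header, and summarizes the faulting frame plus the runtime routines on either side of the first unsymbolized frame. The sample backtrace is frames 0-10 copied from the attachment; `Frame`, `parse_backtrace` and `triage` are names chosen for this example, and treating `???` frames as JIT code is an assumption that holds for a WebKit web process but not for every application.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: frames 0-10 of the backtrace attached to this bug,
# reflowed one frame per line as a Mac crash log prints them.
SAMPLE_BACKTRACE = """\
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore   0x0000000106ba07f0 JSC::JSValue::toString(JSC::ExecState*) const + 32
1   com.apple.WebCore   0x0000000107020a74 WebCore::valueToStringWithNullCheck(JSC::ExecState*, JSC::JSValue) + 52
2   com.apple.WebCore   0x00000001070ed34c WebCore::setJSHTMLImageElementSrc(JSC::ExecState*, JSC::JSObject*, JSC::JSValue) + 28
3   com.apple.WebCore   0x00000001070edd6b bool JSC::lookupPut<WebCore::JSHTMLImageElement>(JSC::ExecState*, JSC::Identifier const&, JSC::JSValue, JSC::HashTable const*, WebCore::JSHTMLImageElement*, bool) + 251
4   com.apple.WebCore   0x00000001070ec68e WebCore::JSHTMLImageElement::put(JSC::JSCell*, JSC::ExecState*, JSC::Identifier const&, JSC::JSValue, JSC::PutPropertySlot&) + 62
5   com.apple.JavaScriptCore   0x0000000106928169 cti_op_put_by_id_generic + 137
6   ???   0x00000001083c61d4 0 + 4433142228
7   com.apple.JavaScriptCore   0x00000001068f82c0 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 912
8   com.apple.JavaScriptCore   0x000000010685ff6a JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 42
9   com.apple.JavaScriptCore   0x000000010693a36e JSC::boundFunctionCall(JSC::ExecState*) + 366
10  ???   0x00000001083a9218 0 + 4433023512
"""

# One frame line: index, image, address, symbol (may contain spaces), offset.
FRAME_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(.*?)\s\+\s(\d+)\s*$")


@dataclass
class Frame:
    index: int
    image: str
    address: int
    symbol: str
    offset: int

    @property
    def is_unsymbolized(self) -> bool:
        # '???' means the address belongs to no loaded binary. In a WebKit web
        # process that is JIT-generated code (assumption; not true of every app).
        return self.image == "???"


def parse_backtrace(text: str) -> List[Frame]:
    """Parse the frame lines of one thread; header lines are skipped."""
    frames: List[Frame] = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        idx, image, addr, sym, off = m.groups()
        frames.append(Frame(int(idx), image, int(addr, 16), sym, int(off)))
    return frames


def triage(frames: List[Frame]) -> Dict[str, object]:
    """The first facts a triager wants: the faulting frame, whether execution
    passed through JIT code, and which runtime routines sit on either side of
    the first JIT frame (frame N-1 was called by it, frame N+1 entered it)."""
    if not frames:
        raise ValueError("no frames parsed")
    by_index = {f.index: f for f in frames}
    jit = [f.index for f in frames if f.is_unsymbolized]
    summary: Dict[str, object] = {
        "crashing_symbol": frames[0].symbol,
        "crashing_image": frames[0].image,
        "jit_frames": jit,
        "jit_callee": None,  # runtime routine the JIT code called into
        "jit_caller": None,  # runtime routine that entered the JIT code
        "images": sorted({f.image for f in frames if not f.is_unsymbolized}),
    }
    if jit:
        callee = by_index.get(jit[0] - 1)
        caller = by_index.get(jit[0] + 1)
        summary["jit_callee"] = callee.symbol if callee else None
        summary["jit_caller"] = caller.symbol if caller else None
    return summary


if __name__ == "__main__":
    for key, value in triage(parse_backtrace(SAMPLE_BACKTRACE)).items():
        print(f"{key}: {value}")
```

Run as a script it prints the summary for the sample; fed the full attachment, the `executeCall` / `call` / `boundFunctionCall` / `???` sequence repeats, so it reports JIT frames 6, 10 and 14, which is how nested bound-function calls through JIT code show up in this kind of log.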