Summary: | REGRESSION (r125592): Crash in Console::addMessage, under InjectedBundle::reportException | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Product: | WebKit | Reporter: | Kevin M. Dean <kevin> | ||||||||
Component: | WebCore Misc. | Assignee: | Adam Barth <abarth> | ||||||||
Status: | RESOLVED FIXED | ||||||||||
Severity: | Critical | CC: | abarth, ap, jberlin, webkit.review.bot | ||||||||
Priority: | P1 | Keywords: | Regression | ||||||||
Version: | 528+ (Nightly build) | ||||||||||
Hardware: | Mac (Intel) | ||||||||||
OS: | OS X 10.8 | ||||||||||
Bug Depends on: | |||||||||||
Bug Blocks: | 94390 | ||||||||||
Attachments: |
|
Description
Kevin M. Dean
2012-08-16 07:24:38 PDT
Could you please find out which extension triggers this? Franker 1.3.1 https://code.google.com/p/franker/ If I open Webkit with Just Franker active, it'll load the webkit start page. Then if I select my Macworld bookmark it'll mostly load then crash. Perfect, this is immediately reproducible when opening macworld.com with the Franker extension installed. Adam, my bisecting shows that this started with DOMWindow::document() refactoring in r125592, would you be willing to take a look? Sure. How to I install the Franker extension? I went to https://extensions.apple.com and https://ssl.apple.com/search/?q=fanker§ion=global&geo=us but couldn't find anything named Franker. Do you have a link? https://code.google.com/p/franker/downloads/list similarly doesn't have an extension listed. There appears to be another extension exploiting the same bug since I'm periodically having crashes when just opening links from the the bug report emails or from this page. Franker is disabled. It's very likely that the null-check on line 165 of JSDOMBinding.cpp should instead check whether the DOMWindow isCurrentlyDisplayedInFrame. /me is verifying. Ok, the other extension and different test is: Maximieren 0.95 http://www.apfelquak.de/2010/06/12/maximize-safari-extension/ With this extension active, I open Webkit close the window and then go to my bug report email and click the link to open the bug page. The window starts to appear transparent and zooming to size but crashes before it completes. Created attachment 158886 [details]
fixes the problem
Created attachment 158887 [details]
fixes the problem
What's the recommended way to test bugs that only reproduce because of Safari's extension system? By the way, I believe the remaining null check on the ScriptExecutionContext isn't needed. I'm just slightly hesitant to change it since we don't appear to have much test coverage of this function. Comment on attachment 158887 [details] fixes the problem View in context: https://bugs.webkit.org/attachment.cgi?id=158887&action=review So, extensions run scripts in frameless windows? I still don't know a lot about how extensions work. I wonder if we should add a special mode for tests then, where scripts would not be blocked in frameless windows, as they normally are. > Source/WebCore/bindings/js/JSDOMBinding.cpp:167 > // scriptExecutionContext can be null when the relevant global object is a stale inner window object. > // It's harmless to return here without reporting the exception to the log and the debugger in this case. Is this still true? As we're starting with activeDOMWindow, it sounds like it can not be stale. > Is this still true? As we're starting with activeDOMWindow, it sounds like it can not be stale.
I now see that you said the same.
> So, extensions run scripts in frameless windows? I still don't know a lot about how extensions work. There shouldn't be any behavior change with after this patch. The console messages for inactive frames were getting dropped on the floor before this patch and will continue to be dropped after this patch. In more detail, DOMWindow->scriptExecutionContext used to return 0 when the DOMWindow wasn't being displayed in a Frame. r125592 changed things so that it returns a real scriptExecutionContext in these cases. Now the way you check whether the DOMWindow is being displayed in a Frame is by calling DOMWindow->isCurrentlyDisplayedInFrame. > I wonder if we should add a special mode for tests then, where scripts would not be blocked in frameless windows, as they normally are. I think there's some confusion here. Nothing has changed about whether or not scripts can run in frameless windows. > > Source/WebCore/bindings/js/JSDOMBinding.cpp:167 > > // scriptExecutionContext can be null when the relevant global object is a stale inner window object. > > // It's harmless to return here without reporting the exception to the log and the debugger in this case. > > Is this still true? As we're starting with activeDOMWindow, it sounds like it can not be stale. "stale" isn't a useful term to use in this discussion. The script that is running is associated with a particular DOMWindow. That's the DOMWindow that is currently active (i.e., running script right now). There's a separate question of whether that DOMWindow is currently displayed in a Frame. It's possible for DOMWindows that are not displayed in Frames to execute script. It's just not possible for them to add messages to the Console. > I think there's some confusion here. Nothing has changed about whether or not scripts can run in frameless windows. That's understood. > It's possible for DOMWindows that are not displayed in Frames to execute script. This is what I'm confused about. When is this possible? Looking at this patch, I thought that extensions were creating a frameless window of their own, and running scripts there. What are the cases when DOMWindows that are not displayed in Frames execute scripts? > This is what I'm confused about. When is this possible? Looking at this patch, I thought that extensions were creating a frameless window of their own, and running scripts there. What are the cases when DOMWindows that are not displayed in Frames execute scripts?
The easiest way is to have an iframe that defines a function. The parent page takes a reference to that function and then destroys the iframe. Afterwards, the parent page can still call the function from the destroyed iframe.
Another way (and this one is fairly common to do by accident) is to be executing some script that causes the iframe you're in to be destroyed (e.g., by mutating the DOM of your parent frame or by triggering a synchronous load of about:blank). After your frame is destroyed, your script continues to execute.
It's hard for me to tell what's happening in this case because Safari.framework is just calling reportException directly (i.e., there isn't any JavaScript on the stack above WebCore::reportException).
Created attachment 159034 [details]
Patch
Comment on attachment 159034 [details] Patch Clearing flags on attachment: 159034 Committed r125912: <http://trac.webkit.org/changeset/125912> All reviewed patches have been landed. Closing bug. |