Bug 9731

Summary: [Drosera] crash when trying to access the scope chain
Product: WebKit Reporter: Timothy Hatcher <timothy>
Component: New Bugs
Assignee: Timothy Hatcher <timothy>
Status: CLOSED FIXED    
Severity: Major    
Priority: P2    
Version: 420+   
Hardware: Mac   
OS: OS X 10.4   
Bug Depends on:    
Bug Blocks: 9597, 9598    
Attachments:
Description Flags
Patch to fix the crash mjs: review+

Timothy Hatcher
Reported 2006-07-04 12:56:11 PDT
Drosera crashes Safari when it tries to access the scope chain. This is happening because the WebCoreScriptDebugger and one of the WebCoreScriptCallFrames is holding on to an old WebScriptObject for the frame's window. The window object is cleared each time a page loads, so the debugger needs to be detached and reattached when this happens.
Attachments
Patch to fix the crash (2.02 KB, patch)
2006-07-04 13:06 PDT, Timothy Hatcher
mjs: review+
Timothy Hatcher
Comment 1 2006-07-04 13:06:02 PDT
Created attachment 9195 [details] Patch to fix the crash
Darin Adler
Comment 2 2006-07-04 14:37:21 PDT
Comment on attachment 9195 [details] Patch to fix the crash Sounds wrong to me. The window object is cleared, yes, but it is the same window object. Why do we need to create a new WebScriptObject each time when it's the same window object?
Darin Adler
Comment 3 2006-07-04 14:52:07 PDT
Comment on attachment 9195 [details] Patch to fix the crash I talked to Tim and made it clear this is not a fix, but rather a workaround, for whatever bug he's run into. He's going to investigate further.
Timothy Hatcher
Comment 4 2006-07-04 22:39:59 PDT
Turns out this crash has the same root cause as <rdar://problem/4608404> (WebScriptObject's _executionContext has no ownership policy). Here is what Geoff had to say in the radar. "Whenever the current page changes, FrameMac::setView calls FrameMac::cleanupPluginRootObjects() (WebCore/bridge/mac/FrameMac.mm), which calls removeAllNativeReferences(), which unprotects all JSObjects that have been bound to wrappers in other languages (Java, C, Objc). The assumption in this code is that JSObjects only get bound to wrappers belonging to plug-ins, and that plug-ins go away when the page changes. This assumption is incorrect. WebKit's WebScriptObject API allows an app to embed a WebView and access its data through WebScriptObject wrappers. As long as those wrappers are alive, the data they bind should remain alive, too." I do not understand the design well enough to fix cleanupPluginRootObjects; I will leave it to Geoff. Can my patch land with a FIXME until <rdar://problem/4608404> is fixed? This fix will unblock bug 9597 and bug 9598.
Maciej Stachowiak
Comment 5 2006-07-04 22:59:28 PDT
Comment on attachment 9195 [details] Patch to fix the crash r=me
Timothy Hatcher
Comment 6 2006-07-04 23:13:01 PDT
Landed in r15159. The [_frame _detachScriptDebugger] line can be rolled out once <rdar://problem/4608404> is fixed.
Timothy Hatcher
Comment 7 2008-05-17 09:55:53 PDT
Closing since Drosera has been replaced by the new Web Inspector debugger. Moving to the New Bugs component so the Drosera component can be closed and removed.