Go to any page. Open the Web Inspector. 0 com.apple.WebCore 0x00000001148a7af3 WebCore::Page::setGroupName(WTF::String const&) + 51 (RefPtr.h:66) 1 com.apple.WebKit2 0x000000011342ac3f WebKit::WebPage::WebPage(unsigned long long, WebKit::WebPageCreationParameters const&) + 2049 (WebPage.cpp:355) 2 com.apple.WebKit2 0x000000011342a400 WebKit::WebPage::create(unsigned long long, WebKit::WebPageCreationParameters const&) + 52 (RefPtr.h:57) 3 com.apple.WebKit2 0x0000000113481b10 WebKit::WebProcess::createWebPage(unsigned long long, WebKit::WebPageCreationParameters const&) + 112 (PassRefPtr.h:90) 4 com.apple.WebKit2 0x000000011341892c WebKit::WebInspector::createInspectorPage() + 292 (WebInspector.cpp:90) 5 com.apple.WebKit2 0x0000000113419cce WebKit::WebInspectorClient::openInspectorFrontend(WebCore::InspectorController*) + 26 (WebInspectorClient.cpp:50) 6 com.apple.WebCore 0x00000001144f5206 WebCore::InspectorController::show() + 54 (InspectorController.cpp:263) 7 com.apple.WebKit2 0x000000011341a37f WebKit::WebInspector::didReceiveWebInspectorMessage(CoreIPC::Connection*, CoreIPC::MessageDecoder&) + 83 (HandleMessage.h:14) 8 com.apple.WebKit2 0x0000000113365c9d CoreIPC::MessageReceiverMap::dispatchMessage(CoreIPC::Connection*, CoreIPC::MessageDecoder&) + 125 (MessageReceiverMap.cpp:86) 9 com.apple.WebKit2 0x0000000113481c9a WebKit::WebProcess::didReceiveMessage(CoreIPC::Connection*, CoreIPC::MessageDecoder&) + 28 (WebProcess.cpp:638) 10 com.apple.WebKit2 0x00000001133386b4 CoreIPC::Connection::dispatchMessage(std::__1::unique_ptr<CoreIPC::MessageDecoder, std::__1::default_delete<CoreIPC::MessageDecoder> >) + 94 (memory:2665) 11 com.apple.WebKit2 0x000000011333a52a CoreIPC::Connection::dispatchOneMessage() + 106 (memory:2684) 12 com.apple.JavaScriptCore 0x0000000113d68525 WTF::RunLoop::performWork() + 421 (RunLoop.cpp:106) 13 com.apple.JavaScriptCore 0x0000000113d68c02 WTF::RunLoop::performWork(void*) + 34 (RunLoopCF.cpp:39) 14 com.apple.CoreFoundation 0x00007fff88eb18f1 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17 15 com.apple.CoreFoundation 0x00007fff88ea3062 __CFRunLoopDoSources0 + 242 16 com.apple.CoreFoundation 0x00007fff88ea27ef __CFRunLoopRun + 831 17 com.apple.CoreFoundation 0x00007fff88ea2275 CFRunLoopRunSpecific + 309 18 com.apple.HIToolbox 0x00007fff8be6df0d RunCurrentEventLoopInMode + 226 19 com.apple.HIToolbox 0x00007fff8be6dcb7 ReceiveNextEventCommon + 479 20 com.apple.HIToolbox 0x00007fff8be6dabc _BlockUntilNextEventMatchingListInModeWithFilter + 65 21 com.apple.AppKit 0x00007fff8c12128e _DPSNextEvent + 1434 22 com.apple.AppKit 0x00007fff8c1208db -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 122 23 com.apple.AppKit 0x00007fff8c1149cc -[NSApplication run] + 553 24 com.apple.AppKit 0x00007fff8c0ff803 NSApplicationMain + 940 25 com.apple.XPCService 0x00007fff8d4f3c0f _xpc_main + 385 26 libxpc.dylib 0x00007fff8b361b2e xpc_main + 399 27 com.apple.WebKit.WebContent.Development 0x000000010d4416a0 main + 16 (XPCServiceMain.Development.mm:91) 28 libdyld.dylib 0x00007fff929255fd start + 1
The issue is simple, but I don't know how it didn't reproduce so far: WebInspector::createInspectorPage() sends Messages::WebInspectorProxy::CreateInspectorPage and waits in sync mode. WebInspectorProxy::CreateInspectorPage will send back two messages + the sync reply: 1. Messages::WebProcess::CreateWebPageGroup. 2. Messages::WebProcess::CreateWebPage. WebInspector::createInspectorPage wakes up when it receives the reply, but the two messages from the WebInspectorProxy::CreateInspectorPage are still pending to execute. The problem is that WebInspector::createInspectorPage forces the call to WebProcess::shared().createWebPage using the data in the sync reply. That's even though there's a pending message that will creating anyway. The crash happens when the page tries to use the PageGroup that has not been created yet. The page group creation message didn't had a chance to process.
It seems like a simple fix would be to replace the following line in WebPageProxy::initializeWebPage() m_process->send(Messages::WebProcess::CreateWebPageGroup(m_pageGroup->pageGroupID(), m_pageGroup->data()), 0); should be: m_process->send(Messages::WebProcess::CreateWebPageGroup(m_pageGroup->pageGroupID(), m_pageGroup->data()), 0, CoreIPC::DispatchMessageEvenWhenWaitingForSyncReply);
Created attachment 217842 [details] Patch V1
The patch that introduced the initial crash was rolled out :) https://bugs.webkit.org/show_bug.cgi?id=124859
<rdar://problem/15909846>
Comment on attachment 217842 [details] Patch V1 Cleared review? from attachment 217842 [details] so that this bug does not appear in http://webkit.org/pending-review. If you would like this patch reviewed, please attach it to a new bug (or re-open this bug before marking it for review again).