Bug 134849 - Web Inspector: Crash when using a stale InspectableNode Node
Summary: Web Inspector: Crash when using a stale InspectableNode Node
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Web Inspector
Version: 528+ (Nightly build)
Hardware: All All
Importance: P2 Normal
Assignee: Joseph Pecoraro
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2014-07-11 16:57 PDT by Joseph Pecoraro
Modified: 2014-07-11 18:49 PDT
CC: 5 users

See Also:


Attachments
[PATCH] Proposed Fix (1.28 KB, patch)
2014-07-11 16:59 PDT, Joseph Pecoraro
no flags

Description Joseph Pecoraro 2014-07-11 16:57:45 PDT
InspectableNode has a weak pointer to a Node. It should have a RefPtr to prevent it from getting stale out from under it.

Crashed Thread:        0  Dispatch queue: com.apple.main-thread
Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x000000003394e57b

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x00007fff83201b94 WebCore::InspectorDOMAgent::nodeAsScriptValue(JSC::ExecState*, WebCore::Node*) + 132
1   com.apple.WebCore             	0x00007fff8362dc18 WebCore::InspectableNode::get(JSC::ExecState*) + 24
2   com.apple.WebCore             	0x00007fff832a0414 WebCore::JSCommandLineAPIHost::inspectedObject(JSC::ExecState*) + 164
3   ???                           	0x0000228e27e01034 0 + 37993949696052
4   com.apple.JavaScriptCore      	0x00007fff8d22b4ae llint_entry + 22744
5   com.apple.JavaScriptCore      	0x00007fff8d22b678 llint_entry + 23202
6   com.apple.JavaScriptCore      	0x00007fff8d2259b1 callToJavaScript + 311
...


* STEPS TO REPRODUCE
1. Inspect attached [crash-reduction.html]
2. Show DOM Tree
3. Expand <body>
4. Select the <h1> (it will be deleted in a second)
5. Trigger a garbage collection
6. js> $1
  => CRASH

<rdar://problem/14540951>
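The lifetime problem the description names, as an added example that is not part of WebKit or of this bug's patch: a toy intrusive ref-counted Node with a minimal RefPtr, and two holder shapes, one that keeps only a raw pointer (the stale-pointer case in the crash above) and one that keeps a RefPtr (the fix the description asks for). Node, RefPtr, WeakInspectableNode, StrongInspectableNode and the two liveNodesAfterRelease... functions are names chosen for this example; the real WebCore classes differ.

```cpp
// Added example, not WebKit code. All class and function names here are
// hypothetical stand-ins for the WebCore types named in the bug.
#include <cstddef>
#include <cstdio>

class Node {
public:
    Node() { ++s_liveCount; }
    ~Node() { --s_liveCount; }

    void ref() { ++m_refCount; }
    void deref() {
        if (--m_refCount == 0)
            delete this;
    }

    // Number of Node objects currently alive. The example observes this
    // instead of dereferencing a pointer that may already be dangling.
    static std::size_t liveCount() { return s_liveCount; }

private:
    unsigned m_refCount { 0 };
    static std::size_t s_liveCount;
};
std::size_t Node::s_liveCount = 0;

// Minimal RefPtr: owns exactly one reference for as long as it is non-null.
template<typename T>
class RefPtr {
public:
    RefPtr() = default;
    explicit RefPtr(T* ptr) : m_ptr(ptr) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& other) : m_ptr(other.m_ptr) { if (m_ptr) m_ptr->ref(); }
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    RefPtr& operator=(const RefPtr& other) {
        if (other.m_ptr) other.m_ptr->ref();   // ref first: safe for self-assignment
        if (m_ptr) m_ptr->deref();
        m_ptr = other.m_ptr;
        return *this;
    }
    void clear() { if (m_ptr) m_ptr->deref(); m_ptr = nullptr; }
    T* get() const { return m_ptr; }
private:
    T* m_ptr { nullptr };
};

// The buggy shape: the holder remembers only the address, so the Node can be
// freed out from under it when its last real owner lets go.
class WeakInspectableNode {
public:
    explicit WeakInspectableNode(Node* node) : m_node(node) { }
    Node* get() const { return m_node; }   // may dangle after the owner releases
private:
    Node* m_node;
};

// The fixed shape: the holder contributes a reference of its own, so the Node
// stays alive until the holder is cleared or destroyed.
class StrongInspectableNode {
public:
    explicit StrongInspectableNode(Node* node) : m_node(node) { }
    Node* get() const { return m_node.get(); }
private:
    RefPtr<Node> m_node;
};

// Live Nodes after the owning "document" releases the node while a weak
// holder still points at it. Returns 0: the holder's pointer is now stale.
std::size_t liveNodesAfterReleaseWithWeakHolder() {
    RefPtr<Node> document(new Node());      // the document owns the node
    WeakInspectableNode inspected(document.get());
    document.clear();                       // stands in for the node being collected
    return Node::liveCount();               // inspected.get() would be a use-after-free
}

// Same sequence with a strong holder. Returns 1: the Node survives the release.
std::size_t liveNodesAfterReleaseWithStrongHolder() {
    RefPtr<Node> document(new Node());
    StrongInspectableNode inspected(document.get());
    document.clear();
    return Node::liveCount();               // node freed only when inspected goes away
}

int main() {
    std::printf("weak holder:   %zu live node(s) after release\n", liveNodesAfterReleaseWithWeakHolder());
    std::printf("strong holder: %zu live node(s) after release\n", liveNodesAfterReleaseWithStrongHolder());
    return 0;
}
```

The example deliberately never dereferences the stale pointer; it reports Node::liveCount() instead, because reading through that pointer is exactly the EXC_BAD_ACCESS in the report and has no defined result to assert on. The point it shows is the one the description makes: whichever object holds an inspected node across a garbage collection must hold a strong reference, or the node's address can be freed while the holder still hands it out.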
Comment 1 Joseph Pecoraro 2014-07-11 16:59:15 PDT
Created attachment 234792 [details]
[PATCH] Proposed Fix

If needed I could probably create a test for this.
Comment 2 WebKit Commit Bot 2014-07-11 18:49:34 PDT
Comment on attachment 234792 [details]
[PATCH] Proposed Fix

Clearing flags on attachment: 234792

Committed r171018: <http://trac.webkit.org/changeset/171018>
Comment 3 WebKit Commit Bot 2014-07-11 18:49:36 PDT
All reviewed patches have been landed.  Closing bug.