Bug 136034 - REGRESSION: Web Inspector crashes when reloading apple.com with Timeline recording active
Status: RESOLVED FIXED
Product: WebKit
Classification: Unclassified
Component: WebCore JavaScript
Version: 528+ (Nightly build)
Hardware: All All
Priority: P2, Severity: Normal
Assignee: Michael Saboff
Reported: 2014-08-17 18:24 PDT by Brian Burg
Modified: 2014-08-20 13:31 PDT

Attachments
Patch (1.73 KB, patch)
2014-08-20 12:59 PDT, Michael Saboff
mark.lam: review+

Description Brian Burg 2014-08-17 18:24:20 PDT
Steps to reproduce:

1. Navigate to apple.com
2. Open the Web Inspector
3. Start timelines recording from the Timelines panel
4. Reload the inspected page

Looks like we try to walk the stack when creating a new profile, but one of the call frames is bogus. Possibly because this is evaluating script inside a <script> tag. However, this code has not changed on the Inspector side since January, so maybe it's fallout from the ftlopt merge. Would appreciate it if others could bisect.

Stack trace:

#0	0x0000000109e51319 in JSC::VMEntryRecord::prevTopVMEntryFrame() [inlined] at /Users/burg/repos/webkit-dev/Source/JavaScriptCore/interpreter/VMEntryRecord.h:47
#1	0x0000000109e51319 in JSC::ExecState::callerFrame(void*&) at /Users/burg/repos/webkit-dev/Source/JavaScriptCore/interpreter/CallFrame.cpp:143
#2	0x000000010a252fbf in JSC::StackVisitor::readNonInlinedFrame(JSC::ExecState*, JSC::CodeOrigin*) [inlined] at /Users/burg/repos/webkit-dev/Source/JavaScriptCore/interpreter/StackVisitor.cpp:112
#3	0x000000010a252fa3 in JSC::StackVisitor::readFrame(JSC::ExecState*) at /Users/burg/repos/webkit-dev/Source/JavaScriptCore/interpreter/StackVisitor.cpp:77
#4	0x000000010a222c8c in void JSC::StackVisitor::visit<JSC::AddParentForConsoleStartFunctor>(JSC::ExecState*, JSC::AddParentForConsoleStartFunctor&) [inlined] at /Users/burg/repos/webkit-dev/Source/JavaScriptCore/interpreter/StackVisitor.h:125
#5	0x000000010a222c84 in void JSC::ExecState::iterate<JSC::AddParentForConsoleStartFunctor>(JSC::AddParentForConsoleStartFunctor&) [inlined] at /Users/burg/repos/webkit-dev/Source/JavaScriptCore/interpreter/CallFrame.h:260
#6	0x000000010a222c84 in JSC::ProfileGenerator::addParentForConsoleStart(JSC::ExecState*) [inlined] at /Users/burg/repos/webkit-dev/Source/JavaScriptCore/profiler/ProfileGenerator.cpp:99
#7	0x000000010a222c60 in ProfileGenerator at /Users/burg/repos/webkit-dev/Source/JavaScriptCore/profiler/ProfileGenerator.cpp:55
#8	0x000000010a222ac8 in WTF::RefCounted<JSC::ProfileGenerator>::operator new(unsigned long) [inlined] at /Users/burg/repos/webkit-dev/Source/JavaScriptCore/profiler/ProfileGenerator.cpp:56
#9	0x000000010a222aaf in JSC::ProfileGenerator::create(JSC::ExecState*, WTF::String const&, unsigned int) at /Users/burg/repos/webkit-dev/Source/JavaScriptCore/profiler/ProfileGenerator.cpp:44
#10	0x000000010a14c24b in JSC::LegacyProfiler::startProfiling(JSC::ExecState*, WTF::String const&) at /Users/burg/repos/webkit-dev/Source/JavaScriptCore/profiler/LegacyProfiler.cpp:77
#11	0x000000010ab993fa in WebCore::startProfiling(JSC::ExecState*, WTF::String const&) [inlined] at /Users/burg/repos/webkit-dev/Source/WebCore/inspector/InspectorTimelineAgent.cpp:162
#12	0x000000010ab993e7 in WebCore::startProfiling(WebCore::Frame*, WTF::String const&) [inlined] at /Users/burg/repos/webkit-dev/Source/WebCore/inspector/InspectorTimelineAgent.cpp:172
#13	0x000000010ab993cc in WebCore::InspectorTimelineAgent::willEvaluateScript(WTF::String const&, int, WebCore::Frame*) at /Users/burg/repos/webkit-dev/Source/WebCore/inspector/InspectorTimelineAgent.cpp:410
#14	0x000000010ab6af3b in WebCore::InspectorInstrumentation::willEvaluateScriptImpl(WebCore::InstrumentingAgents*, WTF::String const&, int, WebCore::Frame*) at /Users/burg/repos/webkit-dev/Source/WebCore/inspector/InspectorInstrumentation.cpp:396
#15	0x000000010b1b6322 in WebCore::InspectorInstrumentation::willEvaluateScript(WebCore::Frame*, WTF::String const&, int) [inlined] at /Users/burg/repos/webkit-dev/Source/WebCore/inspector/InspectorInstrumentation.h:973
#16	0x000000010b1b62fa in WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&) at /Users/burg/repos/webkit-dev/Source/WebCore/bindings/js/ScriptController.cpp:148
#17	0x000000010b1b6379 in WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) at /Users/burg/repos/webkit-dev/Source/WebCore/bindings/js/ScriptController.cpp:168
#18	0x000000010b1bc017 in WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) at /Users/burg/repos/webkit-dev/Source/WebCore/dom/ScriptElement.cpp:301
#19	0x000000010aa95dd3 in WebCore::HTMLScriptRunner::executePendingScriptAndDispatchEvent(WebCore::PendingScript&) at /Users/burg/repos/webkit-dev/Source/WebCore/html/parser/HTMLScriptRunner.cpp:144
#20	0x000000010aa95cc9 in WebCore::HTMLScriptRunner::executeParsingBlockingScript() at /Users/burg/repos/webkit-dev/Source/WebCore/html/parser/HTMLScriptRunner.cpp:120
#21	0x000000010aa9641f in WebCore::HTMLScriptRunner::executeParsingBlockingScripts() at /Users/burg/repos/webkit-dev/Source/WebCore/html/parser/HTMLScriptRunner.cpp:195
#22	0x000000010aa43e0a in WebCore::HTMLDocumentParser::notifyFinished(WebCore::CachedResource*) at /Users/burg/repos/webkit-dev/Source/WebCore/html/parser/HTMLDocumentParser.cpp:585
#23	0x000000010a6f7955 in WebCore::CachedResource::switchClientsToRevalidatedResource() at /Users/burg/repos/webkit-dev/Source/WebCore/loader/cache/CachedResource.cpp:708
#24	0x000000010af8b02d in WebCore::MemoryCache::revalidationSucceeded(WebCore::CachedResource*, WebCore::ResourceResponse const&) at /Users/burg/repos/webkit-dev/Source/WebCore/loader/cache/MemoryCache.cpp:173
#25	0x000000010b284ede in WebCore::SubresourceLoader::didReceiveResponse(WebCore::ResourceResponse const&) at /Users/burg/repos/webkit-dev/Source/WebCore/loader/SubresourceLoader.cpp:203
#26	0x0000000109487fb8 in WebKit::WebResourceLoader::didReceiveResponseWithCertificateInfo(WebCore::ResourceResponse const&, WebCore::CertificateInfo const&, bool) at /Users/burg/repos/webkit-dev/Source/WebKit2/WebProcess/Network/WebResourceLoader.cpp:131
#27	0x000000010948891b in void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::ResourceResponse const&, WebCore::CertificateInfo const&, bool), std::__1::tuple<WebCore::ResourceResponse, WebCore::CertificateInfo, bool>, 0ul, 1ul, 2ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::ResourceResponse const&, WebCore::CertificateInfo const&, bool), std::__1::tuple<WebCore::ResourceResponse, WebCore::CertificateInfo, bool>&&, std::index_sequence<0ul, 1ul, 2ul>) [inlined] at /Users/burg/repos/webkit-dev/Source/WebKit2/Platform/IPC/HandleMessage.h:16
#28	0x00000001094888f1 in void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::ResourceResponse const&, WebCore::CertificateInfo const&, bool), std::__1::tuple<WebCore::ResourceResponse, WebCore::CertificateInfo, bool>, std::make_index_sequence<3ul> >(std::__1::tuple<WebCore::ResourceResponse, WebCore::CertificateInfo, bool>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::ResourceResponse const&, WebCore::CertificateInfo const&, bool)) [inlined] at /Users/burg/repos/webkit-dev/Source/WebKit2/Platform/IPC/HandleMessage.h:22
#29	0x00000001094888f1 in void IPC::handleMessage<Messages::WebResourceLoader::DidReceiveResponseWithCertificateInfo, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::ResourceResponse const&, WebCore::CertificateInfo const&, bool)>(IPC::MessageDecoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::ResourceResponse const&, WebCore::CertificateInfo const&, bool)) at /Users/burg/repos/webkit-dev/Source/WebKit2/Platform/IPC/HandleMessage.h:120
#30	0x0000000109488571 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection*, IPC::MessageDecoder&) at /Users/burg/repos/webkit-dev/WebKitBuild/Release/DerivedSources/WebKit2/WebResourceLoaderMessageReceiver.cpp:64
#31	0x00000001092c9ece in IPC::Connection::dispatchMessage(IPC::MessageDecoder&) [inlined] at /Users/burg/repos/webkit-dev/Source/WebKit2/Platform/IPC/Connection.cpp:809
#32	0x00000001092c9ec1 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) at /Users/burg/repos/webkit-dev/Source/WebKit2/Platform/IPC/Connection.cpp:828
#33	0x00000001092cc03a in IPC::Connection::dispatchOneMessage() at /Users/burg/repos/webkit-dev/Source/WebKit2/Platform/IPC/Connection.cpp:856
#34	0x000000010a2ddfa3 in std::__1::function<void ()>::operator()() const [inlined] at /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/../lib/c++/v1/functional:1755
#35	0x000000010a2ddf99 in WTF::RunLoop::performWork() at /Users/burg/repos/webkit-dev/Source/WTF/wtf/RunLoop.cpp:104
#36	0x000000010a2de682 in WTF::RunLoop::performWork(void*) at /Users/burg/repos/webkit-dev/Source/WTF/wtf/cf/RunLoopCF.cpp:38
#37	0x00007fff96b0e5b1 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ ()
#38	0x00007fff96affd29 in __CFRunLoopDoSources0 ()
#39	0x00007fff96aff3ef in __CFRunLoopRun ()
#40	0x00007fff96afee75 in CFRunLoopRunSpecific ()
#41	0x00007fff8ba39a0d in RunCurrentEventLoopInMode ()
#42	0x00007fff8ba397b7 in ReceiveNextEventCommon ()
#43	0x00007fff8ba395bc in _BlockUntilNextEventMatchingListInModeWithFilter ()
#44	0x00007fff8e4c424e in _DPSNextEvent ()
#45	0x00007fff8e4c389b in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#46	0x00007fff8e4b799c in -[NSApplication run] ()
#47	0x00007fff8e4a2783 in NSApplicationMain ()
#48	0x00007fff91e97c0f in _xpc_main ()
#49	0x00007fff8cc80bde in xpc_main ()
#50	0x0000000105411630 in main at /Users/burg/repos/webkit-dev/Source/WebKit2/Shared/EntryPointUtilities/mac/XPCService/XPCServiceMain.Development.mm:164
Comment 1 Michael Saboff 2014-08-19 18:23:21 PDT
Found the issue.  DebuggerCallFrame::positionForCallFrame is trying to unwind starting somewhere in the middle of the stack.  After https://trac.webkit.org/changeset/163179, Stack visiting needs to start at the top of the stack.

Patch in progress.
Comment 2 Michael Saboff 2014-08-20 12:59:16 PDT
Created attachment 236891 [details]
Patch
Comment 3 Mark Lam 2014-08-20 13:02:46 PDT
Comment on attachment 236891 [details]
Patch

r=me
Comment 4 Mark Lam 2014-08-20 13:06:06 PDT
(In reply to comment #1)
> Found the issue.  DebuggerCallFrame::positionForCallFrame is trying to unwind starting somewhere in the middle of the stack.  After https://trac.webkit.org/changeset/163179, Stack visiting needs to start at the top of the stack.

Forgot to suggest that you add the above comment into the ChangeLog to explain why the change fixes the crash. Please add it.  Thanks.
Comment 5 Michael Saboff 2014-08-20 13:28:44 PDT
Committed r172807: <http://trac.webkit.org/changeset/172807>
Comment 6 Michael Saboff 2014-08-20 13:31:43 PDT
(In reply to comment #4)
> (In reply to comment #1)
> > Found the issue.  DebuggerCallFrame::positionForCallFrame is trying to unwind starting somewhere in the middle of the stack.  After https://trac.webkit.org/changeset/163179, Stack visiting needs to start at the top of the stack.
> 
> Forgot to suggest that you add the above comment into the ChangeLog to explain why the change fixes the crash. Please add it.  Thanks.

I added the second sentence to ChangeLog before landing.