Bug 139740 - Web Inspector: [Mac] Occasional Crashes Closing Inspector
Summary: Web Inspector: [Mac] Occasional Crashes Closing Inspector
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Web Inspector (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2014-12-17 12:12 PST by Joseph Pecoraro
Modified: 2014-12-17 13:32 PST (History)
11 users (show)

See Also:

Attachments
[PATCH] Proposed Fix (5.15 KB, patch)
2014-12-17 12:28 PST, Joseph Pecoraro 		no flags Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Joseph Pecoraro 2014-12-17 12:12:25 PST 
* SUMMARY
I've been able to hit some crashes when closing Inspector Windows and using Guard Malloc.

* STEPS TO REPRODUCE
1. shell> DYLD_INSERT_LIBRARIES=/usr/lib/libgmalloc.dylib run-safari
2. Open http://bogojoker.com
3. Rapidly open/close inspector windows (e.g. hold down Cmd+Shift+I and Cmd+W occasionally when inspector window is focused)
  => Crash

* NOTES
Two frequent crash points:

(1) In WebInspectorProxy::inspectorWindowFrame using destroyed WebInspectorProxy as the client of the WKView's Page. This was because we were clearing our reference to the WKWebInspectorWKView, but it was actually kept alive by a dispatch in WKView, the WebInspectorProxy was destroyed, but still had a weak reference in the UIClient.

    - (void)_updateWindowAndViewFrames
    {
        ...
        dispatch_async(dispatch_get_main_queue(), ^{
            ...
            _data->_page->windowAndViewFramesChanged(viewFrameInWindowCoordinates, accessibilityPosition);
        });
    }

(2) In WebPageProxy::didReceiveEvent. While handling a keypress, the WebPageProxy is destroyed, and we continue and use bad objects.
Comment 1 Radar WebKit Bug Importer 2014-12-17 12:12:50 PST 
<rdar://problem/19282330>
Comment 2 Joseph Pecoraro 2014-12-17 12:28:29 PST 
Created attachment 243451 [details]
[PATCH] Proposed Fix
Comment 3 Timothy Hatcher 2014-12-17 12:44:39 PST 
Comment on attachment 243451 [details]
[PATCH] Proposed Fix

View in context: https://bugs.webkit.org/attachment.cgi?id=243451&action=review

> Source/WebKit2/UIProcess/mac/WebInspectorProxyMac.mm:296
> +        WebPageProxy* inspectorPage = toImpl(m_inspectorView.get().pageRef);
> +        inspectorPage->close();

WKView dealloc calls close(), but that assumes we hold the last ref here.
Comment 4 WebKit Commit Bot 2014-12-17 13:18:35 PST 
Comment on attachment 243451 [details]
[PATCH] Proposed Fix

Clearing flags on attachment: 243451

Committed r177459: <http://trac.webkit.org/changeset/177459>
Comment 5 WebKit Commit Bot 2014-12-17 13:18:39 PST 
All reviewed patches have been landed.  Closing bug.
Comment 6 Joseph Pecoraro 2014-12-17 13:32:10 PST 
(In reply to comment #3)
> Comment on attachment 243451 [details]
> [PATCH] Proposed Fix
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=243451&action=review
> 
> > Source/WebKit2/UIProcess/mac/WebInspectorProxyMac.mm:296
> > +        WebPageProxy* inspectorPage = toImpl(m_inspectorView.get().pageRef);
> > +        inspectorPage->close();
> 
> WKView dealloc calls close(), but that assumes we hold the last ref here.

Correct, we were not holding the lat ref, because the WKWebInspectorWKView was being retained by a dispatch_async block. =(