RESOLVED FIXED 180590
Web Inspector: CRASH at InspectorConsoleAgent::enable when iterating mutable list of buffered console messages
https://bugs.webkit.org/show_bug.cgi?id=180590
Joseph Pecoraro
Reported 2017-12-08 11:23:37 PST
CRASH at InspectorConsoleAgent::enable when iterating mutable list of buffered console messages

> void InspectorConsoleAgent::enable()
> {
>     ...
>     size_t messageCount = m_consoleMessages.size();
>     for (size_t i = 0; i < messageCount; ++i)
>         m_consoleMessages[i]->addToFrontend(*m_frontendDispatcher, m_injectedScriptManager, false);
> }

Saw a crash in the debugger at this point:
* Original messageCount was 96
* i was 93 and the m_consoleMessages.size() was 93

This is likely only possible if logging a console message causes another console message to happen, but we shouldn't iterate a list that can mutate (m_consoleMessages).
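A stand-alone model of the failure described in the report and of the swap-then-iterate fix, added here as an illustration; it is not WebKit code. Message, ConsoleBuffer, the maxBuffered/expireStep cap that makes the buffer shrink, and the "trigger" message that re-enters log() from the frontend callback are all constructed stand-ins for ConsoleMessage, m_consoleMessages and addToFrontend(). The buggy loop indexes with at() so that the stale index throws std::out_of_range instead of reading past the end; the fixed loop takes the buffer out of the member with std::exchange and iterates the local vector by reference, so anything logged during delivery lands in the now-empty member instead of the sequence being walked.

```cpp
#include <algorithm>
#include <cstddef>
#include <initializer_list>
#include <iostream>
#include <memory>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Constructed stand-in for ConsoleMessage.
struct Message {
    std::string text;
};

// Constructed stand-in for the console agent: m_buffered plays the role of
// m_consoleMessages, m_delivered records what the "frontend" received.
class ConsoleBuffer {
public:
    ConsoleBuffer(std::size_t maxBuffered, std::size_t expireStep)
        : m_maxBuffered(maxBuffered), m_expireStep(expireStep) {}

    // Append a message; once the buffer grows past the cap, expire the oldest
    // entries. This shrink is the mutation that invalidates a snapshotted count
    // (constructed here to reproduce a size drop like the reported 96 -> 93).
    void log(std::string text) {
        m_buffered.push_back(std::make_unique<Message>(Message{std::move(text)}));
        if (m_buffered.size() > m_maxBuffered) {
            std::size_t n = std::min(m_expireStep, m_buffered.size());
            m_buffered.erase(m_buffered.begin(), m_buffered.begin() + static_cast<std::ptrdiff_t>(n));
        }
    }

    // The "frontend": records the message and, for a trigger message, logs a
    // follow-up. It is re-entrant: it calls back into log() in the middle of a flush.
    // The text is copied first because log() may destroy the Message being delivered.
    void deliver(const Message& message) {
        std::string text = message.text;
        m_delivered.push_back(text);
        if (text == "trigger")
            log("logged-while-flushing");
    }

    // Buggy flush, modelled on the pre-fix loop: snapshot the count, then index the
    // member vector that deliver() can shrink. at() throws where operator[] would
    // read out of bounds.
    std::size_t flushBuggy() {
        std::size_t messageCount = m_buffered.size();
        for (std::size_t i = 0; i < messageCount; ++i)
            deliver(*m_buffered.at(i));
        return m_delivered.size();
    }

    // Fixed flush: take ownership of the buffered list, leaving the member empty,
    // then iterate the local vector. Nothing that runs inside deliver() can touch it.
    std::size_t flushSafely() {
        auto messages = std::exchange(m_buffered, {});
        for (auto& message : messages)
            deliver(*message);
        return messages.size(); // messages originally buffered, all delivered
    }

    const std::vector<std::string>& delivered() const { return m_delivered; }
    std::size_t bufferedCount() const { return m_buffered.size(); }

private:
    std::vector<std::unique_ptr<Message>> m_buffered;
    std::vector<std::string> m_delivered;
    std::size_t m_maxBuffered;
    std::size_t m_expireStep;
};

struct FlushResult {
    bool outOfRange;                    // the loop indexed past the end
    std::vector<std::string> delivered; // what the frontend received, in order
    std::size_t leftBuffered;           // what remained in the member buffer
};

// Constructed scenario: six buffered messages (cap 6, expire 3 at a time); the
// third one re-enters log() when delivered, which shrinks the buffer to four.
ConsoleBuffer makeScenario() {
    ConsoleBuffer agent(/*maxBuffered=*/6, /*expireStep=*/3);
    for (const char* text : {"m0", "m1", "trigger", "m3", "m4", "m5"})
        agent.log(text);
    return agent;
}

// Expected: m0, m1, trigger delivered, then the index lands on the follow-up
// message (m3..m5 are silently skipped) and the fifth iteration goes out of range.
FlushResult runBuggy() {
    ConsoleBuffer agent = makeScenario();
    bool outOfRange = false;
    try {
        agent.flushBuggy();
    } catch (const std::out_of_range&) {
        outOfRange = true;
    }
    return {outOfRange, agent.delivered(), agent.bufferedCount()};
}

// Expected: all six original messages delivered in order; the message logged
// during the flush sits alone in the member buffer afterwards.
FlushResult runSafe() {
    ConsoleBuffer agent = makeScenario();
    agent.flushSafely();
    return {false, agent.delivered(), agent.bufferedCount()};
}

int main() {
    FlushResult buggy = runBuggy();
    std::cout << "buggy loop: out of range = " << std::boolalpha << buggy.outOfRange
              << ", delivered " << buggy.delivered.size() << " of 6\n";
    FlushResult safe = runSafe();
    std::cout << "safe loop: delivered " << safe.delivered.size() << " of 6, "
              << safe.leftBuffered << " logged during flush left buffered\n";
    return 0;
}
```

The second result is the caveat that goes with the fix: moving the buffer out makes the loop safe, but a message logged from inside the callback is now in the member buffer, not in the local vector, so the caller has to decide separately how such messages reach the frontend.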
Attachments
[PATCH] Proposed Fix (1.76 KB, patch)
2017-12-08 11:24 PST, Joseph Pecoraro
no flags
Joseph Pecoraro
Comment 1 2017-12-08 11:23:47 PST
Joseph Pecoraro
Comment 2 2017-12-08 11:24:53 PST
Created attachment 328839 [details] [PATCH] Proposed Fix
Mark Lam
Comment 3 2017-12-08 11:28:47 PST
Comment on attachment 328839 [details] [PATCH] Proposed Fix

r=me
WebKit Commit Bot
Comment 4 2017-12-08 12:21:31 PST
Comment on attachment 328839 [details] [PATCH] Proposed Fix

Clearing flags on attachment: 328839

Committed r225693: <https://trac.webkit.org/changeset/225693>
WebKit Commit Bot
Comment 5 2017-12-08 12:21:32 PST
All reviewed patches have been landed. Closing bug.
Darin Adler
Comment 6 2017-12-08 21:12:12 PST
Comment on attachment 328839 [details] [PATCH] Proposed Fix

View in context: https://bugs.webkit.org/attachment.cgi?id=328839&action=review

> Source/JavaScriptCore/inspector/agents/InspectorConsoleAgent.cpp:90
> + Vector<std::unique_ptr<ConsoleMessage>> messages;
> + m_consoleMessages.swap(messages);
> +
> + for (size_t i = 0; i < messages.size(); ++i)
> + messages[i]->addToFrontend(*m_frontendDispatcher, m_injectedScriptManager, false);

The above is how we used to write code like this before we had move semantics. Now we can do better:

    auto messages = WTFMove(m_consoleMessages);
    for (auto& message : messages)
        message->addToFrontend(*m_frontendDispatcher, m_injectedScriptManager, false);
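Review bot: the swap at InspectorConsoleAgent.cpp:90 fixes the out-of-range index by walking a local vector, but nothing in the hunk says that m_consoleMessages is meant to be left empty afterwards, or that a message logged from inside addToFrontend() while this loop runs is appended to that emptied member and is therefore not delivered by this loop. A one-line comment above `m_consoleMessages.swap(messages);` stating both would save the next reader from re-deriving why the buffer is taken rather than copied. Since the local is private to the loop, iterating it by reference instead of by `size_t` index also removes the last trace of the pattern that crashed.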