Bug 18371 - Crash in KJS::JSValue::toObject closing Safari with Inspector open
Summary: Crash in KJS::JSValue::toObject closing Safari with Inspector open
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Web Inspector (Deprecated)
Version: 528+ (Nightly build)
Hardware: All All
Importance: P1 Normal
Assignee: Timothy Hatcher
URL:
Keywords: Regression
Depends on:
Blocks:
Reported: 2008-04-08 16:18 PDT by Matt Lilek
Modified: 2008-04-08 17:09 PDT (History)
CC List: 2 users

See Also:


Attachments
Crash log (32.43 KB, text/plain)
2008-04-08 16:22 PDT, Matt Lilek
Patch (3.17 KB, patch)
2008-04-08 16:55 PDT, Timothy Hatcher
aroben: review+

Description Matt Lilek 2008-04-08 16:18:24 PDT
Closing Safari with the new inspector open causes the browser to crash:

Thread 0 Crashed:
0   com.apple.JavaScriptCore      	0x0047d805 KJS::JSValue::toObject(KJS::ExecState*) const + 57 (value.h:458)
1   com.apple.JavaScriptCore      	0x0047e926 KJS::DotAccessorNode::inlineEvaluate(KJS::ExecState*) + 108 (nodes.cpp:961)
2   com.apple.JavaScriptCore      	0x004340e4 KJS::DotAccessorNode::evaluate(KJS::ExecState*) + 30 (nodes.cpp:967)
3   com.apple.JavaScriptCore      	0x004316ea KJS::AssignLocalVarNode::evaluate(KJS::ExecState*) + 144 (nodes.cpp:3559)
4   com.apple.JavaScriptCore      	0x00430b2b KJS::VarStatementNode::execute(KJS::ExecState*) + 43 (nodes.cpp:4015)
5   com.apple.JavaScriptCore      	0x004143bd KJS::statementListExecute(WTF::Vector<WTF::RefPtr<KJS::StatementNode>, 0ul>&, KJS::ExecState*) + 85 (nodes.cpp:3951)
6   com.apple.JavaScriptCore      	0x0041444a KJS::BlockNode::execute(KJS::ExecState*) + 26 (nodes.cpp:3977)
7   com.apple.JavaScriptCore      	0x00421f5a KJS::FunctionBodyNode::execute(KJS::ExecState*) + 34 (nodes.cpp:4896)
8   com.apple.JavaScriptCore      	0x0042266a KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 116 (function.cpp:77)
9   com.apple.JavaScriptCore      	0x0042a1de KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:96)
10  com.apple.JavaScriptCore      	0x0047fe5a KJS::FunctionCallDotNode::inlineEvaluate(KJS::ExecState*) + 800 (nodes.cpp:1500)
11  com.apple.JavaScriptCore      	0x0044118e KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 30 (nodes.cpp:1506)
12  com.apple.JavaScriptCore      	0x00430b95 KJS::ExprStatementNode::execute(KJS::ExecState*) + 43 (nodes.cpp:3998)
13  com.apple.JavaScriptCore      	0x00430ae3 KJS::IfNode::execute(KJS::ExecState*) + 121 (nodes.cpp:4035)
14  com.apple.JavaScriptCore      	0x004143bd KJS::statementListExecute(WTF::Vector<WTF::RefPtr<KJS::StatementNode>, 0ul>&, KJS::ExecState*) + 85 (nodes.cpp:3951)
15  com.apple.JavaScriptCore      	0x0041444a KJS::BlockNode::execute(KJS::ExecState*) + 26 (nodes.cpp:3977)
16  com.apple.JavaScriptCore      	0x004302d0 KJS::ForInNode::execute(KJS::ExecState*) + 1686 (nodes.cpp:4297)
17  com.apple.JavaScriptCore      	0x004143bd KJS::statementListExecute(WTF::Vector<WTF::RefPtr<KJS::StatementNode>, 0ul>&, KJS::ExecState*) + 85 (nodes.cpp:3951)
18  com.apple.JavaScriptCore      	0x0041444a KJS::BlockNode::execute(KJS::ExecState*) + 26 (nodes.cpp:3977)
19  com.apple.JavaScriptCore      	0x00421f5a KJS::FunctionBodyNode::execute(KJS::ExecState*) + 34 (nodes.cpp:4896)
20  com.apple.JavaScriptCore      	0x0042266a KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 116 (function.cpp:77)
21  com.apple.JavaScriptCore      	0x0042a1de KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:96)
22  com.apple.JavaScriptCore      	0x0048d643 JSObjectCallAsFunction + 179 (JSObjectRef.cpp:295)
23  com.apple.WebCore             	0x01df9fec WebCore::InspectorController::callSimpleFunction(OpaqueJSContext const*, OpaqueJSValue*, char const*) const + 408 (InspectorController.cpp:92)
24  com.apple.WebCore             	0x01dfa1ab WebCore::InspectorController::resetScriptObjects() + 371 (InspectorController.cpp:1561)
25  com.apple.WebCore             	0x01dfe47a WebCore::InspectorController::setWindowVisible(bool) + 178 (InspectorController.cpp:856)
26  com.apple.WebKit              	0x001eaff2 -[WebInspectorWindowController close] + 92 (WebInspectorClient.mm:272)
27  com.apple.WebKit              	0x001e8d79 WebInspectorClient::closeWindow() + 49 (WebInspectorClient.mm:113)
28  com.apple.WebCore             	0x01df6aab WebCore::InspectorController::close() + 59 (InspectorController.cpp:1016)
29  com.apple.WebCore             	0x01df6b85 WebCore::unloading(OpaqueJSContext const*, OpaqueJSValue*, OpaqueJSValue*, unsigned long, OpaqueJSValue const* const*, OpaqueJSValue const**) + 53 (InspectorController.cpp:471)
30  com.apple.JavaScriptCore      	0x00482361 KJS::JSCallbackFunction::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 241 (JSCallbackFunction.cpp:65)
31  com.apple.JavaScriptCore      	0x0042a1de KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:96)
32  com.apple.JavaScriptCore      	0x0047fe5a KJS::FunctionCallDotNode::inlineEvaluate(KJS::ExecState*) + 800 (nodes.cpp:1500)
33  com.apple.JavaScriptCore      	0x0044118e KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 30 (nodes.cpp:1506)
34  com.apple.JavaScriptCore      	0x00430b95 KJS::ExprStatementNode::execute(KJS::ExecState*) + 43 (nodes.cpp:3998)
35  com.apple.JavaScriptCore      	0x004143bd KJS::statementListExecute(WTF::Vector<WTF::RefPtr<KJS::StatementNode>, 0ul>&, KJS::ExecState*) + 85 (nodes.cpp:3951)
36  com.apple.JavaScriptCore      	0x0041444a KJS::BlockNode::execute(KJS::ExecState*) + 26 (nodes.cpp:3977)
37  com.apple.JavaScriptCore      	0x00421f5a KJS::FunctionBodyNode::execute(KJS::ExecState*) + 34 (nodes.cpp:4896)
38  com.apple.JavaScriptCore      	0x0042266a KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 116 (function.cpp:77)
39  com.apple.JavaScriptCore      	0x0042a1de KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:96)
40  com.apple.JavaScriptCore      	0x0042c45e KJS::functionProtoFuncApply(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 440 (function_object.cpp:107)
41  com.apple.JavaScriptCore      	0x00408866 KJS::PrototypeFunction::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 34 (function.cpp:889)
42  com.apple.JavaScriptCore      	0x0042a1de KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:96)
43  com.apple.JavaScriptCore      	0x0047fe5a KJS::FunctionCallDotNode::inlineEvaluate(KJS::ExecState*) + 800 (nodes.cpp:1500)
44  com.apple.JavaScriptCore      	0x0044118e KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 30 (nodes.cpp:1506)
45  com.apple.JavaScriptCore      	0x0042fbf0 KJS::ReturnNode::execute(KJS::ExecState*) + 148 (nodes.cpp:4359)
46  com.apple.JavaScriptCore      	0x004143bd KJS::statementListExecute(WTF::Vector<WTF::RefPtr<KJS::StatementNode>, 0ul>&, KJS::ExecState*) + 85 (nodes.cpp:3951)
47  com.apple.JavaScriptCore      	0x0041444a KJS::BlockNode::execute(KJS::ExecState*) + 26 (nodes.cpp:3977)
48  com.apple.JavaScriptCore      	0x00421f5a KJS::FunctionBodyNode::execute(KJS::ExecState*) + 34 (nodes.cpp:4896)
49  com.apple.JavaScriptCore      	0x0042266a KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 116 (function.cpp:77)
50  com.apple.JavaScriptCore      	0x0042a1de KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:96)
51  com.apple.WebCore             	0x0217a432 WebCore::JSAbstractEventListener::handleEvent(WebCore::Event*, bool) + 662 (kjs_events.cpp:101)
52  com.apple.WebCore             	0x01caba65 WebCore::Document::handleWindowEvent(WebCore::Event*, bool) + 281 (Document.cpp:2586)
53  com.apple.WebCore             	0x01cf75fc WebCore::EventTargetNode::dispatchWindowEvent(WebCore::AtomicString const&, bool, bool) + 288 (EventTargetNode.cpp:144)
54  com.apple.WebCore             	0x01d368ad WebCore::FrameLoader::stopLoading(bool) + 291 (FrameLoader.cpp:588)
55  com.apple.WebCore             	0x01d36f2c WebCore::FrameLoader::closeURL() + 36 (FrameLoader.cpp:659)
56  com.apple.WebCore             	0x01d36f6e WebCore::FrameLoader::detachFromParent() + 38 (FrameLoader.cpp:3358)
57  com.apple.WebKit              	0x0022884c -[WebView(WebPrivate) _close] + 108 (WebView.mm:695)
58  com.apple.WebKit              	0x00219992 -[WebView close] + 36 (WebView.mm:2010)
59  com.apple.WebKit              	0x001e8d29 WebInspectorClient::inspectorDestroyed() + 71 (WebInspectorClient.mm:85)
60  com.apple.WebCore             	0x01dfbbdb WebCore::InspectorController::~InspectorController() + 37 (InspectorController.cpp:711)
61  com.apple.WebCore             	0x01f2b979 void WTF::deleteOwnedPtr<WebCore::InspectorController>(WebCore::InspectorController*) + 29 (OwnPtr.h:52)
62  com.apple.WebCore             	0x01f2b99f WTF::OwnPtr<WebCore::InspectorController>::~OwnPtr() + 19 (OwnPtr.h:70)
63  com.apple.WebCore             	0x01f295de WebCore::Page::~Page() + 438
64  com.apple.WebKit              	0x002289da -[WebView(WebPrivate) _close] + 506 (WebView.mm:718)
65  com.apple.Safari              	0x0003bde6 0x1000 + 241126
66  com.apple.Safari              	0x0003b9b0 0x1000 + 240048
67  com.apple.WebKit              	0x00219992 -[WebView close] + 36 (WebView.mm:2010)
68  com.apple.Safari              	0x0003b7c3 0x1000 + 239555
69  com.apple.Safari              	0x0003b669 0x1000 + 239209
70  com.apple.AppKit              	0x908e7da9 -[NSWindowController _windowDidClose] + 220
71  com.apple.Safari              	0x0003b074 0x1000 + 237684
72  com.apple.Safari              	0x0003afd2 0x1000 + 237522
73  com.apple.CoreFoundation      	0x91367d85 -[NSArray makeObjectsPerformSelector:] + 565
74  com.apple.AppKit              	0x909192af -[NSApplication _deallocHardCore:] + 433
75  com.apple.AppKit              	0x90917fce -[NSApplication terminate:] + 742
76  com.apple.AppKit              	0x90838e56 -[NSApplication sendAction:to:from:] + 112
77  com.apple.Safari              	0x0002ce08 0x1000 + 179720
78  com.apple.AppKit              	0x908e77cc -[NSMenu performActionForItemAtIndex:] + 493
79  com.apple.AppKit              	0x908e74d1 -[NSCarbonMenuImpl performActionWithHighlightingForItemAtIndex:] + 220
80  com.apple.AppKit              	0x908e7157 -[NSMenu performKeyEquivalent:] + 866
81  com.apple.AppKit              	0x908e59fd -[NSApplication _handleKeyEquivalent:] + 492
82  com.apple.AppKit              	0x90802b36 -[NSApplication sendEvent:] + 3838
83  com.apple.Safari              	0x0002af88 0x1000 + 171912
84  com.apple.AppKit              	0x907600f9 -[NSApplication run] + 847
85  com.apple.AppKit              	0x9072d30a NSApplicationMain + 574
86  com.apple.Safari              	0x000b9a76 0x1000 + 756342
Comment 1 Matt Lilek 2008-04-08 16:22:28 PDT
Created attachment 20414 [details]
Crash log

Crash log for easier reading
Comment 2 Adam Roben (:aroben) 2008-04-08 16:37:21 PDT
I get this crash on Windows as well.
Comment 3 Adam Roben (:aroben) 2008-04-08 16:38:44 PDT
Looks like we're crashing inside a call to panel.reset()

http://trac.webkit.org/projects/webkit/browser/trunk/WebCore/page/inspector/inspector.js#L624
Comment 4 Adam Roben (:aroben) 2008-04-08 16:39:46 PDT
Here's the crashing line:

http://trac.webkit.org/projects/webkit/browser/trunk/WebCore/page/inspector/ElementsPanel.js#L129

var inspectedRootDocument = InspectorController.inspectedWindow().document;
Comment 5 Timothy Hatcher 2008-04-08 16:55:40 PDT
Created attachment 20415 [details]
Patch
Comment 6 Adam Roben (:aroben) 2008-04-08 16:57:36 PDT
Comment on attachment 20415 [details]
Patch

 130         if (!inspectedWindow) {
 131             this.rootDOMNode = null;
 132             this.focusedDOMNode = null;
 133         }

I think you need to return after setting focusedDOMNode here. Otherwise you'll get an exception later when you access inspectedWindow.document.

r=me
Comment 7 Timothy Hatcher 2008-04-08 17:09:00 PDT
Comment on attachment 20415 [details]
Patch

Landed in r31743.
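The crash log and Comments 4 and 6 describe a teardown-ordering problem: Page::~Page destroys the InspectorController, which (via setWindowVisible and resetScriptObjects) calls back into the inspector's JavaScript, and ElementsPanel.reset() then dereferences InspectorController.inspectedWindow() after the inspected window is already gone. The example below is added here for illustration and is not WebKit code or the landed patch: it reproduces that sequence with a constructed stand-in controller, shows the unguarded reset failing once the page has been closed, and shows the guarded reset with the early return that Adam asked for in Comment 6. FakeController, makeDocument, runScenario, resetUnguarded and resetGuarded are names made up for this example; rootDOMNode, focusedDOMNode and inspectedWindow() follow the comments. One caveat: in a modern engine the unguarded property access throws a TypeError rather than crashing the process as KJS::JSValue::toObject did here, but the ordering defect and its fix are the same.

```javascript
// Added example (not WebKit code): reproduces the teardown ordering in
// bug 18371 with a minimal stand-in for ElementsPanel.reset().
// FakeController, makeDocument and runScenario are assumptions made for
// this example; the other names follow the bug's comments.

// Constructed stand-in for the inspected page's document.
function makeDocument() {
  return { nodeName: "#document", body: { nodeName: "BODY" } };
}

// Constructed stand-in for the native InspectorController object.
// While the page is alive, inspectedWindow() returns a window; once the
// page has been torn down (Page::~Page in the crash log) it returns null.
class FakeController {
  constructor() {
    this.window = { document: makeDocument() };
  }
  inspectedWindow() {
    return this.window;
  }
  closeInspectedPage() {
    this.window = null;
  }
}

// Pre-fix shape of the reset: dereferences inspectedWindow() directly,
// mirroring `InspectorController.inspectedWindow().document` (Comment 4).
function resetUnguarded(panel, controller) {
  const inspectedRootDocument = controller.inspectedWindow().document;
  panel.rootDOMNode = inspectedRootDocument;
  panel.focusedDOMNode = inspectedRootDocument.body;
  return panel;
}

// Shape Comment 6 asks for: clear state and *return* when there is no
// inspected window, so nothing below touches inspectedWindow.document.
function resetGuarded(panel, controller) {
  const inspectedWindow = controller.inspectedWindow();
  if (!inspectedWindow) {
    panel.rootDOMNode = null;
    panel.focusedDOMNode = null;
    return panel; // the early return requested in review
  }
  const inspectedRootDocument = inspectedWindow.document;
  panel.rootDOMNode = inspectedRootDocument;
  panel.focusedDOMNode = inspectedRootDocument.body;
  return panel;
}

// Drive a reset variant through the same sequence as the crash: reset
// while the page is alive, close the page, reset again (what
// resetScriptObjects() does during close). Returns what happened so the
// two variants can be compared.
function runScenario(reset) {
  const controller = new FakeController();
  const panel = { rootDOMNode: null, focusedDOMNode: null };
  reset(panel, controller);
  const liveRoot = panel.rootDOMNode;
  controller.closeInspectedPage();
  let error = null;
  try {
    reset(panel, controller);
  } catch (e) {
    error = e;
  }
  return {
    liveRootWasDocument: liveRoot !== null && liveRoot.nodeName === "#document",
    threw: error !== null,
    errorName: error ? error.name : null,
    rootAfterClose: panel.rootDOMNode,
    focusedAfterClose: panel.focusedDOMNode,
  };
}
```

Running `runScenario(resetUnguarded)` shows the second reset failing and the panel still pointing at the stale document; `runScenario(resetGuarded)` clears both node references and returns without touching the closed window. The same pattern applies to any script-side callback a native object invokes during its own destruction: check the native accessor for null first and bail out, rather than assuming the object graph that existed when the callback was registered is still intact.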