* SUMMARY Crash under WebCore::domWindowFromExecState reloading page with inspector open. * STEPS TO REPRODUCE: 1. Open SkyDrive live.com Excel spreadsheet 2. Open Inspector 3. Cmd+R to reload => likely crash * CRASH Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x000000011024260a WTFCrash + 42 (Assertions.cpp:321) 1 com.apple.WebCore 0x0000000113e4c7e1 JSC::asObject(JSC::JSCell*) + 65 (JSObject.h:1190) 2 com.apple.WebCore 0x0000000113e4c790 JSC::asObject(JSC::JSValue) + 32 (JSObject.h:1196) 3 com.apple.WebCore 0x0000000113e4cb95 JSC::Register::function() const + 85 (JSObject.h:1473) 4 com.apple.WebCore 0x0000000113e4cafc JSC::ExecState::callee() const + 28 (CallFrame.h:46) 5 com.apple.WebCore 0x0000000113f41f75 JSC::ExecState::lexicalGlobalObject() const + 21 (JSScope.h:244) 6 com.apple.WebCore 0x00000001157de565 WebCore::domWindowFromExecState(JSC::ExecState*) + 21 (ScriptState.cpp:52) 7 com.apple.WebCore 0x0000000115cfa608 WebCore::WebInjectedScriptManager::discardInjectedScriptsFor(WebCore::DOMWindow*) + 664 (WebInjectedScriptManager.cpp:76) 8 com.apple.WebCore 0x0000000115cc8613 WebCore::WebConsoleAgent::frameWindowDiscarded(WebCore::DOMWindow*) + 259 (WebConsoleAgent.cpp:68) 9 com.apple.WebCore 0x0000000114a83938 WebCore::InspectorInstrumentation::frameWindowDiscardedImpl(WebCore::InstrumentingAgents&, WebCore::DOMWindow*) + 56 (InspectorInstrumentation.cpp:191) 10 com.apple.WebCore 0x00000001143e4d58 WebCore::InspectorInstrumentation::frameWindowDiscarded(WebCore::Frame*, WebCore::DOMWindow*) + 56 (InspectorInstrumentation.h:547) 11 com.apple.WebCore 0x0000000114615ee4 WebCore::FrameLoader::clear(WebCore::Document*, bool, bool, bool) + 324 (FrameLoader.cpp:628) 12 com.apple.WebCore 0x0000000114347252 WebCore::DocumentWriter::begin(WebCore::URL const&, bool, WebCore::Document*) + 498 (DocumentWriter.cpp:142)
Here we are in frameWindowDiscarded, trying to remove certain (globalExec) ExecStates from our table, but the JSGlobalObject that ExecState is tied to was already destroyed.
<rdar://problem/15811895>
Created attachment 252405 [details] [PATCH] Proposed Fix I was unable to create a reduction/regression test for this, but seeing as this was caught by running tests in the past I think that is fine. In general we should cleanup our management of InjectedScript/ExecutionContextIdentifiers instead of always making an InjectedScript like we do here. I'd like to do that cleanup in a separate change and address the crash now.
Comment on attachment 252405 [details] [PATCH] Proposed Fix r=me
Comment on attachment 252405 [details] [PATCH] Proposed Fix Clearing flags on attachment: 252405 Committed r183838: <http://trac.webkit.org/changeset/183838>
All reviewed patches have been landed. Closing bug.
> this was caught by running tests in the past I think that is fine Should any test expectations be updated now? This was seen on tests, but only because the crash was misattributed sometimes. Looking at the fix, I'm puzzled about why this is Yosemite only. # Also, these tests are flaky in Debug/Release builds, <https://bugs.webkit.org/show_bug.cgi?id=138636> # and <https://bugs.webkit.org/show_bug.cgi?id=129817>. [ Yosemite+ ] inspector/css/matched-style-properties.html [ Pass Timeout ] [ Yosemite+ ] inspector/css/pseudo-element-matches.html [ Pass Timeout ] [ Yosemite+ ] inspector/css/selector-specificity.html [ Pass Timeout Crash ] [ Yosemite+ ] inspector/dom/content-flow-content-removal.html [ Skip ] [ Yosemite+ ] inspector/dom/content-flow-list.html [ Skip ] [ Yosemite+ ] inspector/model/parse-script-syntax-tree.html [ Pass Timeout ] [ Yosemite+ ] inspector/test-harness-trivially-works.html [ Skip ]