RESOLVED FIXED
15250
REGRESSION: Reproducible crash in Safari when evaluating script in Drosera console
https://bugs.webkit.org/show_bug.cgi?id=15250
Mark Rowe (bdash)
Reported
2007-09-21 03:37:11 PDT
Evaluating any JavaScript in the Drosera console will crash the Safari instance it is attached to with the following backtrace:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x01640b39 in KJS::JSCell::isObject (this=0x0) at value.h:231
231 return type() == ObjectType;
(gdb) bt
#0 0x01640b39 in KJS::JSCell::isObject (this=0x0) at value.h:231
#1 0x01875015 in KJS::JSCell::isObject (this=0x0, info=0x1cb2120) at object.h:539
#2 0x0187507d in KJS::JSValue::isObject (this=0x0, c=0x1cb2120) at object.h:545
#3 0x018a1a28 in KJS::ScriptInterpreter::isGlobalObject (this=0x27ef6020, v=0x0) at /Volumes/Data/Home/Documents/Work/WebKit-git/OpenSource/WebCore/bindings/js/kjs_binding.cpp:270
#4 0x02c44cc5 in KJS::GlobalFuncImp::callAsFunction (this=0x27183360, exec=0xbfffd82c, thisObj=0x0, args=@0xbfffc9a0) at function.cpp:820
#5 0x02c2298a in KJS::JSObject::call (this=0x27183360, exec=0xbfffd82c, thisObj=0x0, args=@0xbfffc9a0) at object.cpp:94
#6 0x01640696 in -[WebCoreScriptCallFrame evaluateWebScript:] (self=0x27c93e20, _cmd=0x3bc2fa, script=0x26d9b990) at /Volumes/Data/Home/Documents/Work/WebKit-git/OpenSource/WebCore/bridge/mac/WebCoreScriptDebugger.mm:366
#7 0x00362880 in -[WebScriptCallFrame evaluateWebScript:] (self=0x26c1e9f0, _cmd=0x3bc2fa, script=0x26d9b990) at /Volumes/Data/Home/Documents/Work/WebKit-git/OpenSource/WebKit/WebView/WebScriptDebugDelegate.mm:192
#8 0x935a3f7d in __invoking___ ()
#9 0x935a3968 in -[NSInvocation invoke] ()
#10 0x935a3a38 in -[NSInvocation invokeWithTarget:] ()
#11 0x935a3eaa in ___forwarding___ ()
#12 0x935a3f12 in __forwarding_prep_0___ ()
#13 0x935a3f7d in __invoking___ ()
#14 0x935a3968 in -[NSInvocation invoke] ()
#15 0x93f4bc94 in -[NSConnection dispatchInvocation:] ()
#16 0x93f49c47 in -[NSConnection handleRequest:sequence:] ()
#17 0x93f4948d in -[NSConnection handlePortCoder:] ()
#18 0x93f48fbe in -[NSConcretePortCoder dispatch] ()

I'm pretty sure this is due to Antti's changes relating to the global object used by "eval".
Attachments
Proposed patch (1.52 KB, patch), 2007-09-21 03:51 PDT, Mark Rowe (bdash), mrowe: review+
Mark Rowe (bdash)
Comment 1
2007-09-21 03:46:09 PDT
-[WebCoreScriptCallFrame evaluateWebScript:] retrieves eval from the global object, if it exists, and then calls it with a NULL this object. It is trivial to null-check thisObj inside GlobalFuncImp::callAsFunction in one place, which resolves the crash, but I'm not sure that it is correct for -[WebCoreScriptCallFrame evaluateWebScript:] to be passing NULL for thisObj in the first place. It clearly used to work, so I'll go ahead and prepare a patch to restore this.
Mark Rowe (bdash)
Comment 2
2007-09-21 03:47:47 PDT
<rdar://problem/5496942>
Mark Rowe (bdash)
Comment 3
2007-09-21 03:51:27 PDT
Created attachment 16338: Proposed patch
Mark Rowe (bdash)
Comment 4
2007-09-21 04:14:07 PDT
Comment on attachment 16338 (Proposed patch)
Antti reviewed this.
Mark Rowe (bdash)
Comment 5
2007-09-21 04:15:21 PDT
Landed in r25681.