15250 2007-09-21 03:37:11 -0700 REGRESSION: Reproducible crash in Safari when evaluating script in Drosera console 2007-09-21 04:15:21 -0700 1 1 1 Unclassified WebKit JavaScriptCore 523.x (Safari 3) Mac OS X 10.4 RESOLVED FIXED InRadar, Regression P1 Major --- 1 mrowe webkit-unassigned koivisto oldest_to_newest 210 0 mrowe 2007-09-21 03:37:11 -0700 Evaluating any JavaScript in the Drosera console will crash the Safari instance it is attached to with the following backtrace: Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_PROTECTION_FAILURE at address: 0x00000000 0x01640b39 in KJS::JSCell::isObject (this=0x0) at value.h:231 231 return type() == ObjectType; (gdb) bt #0 0x01640b39 in KJS::JSCell::isObject (this=0x0) at value.h:231 #1 0x01875015 in KJS::JSCell::isObject (this=0x0, info=0x1cb2120) at object.h:539 #2 0x0187507d in KJS::JSValue::isObject (this=0x0, c=0x1cb2120) at object.h:545 #3 0x018a1a28 in KJS::ScriptInterpreter::isGlobalObject (this=0x27ef6020, v=0x0) at /Volumes/Data/Home/Documents/Work/WebKit-git/OpenSource/WebCore/bindings/js/kjs_binding.cpp:270 #4 0x02c44cc5 in KJS::GlobalFuncImp::callAsFunction (this=0x27183360, exec=0xbfffd82c, thisObj=0x0, args=@0xbfffc9a0) at function.cpp:820 #5 0x02c2298a in KJS::JSObject::call (this=0x27183360, exec=0xbfffd82c, thisObj=0x0, args=@0xbfffc9a0) at object.cpp:94 #6 0x01640696 in -[WebCoreScriptCallFrame evaluateWebScript:] (self=0x27c93e20, _cmd=0x3bc2fa, script=0x26d9b990) at /Volumes/Data/Home/Documents/Work/WebKit-git/OpenSource/WebCore/bridge/mac/WebCoreScriptDebugger.mm:366 #7 0x00362880 in -[WebScriptCallFrame evaluateWebScript:] (self=0x26c1e9f0, _cmd=0x3bc2fa, script=0x26d9b990) at /Volumes/Data/Home/Documents/Work/WebKit-git/OpenSource/WebKit/WebView/WebScriptDebugDelegate.mm:192 #8 0x935a3f7d in __invoking___ () #9 0x935a3968 in -[NSInvocation invoke] () #10 0x935a3a38 in -[NSInvocation invokeWithTarget:] () #11 0x935a3eaa in ___forwarding___ () #12 0x935a3f12 in __forwarding_prep_0___ () #13 0x935a3f7d in __invoking___ () #14 0x935a3968 in -[NSInvocation invoke] () #15 0x93f4bc94 in -[NSConnection dispatchInvocation:] () #16 0x93f49c47 in -[NSConnection handleRequest:sequence:] () #17 0x93f4948d in -[NSConnection handlePortCoder:] () #18 0x93f48fbe in -[NSConcretePortCoder dispatch] () I'm pretty sure this is due to Antti's changes relating to the global object used by "eval". 209 1 mrowe 2007-09-21 03:46:09 -0700 -[WebCoreScriptCallFrame evaluateWebScript:] retrieves eval from the global object, if it exists, and then calls it with a NULL this object. It is trivial to null-check thisObj inside GlobalFuncImp::callAsFunction in one place, which resolves the crash, but I'm not sure that it is correct for -[WebCoreScriptCallFrame evaluteWebScript:] to be passing NULL for thisObj in the first place. It clearly used to work, so I'll go ahead and prepare a patch to restore this. 208 2 mrowe 2007-09-21 03:47:47 -0700 <rdar://problem/5496942> 204 3 16338 mrowe 2007-09-21 03:51:27 -0700 Created attachment 16338 Proposed patch 205 4 16338 mrowe 2007-09-21 04:14:07 -0700 Comment on attachment 16338 Proposed patch Antti reviewed this. 206 5 mrowe 2007-09-21 04:15:21 -0700 Landed in r25681. 16338 2007-09-21 03:51:27 -0700 2007-09-21 04:14:07 -0700 Proposed patch patch.txt text/plain 1557 mrowe ZGlmZiAtLWdpdCBhL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZyBiL0phdmFTY3JpcHRDb3JlL0No YW5nZUxvZwppbmRleCA3ZWFlM2Y1Li40MDkwM2VmIDEwMDY0NAotLS0gYS9KYXZhU2NyaXB0Q29y ZS9DaGFuZ2VMb2cKKysrIGIvSmF2YVNjcmlwdENvcmUvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTMg QEAKKzIwMDctMDktMjEgIE1hcmsgUm93ZSAgPG1yb3dlQGFwcGxlLmNvbT4KKworICAgICAgICBS ZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBodHRwOi8vYnVncy53ZWJraXQu b3JnL3Nob3dfYnVnLmNnaT9pZD0xNTI1MAorICAgICAgICA8cmRhcjovL3Byb2JsZW0vNTQ5Njk0 Mj4gUkVHUkVTU0lPTjogUmVwcm9kdWNpYmxlIGNyYXNoIGluIFNhZmFyaSB3aGVuIGV2YWx1YXRp bmcgc2NyaXB0IGluIERyb3NlcmEgY29uc29sZSAoMTUyNTApCisKKyAgICAgICAgKiBranMvZnVu Y3Rpb24uY3BwOgorICAgICAgICAoS0pTOjpHbG9iYWxGdW5jSW1wOjpjYWxsQXNGdW5jdGlvbik6 IE51bGwtY2hlY2sgdGhpc09iaiBiZWZvcmUgcGFzc2luZyBpdCB0byBpbnRlcnByZXRlckZvckds b2JhbE9iamVjdC4KKwogMjAwNy0wOS0xOSAgSG9sZ2VyIEhhbnMgUGV0ZXIgRnJleXRoZXIgIDx6 ZWNrZUBzZWxmaXNoLm9yZz4KIAogICAgICAgICBSdWJiZXIgc3RhbXBlZCBieSBBZGFtLgpkaWZm IC0tZ2l0IGEvSmF2YVNjcmlwdENvcmUva2pzL2Z1bmN0aW9uLmNwcCBiL0phdmFTY3JpcHRDb3Jl L2tqcy9mdW5jdGlvbi5jcHAKaW5kZXggMTQ4ODVkZi4uNjY4Yjk3OCAxMDA2NDQKLS0tIGEvSmF2 YVNjcmlwdENvcmUva2pzL2Z1bmN0aW9uLmNwcAorKysgYi9KYXZhU2NyaXB0Q29yZS9ranMvZnVu Y3Rpb24uY3BwCkBAIC04MTcsNyArODE3LDcgQEAgSlNWYWx1ZSogR2xvYmFsRnVuY0ltcDo6Y2Fs bEFzRnVuY3Rpb24oRXhlY1N0YXRlKiBleGVjLCBKU09iamVjdCogdGhpc09iaiwgY29uc3QKICAg ICAgICAgaWYgKCFwcm9nTm9kZSkKICAgICAgICAgICByZXR1cm4gdGhyb3dFcnJvcihleGVjLCBT eW50YXhFcnJvciwgZXJyTXNnLCBlcnJMaW5lLCBzaWQsIE5VTEwpOwogCi0gICAgICAgIGJvb2wg c3dpdGNoR2xvYmFsID0gZXhlYy0+ZHluYW1pY0ludGVycHJldGVyKCktPmlzR2xvYmFsT2JqZWN0 KHRoaXNPYmopICYmIHRoaXNPYmogIT0gZXhlYy0+ZHluYW1pY0ludGVycHJldGVyKCktPmdsb2Jh bE9iamVjdCgpOworICAgICAgICBib29sIHN3aXRjaEdsb2JhbCA9IHRoaXNPYmogJiYgZXhlYy0+ ZHluYW1pY0ludGVycHJldGVyKCktPmlzR2xvYmFsT2JqZWN0KHRoaXNPYmopICYmIHRoaXNPYmog IT0gZXhlYy0+ZHluYW1pY0ludGVycHJldGVyKCktPmdsb2JhbE9iamVjdCgpOwogICAgICAgICAg IAogICAgICAgICAvLyBlbnRlciBhIG5ldyBleGVjdXRpb24gY29udGV4dAogICAgICAgICBJbnRl cnByZXRlciogaW50ZXJwcmV0ZXIgPSBzd2l0Y2hHbG9iYWwgPyBleGVjLT5keW5hbWljSW50ZXJw cmV0ZXIoKS0+aW50ZXJwcmV0ZXJGb3JHbG9iYWxPYmplY3QodGhpc09iaikgOiBleGVjLT5keW5h bWljSW50ZXJwcmV0ZXIoKTsK