154403 2016-02-18 11:31:00 -0800 ASSERT on SES selftest page when loading the page while WebInspector is open in debug builds 2016-02-18 12:27:23 -0800 1 1 1 Unclassified WebKit Web Inspector WebKit Nightly Build Unspecified Unspecified RESOLVED DUPLICATE 152294 https://rawgit.com/tvcutsem/es-lab/master/src/ses/contract.html InRadar P2 Normal --- 1 cdumez webkit-unassigned bburg graouts joepeck mattbaker nvasilyev timothy webkit-bug-importer oldest_to_newest 1166110 0 cdumez 2016-02-18 11:31:00 -0800 Crash on SES selftest page when loading the page while WebInspector is open in debug builds: https://rawgit.com/tvcutsem/es-lab/master/src/ses/contract.html Trace: Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x00000000bbadbeef Exception Note: EXC_CORPSE_NOTIFY VM Regions Near 0xbbadbeef: --> __TEXT 000000010f456000-000000010f458000 [ 8K] r-x/rwx SM=COW /Volumes/VOLUME/*/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development Application Specific Information: Bundle controller class: BrowserBundleController Process Model: Multiple Web Processes Global Trace Buffer (reverse chronological seconds): 88.533547 CFNetwork 0x00007fff8f681d29 Explicitly setting CF cookie storage singleton 88.533865 CFNetwork 0x00007fff8f6b8621 Explicitly setting cookie storage singleton Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x000000011399e487 WTFCrash + 39 (Assertions.cpp:322) 1 com.apple.JavaScriptCore 0x00000001133097f7 Inspector::InjectedScriptBase::makeCall(Deprecated::ScriptFunctionCall&, WTF::RefPtr<Inspector::InspectorValue>*) + 183 (InjectedScriptBase.cpp:98) 2 com.apple.JavaScriptCore 0x0000000113305a0d Inspector::InjectedScript::getDisplayableProperties(WTF::String&, WTF::String const&, bool, WTF::RefPtr<Inspector::Protocol::Array<Inspector::Protocol::Runtime::PropertyDescriptor> >*) + 253 (InjectedScript.cpp:136) 3 com.apple.JavaScriptCore 0x000000011339d9cb Inspector::InspectorRuntimeAgent::getDisplayableProperties(WTF::String&, WTF::String const&, bool const*, WTF::RefPtr<Inspector::Protocol::Array<Inspector::Protocol::Runtime::PropertyDescriptor> >&, WTF::RefPtr<Inspector::Protocol::Array<Inspector::Protocol::Runtime::InternalPropertyDescriptor> >&) + 283 (InspectorRuntimeAgent.cpp:192) 4 com.apple.JavaScriptCore 0x000000011339daba non-virtual thunk to Inspector::InspectorRuntimeAgent::getDisplayableProperties(WTF::String&, WTF::String const&, bool const*, WTF::RefPtr<Inspector::Protocol::Array<Inspector::Protocol::Runtime::PropertyDescriptor> >&, WTF::RefPtr<Inspector::Protocol::Array<Inspector::Protocol::Runtime::InternalPropertyDescriptor> >&) + 90 (InspectorRuntimeAgent.cpp:180) 5 com.apple.JavaScriptCore 0x000000011334887e Inspector::RuntimeBackendDispatcher::getDisplayableProperties(long, WTF::RefPtr<Inspector::InspectorObject>&&) + 718 (InspectorBackendDispatchers.cpp:5154) 6 com.apple.JavaScriptCore 0x0000000113346476 Inspector::RuntimeBackendDispatcher::dispatch(long, WTF::String const&, WTF::Ref<Inspector::InspectorObject>&&) + 886 (InspectorBackendDispatchers.cpp:4970) 7 com.apple.JavaScriptCore 0x0000000113317950 Inspector::BackendDispatcher::dispatch(WTF::String const&) + 2000 (InspectorBackendDispatcher.cpp:181) 8 com.apple.WebCore 0x000000011698651f WebCore::InspectorController::dispatchMessageFromFrontend(WTF::String const&) + 47 (InspectorController.cpp:386) 9 com.apple.WebKit 0x000000010fc07243 WebKit::WebInspector::sendMessageToBackend(WTF::String const&) + 83 (WebInspector.cpp:252) 10 com.apple.WebKit 0x000000010fc1435f void IPC::callMemberFunctionImpl<WebKit::WebInspector, void (WebKit::WebInspector::*)(WTF::String const&), std::__1::tuple<WTF::String>, 0ul>(WebKit::WebInspector*, void (WebKit::WebInspector::*)(WTF::String const&), std::__1::tuple<WTF::String>&&, std::index_sequence<0ul>) + 159 (HandleMessage.h:17) 11 com.apple.WebKit 0x000000010fc142b8 void IPC::callMemberFunction<WebKit::WebInspector, void (WebKit::WebInspector::*)(WTF::String const&), std::__1::tuple<WTF::String>, std::make_index_sequence<1ul> >(std::__1::tuple<WTF::String>&&, WebKit::WebInspector*, void (WebKit::WebInspector::*)(WTF::String const&)) + 88 (HandleMessage.h:23) 12 com.apple.WebKit 0x000000010fc13ed0 void IPC::handleMessage<Messages::WebInspector::SendMessageToBackend, WebKit::WebInspector, void (WebKit::WebInspector::*)(WTF::String const&)>(IPC::MessageDecoder&, WebKit::WebInspector*, void (WebKit::WebInspector::*)(WTF::String const&)) + 240 (HandleMessage.h:93) 13 com.apple.WebKit 0x000000010fc1339a WebKit::WebInspector::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) + 1306 (WebInspectorMessageReceiver.cpp:77) 14 com.apple.WebKit 0x000000010fc13407 non-virtual thunk to WebKit::WebInspector::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) + 55 (WebInspectorMessageReceiver.cpp:37) 15 com.apple.WebKit 0x000000010f5174d3 IPC::Connection::dispatchMessage(IPC::MessageDecoder&) + 51 (Connection.cpp:892) 16 com.apple.WebKit 0x000000010f50e351 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) + 785 (Connection.cpp:924) 17 com.apple.WebKit 0x000000010f517acf IPC::Connection::dispatchOneMessage() + 1519 (Connection.cpp:953) 18 com.apple.WebKit 0x000000010f528e3d IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10::operator()() const + 29 (Connection.cpp:886) 19 com.apple.WebKit 0x000000010f528e0d void std::__1::__invoke_void_return_wrapper<void>::__call<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10&>(IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10&&&) + 45 (__functional_base:441) 20 com.apple.WebKit 0x000000010f528c5c std::__1::__function::__func<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10, std::__1::allocator<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10>, void ()>::operator()() + 44 (functional:1407) 21 com.apple.JavaScriptCore 0x00000001132e2cda std::__1::function<void ()>::operator()() const + 26 (functional:1793) 22 com.apple.JavaScriptCore 0x00000001139e8272 WTF::RunLoop::performWork() + 306 (RunLoop.cpp:106) 23 com.apple.JavaScriptCore 0x00000001139e8a94 WTF::RunLoop::performWork(void*) + 36 (RunLoopCF.cpp:38) 24 com.apple.CoreFoundation 0x00007fff985275c1 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17 25 com.apple.CoreFoundation 0x00007fff9851941c __CFRunLoopDoSources0 + 556 26 com.apple.CoreFoundation 0x00007fff9851893f __CFRunLoopRun + 927 27 com.apple.CoreFoundation 0x00007fff98518338 CFRunLoopRunSpecific + 296 28 com.apple.HIToolbox 0x00007fff9a7e4935 RunCurrentEventLoopInMode + 235 29 com.apple.HIToolbox 0x00007fff9a7e476f ReceiveNextEventCommon + 432 30 com.apple.HIToolbox 0x00007fff9a7e45af _BlockUntilNextEventMatchingListInModeWithFilter + 71 31 com.apple.AppKit 0x00007fff938cd0ee _DPSNextEvent + 1067 32 com.apple.AppKit 0x00007fff93c99943 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 454 33 com.apple.WebCore 0x000000011631542a WebCore::EventLoop::cycle() + 138 (EventLoopMac.mm:34) 34 com.apple.WebCore 0x00000001174d2611 WebCore::PageScriptDebugServer::runEventLoopWhilePausedInternal() + 97 (PageScriptDebugServer.cpp:116) 35 com.apple.WebCore 0x00000001174d25a5 WebCore::PageScriptDebugServer::runEventLoopWhilePaused() + 21 (PageScriptDebugServer.cpp:109) 36 com.apple.JavaScriptCore 0x00000001137dde14 Inspector::ScriptDebugServer::handlePause(JSC::JSGlobalObject*, JSC::Debugger::ReasonForPause) + 116 (ScriptDebugServer.cpp:317) 37 com.apple.JavaScriptCore 0x0000000112dc62fd JSC::Debugger::pauseIfNeeded(JSC::ExecState*) + 637 (Debugger.cpp:660) 38 com.apple.JavaScriptCore 0x0000000112dc65bc JSC::Debugger::updateCallFrameAndPauseIfNeeded(JSC::ExecState*) + 60 (Debugger.cpp:612) 39 com.apple.JavaScriptCore 0x0000000112dc6a54 JSC::Debugger::didReachBreakpoint(JSC::ExecState*) + 100 (Debugger.cpp:767) 40 com.apple.JavaScriptCore 0x00000001133ae20b JSC::Interpreter::debug(JSC::ExecState*, JSC::DebugHookID) + 347 (Interpreter.cpp:1366) 41 com.apple.JavaScriptCore 0x00000001135ea25b llint_slow_path_debug + 123 (LLIntSlowPaths.cpp:1379) 42 com.apple.JavaScriptCore 0x00000001135f4ec4 llint_entry + 29472 43 com.apple.JavaScriptCore 0x00000001135f4471 llint_entry + 26829 44 com.apple.JavaScriptCore 0x00000001135f4471 llint_entry + 26829 45 com.apple.JavaScriptCore 0x00000001135f4471 llint_entry + 26829 46 com.apple.JavaScriptCore 0x00000001135f4471 llint_entry + 26829 47 com.apple.JavaScriptCore 0x00000001135f4471 llint_entry + 26829 48 com.apple.JavaScriptCore 0x00000001135ed98e vmEntryToJavaScript + 334 49 com.apple.JavaScriptCore 0x000000011340e6fa JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 218 (JITCode.cpp:80) 50 com.apple.JavaScriptCore 0x00000001133ac7b6 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) + 4518 (Interpreter.cpp:972) 51 com.apple.JavaScriptCore 0x0000000112d97b60 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 480 (Completion.cpp:105) 52 com.apple.JavaScriptCore 0x0000000112d97c9e JSC::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 94 (Completion.cpp:120) 53 com.apple.WebCore 0x00000001179b8beb WebCore::JSMainThreadExecState::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 75 (JSMainThreadExecState.h:80) 54 com.apple.WebCore 0x00000001179b6766 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&, WebCore::ExceptionDetails*) + 326 (ScriptController.cpp:164) 55 com.apple.WebCore 0x00000001179b68cc WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&, WebCore::ExceptionDetails*) + 76 (ScriptController.cpp:180) 56 com.apple.WebCore 0x00000001179c5ccb WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 491 (ScriptElement.cpp:314) 57 com.apple.WebCore 0x00000001179c4bb3 WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) + 1731 (ScriptElement.cpp:245) 58 com.apple.WebCore 0x0000000116711f2c WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition const&) + 364 (HTMLScriptRunner.cpp:304) 59 com.apple.WebCore 0x0000000116711d3a WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition const&) + 138 (HTMLScriptRunner.cpp:177) 60 com.apple.WebCore 0x0000000116638021 WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() + 289 (HTMLDocumentParser.cpp:195) 61 com.apple.WebCore 0x0000000116638131 WebCore::HTMLDocumentParser::canTakeNextToken(WebCore::HTMLDocumentParser::SynchronousMode, WebCore::PumpSession&) + 177 (HTMLDocumentParser.cpp:214) 62 com.apple.WebCore 0x000000011663749f WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 399 (HTMLDocumentParser.cpp:252) 63 com.apple.WebCore 0x00000001166370ce WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode) + 174 (HTMLDocumentParser.cpp:167) 64 com.apple.WebCore 0x000000011663914f WebCore::HTMLDocumentParser::resumeParsingAfterScriptExecution() + 383 (HTMLDocumentParser.cpp:488) 65 com.apple.WebCore 0x0000000116639557 WebCore::HTMLDocumentParser::notifyFinished(WebCore::CachedResource*) + 327 (HTMLDocumentParser.cpp:528) 66 com.apple.WebCore 0x000000011663959f non-virtual thunk to WebCore::HTMLDocumentParser::notifyFinished(WebCore::CachedResource*) + 47 (HTMLDocumentParser.cpp:512) 67 com.apple.WebCore 0x0000000115ca7212 WebCore::CachedResource::checkNotify() + 130 (CachedResource.cpp:295) 68 com.apple.WebCore 0x0000000115ca7321 WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*) + 49 (CachedResource.cpp:313) 69 com.apple.WebCore 0x0000000115cc802e WebCore::CachedScript::finishLoading(WebCore::SharedBuffer*) + 126 (CachedScript.cpp:117) 70 com.apple.WebCore 0x0000000117c9ea54 WebCore::SubresourceLoader::didFinishLoading(double) + 532 (SubresourceLoader.cpp:386) 71 com.apple.WebKit 0x000000010fea6687 WebKit::WebResourceLoader::didFinishResourceLoad(double) + 151 (WebResourceLoader.cpp:154) 72 com.apple.WebKit 0x000000010feabbf3 void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>&&, std::index_sequence<0ul>) + 163 (HandleMessage.h:17) 73 com.apple.WebKit 0x000000010feabb48 void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, std::make_index_sequence<1ul> >(std::__1::tuple<double>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) + 88 (HandleMessage.h:23) 74 com.apple.WebKit 0x000000010feaac62 void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(IPC::MessageDecoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) + 226 (HandleMessage.h:93) 75 com.apple.WebKit 0x000000010feaa3dc WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::MessageDecoder&) + 636 (WebResourceLoaderMessageReceiver.cpp:66) 76 com.apple.WebKit 0x000000010f8638b0 WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) + 160 (NetworkProcessConnection.cpp:60) 77 com.apple.WebKit 0x000000010f5174d3 IPC::Connection::dispatchMessage(IPC::MessageDecoder&) + 51 (Connection.cpp:892) 78 com.apple.WebKit 0x000000010f50e351 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) + 785 (Connection.cpp:924) 79 com.apple.WebKit 0x000000010f517acf IPC::Connection::dispatchOneMessage() + 1519 (Connection.cpp:953) 80 com.apple.WebKit 0x000000010f528e3d IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10::operator()() const + 29 (Connection.cpp:886) 81 com.apple.WebKit 0x000000010f528e0d void std::__1::__invoke_void_return_wrapper<void>::__call<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10&>(IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10&&&) + 45 (__functional_base:441) 82 com.apple.WebKit 0x000000010f528c5c std::__1::__function::__func<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10, std::__1::allocator<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10>, void ()>::operator()() + 44 (functional:1407) 83 com.apple.JavaScriptCore 0x00000001132e2cda std::__1::function<void ()>::operator()() const + 26 (functional:1793) 84 com.apple.JavaScriptCore 0x00000001139e83ad WTF::RunLoop::performWork() + 621 (RunLoop.cpp:123) 85 com.apple.JavaScriptCore 0x00000001139e8a94 WTF::RunLoop::performWork(void*) + 36 (RunLoopCF.cpp:38) 86 com.apple.CoreFoundation 0x00007fff985275c1 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17 87 com.apple.CoreFoundation 0x00007fff9851941c __CFRunLoopDoSources0 + 556 88 com.apple.CoreFoundation 0x00007fff9851893f __CFRunLoopRun + 927 89 com.apple.CoreFoundation 0x00007fff98518338 CFRunLoopRunSpecific + 296 90 com.apple.HIToolbox 0x00007fff9a7e4935 RunCurrentEventLoopInMode + 235 91 com.apple.HIToolbox 0x00007fff9a7e476f ReceiveNextEventCommon + 432 92 com.apple.HIToolbox 0x00007fff9a7e45af _BlockUntilNextEventMatchingListInModeWithFilter + 71 93 com.apple.AppKit 0x00007fff938cd0ee _DPSNextEvent + 1067 94 com.apple.AppKit 0x00007fff93c99943 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 454 95 com.apple.AppKit 0x00007fff938c2fc8 -[NSApplication run] + 682 96 com.apple.AppKit 0x00007fff93845520 NSApplicationMain + 1176 97 libxpc.dylib 0x00007fff99fcbf6c _xpc_objc_main + 793 98 libxpc.dylib 0x00007fff99fcd6bb xpc_main + 494 99 com.apple.WebKit.WebContent.Development 0x000000010f457110 main + 800 (XPCServiceMain.mm:114) 100 libdyld.dylib 0x00007fff97aed5ad start + 1 1166111 1 webkit-bug-importer 2016-02-18 11:31:45 -0800 <rdar://problem/24724611> 1166114 2 joepeck 2016-02-18 11:36:54 -0800 This is an ASSERT that InjectedScriptSource did not throw an exception, but it did. We've seen this in the past if pages override builtin things (like `Set`). 1166116 3 timothy 2016-02-18 11:38:04 -0800 Dupe to bug 152294? 1166117 4 cdumez 2016-02-18 11:45:27 -0800 file:///Volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/WebInspectorUI.framework/Resources/Views/ScopeChainDetailsSidebarPanel.js:183:27: CONSOLE ERROR file:///Volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/WebInspectorUI.framework/Resources/Views/ScopeChainDetailsSidebarPanel.js:183:27: CONSOLE ERROR file:///Volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/WebInspectorUI.framework/Resources/Views/ScopeChainDetailsSidebarPanel.js:183:27: CONSOLE ERROR CONSOLE LOG Cannot convert null or undefined to object : contract.html line 217 cajaVM.confine(exprSrc, {fakeUrl: cfakeUrl, nested: cnested}, { sourceUrl: 'data:,' + encodeURIComponent(exprSrc) }); file:///Volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/WebInspectorUI.framework/Resources/Models/GarbageCollection.js:32:23: CONSOLE ERROR 1166119 5 joepeck 2016-02-18 11:59:49 -0800 This exception is thrown by user code. It seems like the page's code overrides `Object.prototype.__proto__`. InjectedScript, traversing the prototype chain using __proto__, encounters an error it doesn't expect caused by this code throwing. Here is where the TypeError is defined: > /** > * Repairs both getter and setter. If either are vulnerable, I don't > * care if the other seemed to pass the test. Better to make them > * both safe. > */ > function repair_UNDERBAR_PROTO_accessors_USE_GLOBAL() { > var gopd = Object.getOwnPropertyDescriptor; > > var oldDesc = gopd(Object.prototype, '__proto__'); > var oldGetter = oldDesc.get; > var oldSetter = oldDesc.set; > function newGetter() { > if (this === null || this === void 0) { > throw new TypeError('Cannot convert null or undefined to object'); > } else { > return oldGetter.call(this); > } > } > function newSetter(newProto) { > if (this === null || this === void 0) { > throw new TypeError('Cannot convert null or undefined to object'); > } else { > oldSetter.call(this, newProto); > } > } > Object.defineProperty(Object.prototype, '__proto__', { > get: oldGetter ? newGetter : void 0, > set: oldSetter ? newSetter : void 0 > }); > } And here is code that exercises it with a description (there is code exercising the getter and setter) > /** > * Detects https://bugs.webkit.org/show_bug.cgi?id=141865 > * > * <p>On Safari 7.0.5 (9537.77.4), the getter of the > * Object.prototype.__proto__ property, if applied to undefined, > * acts like a sloppy function would, coercing the undefined to the > * global object and returning the global object's [[Prototype]]. > */ > function test_UNDERBAR_PROTO_GETTER_USES_GLOBAL() { > var gopd = Object.getOwnPropertyDescriptor; > var getProto = Object.getPrototypeOf; > > var desc = gopd(Object.prototype, '__proto__'); > if (!desc) { return false; } > var getter = desc.get; > if (!getter) { return false; } > var globalProto = void 0; > try { > globalProto = getter(); > } catch (ex) { > if (ex instanceof TypeError && globalProto === void 0) { > return false; > } > return 'unexpected error: ' + ex; > } > if (getProto(global) === globalProto) { return true; } > return 'unexpected global.__proto__: ' + globalProto; > } That said, I did not investigate what code in InjectedScriptSource encounters this. I do think moving InjectedScriptSource to a builtin, and using @Object.@getPrototypeOf() instead of __proto__ would probably solve this. 1166132 6 timothy 2016-02-18 12:27:23 -0800 *** This bug has been marked as a duplicate of bug 152294 ***