Bug 112926

Summary: Web Inspector: Page crash if ScriptPreprocessor returns 0 bytes
Product: WebKit Reporter: johnjbarton <johnjbarton>
Component: Web Inspector (Deprecated)    Assignee: Nobody <webkit-unassigned>
Status: RESOLVED INVALID    
Severity: Normal CC: apavlov, burg, keishi, loislo, pfeldman, pmuellr, vsevik, web-inspector-bugs, yurys
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Attachments: Workaround and idea for fix (flags: none)

johnjbarton
Reported 2013-03-21 09:57:02 PDT
See also bug 111889, Bug 80992 and Bug 104384.

When I apply the script preprocessor twice, the second time the page crashes (sad face page). In a debug build I see:

...
injectedScript._commandLineAPIImpl = new CommandLineAPIImpl(); return injectedScript; })
../../third_party/WebKit/Source/WebCore/bindings/v8/ScriptDebugServer.cpp(158) : WTF::String WebCore::ScriptDebugServer::ScriptPreprocessor::preprocessSourceCode(const WTF::String&, const WTF::String&, WebCore::DOMWindow*) ERROR: Resulted in 0 bytes:
../../third_party/WebKit/Source/WebCore/bindings/v8/ScriptDebugServer.cpp(159) : WTF::String WebCore::ScriptDebugServer::ScriptPreprocessor::preprocessSourceCode(const WTF::String&, const WTF::String&, WebCore::DOMWindow*) ERROR:
dispatchDidParseSource: ../../third_party/WebKit/Source/WebCore/bindings/v8/ScriptDebugServer.cpp(557) : void WebCore::ScriptDebugServer::dispatchDidParseSource(WebCore::ScriptDebugListener*, v8::Handle<v8::Object>)
ASSERTION FAILED: v->IsFunction()
../../third_party/WebKit/Source/WebCore/bindings/v8/custom/V8InjectedScriptManager.cpp(103) : WebCore::ScriptObject WebCore::InjectedScriptManager::createInjectedScript(const WTF::String&, WebCore::ScriptState*, int)

The truncated output and the next two messages are my debugging output, indicating that just before the crash we preprocessed a script and the result has zero bytes, then hit an assert in V8InjectedScriptManager.cpp. So I guess that the injected script from the reload is being preprocessed with the preprocessor from the previous reload, that preprocessor is failing to return a string, and the assert is hitting before the error from the failure of the preprocessor lands in the Inspector.
Attachments
Workaround and idea for fix (7.86 KB, patch), 2013-03-21 14:44 PDT, johnjbarton, no flags
johnjbarton
Comment 1 2013-03-21 10:53:37 PDT
The crash occurs during Console_enable().

[0x7f30547603e8] base::debug::StackTrace::StackTrace()
[0x7f305475fcef] base::debug::(anonymous namespace)::StackDumpSignalHandler()
[0x7f304ebf1cb0] <unknown>
[0x7f3055cfddab] WebCore::InjectedScriptManager::createInjectedScript()
[0x7f3055c95a08] WebCore::InjectedScriptManager::injectedScriptFor()
[0x7f3055d09dba] WebCore::ConsoleMessage::addToFrontend()
[0x7f3055cbcbd6] WebCore::InspectorConsoleAgent::enable()
[0x7f30567cb776] WebCore::InspectorBackendDispatcherImpl::Console_enable()
[0x7f30567f056f] WebCore::InspectorBackendDispatcherImpl::dispatch()
[0x7f305584a114] WebCore::InspectorController::dispatchMessageFromFrontend()
[0x7f305445262e] WebKit::WebDevToolsAgentImpl::dispatchOnInspectorBackend()
[0x7f3056b87783] content::DevToolsAgent::OnDispatchOnInspectorBackend()
[0x7f3056b88212] DispatchToMethod<>()
[0x7f3056b87e14] DevToolsAgentMsg_DispatchOnInspectorBackend::Dispatch<>()
[0x7f3056b8705c] content::DevToolsAgent::OnMessageReceived()
johnjbarton
Comment 2 2013-03-21 14:44:51 PDT
Created attachment 194346 [details] Workaround and idea for fix
johnjbarton
Comment 3 2013-03-21 14:47:47 PDT
As a workaround we can just return the input source if the output has no content. But a better solution is to detect that the script is 'injected-script' and not invoke the preprocessor. And bonus points if we can also detect console command evaluations. Any hints on how to achieve this? I took a stab at it but the data I expected was not associated with the eventData (see patch).
johnjbarton
Comment 4 2013-03-21 17:41:34 PDT
Actually I'm mixing things up here. The zero bytes returned from the preprocessing step should result in an exception against the preprocessor, whether or not the input was injected scripts. If in fact the preprocessor wants to transcode a particular script to a no-op it can return a comment string. Even if the preprocessor is working correctly -- in fact especially if it is -- we need to avoid preprocessing all system JS, anything other than normal web page content. This belongs in a different Bug.
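The two ideas in Comments 3 and 4 (fall back to the original source when the preprocessor returns nothing, and skip the preprocessor for internal scripts such as the injected script and console evaluations) can be combined in one guard placed in front of the parser. The following is an added illustration written for this page, not WebKit's code or the attached patch; the `Preprocessor` callback type, the `isInternalScript` flag and the `PreprocessError` record are assumptions standing in for whatever the real ScriptDebugServer would use.

```cpp
#include <functional>
#include <string>
#include <vector>

// Hypothetical stand-in for a script preprocessor callback: receives the
// script source and its URL and returns the rewritten source.
using Preprocessor = std::function<std::string(const std::string& source,
                                               const std::string& url)>;

// Failure record to surface to the Inspector instead of silently dropping
// the error (Comment 4: an empty result is a preprocessor failure).
struct PreprocessError {
    std::string url;
    std::string message;
};

// Runs `pre` over `source` but never hands an empty string on to the parser.
//  - internal scripts (injected script, console evaluations) bypass the
//    preprocessor entirely;
//  - an empty result is recorded as an error and the original source is
//    used instead, which is the workaround from Comment 3.
std::string preprocessSourceCodeSafely(const std::string& source,
                                       const std::string& url,
                                       bool isInternalScript,
                                       const Preprocessor& pre,
                                       std::vector<PreprocessError>& errors)
{
    if (isInternalScript)
        return source;

    std::string result = pre(source, url);
    if (result.empty()) {
        errors.push_back({url, "preprocessor returned 0 bytes; using original source"});
        return source;
    }
    return result;
}

// Constructed sample preprocessors for the demonstration below.
std::string commentWrappingPreprocessor(const std::string& source, const std::string&)
{
    return "/* preprocessed */ " + source;
}

std::string brokenPreprocessor(const std::string&, const std::string&)
{
    return std::string(); // reproduces the "Resulted in 0 bytes" case
}

// Exercises both paths; returns the number of errors recorded.
size_t runDemo(std::vector<std::string>& outputs)
{
    std::vector<PreprocessError> errors;
    const std::string page = "var a = 1;";
    const std::string injected = "(function () { return injectedScript; })";

    outputs.push_back(preprocessSourceCodeSafely(page, "http://example.test/a.js", false,
                                                 commentWrappingPreprocessor, errors));
    outputs.push_back(preprocessSourceCodeSafely(page, "http://example.test/a.js", false,
                                                 brokenPreprocessor, errors));
    outputs.push_back(preprocessSourceCodeSafely(injected, "injected-script", true,
                                                 brokenPreprocessor, errors));
    return errors.size();
}

int main()
{
    std::vector<std::string> outputs;
    runDemo(outputs);
    return 0;
}
```

Only the second call trips the error path: the page script goes through unchanged and the failure is recorded for the Inspector, while the injected script never reaches the broken preprocessor at all.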
johnjbarton
Comment 5 2013-03-22 12:09:00 PDT
I found another crash, so I am changing the summary of this one.