Bug 115087
Summary: | Web Inspector: WebCore::reportException should not evaluate JavaScript handling exceptions | ||
---|---|---|---|
Product: | WebKit | Reporter: | Joseph Pecoraro <joepeck> |
Component: | Web Inspector | Assignee: | Chris Curtis <chris_curtis> |
Status: | NEW | ||
Severity: | Normal | CC: | chris_curtis, ggaren, inspector-bugzilla-changes, webkit-bug-importer |
Priority: | P2 | Keywords: | InRadar |
Version: | 528+ (Nightly build) | ||
Hardware: | All | ||
OS: | All |
Joseph Pecoraro
Currently WebCore::reportException can evaluate JavaScript when handling exceptions. The JS evaluation can itself throw an exception if running code in the page.
For example:

```javascript
function MyError() {
    this.name = "MyErrorName";
    this.message = "MyErrorMessage";
}
MyError.prototype.toString = function() {
    throw "oops";
}
function produceError() {
    throw new MyError();
}
produceError();
```
WebCore::reportException calls this toString, and can potentially get values with hooks in valueOf as well. We should avoid running JS that can trigger its own exceptions if possible.
Geoffrey Garen
Chris is working on similar bugs in JSC, so reassigning to him.
Timothy Hatcher
Moving to the right component.
Radar WebKit Bug Importer
<rdar://problem/15796841>
Joseph Pecoraro
Oliver had a suggestion on IRC:
- if the exception object is a builtin Exception/Error object => directly get "message" property
- if the exception object is a primitive => toString
- otherwise, send the exception object to the inspector frontend like a console.log (RemoteObject)
I think that is a good idea. This would nicely handle these cases:
- SyntaxError / ReferenceError
- throw 1, throw "test", ...
- throw {a:1,b:2}, throw [1,2,3], throw new MyError()
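The following is an added example, not WebKit code and not code from anyone in this thread. It sketches in plain JavaScript the three-way split proposed in the previous comment (built-in Error: read `message`; primitive: stringify; anything else: hand a structured description to the frontend) and contrasts it with the behaviour the original report describes, where `String(thrown)` runs the page's own `toString`/`valueOf`. The helper names `describeException`, `lookupDataProperty`, `naiveDescribe` and `naiveDescribeThrows` are assumptions for this example; `MyError` is the test case from the first comment. A native `reportException` can check the object's internal error slot directly; this JS approximation uses `Error.prototype.isPrototypeOf`, which a Proxy could still intercept, so it is an illustration of the idea rather than a drop-in implementation.

```javascript
// Added example (not WebKit code): classify a thrown value the way the
// last comment proposes, without running page-controlled JavaScript.
// All function names here are assumptions chosen for this example.

// Read a property through the prototype chain without invoking an accessor:
// Object.getOwnPropertyDescriptor and Object.getPrototypeOf run no page code
// for ordinary objects (a Proxy could still intercept them; a native
// implementation checking internal slots would not have that gap).
function lookupDataProperty(obj, key) {
  for (let o = obj; o !== null; o = Object.getPrototypeOf(o)) {
    const desc = Object.getOwnPropertyDescriptor(o, key);
    if (desc) {
      return "value" in desc ? desc.value : undefined; // accessor: refuse to call it
    }
  }
  return undefined;
}

function describeException(thrown) {
  // 1. Primitives: String() on a primitive never reaches user code.
  if (thrown === null || (typeof thrown !== "object" && typeof thrown !== "function")) {
    return { kind: "primitive", text: String(thrown) };
  }

  // 2. Built-in Error (or subclass): use name/message only if they are plain
  //    data properties, and build "Name: message" ourselves instead of
  //    calling Error.prototype.toString (which would read accessors).
  if (Error.prototype.isPrototypeOf(thrown)) {
    const name = lookupDataProperty(thrown, "name");
    const message = lookupDataProperty(thrown, "message");
    const nameText = typeof name === "string" ? name : "Error";
    const messageText = typeof message === "string" ? message : "";
    const text = messageText === "" ? nameText : `${nameText}: ${messageText}`;
    return { kind: "error", text };
  }

  // 3. Anything else: a structured summary the frontend can render the way
  //    console.log would. Property names are listed without reading values.
  return {
    kind: "object",
    className: Array.isArray(thrown) ? "Array" : typeof thrown === "function" ? "Function" : "Object",
    keys: Object.getOwnPropertyNames(thrown),
  };
}

// The behaviour the report describes: String() on an object calls its
// toString/valueOf, so page code runs while the exception is being reported.
function naiveDescribe(thrown) {
  return String(thrown);
}

// Returns true when naiveDescribe itself throws for the given value.
function naiveDescribeThrows(thrown) {
  try {
    naiveDescribe(thrown);
    return false;
  } catch (e) {
    return true;
  }
}

// Constructed sample input mirroring the report's test case.
function MyError() {
  this.name = "MyErrorName";
  this.message = "MyErrorMessage";
}
MyError.prototype.toString = function () {
  throw "oops";
};

// A real Error whose "message" has been replaced by a throwing getter:
// the naive path throws, the descriptor-based path falls back to the name.
const trapped = new Error("real message");
Object.defineProperty(trapped, "message", { get() { throw "oops"; } });

// Sample values from the comment's list, run through both paths.
for (const value of [1, "test", new TypeError("bad"), { a: 1, b: 2 }, [1, 2, 3], new MyError(), trapped]) {
  console.log(JSON.stringify(describeException(value)), "| naive throws:", naiveDescribeThrows(value));
}
```

Run it with `node`; each line shows the structured description next to whether the naive `String()` path threw while reporting. The only values that trip the naive path are the two whose `toString`/`message` hooks throw, and those are exactly the cases the descriptor-based path handles without executing anything from the page.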