Bug 121982

Summary: A mutation observer triggered in a method which throws an exception will cause an ASSERT.
Product: WebKit
Reporter: Jer Noble <jer.noble>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal
CC: ap, fpizlo, ggaren, mhahnenberg, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments: Simplified test case (flags: none)

Jer Noble
Reported 2013-09-26 14:33:16 PDT
Triggering a mutation observer then, in the same stack frame, throwing an exception will cause an ASSERT when the mutation observers are triggered. The ASSERTion is testing (!vm->hasException()), and since the exception thrown in the event handler has not yet been cleared, the ASSERT is triggered.

0 com.apple.JavaScriptCore 0x00000001101a565a WTFCrash + 42 (Assertions.cpp:342)
1 com.apple.JavaScriptCore 0x000000010fecfbfc JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 124 (Interpreter.cpp:903)
2 com.apple.JavaScriptCore 0x000000010fc4540e JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 190 (CallData.cpp:39)
3 com.apple.WebCore 0x0000000111accd8b WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 91 (JSMainThreadExecState.h:53)
4 com.apple.WebCore 0x0000000111d2fa16 WebCore::JSMutationCallback::call(WTF::Vector<WTF::RefPtr<WebCore::MutationRecord>, 0ul, WTF::CrashOnOverflow> const&, WebCore::MutationObserver*) + 694 (JSMutationCallback.cpp:90)
5 com.apple.WebCore 0x00000001120f0ec2 WebCore::MutationObserver::deliver() + 514 (MutationObserver.cpp:207)
6 com.apple.WebCore 0x00000001120f1152 WebCore::MutationObserver::deliverAllMutations() + 594 (MutationObserver.cpp:237)
7 com.apple.WebCore 0x0000000111d07b6e WebCore::JSMainThreadExecState::didLeaveScriptContext() + 14 (JSMainThreadExecState.cpp:47)
8 com.apple.WebCore 0x0000000111acceef WebCore::JSMainThreadExecState::~JSMainThreadExecState() + 159 (JSMainThreadExecState.h:82)
9 com.apple.WebCore 0x0000000111acce45 WebCore::JSMainThreadExecState::~JSMainThreadExecState() + 21 (JSMainThreadExecState.h:82)
10 com.apple.WebCore 0x0000000111accd9f WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 111 (JSMainThreadExecState.h:54)
11 com.apple.WebCore 0x0000000111c0463f WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 1199 (JSEventListener.cpp:132)
12 com.apple.WebCore 0x000000011157e682 WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul, WTF::CrashOnOverflow>&) + 498 (EventTarget.cpp:278)
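The ordering the stack trace shows, as an added illustrative model that is not WebKit's code: queued mutation callbacks are delivered from a scope object's destructor while the event handler's exception is still set, which is exactly what the executeCall precondition rejects. The save-and-restore in the hardened variant is an assumed mitigation for illustration only, not the fix WebKit adopted, and every name below is hypothetical.

```cpp
#include <functional>
#include <string>
#include <vector>

// Hypothetical, much simplified model of a JS VM's pending-exception slot
// (illustrative code, not JavaScriptCore's). Empty string means no exception.
struct VM {
    std::string exception;   // set by a throw, cleared once something catches it
    bool hasException() const { return !exception.empty(); }
};

// Mutation-observer callbacks queued while script ran; delivered on scope exit.
static std::vector<std::function<void(VM&)>> g_pendingMutationCallbacks;

// Models the precondition checked by Interpreter::executeCall in the report:
// script must not be re-entered while an exception is still pending. Returns
// false where the debug build's ASSERT(!vm->hasException()) would fire.
bool executeCall(VM& vm, const std::function<void(VM&)>& fn) {
    if (vm.hasException()) return false;
    fn(vm);
    return true;
}

// RAII scope standing in for JSMainThreadExecState: its destructor delivers the
// queued callbacks, as didLeaveScriptContext does in the stack trace.
struct ScriptScope {
    VM& vm; bool& violated; bool saveExceptionFirst;
    ~ScriptScope() {
        // Hardened variant (an assumed mitigation): take the handler's exception
        // out of the VM before delivering, then put it back so it still propagates.
        std::string saved;
        if (saveExceptionFirst) saved.swap(vm.exception);
        for (auto& cb : g_pendingMutationCallbacks)
            if (!executeCall(vm, cb)) violated = true;   // the ASSERT's condition
        g_pendingMutationCallbacks.clear();
        if (!saved.empty()) vm.exception = saved;
    }
};

// The report's scenario: the click handler queues a mutation record, then throws.
// Returns true if the executeCall precondition was violated during delivery.
bool runScenario(bool saveExceptionFirst) {
    VM vm; bool violated = false;
    {
        ScriptScope scope{vm, violated, saveExceptionFirst};
        executeCall(vm, [](VM& v) {
            g_pendingMutationCallbacks.push_back([](VM&) { /* observer callback */ });
            v.exception = "TypeError thrown by the click handler";  // constructed sample
        });
    }
    return violated;
}
```

runScenario(false) reproduces the report's ordering and reports a violation; runScenario(true) delivers the callback with a clean VM and re-raises the handler's exception afterwards.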
Attachments
Simplified test case (490 bytes, text/html), 2013-09-26 14:33 PDT, Jer Noble, no flags
Jer Noble
Comment 1 2013-09-26 14:33:40 PDT
Created attachment 212748 [details] Simplified test case
Jer Noble
Comment 2 2013-09-26 14:35:00 PDT
In a debug build, clicking on the "mutate" button in the test case will cause an ASSERTion crash.
Radar WebKit Bug Importer
Comment 3 2013-09-26 18:46:07 PDT