Bug 127508

Summary: REGRESSION: crash when evaluating JavaScript expression in breakpoint action
Product: WebKit
Reporter: Blaze Burg <bburg>
Component: Web Inspector
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: graouts, joepeck, mark.lam, timothy, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: All
OS: All
URL: http://www.nihilogic.dk/labs/tetris/
Bug Depends on:
Bug Blocks: 127117
Attachments:
  stack trace and dump (Flags: none)

Description Blaze Burg 2014-01-23 13:30:10 PST
Steps to reproduce:

1. Set a breakpoint in the linked page, on tetris.js:95.
2. Edit the breakpoint and add the action "Evaluate Script" with expression = "e" (or anything)
3. Press a key in the game

This will crash inside ScriptDebugServer::evaluateBreakpointAction(), in the call to evaluate the expression. This seems to be a recent regression; perhaps the call frame is getting stale somehow.

This blocks further upstreaming of probes backend and UI, since it leaves no way to test probes functionality (which evaluates expressions using the same evaluation code).
Comment 1 Radar WebKit Bug Importer 2014-01-23 13:34:51 PST
<rdar://problem/15895535>
Comment 2 Timothy Hatcher 2014-01-23 19:41:52 PST
Is it because the action is throwing an exception?
Comment 3 Blaze Burg 2014-01-24 09:55:26 PST
As far as I can tell, no. Even evaluating a local variable causes it to crash for me. Could you try to reproduce?
Comment 4 Blaze Burg 2014-01-24 12:19:27 PST
Created attachment 222136 [details]
stack trace and dump
Comment 5 Mark Lam 2014-01-24 18:59:10 PST
I've reproduced the issue. There are 2 issues at play here:

1. When I enter the expression "e" into the "Evaluate Script" text box, I see auto completion which suggested "else" as the text that I might want to enter.  I click outside the text box, and this rejects the auto complete suggestion as far as what is shown to me.

    However, later on, when I press a key and trigger the breakpoint, the expression gets passed to DebuggerCallFrame::evaluateWithCallFrame() to be evaluated.  There, I see that the script string passed in is "else", not "e".  That means the inspector UI lied when it told me that the script to eval is "e".

    Given this bad script, …
 
2. DebuggerCallFrame::evaluateWithCallFrame() fails to create an executable for it.  An exception is thrown.  However, DebuggerCallFrame::evaluateWithCallFrame() clears the exception in the VM, and proceeds to attempt to execute the null executable.  This results in a crash.

I've filed <https://webkit.org/b/127600> to track the second issue.  I'll leave this bug to track the Inspector UI issue.
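The second issue above, as an added illustration that is not WebKit's code: a toy VM where compiling a reserved word such as "else" fails and records an exception, and an evaluation routine that surfaces that error to the caller instead of clearing it and running a null executable (all names here are hypothetical stand-ins; the real crash is in DebuggerCallFrame::evaluateWithCallFrame()).

```cpp
// Added example, not WebKit code. Models the failure mode described in
// comment 5: script compilation fails, the exception is cleared, and a null
// executable is then run. The evaluate function below checks first.
#include <map>
#include <memory>
#include <optional>
#include <set>
#include <string>

// Hypothetical stand-ins for the VM, the call frame and an executable.
struct VM { std::optional<std::string> exception; };   // pending exception slot
using CallFrame = std::map<std::string, int>;          // locals visible in the frame

struct Executable {
    std::string name;   // the toy "program": look up one local variable
    std::optional<int> run(const CallFrame& frame) const {
        auto it = frame.find(name);
        if (it == frame.end()) return std::nullopt;
        return it->second;
    }
};

// Compiling a reserved word such as "else" is a syntax error: the function
// returns null and leaves the exception on the VM, like the report describes.
std::unique_ptr<Executable> createExecutable(VM& vm, const std::string& script) {
    static const std::set<std::string> reserved{"else", "if", "for", "while", "return"};
    if (script.empty() || reserved.count(script)) {
        vm.exception = "SyntaxError: unexpected token '" + script + "'";
        return nullptr;
    }
    return std::make_unique<Executable>(Executable{script});
}

struct EvalResult { bool ok; int value; std::string error; };

// Buggy shape from the report (deliberately not executed here):
//   vm.exception.reset();      // exception cleared ...
//   return exec->run(frame);   // ... then null executable run -> crash

// Hardened: report the compile error to the caller and never run a null executable.
EvalResult evaluateWithCallFrame(VM& vm, const CallFrame& frame, const std::string& script) {
    auto exec = createExecutable(vm, script);
    if (!exec || vm.exception) {
        std::string err = vm.exception.value_or("compile failed");
        vm.exception.reset();   // consume the exception only after capturing it
        return {false, 0, err};
    }
    auto v = exec->run(frame);
    if (!v) return {false, 0, "ReferenceError: " + script + " is not defined"};
    return {true, *v, ""};
}
```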
Comment 6 Mark Lam 2014-01-24 19:13:57 PST
<https://webkit.org/b/127600> has been fixed, and I no longer see any crash with the steps provided in this bug.  If you're still seeing a crash, please let me know the new steps to reproduce it.  Thanks.
Comment 7 Timothy Hatcher 2014-01-24 21:08:03 PST
Let's file a new bug about the editor confusion.