Bug 141396

Summary:

Web Inspector: CRASH when debugger pauses inside a Promise handler

Product:

WebKit

Reporter:

Brian Burg <burg>

Component:

JavaScriptCore

Assignee:

Michael Saboff <msaboff>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

ggaren, graouts, joepeck, jonowells, mark.lam, mattbaker, msaboff, nvasilyev, sam, timothy, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Attachments:

Description	Flags
crash log	none
Fix with a basic test. I'll likely increase the test coverage.	none
Patch	mark.lam: review+

Description Brian Burg 2015-02-09 12:05:16 PST

Test case:

var p = new Promise(function(resolve, reject) {
debugger;
})

Comment 1 Radar WebKit Bug Importer 2015-02-09 12:05:50 PST

<rdar://problem/19769491>

Comment 2 Brian Burg 2015-02-09 12:08:10 PST

Created attachment 246281 [details]
crash log

Comment 3 Mark Lam 2015-02-09 17:28:11 PST

The JS call stack at the time the debugger breaks:
      frame 0x7fff5af1aca0 {
         name ''
         sourceURL 'file:///Volumes/Data/ws1/OpenSource/brrian-test.js'
         isInlinedFrame 0
         callee 0x11cbd8930
         returnPC 0x10f466e29
         callerFrame 0x7fff5af1b560
         rawLocationBits 25 0x19
         codeBlock 0x11b772960
            bytecodeOffset 25 0x19 / 32
            line 2
            column 5
            jitType 2 <InterpreterThunk> isOptimizingJIT 0
            hasCodeOrigins 0
      }
      frame 0x7fff5af1b560 {
         name 'Promise'
         sourceURL '[native code]'
         isInlinedFrame 0
         callee 0x11cbaf790
         returnPC 0x0
         callerFrame 0x7fff5af1b5d0
         rawLocationBits 32767 0x7fff
         codeBlock 0x0
      }
      frame 0x7fff5af1b5d0 {
         name 'global code'
         sourceURL 'file:///Volumes/Data/ws1/OpenSource/brrian-test.js'
         isInlinedFrame 0
         callee 0x11cbaf5f0
         returnPC 0x10f466e29
         callerFrame 0x0
         rawLocationBits 43 0x2b
         codeBlock 0x11b772708
            bytecodeOffset 43 0x2b / 66
            line 1
            column 20
            jitType 2 <InterpreterThunk> isOptimizingJIT 0
            hasCodeOrigins 0
      }

The crash is due to an assertion when the DebuggerCallFrame tries to get the callee scope of the 2nd frame (“Promise” constructor).  The DebuggerCallFrame does so by jsCast’ing the callee to a JSCallee and invoking its scope() method.  However, the Promise constructor is an InternalFunction which does not inherit from JSCallee.  Hence, the assertion failure.

Comment 4 Mark Lam 2015-02-09 17:39:25 PST

See also https://bugs.webkit.org/show_bug.cgi?id=139167 which concluded that InternalFunctions shouldn’t be JSCallees.

Comment 5 Michael Saboff 2015-02-25 17:03:31 PST

Created attachment 247368 [details]
Fix with a basic test.  I'll likely increase the test coverage.

Comment 6 Michael Saboff 2015-02-25 18:15:07 PST

Created attachment 247382 [details]
Patch

Comment 7 Mark Lam 2015-02-25 18:22:43 PST

Comment on attachment 247382 [details]
Patch

r=me

Comment 8 Michael Saboff 2015-02-25 22:05:18 PST

Committed r180660: <http://trac.webkit.org/changeset/180660>